Systems Audit is another area of Assurance for an Assurance professional. Auditing a Computer Environment is just as important as auditing the books of accounts.
Hence it is important for a Chartered Accountant to provide sufficient assurance to the stakeholders having interest, that the internal controls deployed in the IT Environment as well as in the Non IT Environment operate effectively.
This article gives an approach for conducting an IS Audit.
1. IS Audit and Internal Controls
Implementation and continuous review of effectiveness of Internal Controls has always been a challenge for
enterprises.Internal Controlscanbe comparedto the chassisof avehicle - withoutthe chassis,the engine isrendered
useless.Internal Controlsare mostneededinacorporate environmenttopreventfraudincidence andtomanage risk
of loss to assets and profits. In recent years, enterprises have become more enterprising and competitive and along
withhelpof technology,they have succeededinincreasingtheirsize of services,producesandpresence. Enterprises
are nowhavingtheirlocationsall overthe world. Thusthe needof havingcorrectInternal Controlsismore thanever.
A CA provided the following services until the effect of technology struck business.As a professional, he used to
provide servicessuchasAudit,Tax,CompanyMatters,Legal Compliances,andAccountingetc.SpecificallyasanAudit
Professional, he usedto render services of conducting audit engagements such as Statutory Audit, Tax Audits (both
DirectandIndirectTaxes),SpecialAudits(asprescribedundervarious Acts),BankAudits,andInternal Auditsetc.There
is a paradigm shift in the expectations from Chartered Accountants in the new scenario.
A CA as an audit professional can provide more services that relate to technologysuch as IS Audits, Implementation
of ERP and GRC (Governance, Risk Management and Compliance), Design of Access and Process Controls, Forensic
Audits etc.
A CA is expectedtoknowand review implementationof new regulationsandstandards like The Sarbanes – Oxley
Act of 2002 – Section 302 and 404, The Companies Act 2013 – Section 134 and 143, Clause 49 of SEBI’s Listing
Agreement,Privacy Acts of variousCountries and Standards like ISO 27000 Family, ISO 22301, BSI (British Standards
Institute) Standards, and PAS (Public Available Standards) Standards etc., not forgetting Frameworks like COBIT 5
(Control Objectives for Information and Related Technology) and COSO (Committee of Sponsoring Organizations)
Framework for Internal Controls.
One such greenfield service is the engagement of conducting IS Audits or Information Systems Audit. An IS Audit is
relatedtoInternal Audit.Internal Controlsthatare presentintheenterpriseare completelyrelevant whileconducting
an IS Audit.
These are some keywords that would be repeating in this study and is important to understand them.
1. Control:It literallymeansInternal Controlsthatispresentina businessenvironment.Itcan be IT Controlsor
non IT Controls.
2. Risk: It is the rate at which there is a threat to the business which has arisen from a specific happening/non
happening.
3. Process: A set of tasks make a work flow. A set of work flows make a process. A process is controlled by a
“Process owner” or “Function head”. E.g. HR Process, Procurement Process.
Internal Control simply means “Policies framedby the management in order to have stronger and adequate control
of affairswithinthe enterprise,andwhichcanbe checkedbythe Internal orStatutoryAuditorinorderto ensure that
the goalsandobjectivesof the enterpriseare dulymet”. Theyare practicesandprocessesenforcedonthe employees
of an enterprise to prevent fraud and to maintain integrity of the data.
Internal Controlsissaidtobe asumof General ControlsandISControls.IScontrolsissaidtobe asumof IT Application
Controls and IT General Controls. General Controls refers to Internal controls that are not enforced through the IT
System unlike the IS Controls. IS Controls are controls that are present on the enterprise’s IT Infrastructure. IT
Infrastructure includes hardware and software.
IT Application Controls: They vary depending on the applications that have been installed by the enterprise for its
revenue generation. Application software is the software that processes business transactions. The Application
software couldbe aretail bankingsystem, anInventorysystemorpossibly anintegratedERP.Controlswhichrelateto
businessapplicationsleading tojudicial use of the applicationand enforcedthroughthe applicationitself tothe end
user are called IT Application Controls. IT Application Controls can be broadly classified into five categories:
1. InputControls:Controlsthatare enforcedduringthe inputof databya user.E.g.Data Checksandvalidations.
2. 2. Processing Controls: Controls that are enforced during the processing of data that have been input. E.g.
duplicate checks, File Identifications and Validations etc.
3. Output Controls: Controls that are enforced during display of output of the processed data. E.g. Update
Authorizations etc.
4. Integrity Controls: These controls are used to preserve the genuineness and accuracy of data. E.g. Data
Encryption,InputValidationsetc.These controlscan be enforcedduringinputandprocessingand storage of
data.
5. Management Trails: These controls are for the management to find out the audit trail of a transaction. E.g.
Time stamps and snapshots of application.
IT General Controls: They may also be referred as General Computer controls. These are controls other than IT
Application Controls, which relate to the environment within which computer-based application systems are
developed,maintainedandoperatedandare thereforeapplicabletoall applicationsTheseare policiesandprocedures
that relate tomanyapplicationsandsupportthe effectivefunctioningof applicationcontrolsbyhelpingtoensure the
continued proper operation of information systems.
IT General Controls can be broadly classified into the following areas:
1. Physical Access Controls: These controls are enforced at protecting the physical locations of the IT
Infrastructure. E.g. Security Personnel, Physical Locks, Bio Metric Locks, CCTV etc.
2. Data Center Controls: These controls are enforced specifically at the data centers of an enterprise. A data
centeristreatedas an extremelysensitive areaandthusa higherriskwouldbe present.E.g.BiometricLocks,
Presence of ServerRacks, Presence of AirConditioners,Fire Extinguishers,WeatherControls,LogRegisterof
people etc.
3. IS Security:These controlsare enforcedateverylevelof ITInfrastructure.The objectivesof thesecontrolsare
protectionof InformationAssets. The CIA triadisenforcedi.e.Confidentiality,IntegrityandAvailabilityof Data
andinformationsecurityismaintained.E.g.Firewall,Antivirus,Anti Spyware,Timely updatingof software and
antivirus updates and patches etc.
4. SystemDevelopmentLifeCycle andChangeManagementControls:Thesecontrolsare enforcedtoensure that
the correct process of software development/procurement and release management is followed. E.g.
Documented Process for procuringsoftware, Documented Processof incorporating changes to the acquired
software etc.
5. Logical Controls: These are controls which provide access restrictions to the employees who use the IT
Infrastructure. The motive of these controls is to protect the identities of the employees and to prevent
misuse. E.g. User Account Passwords, Access Removal upon termination, screen locks etc.
6. Backupand Recovery:These controlsare presentto ensure properbackupandrecoveryprocessesof the data
of the organization. E.g. Daily Backup of data and environment (OS), Restoration Practice trial etc.
7. End usercomputing:These controlsare enforceddirectlyonthe employees.Thesecontrolsare enforcedwith
an objective of prevention of IT Infrastructure Abuse by the employees. E.g. Logging of user activity and
Review, Disabling of USB Ports etc.
An ISAuditisperformedtoprovide assurance thatall of the above mentionedcontrolsare adequateandsatisfactory
to the nature of the enterprise and effectively operational in the functions of the enterprise. An IS Audit is typically
dividedintotwosectionsi.e.Review of ITApplicationControls(ITAC) andReview of ITGeneral Controls(ITGC).AnIS
Audit would have the following process:-
An IS Auditor would begin his audit engagement by having conversation withthe IT Administrator/CIO of an
enterprise. The IS auditor would review all the documented policies and processes that are being enforced
withinthe organization.Documentedpolicieswouldinclude aISSecurityPolicy,BringYourOwnDevice Policy
(BYOD),PasswordPolicy,BCPetc.The ISAuditorwouldbe gaininganunderstandingof the overall level of the
Internal Controls.
An IS Auditor would then gain an understanding of the applications that have been implemented in the IT
Infrastructure. It would be a base for him to decide the plan of action of the Audit.
The next step would be to collect a list of all the types of logs that can be generated by the applications.
3. Aftercollectingthe above information,the auditorthe auditor identifiesthe risksthat are applicable forthe
enterprise. The approachthatwouldbe followed istocreate a matrix foreach applicationandarea (forITAC
andITGC respectively) andwouldidentifythecontrolsthatare enforcedinthe enterprise.All the identification
and Review of controls would be performed by sampling, observations or any other method.
Testing of Design Effectivenessand testing of operating effectiveness would be performed by the IS Auditor
on every identifiedcontrol. Testing of Design Effectiveness refersto the working design of the control as
documented.Itis a blue printof the control.Testingof OperatingEffectivenessreferstoactual performance
of the Control in the IT Environment.
It isimportantforthe ISAuditorto collectsufficientevidencewhile identifyingthe controls.Evidencescanbe
in the form of Screenshots, Email threads, Scanned documents, photographs, Minutes of Meetings etc.
A Risk Rating exercise is then performed to the identified controls to see whether the identified control is
sufficient to mitigate the identified risk.
Based on the Risk Ratings and the evidences collected, suitable recommendations would be suggestedand
accordingly an IS Audit report would be drafted and shared to the enterprise.
Thus the ultimate test of IT Internal Controls can be performed in an IS Audit. Based on the findings and
observations,anIS Auditorwouldbe able to provide sufficientassurance whetherthe incorporatedcontrolsare
adequate or not to the nature and size of the IT Infrastructure of the enterprise.