Discover the main areas involved in the work of information systems audit:
- High-level systems architecture review.
- Business process mapping (e.g. determining the dependency of information systems on user business processes).
- End-user identity management (e.g. authentication mechanisms, password patterns, limiting roles or granting systems functionality).
- Operating system settings.
- Application security controls.
- Database access controls (e.g., database configuration, database account access, roles defined in the database).
- Antivirus/Anti-Malware Controls.
- Network and physical infrastructure controls (e.g. structure of switches and routers, use of physical space access control lists and firewall rules).
- Registration and auditing systems and processes.
- IT privileged access control (e.g. system administrator or root access).
- IT processes in support of the system (e.g. user account reviews, change management).
- Backup and restore procedures.
The activities of information systems audit consist of checking the data files by sampling log, carry out subsequent interviews with people related to the technology sector. Tests are also carried out regarding internal controls. Systems auditing may also require the creation of user accounts so that auditors can further examine the system and determine the effectiveness of implemented controls and expected results. Additionally, a subset of integration tests may be performed in test or staging environments to ensure that controls that the general user may have are functioning as described and expected.
Scope of Systems Audit
A information systems audit resembles information security control tests. However, the normal scope of a systems audit encompasses the entire lifecycle of the technology under review. Audits are always the result of some concern with the management of technological assets and usually those who seek it are the owners of technological assets or interested parties in the information and systems environment, including the systems managers themselves.
Often, mapping the purpose of the information systems audit is a challenge for auditors. They begin by identifying the business activity most likely to produce the best type of evidence to support the audit objective. They then identify which application systems and networks are used to compute the information that supports the companies' operational and business activities.
For an information technology manager, the scope of information systems audit must be clear from the start. It should comprise a well-defined set of people, processes and technologies that clearly correspond to the audit objective. If an auditor does not understand the technology environment before an audit begins, there may be errors in scope definition. Where such errors do occur, they are often caught in the course of the audit and systems that were previously not in scope can be declared as existing.
The field work of information systems audit encompasses the process of identifying people, processes, and technologies within a given systems environment that correspond to expected control activities. Management responsible for audit results must do its best to ensure that the auditor receives information directly from the expert in the area under analysis, including advising on the importance of responses to the auditor's questionnaire that are correct and concise to the questions for the audit, or In other words, direct the auditor to the specialist on the subject covered, or if there is none, return to the responsible contact.
If the professionals information systems audit do not find evidence that a control objective is achieved, they will return to the responsible manager to see if there is any activity with the organization that qualifies as satisfying the objective that was not anticipated by the auditor. During fieldwork, a systems audit professional will have a list of possible findings. They may not yet be fully documented, but the condition may be known. It is the role of the IT contact to assist management and the auditor in the search for evidence to ensure that the control objective is achieved and thus complete the auditor's work.
Whether or not there are findings of information systems audit, the engagement will be concluded with an assessment report, containing the auditor's formal opinion regarding the topic of management concern that drives the audit objective. The objective of the audit will be defined, the audit methodology will be briefly described, and there will be a statement regarding the auditor's professional opinion as to whether management's concern is adequately addressed. The report may also include recommendations for management activities that would reduce the impact of the results.
Auditing information systems within an organization
It operates with a disciplined approach, evaluating and improving the effectiveness of a system. The systems auditor's work also highlights points of reduction, elimination and prevention of non-conformities.
A information systems audit in an organization it monitors the controls, systems development, IT procedures, infrastructure, operations, performance and security that involves the processing of critical information for decision making.
Its main objectives are: evaluation of the organization system, determination of conformity or non-conformity of elements, suggestions for improvements, compliance with regulatory requirements. However, it is currently expected that information systems audit, an outcome beyond auditing for compliance, such as attention to risks.
A information systems audit does not only involve equipment (hardware) or specific procedures, but also their inputs, processes, controls, files, security and output of data ( ). It is extremely important for the good performance of information systems, as it evaluates, in addition to the controls necessary for the systems to be reliable, the entire Information Technology environment: Equipment, CPD and Software.
Currently, organizations have been expanding their way of acting, carrying out stricter controls through information systems audit, aiming to ensure the integrity and security of data traffic. Added to this context is the wide use of technology for storing accounting, financial and operational information, making Systems Auditing seek improvement in the organization's field of action.
The results obtained by information systems audit, through work carried out by trained and experienced professionals, are widely used by decision makers, with the aim of improving the organization's performance.
Responsibilities of the Information Systems Audit Professional
The responsibilities of the professional information systems audit they encompass strategizing and inspecting the company's information processing systems and programs in order to protect the integrity of information, ensure that the information stored is correct, and promote the effectiveness of their work. He is also known as a computer systems auditor, who verifies the platform where the company's private information is saved.
the professional of information systems audit it also examines the company's specialized systems (operating systems) and the systems that support activities other than the company's specialized ones (corporate systems) as well as the communication between legacy systems and their integrations. Thus, he educates the company's administrators about the effectiveness and vulnerability of computer systems and networks while keeping up to date with the auditing and software skills of the systems that are installed in the company.
It is also the responsibility of the information systems audit evaluate data processing systems to estimate their effectiveness, efficiency and accuracy; study and examine the company's trading strategies and programs in order to estimate the comprehensiveness and accuracy of transactions that have been processed.
In summary, the audit of systems independent of the branch of activity of the companies and its size, being as the main responsibilities of a professional of information systems audit:
- Analyze the program's systems and its business purposes, in order to, as a systems auditor, estimate and verify whether the objectives are being completed.
- With each new system incorporated into the companies, verify how they were built in the company to verify the effectiveness and security of the information.
- Assessing the areas of the company where systems are installed, the systems auditor makes sure that all security methods are being followed and that the company's systems are in perfect working order.
- Track and analyze software and hardware commodities, parts and components that have been purchased to ensure that it will help the company achieve its goals, targets and objectives.
- Observe and record the application of computer programs in the company.
- Communicate to information processing administrators and information technology associates working on the company's computer systems.
- Formulate documented reports on new systems and implement them, which would really help in improving the company's work output.
- Study, examine and verify the company's accounts, audit and software records.
- Perform the role and duties when the systems auditor is internal to the company's information systems and assess.
- Examine functional and usable data across various computer networks and company systems to ensure that information systems are processed properly, resulting in benefits for them.
- Complete all other duties, positions, responsibilities and functions of an information systems auditor in the company that are assigned to him.
Information systems audit combined with financial/accounting audit
A information systems audit can be carried out in an integrated manner, that is, it is one that treats information technology, financial and operational controls as mutually dependent to establish an effective and efficient internal control environment.
In the context of information technology, the objective of information systems audit it is ensuring that information technology controls are effective and efficient in supporting the business process. In the financial and operational context, the objective is to ensure that financial and operational controls are effective and efficient to support the business process.
Even if financial and operational controls do not identify problems, they can be identified in information technology and are capable of nullifying the effectiveness of financial and operational controls and vice versa. Therefore, for a information systems audit integrated, perspectives need to be fully considered, as information technology, financial and operational issues can significantly impact the achievement of management's objectives in protecting information system assets and ensuring reliability and integrity of information.
A information systems audit Integrated audit includes an audit of the applications, servers, and network configurations that support the business process. Examining and testing the application, servers, and network configuration is similar to an information systems audit. Additionally, the information system and financial and operational auditors collaboratively consider the following aspects related to the business process being examined:
- Business and information processing risks and controls are understood and agreed upon by the business owners, the information technology and support organization, and the information systems audit integrated.
- Feeds manual and automated systems interfaces and communications are accurate, timely and secure.
- Manual and automated transactions are approved, processed in a timely and accurate manner.
- Information is secure and privacy controls comply with current regulations.
- Disaster recovery plans and business continuity plans provide reasonable assurance that both system and business operations can recover and continue when a system or business interruption occurs.
- Program changes are authorized, tested, approved, and migrated to production as prescribed by the business process owners.
In one information systems audit integrated, the business process owner is responsible for ensuring that information technology and financial and operational controls are implemented, effective and efficient.
Please contact TATICCA, which operates with integrated auditing, accounting, tax, corporate finance, financial advisory, risk advisory services, tech, business consultancy and training, for more information, visit www.taticca.com.br or email taticca@taticca.com.br and find out more. Our company has professionals with extensive experience in the market and has certified methodologies for carrying out activities.