Information systems audit: the basics

What should you expect from an IS audit? Jennifer Bayuk spells out the audit process, step by step

In the early days of computers, many people were suspicious of their ability to replace human beings performing complex tasks. The first business software applications were mostly in the domain of finance and accounting. The numbers from paper statements and receipts were entered into the computer, which would perform calculations and create reports. Computers were audited using sampling techniques. An auditor would collect the original paper statements and receipts, manually perform the calculations used to create each report, and compare the results of the manual calculation with those generated by the computer. In the early days, accountants would often find programming errors, and these were computer audit findings.

However, these exercises also sometimes yielded findings of fraud. Fraud activities ranged from data entry clerks changing check payees to programmers making deliberate rounding errors designed to accumulate cash balances in hidden bank accounts. [Editor's note: For more, see Essential Reading on Fraud.] As auditors recognized repeating patterns of fraud, they recommended a variety of security features designed to automatically prevent, detect, or recover from theft of assets.

As computers became more sophisticated, auditors recognized that they had fewer and fewer findings related to the correctness of calculations and more and more on the side of unauthorized access. Moreover, the checks and balances that were devised to maintain correctness of calculations were implemented as software change control measures. These rely heavily on security to enforce controls over segregation of duties between programming, testing, and deployment staff. This meant that even programming changes relied in some measure for their effectiveness on computer security controls. Nowadays, information systems audit seems almost synonymous with information security control testing.

The Scope of an IS Audit

However, the normal scope of an information systems audit still does cover the entire lifecycle of the technology under scrutiny, including the correctness of computer calculations. The word "scope" is prefaced by "normal" because the scope of an audit is dependent on its objective. Audits are always a result of some concern over the management of assets. The concerned party may be a regulatory agency, an asset owner, or any stakeholder in the operation of the systems environment, including systems managers themselves. That party will have an objective in commissioning the audit. The objective may be validating the correctness of the systems calculations, confirming that systems are appropriately accounted for as assets, assessing the operational integrity of an automated process, verifying that confidential data is not exposed to unauthorized individuals, and/or multiple combinations of these and other systems-related matters of importance. The objective of an audit will determine its scope.

It is sometimes a challenge for auditors representing management interests to map the audit objective onto technology. They first identify business activity that is most likely to yield the best type of evidence to support the audit objective. They identify what application systems and networks are used to handle the information that supports the business activity. For example, an audit may focus on a given IT process, in which case its scope will include the systems used to create input for, to execute, or to control the IT process. An audit focused on a given business area will include the systems necessary to support the business process. An audit that focuses on data privacy will cover technology controls that enforce confidentiality controls on any database, file system, or application server that provides access to personally identifiable data.

Join the CSO newsletter!

Error: Please check your email address.

Tags data securityauditing

More about Amazon.comAmazon Web ServicesISMISO

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jennifer Bayuk

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place