Information technology or Information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization’s goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. Information systems audit is a part of the overall audit process, which is one of the facilitators for good corporate governance. While there is no single universal definition of IS audit, it is basically been defined as “the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently.”
Information systems are the lifeblood of any large business. As in years past, computer systems do not merely record business transactions, but actually drive the key business processes of the enterprise. The purpose of IS audit is to review and provide feedback, assurances and suggestions.
Amband auditors’ first study the organization’s concerns and group them under three broad heads:
Availability: Will the information systems on which the business is heavily dependent on be available for the business at all times when required? Are the systems well protected against all types of losses and disasters?
Confidentiality: Will the information in the systems be disclosed only to those who have a need to see and use it and not to anyone else?
Integrity: Will the information provided by the systems always be accurate, reliable and timely? What ensures that no unauthorized modification can be made to the data or the software in the systems?
An information system is not just a computer. Today’s information systems are complex and have many components that piece together to make a business solution. Assurances about an information system can be obtained only if all the components are evaluated and secured.
Our experienced auditors study and review the IT infrastructure in an organization and then group them into the major elements of IS audit;
Physical and environmental review—Includes physical security, power supply, air conditioning, humidity control and other environmental factors.
System administration review—Includes security review of the operating systems, database management systems, all system administration procedures and compliance.
Application software review— Review of application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software and complementary manual controls and procedures.
Network security review—Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.
Business continuity review—Includes existence and maintenance of fault tolerant and redundant hardware, backup procedures and storage, and documented and tested disaster recovery/business continuity plan.
Data integrity review—Is the scrutiny of live data to verify adequacy of controls and impact of weaknesses, as noticed from any of the above reviews.