Information System (IS) audit is a systematic process of objectively obtaining and evaluating evidence/information regarding the proper implementation, operation, and control of information and of the Information System resources. Information Technology (IT) in banks and financial institutions has facilitated greater systemic efficiency in the banking and financial sector, but it has also introduced new areas of risk.
RBI has advised banks to implement IS Audit as a part of the risk-based internal audit system. The IS audit system in banks has replaced the earlier computer/EDP audit.
Information System (IS) Audit identifies risks and methods to mitigate those risks arising out of Information Technology (IT) infrastructure such as server architecture, local and wide area networks, physical and information security, telecommunications, etc.
Information System (IS) Audit covers the effectiveness of policy and oversight of Information Technology (IT) systems, evaluates the adequacy of processes and internal controls, recommends corrective action to address deficiencies, and follows up on that action. IS Audit also evaluates the effectiveness of business continuity planning and the disaster recovery set-up, and ensures that the BCP is effectively implemented in the organization. During IS Audit, importance shall be given to compliance with all the applicable legal and statutory requirements.
The Information System (IS) Audit reviews and evaluates automated information processing systems, related non-automated processes, and the interfaces among them.
The objectives of IS audit include the following:
- Safeguarding of Information System Assets/Resources
- Maintenance of Data Integrity
- Maintenance of System Effectiveness
- Ensuring System Efficiency
Information Systems Audit Approaches:
I. Auditing around the computer:
Under this approach, special attention is given to checking the correctness of the output data with reference to the input of a process, without going into the details of the processing involved. This approach is used where auditors do not have the technical skills to adopt the other approaches. It is also used when high reliance is placed on the users rather than on the computer controls to safeguard the assets, maintain data integrity, and attain the effectiveness and efficiency objectives. The focus is on the procedural controls rather than the computer controls.
II. Auditing through the Computer:
Auditing through the computer requires knowledge of the operating system and the hardware being used, and certain technical expertise in systems development. Under this approach, the computer programs and the data constitute the target of the Information System (IS) audit. The IS auditor can test the application system effectively using this approach. Information System (IS) auditors can use computers to test the logic and controls existing within the system, and also the records produced by the system. This approach increases the confidence of the IS auditor in the reliability and applicability of the evidence collected and evaluated. It is a time-consuming approach, as it needs an understanding of the application system, and it also needs some technical expertise.
III. Auditing with the Computer:
Under this approach, the computer system and programs are used in the audit process. The objective is to perform substantive tests using computers and their programs. The data from the auditee's computer system are retrieved into an independent environment. Audit interrogation and queries are carried out on such data, using special programs designed for the purpose. This method is used where the application system consists of a large volume of inputs producing a large volume of outputs, where direct examination of the inputs/outputs is difficult, and where the logic of the system is complex.
Computer-Assisted Audit Tools and Techniques (CAATTs): CAATTs are efficient and effective ways to audit system-generated files, records, and documents and to evaluate the internal controls of an accounting system in many Information Systems. Banks should adopt a proper mix of manual techniques and CAATTs for conducting IS Audit. CAATTs may be used in critical areas (such as detection of revenue leakage, treasury functions, assessing the impact of control weaknesses, monitoring customer transactions under AML requirements, and generally in areas where a large volume of transactions is reported), particularly for critical functions or processes having financial/regulatory/legal implications. There are five basic approaches, as under, for testing the application controls using CAATTs (Computer-Aided Audit Tools and Techniques).
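The "auditing with the computer" approach and the CAATT use cases above (completeness, duplicates, revenue leakage, AML monitoring) can be illustrated with a small set of substantive tests run over an extract in the auditor's independent environment. This is an added example, not code from any bank or from RBI guidance; the transaction records, field names, fee schedule and cash-reporting threshold are all constructed assumptions.

```python
from collections import Counter
from decimal import Decimal

# Constructed extract of transaction records, as retrieved from the auditee's
# system into the auditor's own environment. Field names are assumptions.
EXTRACT = [
    {"seq": 1001, "acct": "A-100", "kind": "CASH_DEP", "amount": Decimal("250000"),  "fee": Decimal("0")},
    {"seq": 1002, "acct": "A-101", "kind": "RTGS_OUT", "amount": Decimal("600000"),  "fee": Decimal("0")},
    {"seq": 1003, "acct": "A-102", "kind": "CASH_DEP", "amount": Decimal("1500000"), "fee": Decimal("0")},
    {"seq": 1005, "acct": "A-101", "kind": "RTGS_OUT", "amount": Decimal("600000"),  "fee": Decimal("25")},
    {"seq": 1006, "acct": "A-103", "kind": "CASH_WDL", "amount": Decimal("40000"),   "fee": Decimal("0")},
]

# Constructed parameters: in practice the fee schedule comes from the approved
# tariff and the threshold from the bank's AML policy / regulatory reporting rules.
FEE_SCHEDULE = {"RTGS_OUT": Decimal("25")}
CASH_REPORT_THRESHOLD = Decimal("1000000")

def sequence_gaps(records):
    """Completeness test: sequence numbers missing from the extract."""
    seqs = sorted(r["seq"] for r in records)
    present = set(seqs)
    return [s for s in range(seqs[0], seqs[-1] + 1) if s not in present]

def duplicates(records):
    """Duplicate detection: same account, type and amount posted more than once."""
    counts = Counter((r["acct"], r["kind"], r["amount"]) for r in records)
    return [key for key, n in counts.items() if n > 1]

def fee_leakage(records):
    """Revenue leakage: chargeable transactions where the scheduled fee was not collected."""
    return [r["seq"] for r in records
            if r["kind"] in FEE_SCHEDULE and r["fee"] < FEE_SCHEDULE[r["kind"]]]

def cash_above_threshold(records):
    """AML monitoring: cash transactions at or above the reporting threshold."""
    return [r["seq"] for r in records
            if r["kind"].startswith("CASH") and r["amount"] >= CASH_REPORT_THRESHOLD]

def control_totals(records):
    """Control totals to reconcile against the auditee's own system reports."""
    return {"count": len(records),
            "amount": sum(r["amount"] for r in records),
            "fees": sum(r["fee"] for r in records)}

if __name__ == "__main__":
    for test in (sequence_gaps, duplicates, fee_leakage, cash_above_threshold, control_totals):
        print(f"{test.__name__}: {test(EXTRACT)}")
```

Each exception list is a lead for follow-up with the auditee, not a finding by itself; the control totals are compared against the totals reported by the application to confirm the extract is complete before the other tests are relied upon.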