Auditing Information Systems Process PowerPoint
Running head: AUDITING INFORMATION SYSTEMS PROCESS 1
AUDITING INFORMATION SYSTEMS PROCESS 2
Auditing information systems process
Student’s Name
University Affiliation
Process of Auditing information systems
Information system is the livelihood of every huge company. As it has been in the past years, computer systems don’t simply document transactions of business, rather essentially compel the main business procedures of the venture. In this kind of a situation, superior administration and company managers usually have worries concerning an information system. assessment is a methodical process in which a proficient, autonomous person impartially gets and assesses proof concerning affirmations about a financial unit or occasion with the intent to outline an outlook about and giving feedback on the extent in which the contention matches an acknowledged standards set. information systems auditing refers to the administration controls assessment inside the communications of Information Technology. The obtained proof valuation is used to decide if systems of information are defensive assets, maintenance reliability of data, and also if they are efficiently operating in order to attain organization’s goals or objectives (Hoelzer, 2009).
Auditing of Information Systems has become an essential part of business organization in both large and small business environments. This paper examines the preliminary points for carrying out and Information system audit and some of the, techniques, tools, guidelines and standards that can be employed to build, manage, and examine the review function. The Certified Information Systems Auditor (CISA) qualifications is recognized worldwide as a standard of accomplishment for those who assess, monitor, control and audit the information technology of an organization and business systems. Information Systems experts with a concern in information systems security, control and audit. At least five years of specialized information systems security, auditing and control work practice is necessary for certification. An audit contract should be present to evidently state the responsibility of the management, purpose for, in addition to designation of power to audit of Information System . The audit contract should also summarize the general right, responsibilities and scope of the purpose of audit. The uppermost level of management should endorse the contract and on one occasion it is set up, this contract is supposed to be distorted merely if the amendment is and might be meticulously defensible.
The process of auditing information systems involves;-
Audit Function Management; this process includes assessment which is systematic of policies and methods of management of the organization in management and utilization of resources, improvement of organization and employee, strategic and tactical planning. The main goals are to establish the present effectiveness level, suggesting improvements and putting down standards for performance in future.
Standards of Assurance, IT Audit and Guidelines; these involve the relationships between standards, tools, guidelines and techniques. It also comprises of the assurance framework of Information technology among other standards. They describe a framework of guidance and standards which relates to performance and acceptance of assurance activities and auditing (John, 2007).
Risk Analysis; this involves identifying specific risks that might be faced by the information system of the organization and establish the impacts, occurrence likelihood, severity and priority and recommendations of strategies of mitigation.
Internal Controls; these are actions that the management and other groups take for risk management and increase the possibility that the identified goals and objectives will be attained.
Perform an Information System Audit; this process involves the evaluation of weaknesses and strengths of the audit, testing, sampling, recommendation implementation of the management and communicating the results of the audit, among others (Richard, 2007).
The function of audit of Information System is to evaluate and offer suggestions, reassurance in addition to feedback. These apprehensions may be categorized in three wide categories:
· accessibility:
This entails whether the information scheme which the organization greatly depends on will be accessible for the company during all the occasions when needed. It also answers questions like whether the whole of the system is well protected against all kinds of disasters and losses.
· discretion:
This concerns whether the data inside the system will be revealed solitary to the people who are in need to see it and utilize it but not to everyone else.
· reliability:
This entails whether the data offered by the system will at all times be timely, dependable in addition to being accurate. It also makes sure that there is no illegal alteration that could be carried out on the software or else the data inside the system.
The advantages of review can be categorized into four groups which include:
· Strategic Benefits.
Reliability of information formed by the business.
Improved client assurance.
· Operational advantages.
Improved worker Morale in addition to Productivity.
Reliability of Data makes it possible for Management to formulate accurate and informed choices.
· economic Benefits.
Improved Performance of the hardware.
prices of burglary of Information System property are condensed.
· technological Benefits.
Organization choices regarding Computer generated information are consistent.
Company associates trust the Organization’s administration distribution in addition to control of susceptible Data.
ASPECTS OF INFORMATION SYSTEM AUDIT:
information systems are not merely processors. present information systems have become intricate and contain many constituents which come together to build a company resolution (Weber, 2002). Reassurance about information systems could be attained simply if every constituent is assessed and protected. The main aspects of Information Systems review could be largely categorized into:
· Environmental and physical evaluation
which consists of humidity control, air conditioning, power supply, physical security in addition to other ecological aspects.
· system management evaluation:
system management evaluation entails safety evaluation regarding the database administration schemes, operating structures and each and every system management compliance along with procedures.
· appliance software evaluation.
The appliance of the business can be an enterprise resource planning system, a web based client order processing system, invoicing or a payroll scheme that essentially operates the company. The evaluation of such appliance software would include corresponding manual procedures and controls, business procedures within the application software, mistake and exception handling, validations, authorizations and access control. In addition, an evaluation of the scheme development lifecycle is supposed to be accomplished.
· system security evaluation.
The typical areas covered by this review include the evaluation of the external and internal connections to the system, intrusion detection and port scanning, router admission control lists, review of the firewall and boundary security.
· Business permanence review.
Business permanence review entails maintenance plus existence of error lenient and superfluous hardware, backing storage, procedures plus tested disaster and documented business or recovery stability arrange.
· information reliability evaluation.
The intention of this examination of live information is for confirming the impact of weaknesses in addition to sufficiency of controls like observed on or after one of the previous evaluations. Such substantial investigation can be carried out using a software for comprehensive auditing. for instance PC aided review procedures (Weber, 2002). It can be imperative appreciating that every review may have all of these aspects in different extents. various auditors may examine just one of the aspects and leave the other aspects. However, it is essential to carry out all the aspects though it is not compulsory to carry out all of them in one task. The set of skills that is needed for every of these aspects is dissimilar. The outcomes on every review require not to be perceived in relation to another. This allows the examiner and the administration to obtain the full scrutiny of problems and concerns. This review is very important.
All these aspects require to be tackled in order to give the administration an apparent evaluation of the scheme. For instance, appliance software can be fine planned and executed with all the safety characteristics, and the defaulting user secret code inside the working system utilized on the server could not have been altered, thus permitting somebody to see the records files openly. a circumstance like this contradicts whatsoever precautions that was constructed into the appliance. similarly, technological system safety and firewalls might have been executed thoroughly, excluding the access controls and task definitions in the application software might have also been inadequately planned and executed where making use of the client IDs, workers might get to see vital and delicate data far ahead of their positions (Weber, 2002)..
We should also appreciate that every examination might entail these aspects in different actions. Some reviews may inspect just one of the aspects or leave some of the aspects. It is however necessary to to carry out all of these aspects but it is not compulsory to carry out all of them in a single task. The set of skills needed for every aspect is dissimilar. The outcomes of each review should not be perceived the same as another. This will allow the examiner and the administration to get a complete view of concerns and difficulties. This review is very significant.
threat based Approach
each organization utilizes several of systems of information. There might be diverse functions for diverse activities in addition to functions and there might be various workstation installations at diverse physical positions. The examiner is confronted with the difficulties of what to audit, at what time in addition to how regularly he should do so. The response to all this is to implement an approach that is threat based. whereas there are hazards intrinsic to the systems, the hazards crash diverse schemes in diverse ways. hazards of no availability can be severe even if it happens for an hour (Weber, 2002). hazards of illegal alteration could be a basis to potential losses as well as frauds to online bank system. A bunch dispensation scheme or an information merging system might be comparatively a little more susceptible to a number of these perils. The industrial surroundings on which the scheme operate on may also have an effect on the hazard connected by the system.
The procedure that could be pursued for a threat based approach to creation of an review plan include:
1. Account for the information system in exercise in the business and classify them.
2. Decide on which of the system has vital assets or functions, for examle how close to actual time they function, decision making, customers, materials and money.
3. Evaluate which hazards influence the systems and their strictness of consequence on the company.
4. Categorize the schemes on basis of the above evaluation and settle on the review frequency, schedule, assets and priority.
The auditor can then come up with an annual review plan that classifies the reviews that will be carried out during the period od of time according to the plan in adition to the assets that are necessary. Groundwork before instigating a review entails gathering of background data and examining the skills plus the resources needed to perform the review. This allows employees having the correct type of proficiency to be selected to the correct task. It is at all times good to have an official review beginning convention with the top administration answerable for the section under review to conclude the extent, recognize the extraordinary problems, if present, plan the date as well as clarify on the technique for the review. conventions like this should get topr administration concerned, permit individuals to meet up with one another, explain concerns and essential company worries as well as assist the review to be performed efficiently (Weber, 2002).
References
Weber, R. (2002). EDP Auditing. Conceptual Foundations and Practice.
Hoelzer, D. (2009). Audit Principles, Risk Assessment & Effective Reporting. SANS Press.