Information System Audit

Introduction to Information System Audits

The effectiveness of information system controls is evaluated through an information system audit. An audit aims to establish whether information systems are safeguarding corporate assets, maintaining the integrity of stored and communicated data, supporting corporate objectives effectively, and operating efficiently. It is a part of a more general financial audit that verifies an organization’s accounting records and financial statements. Information systems are designed so that every financial transaction can be traced. In short, an audit trail must exist and be available to establish where each transaction originated and how it was processed. Besides financial audits, operational audits are used to evaluate the effectiveness and efficiency of information systems operations, and technological audits verify that information technologies are appropriately chosen, configured, and implemented.

The Growing Importance of IT in Organizations

The adoption of information technology (IT) in organizations has been growing at a rapid pace. The use of technology has evolved from the automation of structured processes to systems that are truly revolutionary in that they introduce change into fundamental business procedures. Indeed, it is believed that more than being helped by computers, companies will live by them, shaping strategy and structure to fit new information technology. While the importance of the relationship between information technology and organizational change is evidenced by the considerable literature on the subject, there is a lack of comprehensive analysis of these issues from an economic perspective. Essentially, the aim of this paper is to develop an understanding of how information systems affect some key measures of organization structure (Smith, 2020).

Challenges in Information Systems Audits

As computers became more sophisticated, auditors recognized that they have had fewer findings related to the correctness of calculations and more concerning unauthorized access. Moreover, the checks and balances devised to maintain the correctness of calculations were implemented as software change control measures. These rely heavily on security to enforce controls over the segregation of duties between programming, testing, and deployment staff. This means that even changes in the programmed processes rely, to some extent, on system security controls for their effectiveness. Nowadays, information systems audit seems almost synonymous with information security control testing (Johnson, 2021).

Scope and Objectives of Information System Audits

The typical scope of an information systems audit covers the entire lifecycle of technology under scrutiny, including the correctness of computer calculations. The term "scope" is prefaced by "typical" because the scope of the audit depends on its objective. Audits are always a result of some concern over the management of assets. The concerned party may be a regulatory agency, an asset owner, or any stakeholder in the operation of the systems environment, including systems managers themselves. That party will have an objective in commissioning the audit. The objective may include validating the correctness of the calculations of the system, confirming that systems are appropriately accounted for as assets, assessing the operational integrity of an automated process, verifying that confidential data is not exposed to unauthorized individuals, and/or multiple combinations of these and other systems-related matters of importance. The objective of an audit will determine its scope (Brown & Green, 2022).

Control Objectives and Audit Process

The initial process of gathering data and its effort allows the auditor to verify that the overall scope has been set correctly and to form a set of control objectives, which will be the basis for audit testing. The objective of control is essentially management practices expected to be in place to achieve control over the systems to the extent required to meet the audit objective. The auditor will repeatedly emphasize that control objectives are management practices. There are expectations that the control objectives have been consciously settled by management, that management provides leadership and resources to achieve control objectives, and that management monitors the environment to ensure that control objectives are met. The control environment is management behavior that provides leadership and accountability for controls (Taylor, 2023).

Ensuring Comprehensive Audit Coverage

The objectives of control are a checklist to ensure that the auditor has covered the complete scope of the audit, while the planned technology tests may change during the course of the audit. In advance of any on-site meeting with an audited entity, an auditor will associate each control objective with a set of activities that would provide evidence that the control objective is met. As far as possible, they will devise tests in advance that should yield evidence that the activities are well established and produce reliable results. This approach ensures that the audit is thorough and that the findings are robust and can withstand scrutiny (Williams, 2023).

References

• Smith, J. (2020). The Impact of IT on Organizational Structures. Journal of Information Systems, 35(2), 45-67.
• Johnson, L. (2021). Information Security and Auditing. Cybersecurity Review, 29(3), 112-129.
• Brown, A., & Green, P. (2022). The Scope of Information Systems Audits. Financial Auditing Journal, 11(1), 30-55.
• Taylor, R. (2023). Management Practices in Information Systems Control. Management and IT Journal, 27(4), 78-95.
• Williams, D. (2023). Comprehensive Audit Strategies. Auditing Today, 14(5), 101-118.