IT Systems Audit

The dictionary defines a ‘system’ as a set of things, principles, or procedures working cohesively to achieve a common objective. An organization depends on many such systems for its financial success. The procurement system, the HR system, payroll processing, the IT system, and many others are examples of systems that are necessary for the proper functioning of the organization. Needless to say, unless all these systems run cohesively and smoothly, the organization will not function properly. That is why internal audits and systems audits play an important role in the success of an organization. Note that the term ‘systems audit’ can refer to all the audits a firm undertakes, or to the information technology (IT) systems audit. For the purpose of this article, whenever we say ‘systems audit’, we mean an IT systems audit.

IT Systems
In the past, computers were a novelty. They were mostly used for mathematical and scientific purposes. Mainframe computers were massive, clumsy to operate, and highly expensive. However, the desktop PCs introduced in the late 80s were compact, inexpensive, and perfectly suitable for simple accounting work like bookkeeping and accounts writing. As processing chips grew faster and better, more and more organizations started to use computers to automate their tasks. Payroll processing, inventory management, bookkeeping, debit and credit balances, HR: everything became automated.

The technology of today is rapidly changing the nature of work for most accountants and auditors. Readymade software packages are available that allow accountants to summarize transactions in standard formats of financial records and organize data in special formats employed in financial analysis. With increased connectivity, thanks to the better penetration of high-speed internet, it is now even possible to outsource tasks like payroll processing, HR activities, and other such activities that were previously undertaken only in-house. Thanks to Industry 4.0, which allows multiple devices to talk with each other and exchange real-time data, information technology has radically changed the way accounts and finance are processed.

Moreover, IT trends keep changing over time. What was amazing a month back becomes obsolete when something better comes up. Hackers always up the ante with innovative, disruptive techniques, and auditors need to be aware of the latest threats. E-mails play an extremely important part in today’s business ecosystem. Auditors need to know how to catch malpractices and how to educate their clients about server security.

Information Systems Audit
An information systems audit takes stock of the various controls within the IT systems infrastructure. It is the process of collecting and evaluating evidence of the design and function of the controls designed and implemented in information systems, practices, and operations. In many countries, it is not mandatory by law to perform an information systems audit; it is mostly done as a best practice. It can be performed by any competent auditor with a recognized qualification in this field. An information systems audit can be performed independently of, or along with, an audit of financial statements. More often than not, it remains an independent function used during the testing of controls.

IT Auditing Objectives
Exactly what to audit depends upon what has been defined as the scope of the IT audit. It can include standardization of hardware, operating systems, system software, and applications. It can include interoperability of financial data across software, or it can involve data integrity and security. Before starting an IT audit, it is important to define and freeze the scope of work, because ‘IT audit’ is a vague term. However, in general, an IT audit entails:

  • Application of risk-oriented audit approaches
  • Use of computer-assisted audit tools and techniques
  • Application of national or international standards
  • Understanding of business roles and expectations in the auditing of systems under development
  • Compliance adherence
  • IT security

An information systems audit ensures that the computerization activity of an organization follows best practices and abides by all statutory requirements. The scope of a systems audit extends over all information systems assets and processes that are owned or used by an entity or its representatives. These assets include information assets (such as databases, guides, backup guidelines, continuity plans, etc.), software assets (like the operating systems, application software, development tools and environment, monitoring utilities, and so on), and physical assets (like computer hardware and peripherals, communication equipment, storage devices, etc.). A systems audit seeks to ensure that the confidentiality, integrity, and availability of all information systems assets and processes are not compromised. In order to achieve this, an information systems audit focuses on the existence, adequacy, and efficiency of relevant controls.

In the end, management needs reports that tell them what they are doing right, and how to improve the systems if they are doing something wrong. The IT audit team provides a computerized audit trail and an assessment of interwoven and complex systems, and identifies their strengths and weaknesses.

IT System Audit Services
It is not an easy task to properly audit IT systems. The auditing team needs to have deep knowledge of:

  • Hardware and software security concerns
  • Risk-based information systems audit
  • Auditing disaster recovery plans
  • Auditing in the e-commerce and cloud environment
  • Security testing

It is not easy to locate a competent team that can perform IT audits, because IT auditing is a complicated and ever-evolving task. IT systems auditors need to stay abreast of the latest IT trends, be aware of the various software platforms, and be able to assess vulnerabilities. Only a few consultants provide systems audits in conjunction with other audits like internal audits or finance audits.