CA Bharatish Ballal
Information systems and audit
Information itself is an important asset in today’s business. If information is lost, modified or misused, the business can suffer a huge loss. Hence information security is important for any business. Information systems in business, including banking, are becoming technology oriented. Computers are used in all areas of business, including financial accounting. Internal controls used in a Computerized Information System (CIS) environment should also aim at information security. This aspect of internal control is mostly overlooked in a Financial Audit, where evidence collection and evaluation is more important. Audit provides assurance to the stakeholders of a business. The assurance provided by a financial audit is about the financial statements, which many stakeholders rely upon and base their decisions on. However, there are risks associated with any business that are not highlighted in a financial audit.
Operational Risk and Audit
For example, the Basel II Accord mentions ‘operational risks’ that are due to failure of systems, processes, procedures and human action/inaction (fraud), legal restrictions, etc. in the operation of banks, some of which are not dealt with in a financial audit. The Basel Committee has identified people, processes, systems and external events as potential hazards for operations. Inadequacy or failure of any of them can result in events that cause losses. Every business has to identify the events relevant to it. The events may be similar within the same industry, but vary from organization to organization. The whole exercise of operational risk management is to identify potential events that are likely to cause losses. Here is a list of some of the events that could lead to operational risk (non-exhaustive):
Technology error
Fraud and theft
Legal, regulatory non-compliance
Processes, people and systems are closely linked with information systems. Even measurement and recognition of external events need information systems. Therefore, under the new Accord, the job of an audit and control practitioner shall become more onerous and challenging.
Therefore a financial audit cannot assure that the information system is foolproof, as the financial auditor is not an expert in information technology. Hence an expert should provide an opinion that the information system is risk-free. This is where Information System Audit (IS Audit) comes into the picture.
Meaning of IS audit
Information systems audit is a part of the overall audit process, which is one of the facilitators for good corporate governance. While there is no single universal definition of IS audit, Ron Weber has defined it as "the process of collecting and evaluating evidence to determine whether a computer system (information system)
Safeguards assets
Maintains data integrity
Achieves organizational goals effectively and
Consumes resources efficiently."
Key Challenge in IS Audit
IS audit often involves finding and recording observations that are highly technical. Such technical depth is required to perform effective IS audits. At the same time, it is necessary to translate audit findings into vulnerabilities and business impacts to which operating managers and senior management can relate. Therein lies a main challenge of IS audit.
Scope of IS Audit
IS auditing is an integral part of the audit function because it "supports the auditor's judgment on the quality of the information processed by computer systems." Initially, auditors with IS audit skills are viewed as the technological resource for the audit staff. The audit staff often looks to them for technical assistance. Within IS auditing there are many types of audit needs, such as Organizational IS audits (management control over information technology),...