Introduction
An information technology audit, or information systems audit, is an examination of the controls within an information technology (IT) infrastructure. IT auditing is a branch of general auditing concerned with governance (control) of information and communications technologies (computers). IT auditors primarily study computer systems and networks from the point of view of examining the effectiveness of their technical and procedural controls to minimise risks. IT audits are also known as automated data processing (ADP) audits, computer audits, IS, IT or ICT audits, and systems audits. They were formerly called electronic data processing (EDP) audits.

History of IS Audit
The concept of IT auditing was formed in the mid-1960s. Since that time, IT auditing has gone through numerous changes, largely due to advances in technology and the incorporation of technology into business.

Functions of IS/IT Auditor
The IT auditor is often the translator of business risk, as it relates to the use of IT, to management: someone who can check the technicalities well enough to understand the risk (not necessarily manage the technology), make a sound assessment, and present risk-oriented advice to management.

IT auditors review risks relating to IT systems and processes, some of which are:
1. Inadequate information security (e.g. missing or out-of-date antivirus controls, open computer ports, open systems without passwords or with weak passwords, etc.)
2. Inefficient use of corporate resources, or poor governance (e.g. huge spending on unnecessary IT projects such as printing resources, storage devices, high-power servers and workstations, etc.)
3. Ineffective IT strategies, policies and practices (including a lack of policies for the use of Information and Communication Technology (ICT) resources, Internet usage policies, security practices, etc.)
4. IT-related frauds (including phishing, hacking, etc.)

1 Compiled by: Mr. Avadh Yadav, Bos, Noida
INFORMATION SYSTEMS AUDIT
Categories of IS/IT audits
IT audits have been categorized into five types:
1. Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
2. Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
3. Systems Development: An audit to verify that the systems under development meet the objectives of the organization and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
4. Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
5. Telecommunications, Intranets, and Extranets: An audit to verify that controls are in place on the client (the computer receiving services), on the server, and on the network connecting the clients and servers.
IS Audit Standards
The most obvious source of Best Practice for information security is ISO, the coordinating body for most of the world's national standards bodies. For example, ISO/IEC 27002, the Code of Practice for Information Security Management, is part of a coherent and growing suite of information security standards (the ISO27k series) that is being actively developed and extended. National standards bodies such as BSI, ANSI and NIST issue a great deal of carefully considered guidance on information security and other areas that could be considered Best Practice, at least within the specific scope of their intended applications. Professional bodies such as (ISC)2, SANS, ISSA, ISF and ISACA also promote best information security practices in...