IT Audit
I. Risk Assessment
a. A risk assessment is often performed at the start of an IT initiative, before tools and technologies have been
deployed.
b. It is also performed every time the internal or external threat landscape changes.
c. In an organisation with mature security processes, risk assessment is performed regularly to assess new risks
and re-evaluate risks that were previously identified. The goal of a risk assessment is to determine how best to
build IT infrastructure to address known security risks. Hence, this activity is focused on outward factors and
how they affect infrastructure.
II. Security Audit
a. A security audit is performed on existing IT infrastructure to test and evaluate the security of current
systems and operations.
b. As a best practice, schedule security audits to be performed at regular intervals so that the overall security
posture is evaluated on an ongoing basis.
Security Audit
Point-in-time assessment
Verifies security commitments are being met
Leads to potential action items where gaps are identified
Typically less expensive than a risk assessment
Does not validate that the security program is aligned with risk
Does not provide a basis of design for an organizational security program
RBI also expects the Banks to report to the Cyber Security and Information Technology Examination (CSITE) Cell of the
Department of Banking Supervision, with the following details.
The objectives of IS audit are to identify the risks that an organization is exposed to in the computerized
environment. IS audit evaluates the adequacy of the security controls and informs the Management with suitable
conclusions and recommendations. IS audit is an independent subset of the normal audit exercise in an
organization. The overall objectives of the normal audit exercise do not change, when applied to the
computerized environment. The major objectives of IS audit include, among others, the following:
The Information System Assets of the organization must be protected by a system of internal controls. It
includes the protection of hardware, software, facilities, people (knowledge), data files, system
documentation, and supplies. This is because hardware can be damaged maliciously, software and data
files can be stolen, deleted, or altered and supplies of negotiable forms can be used for unauthorized
purposes. Safeguarding of the Information System Assets is a very important function of each
organization.
Data Integrity includes the safeguarding of the information against unauthorized addition, deletion,
modification, or alteration. This includes items such as accounting records, backup, documentation, etc.
Information Systems are used to capture, store, process, retrieve and transmit the data securely and
efficiently. The emphasis is on the accuracy of the data and its transmission in a secured manner. Data
Integrity also implies that during the various phases of electronic processing, various features of the data
viz.:
Accuracy
Reliability
Confidentiality
Availability
Completeness
Timeliness
The resources used by the Information Systems such as the machines, computer peripherals, software, etc.
are scarce and costly. Efficient Information Systems use minimum resources to achieve the desired
objectives. When a computer no longer has excess capacity, system efficiency becomes important. It
becomes necessary to know whether the available capacity has been exhausted or the existing allocation
of the computer resources is causing the bottlenecks.
Approaches of IS Audit
A. Auditing around the Computer
i. The emphasis is on checking the correctness of the output data/documents against the input of a process.
ii. This approach is used
Where auditors themselves do not have the desired level of technical skills to adopt the other approaches.
When high reliance is placed on the users rather than the computer controls to safeguard the assets, maintain
B. Auditing through the Computer
i. The computer programs and the data constitute the target of IS audit.
ii. Compliance and substantive tests are performed on the computer system, its software, and the data. IS auditors
can test the application system effectively using this approach.
iii. This approach is time-consuming, as it needs an understanding of the internal working of the application
system.
C. Auditing with the Computer
i. The computer system and its programs are used as tools in the audit process.
ii. The objective is to perform substantive tests using the computers and their programs.
iii. This method is used where
Application system consists of a large volume of inputs, producing a large volume of outputs
Logic of the system is complex
There are substantial gaps in the visible trails
iv. The IS audit documentation should contain a description of the CAAT (computer-assisted audit techniques) application.
Information Systems Audit Methodology
Audit activity is broadly divided into 5 major steps for the convenience and effective conduct of the audit:
i. Planning the IS Audit
ii. Tests of Controls
iii. Tests of Transactions
iv. Tests of Balances
v. Completion of the Audit
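As an added example (not part of the original notes or any RBI guidance), the following Python script shows the kind of CAAT used when "auditing with the computer": it runs substantive tests of transactions and balances over a whole population instead of a sample, which is what the approach is meant for when input volumes are large and the visible trail has gaps. The transaction records, account identifiers and reported balances are all constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed input trail (not real bank data): transactions as the
# application received them. Faults are planted on purpose for the audit.
TRANSACTIONS = [
    {"txn_id": 1001, "account": "A-1", "amount": 500.00, "type": "CR"},
    {"txn_id": 1002, "account": "A-1", "amount": 120.00, "type": "DR"},
    {"txn_id": 1003, "account": "A-2", "amount": 300.00, "type": "CR"},
    {"txn_id": 1005, "account": "A-2", "amount": 50.00, "type": "DR"},  # 1004 missing
    {"txn_id": 1005, "account": "A-2", "amount": 50.00, "type": "DR"},  # duplicate
    {"txn_id": 1006, "account": "", "amount": 75.00, "type": "CR"},     # no account
]

# Constructed output: balances as reported by the application. A-2 is wrong
# because the application posted the duplicate record twice.
REPORTED_BALANCES = {"A-1": 380.00, "A-2": 200.00}


def recompute_balances(txns):
    """Test of balances: derive each balance independently from the input
    trail, counting each txn_id once and skipping records with no account."""
    balances = defaultdict(float)
    seen = set()
    for t in txns:
        if not t["account"] or t["txn_id"] in seen:
            continue  # these records are reported separately by audit()
        seen.add(t["txn_id"])
        balances[t["account"]] += t["amount"] if t["type"] == "CR" else -t["amount"]
    return dict(balances)


def audit(txns, reported):
    """Tests of transactions and balances over the whole population:
    gaps and duplicates in the trail, incomplete records, and accounts whose
    reported balance differs from the recomputed one, as (reported, recomputed)."""
    ids = [t["txn_id"] for t in txns]
    gaps = sorted(set(range(min(ids), max(ids) + 1)) - set(ids))
    duplicates = sorted(i for i, n in Counter(ids).items() if n > 1)
    incomplete = [t["txn_id"] for t in txns if not t["account"] or t["amount"] <= 0]
    recomputed = recompute_balances(txns)
    mismatches = {}
    for acct in sorted(set(reported) | set(recomputed)):
        rep, rec = reported.get(acct, 0.0), recomputed.get(acct, 0.0)
        if abs(rep - rec) > 0.005:  # tolerance for rounding of monetary values
            mismatches[acct] = (rep, rec)
    return {"gaps": gaps, "duplicates": duplicates,
            "incomplete": incomplete, "balance_mismatches": mismatches}
```

On the constructed data, audit(TRANSACTIONS, REPORTED_BALANCES) reports the gap at 1004, the duplicate 1005, the incomplete record 1006 and a balance mismatch on A-2 (reported 200.0 against a recomputed 250.0); each finding becomes an action item for the audit working papers.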