INTRODUCTION TO INFORMATION SYSTEMS AUDIT PROCESS
IS audit process encompasses the entire practice of Information Systems
auditing, including procedures and a thorough methodology which allows an
Information Systems auditor to perform an audit on any IT area in a professional
manner – ISACA Technical Review Manual.
In practice, the IS audit environment presents three scenarios:
(a) Data input scenario;
(b) Data processing stage; and
(c) Output/Result stage, all of which constitute the IS audit universe.
Generally, the audit activity that should be covered in the above stages is spelt
out in three areas, namely:
(a) Application systems reviews;
(b) System development reviews; and
(c) Installation and facilities reviews
Application Review
This process covers the audit of controls over business systems that are supported by computers. For example, applications could include:
(a) General ledger;
(b) Payroll;
(c) Accounts receivable; and
(d) Banking applications in the case of financial institutions.
Application controls are classified into:
(a) Input controls;
(b) Processing controls;
(c) Output controls;
(d) Documentation; and
(e) Programming/Change controls.
System Development Reviews
This has to do with the audit of the application development process. The stages in this process include review of:
(i) Feasibility study;
(ii) Application Development process;
(iii) Application Testing;
(iv) Implementation;
(v) Documentation; and
(vi) Maintenance.
Installations and Facilities Review
These are audits of the operations and support functions of the computer environment. These are also called Computer Information Systems (CIS)
operations reviews. They cover such things as proper controls over
installation and facilities to ensure that computer systems are operating
efficiently and are adequately secured from loss or damage. The following
areas should be covered under the review:
(a) Security of installations/facilities, which should include:
(i) Physical access to the computer area;
(ii) Environmental controls;
(iii) Data security; and
(iv) Disaster recovery issues (the ability to recover and process
in the event of an interruption or disaster).
(b) Organisation of the computer functions to ensure adequate
segregation of duties. Segregation of duties ensures that no one
can manipulate the processing or data for unauthorised purposes.
For example, the programming function should be separate from
the operating of the computer.
(c) Data Control covering:
Examination of controls governing the receipt of data for
processing; these controls should include methods that ensure
that all data was received for processing and that only authorised
transactions were received.
(d) Computer equipment: accounting for individual items of computer
equipment; maintenance procedures should maximise the life
and usefulness of the equipment.
(e) Computer equipment controls should include:
(i) Periodic preventive maintenance;
(ii) Documented maintenance agreements;
(iii) Service request procedures;
(iv) Documented procedures for use of equipment; and
(v) Review of equipment should include perishables and non-perishables.
(f) Library
(i) The library contains files used by applications and systems/
sub-systems for data processing activities;
(ii) Magnetic tape files may also be controlled by the library;
and
(iii) Controls should include: library management systems
(manual or automated) which provide records of file
location, contents, and retention periods; inventory
procedures for accounting for files; and cleaning,
maintenance and replacement procedures.
(g) Programs and Systems
(i) Establish procedures to ensure that systems and programs
in the live working environment are authorised and fully
documented; and
(ii) The IS auditor should evaluate the controls over support
systems such as operating systems, database management
systems, telecommunications software and utility
programs.
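The completeness and authorisation controls described under (c) Data Control, as an added example that is not from the source text; it assumes a constructed batch control record (record count and amount hash total) and a constructed list of authorised input sources:

```python
# Added example (not from the source text): the input data control checks of
# item (c). Each batch carries a control record (expected record count and
# amount hash total) and every transaction must come from an authorised source.
from dataclasses import dataclass, field
AUTHORISED_SOURCES = {"BR01", "BR02"}  # constructed list of approved input sources

@dataclass
class Transaction:
    txn_id: str
    source: str
    amount: int  # minor currency units

@dataclass
class Batch:
    batch_id: str
    expected_count: int  # record count from the batch control slip
    expected_total: int  # hash total of amounts from the control slip
    transactions: list = field(default_factory=list)

def check_batch(batch, authorised_sources=AUTHORISED_SOURCES):
    """Return the list of control exceptions; an empty list means the batch passes."""
    exceptions = []
    received = len(batch.transactions)
    if received != batch.expected_count:  # completeness: every record arrived
        exceptions.append(f"{batch.batch_id}: record count {received} != control count {batch.expected_count}")
    total = sum(t.amount for t in batch.transactions)
    if total != batch.expected_total:  # accuracy: amounts unchanged in transit
        exceptions.append(f"{batch.batch_id}: hash total {total} != control total {batch.expected_total}")
    for t in batch.transactions:  # authorisation: only approved sources
        if t.source not in authorised_sources:
            exceptions.append(f"{batch.batch_id}: {t.txn_id} from unauthorised source {t.source}")
    return exceptions

# Constructed sample: B100 is clean. B101 lost a record and has an unapproved
# source, yet its hash total still agrees, so only the count check catches the
# loss. B102 is complete but one amount was altered, so only the total catches it.
SAMPLE_BATCHES = [
    Batch("B100", 3, 4500, [Transaction("T1", "BR01", 1000), Transaction("T2", "BR02", 1500), Transaction("T3", "BR01", 2000)]),
    Batch("B101", 3, 3000, [Transaction("T4", "BR01", 1000), Transaction("T5", "BR09", 2000)]),
    Batch("B102", 2, 5000, [Transaction("T6", "BR02", 2000), Transaction("T7", "BR02", 2000)]),
]

def audit(batches):
    """Map each batch id to its exceptions, as recorded in the working papers."""
    return {b.batch_id: check_batch(b) for b in batches}

if __name__ == "__main__":
    for batch_id, exc in audit(SAMPLE_BATCHES).items():
        print(batch_id, "PASS" if not exc else exc)
```

Record count and hash total are complementary: a dropped record can leave the total intact, and an altered amount can leave the count intact, which is why an auditor tests both.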