Many people have asked me why I chose Information Systems Audit as my major in college and what I would do as an Information Systems Auditor in the future.
The answer, which is not exactly brief, is below:
Many organizations, regardless of their size or scope of operation, have come to realize the importance of using Information Technology (IT) to stay ahead in the current global scenario. Companies invest in Information Systems because they recognize the numerous benefits IT can bring to their operations. Management should therefore recognize the need to ensure that IT systems are reliable, secure and resistant to computer attacks.
The bottom line in IT is data security. The purpose of Information Security is to ensure data Confidentiality, Integrity and Availability (CIA).
- Confidentiality refers to the protection of data from unauthorized disclosure. Unauthorized, unintended or unanticipated disclosure can result in legal action, financial loss, loss of public confidence or embarrassment. For example, personal medical information is protected by law, and any unauthorized disclosure of such information, regardless of whether it was intentional or not, is illegal. Protecting this information is a major part of Information Security.
- Integrity has to do with protecting information from unauthorized or unintended modification. Hackers often have the modification of data as one of their goals, whether that data is user permissions, network access, or business data such as pricing on a Web site or pay rates for employees. Protecting data from tampering by unauthorized persons is paramount in Information Security.
- Availability pertains to critical business data being available when needed. If a database is corrupted, it is not available for use. If a Web site is hacked, it is not available for use. If a Web site is flooded with connection requests (a Denial of Service attack), it is not available for use. These kinds of availability problems can be intentional or accidental. The key to ensuring data availability is backup. Backed-up data should ideally be stored at a location far away to ensure its safety, but this distance should take into account the time it would take to recover the backed-up data.
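The integrity and availability points above are the ones an auditor can actually test rather than merely discuss: is the backup copy still what was written, and can it be restored within the time the business can tolerate? The following Python script is an added illustration written for this post, not code from the original author. It builds a per-file SHA-256 manifest for a constructed sample backup set, seals the manifest with an HMAC under a hypothetical key (`MANIFEST_KEY`) that is assumed to be held separately from the backup media, detects a simulated modification of one file, and then times a restore against an assumed recovery-time objective.

```python
"""Backup integrity and restore-time check (added illustration, not from the original post)."""
import hashlib
import hmac
import json
import os
import tempfile
import time

# Constructed sample "backup set": file name -> contents. In a real audit this
# would be the files read back from the off-site backup copy.
SAMPLE_BACKUP = {
    "customers.csv": b"id,name,balance\n1,Alice,100.00\n2,Bob,250.50\n",
    "pricing.json": b'{"widget": 9.99, "gadget": 19.99}\n',
}

# Hypothetical key held by the audit/backup team, stored apart from the backup
# media, so that someone who can alter the backup cannot also re-seal the manifest.
MANIFEST_KEY = b"constructed-demo-key-not-for-production"


def write_backup(directory, files):
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory, key=MANIFEST_KEY):
    """Record one digest per file and seal the whole record with an HMAC."""
    entries = {name: file_digest(os.path.join(directory, name))
               for name in sorted(os.listdir(directory))}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def verify_manifest(directory, manifest, key=MANIFEST_KEY):
    """Return (ok, problems). The seal is checked first, then every listed file."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, ["manifest seal does not verify (manifest itself altered?)"]
    problems = []
    present = set(os.listdir(directory))
    for name, digest in manifest["entries"].items():
        if name not in present:
            problems.append(f"missing: {name}")
        elif file_digest(os.path.join(directory, name)) != digest:
            problems.append(f"modified: {name}")
    for name in sorted(present - set(manifest["entries"])):
        problems.append(f"unexpected extra file: {name}")
    return not problems, problems


def timed_restore(source_dir, target_dir, manifest, rto_seconds):
    """Copy the backup into place, re-verify it, and compare elapsed time with the RTO."""
    start = time.monotonic()
    for name in manifest["entries"]:
        with open(os.path.join(source_dir, name), "rb") as src, \
             open(os.path.join(target_dir, name), "wb") as dst:
            dst.write(src.read())
    elapsed = time.monotonic() - start
    ok, problems = verify_manifest(target_dir, manifest)
    return {"restored_ok": ok, "problems": problems,
            "elapsed": elapsed, "within_rto": elapsed <= rto_seconds}


def demo():
    """Build a manifest, tamper with one file, detect it, then restore. Returns observations."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as restore:
        write_backup(backup, SAMPLE_BACKUP)
        manifest = build_manifest(backup)
        clean_ok, _ = verify_manifest(backup, manifest)
        # Simulated integrity failure: a price is silently changed on the backup copy.
        with open(os.path.join(backup, "pricing.json"), "wb") as fh:
            fh.write(b'{"widget": 0.01, "gadget": 19.99}\n')
        tampered_ok, problems = verify_manifest(backup, manifest)
        # Put the genuine content back and exercise the restore path against a 60 s RTO (assumed).
        write_backup(backup, SAMPLE_BACKUP)
        result = timed_restore(backup, restore, manifest, rto_seconds=60)
        return {"clean_ok": clean_ok, "tampered_ok": tampered_ok,
                "problems": problems, "restore": result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is that a plain digest list stored next to the backup proves little, because whoever can change the data can regenerate the digests; the HMAC under a separately held key is what turns the manifest into evidence an auditor can rely on. The restore timing is the availability half of the check: a backup that verifies but cannot be brought back within the recovery-time objective does not satisfy the "available when needed" requirement.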
An Information Systems Audit therefore seeks assurance that the organization's data is stored confidentially, that its integrity is preserved, and that it is available at all times to authorized users. An Information Systems Audit is an audit of an organization's IT systems, management, operations and related processes.
Auditing IT systems involves a set of tasks that help reduce the risk of an intrusion or attack. Audits are concerned primarily with ensuring that the company maintains data confidentiality, integrity and availability, because these are the areas that typically come under attack. In some cases an attack disables a company's critical business functions; in more extreme cases it disables the company's entire operations and creates a significant legal or financial liability for the firm as well.
There are three types of Information System Audits:
- An audit carried out in support of a financial statements audit (Financial Audit),
- An audit to evaluate compliance with applicable laws, policies and standards related to IT (Compliance Audit), and
- A performance (or value-for-money) audit (Information Technology Audit). The objectives of this audit include finding out whether there is any excess, inefficiency or wastage in the use and management of IT systems. It is carried out to assure the stakeholders that the IT system in place is worth the money invested in it.
IT auditors can be involved from the initial design and installation of Information Systems to ensure that the three components of Information Security (confidentiality, integrity and availability) will be complied with. IT auditors' roles can therefore be summarized as: participating in the development of high-risk systems to ensure appropriate IT controls are in place, auditing existing information systems, providing technical support to other auditors, and providing IT risk consultancy services.
An IT auditor uses some general tools, technical guides and other resources recommended by ISACA or any other accredited body. This is why many audit organizations will encourage their employees to obtain relevant certifications such as CISA (Certified Information Systems Auditor) which is awarded by ISACA.
The general steps followed during an IT audit are: establishing the objectives and scope, developing an audit plan to achieve the objectives, gathering information on the relevant IT controls and evaluating them (groundwork), carrying out testing, and finally reporting on the findings of the audit. Additionally, there may be a follow-up step to find out whether any recommendations by the audit team have been implemented and to address any issues that have arisen since.
The basic areas of an IT audit scope can be summarized as: organizational policy and standards, the organization and management of computer facilities, the physical environment in which computers operate, contingency planning, the operation of system software, the application system development process, review of user applications, and end-user access.
Auditors in general have long been perceived as sadists whose role is to find the mistakes employees have made. The perception of IT auditors is somewhat similar, and it is not strange to encounter slightly uncooperative employees. This is quite unfortunate, because IT auditors (like any other auditors) are not there to make life harder for everyone but to listen, observe and identify risk areas in order to make life easier for everyone thereafter.
Thus IT managers and other employees who may be involved in the audit process are encouraged to be cooperative and to look at the audit as a chance to improve their systems' security and reliability. Any recommendations by the audit team should be taken as advice, because the auditor's role is purely advisory. Management is responsible for developing the security policies and implementing the recommendations from the audit report. Audits are a management tool, not a punishment.
For a company venturing into new markets, it is important to note that an audit is useful in building confidence and public reputation. Suppose a company is setting up in a new market and the business head decides that cutting costs is the priority. The business head then chooses the cheapest information systems available, without taking into account the vulnerabilities of the new systems, of which he may not be aware. The installation process may likewise skip various IT controls, leading to a system that is vulnerable to tampering. If an incident occurs and is reported in the news, the company risks losing its reputation and any customers it may have gained. Dealing with security incidents in the news is much more costly than preventing them in the first place, and lost reputation means competitors gain a larger customer base and profit margin.
In summary, an Information Systems Audit is important because it gives assurance that the IT systems are adequately protected, provide reliable information to users, and are properly managed to achieve their intended benefits. It also reduces the risk of data tampering, data loss or leakage, service disruption, and poor management of IT systems.