Understanding and Conducting Information Systems Auditing + Website
The increased dependence on information system resources for performing key activities within organizations has made system audits essential for ensuring the confidentiality, integrity, and availability of information system resources. One of the biggest challenges faced by auditors is the lack of a standardized approach and relevant checklist. Understanding and Conducting Information Systems Auditing brings together resources with audit tools and techniques to solve this problem.
Featuring examples that are globally applicable and covering all major standards, the book takes a non-technical approach to the subject and presents information systems as a management tool with practical applications. It explains in detail how to conduct information systems audits and provides all the tools and checklists needed to do so. In addition, it also introduces the concept of information security grading, to help readers to implement practical changes and solutions in their organizations.
Includes everything needed to perform information systems audits
Organized into two sections - the first designed to help readers develop the understanding necessary for conducting information systems audits and the second providing checklists for audits
Features examples designed to appeal to a global audience
Taking a non-technical approach that makes it accessible to readers of all backgrounds, Understanding and Conducting Information Systems Auditing is an essential resource for anyone auditing information systems.
VEENA HINGARH is Joint Director of the South Asian Management Technologies Foundation, a center for research, training, and application in the areas of finance and risk management, which provides training in areas including IS auditing, enterprise risk management, and risk modeling. Winner of numerous merit-based awards during her career, Hingarh's major areas of focus are IFRS and IS. She speaks frequently at conferences and platforms throughout Asia and the Middle East. Hingarh is a Chartered Accountant from the Institute of Chartered Accountants of India (ICAI), Certified Company Secretary of the Institute of Company Secretaries of India (ICSI), and Certified Information System Auditor (CISA) from ISACA (USA).
ARIF AHMED is a professor at and Director of the South Asian Management Technologies Foundation as well as a Chartered Accountant from the Institute of Chartered Accountants of India (ICAI). He is an Information Security Management System Lead Auditor for the British Standards Institution. Ahmed's areas of focus are finance and risk management, and he has over two decades of postqualification experience in training and strategic consulting. He has been interviewed and quoted throughout the media and has spoken at various seminars and institutions, including the Institute of Chartered Accountants of India, XLRI, and the Institute of Company Secretaries of India.
Overview of Systems Audit
In this chapter we discuss why an information systems audit would be conducted. The chapter also identifies the challenges that an auditor will face while auditing a computerized system. Critical differences between computerized and noncomputerized systems have also been identified. Upon completion of this chapter, the reader will have an understanding of the salient features of a computerized system that an information systems auditor must keep in mind.
Information Systems Audit
An information systems audit is an examination of various controls within an information systems infrastructure. It is the process of collecting and evaluating evidence about the design and operation of the controls implemented in information systems, practices, and operations. After evaluating the evidence, the auditor forms an opinion on whether the information systems safeguard assets, maintain data integrity, and operate effectively and efficiently in order to achieve the agreed-upon goals and objectives of the entity. An information systems audit can be performed independently of or along with an audit of financial statements. More often than not, it remains an independent function used during testing of controls.
Information Systems Auditor
Under the existing practices in various countries, any person holding a recognized qualification in information systems audit can conduct an information systems audit. To be recognized, the qualification must be awarded by an institution that is acknowledged by the laws of the country. These institutions can be academic or professional bodies. The qualification can also be conferred by membership of an association or body of persons, on the basis of that body's internal norms of qualification for such membership. Usually such membership is renewable annually by paying a membership fee, whereas qualifications from academic institutions usually do not involve any recurring membership cost. It is important to check whether the regulatory authorities of a specific country recognize the qualification of an information systems auditor for conducting an information systems audit there. Industries are free to recognize qualifications awarded by institutions other than those mentioned earlier.
It may be noted that, unless specified by the auditee or regulatory authorities, no qualification beyond that of an information systems auditor is required in order to conduct an information systems audit.
Legal Requirements of an Information Systems Audit
More often than not, an information systems audit is a best practice or an ethical exercise rather than a legal requirement. However, the audit may be legally required in some countries, such as under the Sarbanes-Oxley Act of 2002 in the United States.
Major requirements of the Sarbanes-Oxley Act with relation to information systems audit are provided in the following sections.
The Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act came into force in 2002 to ensure better regulation of financial practices and corporate governance, and it imposes a number of compliance requirements. The act is named after Senator Paul Sarbanes and Representative Michael Oxley, who were its main architects.
Form 10-K is the name of the form that every domestic issuer in the United States has to submit to the Securities and Exchange Commission. The form provides a comprehensive overview of the business of the filer, along with the business's financial condition and audited statements.
Securities and Exchange Commission
Better known by its acronym, SEC, the Securities and Exchange Commission is the apex regulator responsible for enforcing all of the laws and regulations of the securities industry in the United States.
Section 302 assi