· Processed on 09-Dec-2014 9:01 PM CST
· ID: 488406360
· Word Count: 1969
Similarity Index
47%
Similarity by Source
Internet Sources:
46%
Publications:
2%
Student Papers:
N/A
sources:
1
30% match (Internet from 27-Mar-2009)
http://www.isaca.org/Content/ContentGroups/Journal1/20023/The_IS_Audit_Process.htm
2
13% match (Internet from 29-Mar-2011)
http://www.scribd.com/doc/36655995/Chapter-1-the-Information-System-Audit-Process
3
2% match (publications)
Athula Ginige. "Web site auditing", Proceedings of the 14th international conference on Software engineering and knowledge engineering - SEKE 02 SEKE 02, 2002
4
1% match (Internet from 26-Feb-2012)
http://www.dc.fi.udc.es/~parapar/files/ai/The_IS_Audit_Process_isaca_sayana.pdf
5
1% match (Internet from 01-Apr-2009)
http://www.idkk.gov.tr/web/guest/it_audit_manual_isaca
paper text:
Running head: AUDITING INFORMATION SYSTEMS PROCESS Auditing information systems process Student’s Name University Affiliation Auditing information systems 2process Information systems are the livelihood of any huge business. As in past years, computer systems do not simply record transactions of business, but essentially drive the main business procedures of the enterprise. In such a situation, superior management and business managers do have worries concerning information systems. Auditing is a methodical process by which a proficient, independent person impartially obtains and assesses evidence concerning assertions about a financial entity or occasion for the reason of outlining an outlook about and reporting on the extent to which the contention matches to an acknowledged set of standards. Auditing of information systems is the administration controls assessment inside the communications of Information Technology. The obtained proof valuation is used to decide if systems of information are defensive assets, maintenance reliability of data, and also if they are efficiently operating in order to attain organization’s goals or objectives (Hoelzer, 2009). Auditing of Information Systems has become an essential part of business organization in both large and small business environments. This paper examines the preliminary points for carrying out and Information system audit and some of the, techniques, tools, guidelines and standards that can be employed to build, manage, and examine the review function. The Certified Information Systems Auditor (CISA) qualifications is recognized worldwide as a standard of accomplishment for those who assess, monitor, control and audit the information technology of an organization and business systems. Information Systems experts with a concern in information systems security, control and audit. At least five years of specialized information systems security, auditing and control work practice is necessary for certification. An audit contract should be present to evidently state the responsibility of the management, 2objectives for, and designation of authority to Information .
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
1. · Processed on 09-Dec-2014 9:01 PM CST
· ID: 488406360
· Word Count: 1969
Similarity Index
47%
Similarity by Source
Internet Sources:
46%
Publications:
2%
Student Papers:
N/A
sources:
1
30% match (Internet from 27-Mar-2009)
http://www.isaca.org/Content/ContentGroups/Journal1/20023/T
he_IS_Audit_Process.htm
2
13% match (Internet from 29-Mar-2011)
http://www.scribd.com/doc/36655995/Chapter-1-the-
Information-System-Audit-Process
3
2% match (publications)
Athula Ginige. "Web site auditing", Proceedings of the 14th
international conference on Software engineering and
knowledge engineering - SEKE 02 SEKE 02, 2002
4
1% match (Internet from 26-Feb-2012)
http://www.dc.fi.udc.es/~parapar/files/ai/The_IS_Audit_Process
_isaca_sayana.pdf
5
1% match (Internet from 01-Apr-2009)
http://www.idkk.gov.tr/web/guest/it_audit_manual_isaca
paper text:
2. Running head: AUDITING INFORMATION SYSTEMS
PROCESS Auditing information systems process Student’s
Name University Affiliation Auditing information systems
2process Information systems are the livelihood of any huge
business. As in past years, computer systems do not simply
record transactions of business, but essentially drive the main
business procedures of the enterprise. In such a situation,
superior management and business managers do have worries
concerning information systems. Auditing is a methodical
process by which a proficient, independent person impartially
obtains and assesses evidence concerning assertions about a
financial entity or occasion for the reason of outlining an
outlook about and reporting on the extent to which the
contention matches to an acknowledged set of standards.
Auditing of information systems is the administration controls
assessment inside the communications of Information
Technology. The obtained proof valuation is used to decide if
systems of information are defensive assets, maintenance
reliability of data, and also if they are efficiently operating in
order to attain organization’s goals or objectives (Hoelzer,
2009). Auditing of Information Systems has become an essential
part of business organization in both large and small business
environments. This paper examines the preliminary points for
carrying out and Information system audit and some of the,
techniques, tools, guidelines and standards that can be
employed to build, manage, and examine the review function.
The Certified Information Systems Auditor (CISA)
qualifications is recognized worldwide as a standard of
accomplishment for those who assess, monitor, control and
audit the information technology of an organization and
business systems. Information Systems experts with a concern
in information systems security, control and audit. At least five
years of specialized information systems security, auditing and
control work practice is necessary for certification. An audit
contract should be present to evidently state the responsibility
of the management, 2objectives for, and designation of
3. authority to Information System audit. This document should
summarize the general authority, responsibilities and scope of
the function of audit. The uppermost management level should
endorse this charter and once set up, this charter should be
distorted only if the amendment can be and is meticulously
justified. The process of auditing information systems
involves;- Audit Function Management; this process includes
assessment which is systematic of policies and methods of
management of the organization in management and utilization
of resources, improvement of organization and employee,
strategic and tactical planning. The main goals are to establish
the present effectiveness level, suggesting improvements and
putting down standards for performance in future. Standards of
Assurance, IT Audit and Guidelines; these involve the
relationships between standards, tools, guidelines and
techniques. It also comprises of the assurance framework of
Information technology among other standards. They describe a
framework of guidance and standards which relates to
performance and acceptance of assurance activities and auditing
(John, 2007). Risk Analysis; this involves identifying specific
risks that might be faced by the information system of the
organization and establish the impacts, occurrence likelihood,
severity and priority and recommendations of strategies of
mitigation. Internal Controls; these are actions that the
management and other groups take for risk management and
increase the possibility that the identified goals and objectives
will be attained. Perform an Information System Audit; this
process involves the evaluation of weaknesses and strengths of
the audit, testing, sampling, recommendation implementation of
the management and communicating the results of the audit,
among others (Richard, 2007). 1The purpose of Information
System audit is to evaluate and provide suggestions, assurances
and feedback. These apprehensions can be categorized under
three wide categories: ? Availability: This entails whether the
information systems on which the organization heavily depends
on will be available for the business at all the times when
4. required. It also answers the question whether all 2the systems
well protected against all types of disasters and losses. ?
Confidentiality: This concerns whether the information in the
systems will be revealed only to those who have a necessity to
see and make use of it and not to everyone else. ? Integrity:
This entails whether the information offered by the systems will
always be timely, reliable and accurate. It also ensures that no
illegal alteration can be made to the software or the data in the
systems. The advantages of auditing can be categorized into
four groups which include: ? Strategic Benefits. Reliability 2of
Data formed by the Organization. Improved Customer
assurance. ? Operational Benefits. Improved Employee Morale
and Productivity. Reliability of Data makes it possible for
Management to formulate accurate and informed 2decisions. ?
Financial Benefits. Improved Hardware Performance Cost of
burglary of Information System Assets is condensed. ?
Technical Benefits. Organization Decisions on Computer
generated Data are consistent. Company Partners trust the
Organization’s Management distribution and control of sensitive
Data. ELEMENTS OF IS AUDIT: An information system is not
just a processor. Today's information systems are intricate and
have many constituents that come together to make a business
resolution (Weber, 2002). Reassurance 5about an information
system can be attained only if all the constituents are assessed
and secured. The major aspects of Information System audit can
be largely classified into: ? Environmental and physical review
This consists of humidity control, air conditioning, power
supply, physical security 1and other ecological factors. ?
System management review: This entails security evaluation of
the database administration systems, operating systems and all
system administration compliance and procedures. ? Application
software review. The application of the business could be an
enterprise resource planning system, a web based client order
processing system, invoicing or a payroll 1system that
essentially runs the business. The review of such application
software would include corresponding manual procedures and
5. controls, business procedures within the application software,
mistake and exception handling, validations, authorizations and
access control. In addition, an evaluation 1of the system
progress lifecycle should be accomplished. ? Network security
review. The typical areas covered by this review include the
evaluation of the external and internal connections to the
system, intrusion detection and port scanning, router admission
control lists, review of the firewall and perimeter security. ?
Business 1continuity review. This entails maintenance and
existence of error tolerant and superfluous hardware, backup
storage and procedures and tested disaster and documented
business or recovery stability 2plan. ? Data reliability review.
The intention of this scrutiny of live data is to confirm the
impact of weaknesses and sufficiency of controls as observed
from any of the previous evaluations. Such substantial testing
can be done using comprehensive auditing software for instance
computer aided audit techniques (Weber, 2002). It is imperative
to appreciate that every audit may consist of these aspects in
different measures. Some auditors may examine only one of
these aspects and drop the other aspects. However, 1it is
necessary to carry out all of them though it is not mandatory to
do all of them in one assignment. The set of skills that is
1required for each of these aspects is different. The outcomes of
every audit require not to be seen in relation to the other. This
allows the auditor and the administration to get the full view of
problems and issues. This overview is very important. All these
aspects require 1to be tackled to present to administration a
clear evaluation of the system. For instance, appliance software
may be well planned and implemented with all the security
characteristics, but the defaulting super-user secret code in the
operating system utilized on the server may not have been
altered, thereby permitting someone to see the data files openly.
Such a circumstance contradicts whatever security is
constructed into the application. similarly, technical system
security and firewalls may have been executed very well, but
the access controls and role definitions within the appliance
6. software may have been so inadequately planned and executed
that by making use of their user IDs, workers may get to see
vital and delicate information far ahead of their roles (Weber,
2002).. It is vital to appreciate that each examination may entail
these elements in different measures. Some audits may inspect
only one of these elements or drop some of these elements.
While the fact remains that it is necessary to do all of them, it is
not mandatory to do all of them in one assignment. The skill
sets required for each of these are different. The results of each
audit need to be seen in relation to the other. This will enable
the auditor and management to get the total view of the issues
and problems. This overview is critical. Risk-based Approach
Every organization utilizes several of information systems.
There may be diverse applications for different activities and
functions and there may be various computer installations at
diverse physical locations. The examiner is faced with the
questions of what to audit, at what time and how regularly. The
response to this is to implement an approach that is 1risk-based.
While there are hazards intrinsic to information systems, these
hazards impact diverse systems in different ways. The hazard of
no availability even for an hour can be severe for a listing
system at a busy trade store (Weber, 2002). The hazard of
illegal modification can be a basis of potential losses and frauds
to an online banking system. A batch dispensation system or a
data merging system may be comparatively less susceptible to
some of these perils. The industrial environments on which the
systems run also may have an effect on 1the risk connected with
the systems. The steps that can be pursued for a risk-based
approach to creation of an audit plan are including: 1. Account
the information systems in exercise in the organization and
classify them. 2. Decide which of the systems have vital assets
or functions, such as how close to actual time they function,
decision making, customers, materials and money. 3. Evaluate
4what risks influence these systems and the strictness of impact
on the company. 4. Categorize the systems based on the above
evaluation and settle on the audit frequency, schedule, resources
7. and priority. The auditor then can draft an annual 1audit plan
that lists the audits that will be carried out during the time, as
per a plan, as well as the assets necessary. The groundwork
before instigation 1an audit involves gathering background
information and evaluating the skills and resources necessary to
carry out the audit. This allows staff with the correct kind of
skills to be selected to the right task. It is always a good
practice to have an official audit beginning meeting with the
senior administration accountable for the section under audit to
conclude the scope, recognize the extraordinary concerns, if
any, plan the dates and clarify on the method for the audit. Such
conventions should get senior administration involved, permit
people to meet up with each other, explain issues and essential
business worries and assist the audit to be performed smoothly
(Weber, 2002).. Likewise, after the audit inspection is
completed, it is better to talk about the audit findings and
propositions for counteractive action to senior administration in
an official convention using a presentation. This will make sure
there is a better appreciation and boost buy-in of audit
commendations. It also offers audited a chance to articulate
their viewpoints on the concerns raised. Report writing 1after
such a convention where harmony is reached on all audit
concerns can significantly improve audit efficiency. Audit of
information systems often entail 1finding and soundtrack
observations that are very technical. Such industrial depth is
essential to carry out effective Information System audits. All
together 1it is essential to interpret audit answers into
susceptibility and organization impacts to which operating
directors and senior administration can recount. Within, lays a
major challenge of audit of information systems. References
Weber, R. (2002). EDP Auditing. Conceptual Foundations and
Practice. Hoelzer, D. (2009). Audit Principles, Risk Assessment
& Effective Reporting. SANS Press. John, B. (2007). Public
Sector Auditing: Is it Value for Money? Creating a culture of
compliance Richard, C. (2007). Information system auditing;
Auditor's Guide to Information Systems Auditing. High Tower
8. Software ZENER, B. (2012). Public Sector Auditing: SANS
Press. 1 AUDITING 3INFORMATION SYSTEMS PROCESS 2
AUDITING INFORMATION SYSTEMS PROCESS 2
AUDITING3INFORMATION SYSTEMS PROCESS 2
AUDITING INFORMATION SYSTEMS PROCESS 2
AUDITING3INFORMATION SYSTEMS PROCESS 2
AUDITING INFORMATION SYSTEMS PROCESS 2
AUDITING3INFORMATION SYSTEMS PROCESS 2
AUDITING INFORMATION SYSTEMS PROCESS 2
AUDITING3INFORMATION SYSTEMS PROCESS 2
AUDITING INFORMATION SYSTEMS PROCESS 2
1
Running head: THE PROCESS OF AUDITING INFORMATION
SYSTEMS
The process of auditing information systems
2
The process of auditing information systems
Student’s name
Institutional affiliation
THE PROCESS OF AUDITING INFORMATION SYSTEMS
The audit of information systems is the management controls
examination inside the infrastructure of Information
Technology. The obtained evidence valuation is used to
9. determine if systems of information are protecting assets,
upholding integrity of data, and also if they are effectively
operating in order to achieve organization’s objectives or goals
(Hoelzer, 2009). This process involves;-
Audit Function Management; this process includes assessment
which is systematic of policies and methods of management of
the organization in management and utilization of resources,
improvement of organization and employee, strategic and
tactical planning. The main goals are to establish the present
effectiveness level, suggesting improvements and putting down
standards for performance in future.
Standards of Assurance, IT Audit and Guidelines; these involve
the relationships between standards, tools, guidelines and
techniques. It also comprises of the assurance framework of
Information technology among other standards. They describe a
framework of guidance and standards which relates to
performance and acceptance of assurance activities and auditing
(John, 2007).
Risk Analysis; thisinvolves identifying specific risks that might
be faced by the information system of the organization and
establish the impacts, occurrence likelihood, severity and
priority and recommendations of strategies of mitigation.
Internal Controls; these are actions that the management and
other groups take for risk management and increase the
possibility that the identified goals and objectives will be
attained.
Perform an Information System Audit; this process involves the
evaluation of weaknesses and strengths of the audit, testing,
sampling, recommendation implementation of the management
and communicating the results of the audit, among others
(Richard, 2007).
10. Annotated Bibliography
Hoelzer, D.( 2009). Audit Principles, Risk Assessment &
Effective Reporting. SANS Press.
According to Hoelizer David, the author of ‘Audit Principles,
Risk Assessment & Effective Reporting’,
InformationTechnology audit is an assessment of the
organization controls within an infrastructure of Information
Technology (IT). David states in his book that the purpose of
financial audits is to assess if an organization is holding to the
standard types of accounting performances. He continues to
explain that IT auditing is essential while controlling the
internal designs as well as examining the company’s
effectiveness. In his book, Hoelizer states that the main function
of IT auditing is system evaluation in charge of the main
company’s information. Richard, C. (2007). Information system
auditing; Auditor's Guide to Information Systems Auditing.
High Tower Software
In his book Auditor's Guide to Information Systems Auditing ,
11. Richard Carsicarino states the most important points about
auditing in the most comprehensive manner. His books have at
least something for every auditor no matter their departments of
specialization. Richard gives new auditors a platform of being
able to study and precisely understand what their roles are while
performing the process of auditing. Richard further gives his
reads a snick preview of what they should expect in the field of
auditing. This book is also educative to the already experienced
auditors; because it gives them a detailed focus of how they
should too do their job
John, B. (2007). Public Sector Auditing: Is it Value for Money?
Creating a culture of compliance
In his book, ‘Public Sector Auditing: Is it Value for Money?’;
John Bourns basically gives his personal account on the
influence value and role of money auditing in making
governments accountable as well as in making public
institutions deliver their services appropriately. David, who has
an experience of over twenty years as a general auditor and
comptroller, in the United Kingdom National Audit Office, has
used his experience and his qualifications to come up with this
book. Richards book has an in detailed case studies from US,
UK, China, Canada, India as well as Australia; thorough
analysis of compound areas of expenditure of public for
example; education, health, regulation, privatization, defense
and Information Technology and finally, the book also shows
examples on how auditing promotes positive outcomes.