
Auditing Information Systems: Enhancing Performance of the Enterprise
Ebook, 413 pages, 4 hours

About this ebook

The role of the information systems auditor is not just about compliance and performance testing but goes beyond by adding value to the enterprise through being an IS advisor to management. This book, whilst covering all the necessary skills in IS auditing, also focuses on the role of the IS auditor in enhancing the performance of the enterprise. The IS auditor is a key member of the enterprise and ensures that technology is used appropriately, protects data, and provides a secure environment.

The book outlines the IS audit process in detail, enabling the reader to acquire necessary skills on how to conduct an IS audit. Included in the book are other formative skills, such as IT general controls, applications controls, IT governance, information security, IT risk, and disaster recovery.

The book also covers all the necessary technologies an IS auditor requires to learn and understand in order to be an effective auditor. A good flair for technology is a must for one to be a good IS auditor. The book focuses on both learning the technology and developing appropriate evidence-gathering skills.
Language: English
Publisher: Trafford Publishing
Release date: Mar 11, 2015
ISBN: 9781490754970
Author

Abraham Nyirongo

Abraham Nyirongo is an IS audit practitioner, researcher, and corporate trainer. He has been in the information technology profession for over twenty years, having worked in various IT roles and organisations. He has provided IT audit advisory services for various organisations, which include Citibank, Standard Chartered Bank, Stanbic Bank, Bank of Zambia, and Zambia Revenue Authority. He worked in IT advisory services for several years at KPMG and also served on the ISACA CISM test enhancement committee. He is currently the managing consultant at Cyberskills Consulting. Abraham is a holder of a master of science degree (MSc) in information technology from Aspen University and a master’s degree (MBA) in business administration from Heriot-Watt University. He is a certified information systems auditor (CISA). He also holds other certifications in information security (CISM), information technology governance (CGEIT), and project management (PMP).


    Auditing Information Systems - Abraham Nyirongo

    Copyright 2015 Abraham Nyirongo.

    All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the written prior permission of the author.

    ISBN: 978-1-4907-5499-4 (sc)

    ISBN: 978-1-4907-5498-7 (hc)

    ISBN: 978-1-4907-5497-0 (e)

    Library of Congress Control Number: 2015903592

    Because of the dynamic nature of the Internet, any web addresses or links contained in this book may have changed since publication and may no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect the views of the publisher, and the publisher hereby disclaims any responsibility for them.

    Any people depicted in stock imagery provided by Thinkstock are models, and such images are being used for illustrative purposes only.

    Certain stock imagery © Thinkstock.

    Trafford rev. 03/10/2015

    www.trafford.com

    North America & international

    toll-free: 1 888 232 4444 (USA & Canada)

    fax: 812 355 4082

    Contents

    Preface

    Chapter 1 Introduction to Auditing Information Systems

    Chapter 2 Information Systems Audit Process

    Chapter 3 Use of Information Systems Audit Standards

    Chapter 4 Information Technology Review

    Chapter 5 IT Governance

    Chapter 6 Auditing IT Risk Management

    Chapter 7 Auditing Information Security Management

    Chapter 8 Auditor Involvement in Systems Deployment

    Chapter 9 Auditing Disaster Recovery Management

    Chapter 10 IT General Controls Audit

    Chapter 11 Application Systems Controls Audit

    Chapter 12 Specialised Information Systems Auditing

    References

    To my wife, Clara, and daughters, Susan and Sarah

    Preface

    This book was written out of my information systems audit practice, research, and presentation notes developed for information systems auditing workshops, which were conducted for corporate clients, and information systems audit training sessions at the University of Zambia. Further research and refinement of presentation notes culminated in the publication of this book. Although the book is targeted at new information systems audit practitioners, it is also a good reference book for those already practising IS auditing.

    The main objective of this book is to get IS audit practitioners and students alike to appreciate that IS auditing can be used to enhance performance of our enterprises by providing sound and appropriate assurance services to senior management. The IS auditor’s role is not just about compliance and performance testing but also adding value to the enterprise. It is for this reason that the subtheme for this book, ‘Enhancing Performance of the Enterprise’, was developed. Most of the examples used in this book are focused on emphasising this subtheme.

    Other roles of an IS auditor are to advise management on how information technology is used and to add value to the enterprise by evaluating investment in IT and its returns. Most organisations, if not all, use IT to enhance efficiency and competitiveness, and IS auditors are used to provide assurance that this requirement is met.

    The terms IS audit and IT audit have been used interchangeably throughout the book to carry the same meaning. Some professional associations prefer to use one term or the other. The word client has been used to mean auditee, and the term engagement letter applies to either internal or external clients.

    After refreshing your IS audit skills through reading all the chapters in this book, it is recommended that, if you are new to IS auditing, you start your IS audit practice by learning how to conduct an IT general controls audit. This type of audit will give you a broad and good perspective of IS auditing. IT general controls audit is covered in chapter 10.

    The IT general controls audit chapter covers key areas which an enterprise requires in order to have assurance on the performance and status of the IT infrastructure. The ITGC audit can be used to conduct an assessment of the IT environment and make appropriate recommendations to management on the existence and effectiveness of controls which have been implemented. Key areas which may be covered in an IT general controls audit include, but are not limited to, IT governance, IT risk management, information security management, access controls, disaster recovery, environmental controls, change management, and incident management.

    Included in this book is a chapter on application controls audit. This is an audit of application systems, such as accounting application systems or enterprise resource planning (ERP) application systems which include integrated modules used to automate business processes. Modern ERP software would include modules like accounting, distribution or warehousing, manufacturing, sales, marketing, customer service, and business intelligence.

    Once the IS auditor has assessed the IT general controls audit results as effective and is confident that appropriate controls do exist and are effective, the next task would be to carry out an application controls audit. This type of audit will establish whether the controls in an application system are effective or not. Line managers are normally interested in knowing the results of an applications controls audit because it directly involves business processes which they use every day.

    The term ‘specialised audits’ has been used to refer to other types of audits such as audit of network devices (firewalls or routers), wireless networks, CAATs, databases, operating systems, servers, and specific utilities supporting other systems. Specialised audits are covered in chapter 12.

    In this book, there is an emphasis on the use of and reference to IS auditing standards, procedures, and guidelines. In order to carry out an effective audit, an IS auditor is required to make use of best practice standards regularly published by professional associations such as ISACA, the Institute of Internal Auditors (IIA), and many other related professional organisations. IS audit standards, procedures, and guidelines are required in order to ensure that audit work, recommendations, and comments are guided and are within accepted standards or best practice.

    Substantive analysis is one type of audit procedure which can be conducted in order to validate certain assertions made by management during an IT general controls or application system audit. Typically, computer-assisted audit techniques (CAATs) are one tool which can be used to perform substantive analysis. Often controls may be assessed as effective but may still not be able to detect certain types of weaknesses or errors. Substantive analysis can be used to investigate such errors in collected data. There are other types of substantive analysis which can be conducted to support ITGC and application system controls audits, but they are beyond the scope of this book.
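    As an added illustration of the substantive analysis described above (this is example code written for this edition, not code from the book or from any CAAT product), the script below runs four common substantive tests over a constructed accounts-payable payment register: duplicate payments, gaps in the voucher sequence, same-day payments that together cross an approval limit, and postings on weekends. The column names, the approval threshold, and the sample records are all assumptions made for the example; a real CAAT would read the same kind of extract from the application's database and the auditor would follow up each exception against source documents.

```python
"""Substantive tests of the kind a CAAT performs over extracted transaction data.

Added example; not code from the book. The records below are constructed,
and the column names, approval threshold and choice of tests are assumptions.
"""
from datetime import date

# Constructed sample: a payment register extracted from an accounts-payable
# application. Columns are assumed: voucher number, vendor code, supplier
# invoice number, amount, posting date.
PAYMENTS = [
    {"voucher": 1001, "vendor": "V001", "invoice": "INV-100", "amount": 4_800.00, "posted": date(2014, 11, 3)},
    {"voucher": 1002, "vendor": "V002", "invoice": "INV-555", "amount": 12_500.00, "posted": date(2014, 11, 4)},
    {"voucher": 1003, "vendor": "V001", "invoice": "INV-100", "amount": 4_800.00, "posted": date(2014, 11, 10)},
    {"voucher": 1005, "vendor": "V003", "invoice": "INV-200", "amount": 9_900.00, "posted": date(2014, 11, 12)},
    {"voucher": 1006, "vendor": "V003", "invoice": "INV-201", "amount": 9_950.00, "posted": date(2014, 11, 12)},
    {"voucher": 1007, "vendor": "V004", "invoice": "INV-777", "amount": 150.00, "posted": date(2014, 11, 15)},
]

APPROVAL_THRESHOLD = 10_000.00  # assumed: payments at or above this need a second approver


def duplicate_payments(records):
    """Flag vouchers that repeat the same vendor, invoice number and amount.
    A working input control should reject the second entry; finding one in
    the data is evidence that the control did not operate."""
    groups = {}
    for r in records:
        key = (r["vendor"], r["invoice"], round(r["amount"], 2))
        groups.setdefault(key, []).append(r["voucher"])
    return [sorted(v) for v in groups.values() if len(v) > 1]


def sequence_gaps(records):
    """Return voucher numbers missing from an otherwise continuous sequence.
    Gaps may be deleted or suppressed transactions and need an explanation."""
    nums = sorted(r["voucher"] for r in records)
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present]


def possible_split_payments(records, threshold):
    """Find same-vendor, same-day payments that are each below the approval
    threshold but together reach it: a pattern consistent with splitting a
    purchase to stay under a single approver's limit."""
    by_vendor_day = {}
    for r in records:
        if r["amount"] < threshold:
            by_vendor_day.setdefault((r["vendor"], r["posted"]), []).append(r)
    findings = []
    for (vendor, day), rs in sorted(by_vendor_day.items()):
        if len(rs) > 1 and sum(x["amount"] for x in rs) >= threshold:
            findings.append((vendor, day, sorted(x["voucher"] for x in rs)))
    return findings


def weekend_postings(records):
    """Vouchers posted on a Saturday or Sunday, outside normal processing days."""
    return [r["voucher"] for r in records if r["posted"].weekday() >= 5]


def run_substantive_tests(records, threshold=APPROVAL_THRESHOLD):
    """Collect every exception so the auditor can follow each one up against
    source documents rather than relying on the application control alone."""
    return {
        "duplicates": duplicate_payments(records),
        "sequence_gaps": sequence_gaps(records),
        "split_payments": possible_split_payments(records, threshold),
        "weekend_postings": weekend_postings(records),
    }


if __name__ == "__main__":
    for test, result in run_substantive_tests(PAYMENTS).items():
        print(f"{test}: {result}")
```

    Each test returns the exceptions as data rather than printing a verdict, which is the point of a CAAT: the control may have been assessed as effective, yet the duplicate of INV-100 and the two V003 payments that together exceed the assumed limit are only visible by examining the transactions themselves.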

    Good training in IS auditing should be complemented by practice. Without practice, the IS auditor may not be able to sharpen his or her IS audit skills. To be a good and effective IS auditor, one requires a variety of skills, such as a good understanding of the business and IT environment, IT governance, performance metrics, information security, IT risk, and project management. In addition, soft skills such as interpersonal skills, interviewing skills, coaching skills, and advisory skills are necessary.

    I hope you will find this book interesting, a good introduction to auditing information systems, and useful start-up literature for young and new IS audit professionals.

    Abraham Nyirongo

    Christmas Day 2014

    Chapter 1

    Introduction to Auditing Information Systems

    Overview

    Information systems auditing, or information technology auditing, is the activity of examining or evaluating information technology systems. IS auditing also involves assessing compliance with established policies, procedures, standards, controls, regulations, and legislation. The list of what IS audit covers is long and keeps growing with the ever-increasing use of IT in enterprises. We will take a close look at the various applications of IS audit later in the chapter.

    An IS audit can also be considered as a process of gathering and examining evidence of an organization’s information systems practices and operations. The evidence obtained from such a review would help determine if the IT systems are secure, compliant, provide protection to data, and ensure effective and efficient IT service delivery.

    It is important to realise that information systems are the lifeline of enterprises that are highly dependent on IT systems. Typical examples are banks, stock exchanges, or airlines. These enterprises operate real-time systems and cannot do without the use of IT systems for more than a few seconds; otherwise, this would entail worldwide disruption of services. The level of automation in such enterprises is usually end to end, meaning that most of their business processes are automated.

    Because of huge investments in and dependence on IT systems, it is important that management keeps an eye on how IT systems are used and operated. This calls for a systematic way of ensuring that IT policies and procedures are implemented and monitored. Senior management requires assurance from time to time that IT systems are being used efficiently and are adding value to the enterprise. This assurance can be provided through the use of information systems auditors, who are called on to examine information systems and the associated policies, procedures, and practices regularly, and to advise management on the status of the systems. IS auditors are not only invited to examine information systems but can also be used to conduct various other types of advisory services, which we will review later in the chapter.

    Enterprises often implement IS auditing either by setting up an internal IS audit function or by using an external IS audit firm. Later in the book, we will assess the benefits and disadvantages of each type of audit organisation.

    IT risk is a key requirement when an enterprise is implementing an IS audit framework. Before an IS audit framework is implemented, it is important that an IT risk policy is in place. The IS auditor should have a good understanding of the nature of IT risks and how they are being mitigated before developing an IS audit program. We will analyse IT risk in more detail in chapter 6.

    History of IS Auditing

    The advent of microcomputer systems brought about increased dependence on the use of IT systems by private and public organisations in the mid-1960s and early 1970s. The increased dependence on IT systems also brought in the need to ensure that systems were reliable, secure, and processed data with high accuracy. Using computer auditors was one way considered to enhance assurance, and it saw the birth of a new profession, which today has hundreds of thousands of practising IS auditors around the world. The development of IS auditing as a profession was also largely influenced by the growth in the use of computerised accounting systems and the need to have effective IT controls which would provide assurance to management on financial record-keeping in an automated environment.

    Today we are seeing the development of large integrated information systems used by multinational corporations such as Microsoft, Samsung, Citibank, and many other similar corporations. These corporations, due to the volumes of transactions, are able to generate large volumes of electronic data. Big data has become a subject of discussion in many enterprises as this has created new opportunities to analyse data and extract various types of information which enterprises can use to enhance performance of their businesses and have a competitive advantage in the marketplace.

    The growth of IS auditing has also been influenced by the increasing use of the Internet to conduct business by many enterprises. Most business transactions today are conducted using the Internet, and global enterprises have taken advantage of the Internet to grow and offer their services to a global market.

    The original focus of IS auditing was very technical and was more concerned with the technical features of systems than it is today where our focus is more risk-based and centred on the need to enhance business performance.

    Accounting scandals in the USA and Europe also reinforced the importance of using IS auditing. IS auditing is used by many enterprises that are dependent on information technology, and it is also highly influenced by various forms of corporate regulations and legislation by jurisdictions around the world.

    ISACA is one of the professional organisations which are promoting the practice and development of the information systems auditing profession. The association has been in operation since 1969 when it was incorporated. The Institute of Internal Auditors is one other professional association responsible for promotion of IS auditing. The two organisations collaborate on development of many professional standards and guidelines. There are many other professional and private (for profit) organisations who are involved in the development and practice of IS auditing.

    IS auditing is a new profession compared to other professions such as law, accounting, and medicine. The future of IS auditing is dependent on the use of IT systems by enterprises. Every sign indicates that IS auditing is here to stay and will grow with the growth in usage of IT systems in organisations. No one can dispute the fact that IT systems have changed the way enterprises conduct business and that these systems should be regulated to ensure protection of client information and also compliance with the many complex pieces of legislation being enacted by governments around the world.

    Many IS auditors did not join the IS auditing profession straight from college or university but could have joined the profession after many years as external or internal auditors. Many could also have come from other professions such as information technology, accounting, or other business backgrounds. The IS audit profession has grown compared to what it was forty or more years ago. Many large- and medium-sized enterprises today do have IS audit functions or internal auditors performing IS audit responsibilities.

    The future of IS auditing can also be assessed from the job market demand for IS auditing professionals. There are many enterprises looking for IS auditors with various skills, from general IS auditors to specialist IS auditors, in areas such as IT security, IT governance, databases, application systems, and networks.

    The benefits of implementing IS auditing whether in a small, medium, or large organisation are many, and it is no longer an option but a must to ensure that systems are secure and used to support business goals.

    An enterprise which is using and dependent on IT systems to produce business information or automate business processes requires the use of IS audit services. Management of any enterprise, small or large, needs to place reliance on IT systems, and this can be effectively done through the use of an IS auditor. A small- or medium-sized enterprise does not necessarily need to employ full-time IS auditors but can consider using the services of external IS auditors or an independent or part-time IS audit consultant, who can equally do a good job.

    Many medium to large enterprises have full-time IS audit functions supervised by a director or manager. They may also have full-time IS auditors specializing in various areas of IS auditing. Many IS audit functions also provide support services to other functions, such as financial auditing, information security, or risk management.

    The IS audit profession is growing, and one can say it is reaching maturity in that it is now driven and moderated by various standards and guidelines. Governments in the USA, Europe, and other parts of the world have developed legislation which requires the use of IS auditing in order to ensure the use of effective IT controls in public organisations and in private enterprises listed on the stock exchange.

    Types of Information Systems Audits

    There are various types or reasons for conducting information systems audits as indicated earlier. In the next two pages, we will review the common types of IS audits (see figure 1.1) which are used in most enterprises. You will discover later that IS audit can be used to support various types of advisory work.

    Figure 1.1 Types of Audits

    IT General Controls Audit

    This is a general review of global controls in an IT environment. There are a number of areas which are covered using an IT general controls audit, such as access controls, compliance with internal policies and IT procedures, environmental controls, and disaster recovery. IT general controls audits may be performed to support or in conjunction with financial statement audits, internal audits, or other forms of attestation.

    When an IT general controls audit is used to support financial audits, IS auditors would be requested to perform an ITGC audit so that they give assurance to financial auditors on the existence and effectiveness of IT controls. Once IT controls are determined to be effective, financial auditors may consider going ahead with the audit and review financial data.

    IT general controls audits can also be performed to give a general assurance to management on the effectiveness of IT controls without any additional specialised audits. Management might want to just have a general picture of existing IT controls and their effectiveness. The IT general controls audit will be reviewed in more detail in chapter 10.

    Application Systems Controls Audit

    This is an examination of IT controls in an application system such as an accounting package or ERP system. An application systems controls audit involves examining specific application systems used to automate business processes. An enterprise might have one or more application systems which are used to operate the business. In many cases, enterprises today are opting for integrated systems, such as ERP systems, compared to using non-integrated systems which require multiple data input.

    There are a number of areas which are covered during an application systems controls audit, such as input controls, processing controls, output controls, access controls, and disaster recovery procedures.

    Application systems controls audits can either be conducted in conjunction with an IT general controls audit or a specialised audit. An application systems controls audit is specific to a particular business process or processes and requires specialised skills. It is normally recommended that an IS auditor auditing a financial system should also have training in that particular application system in addition to having general IS auditing skills. This topic will be considered in more detail in chapter 11.

    IT Governance Audit

    IT governance is about ensuring that IT is aligned and supports business goals, good management of IT risk, appropriate investment in IT infrastructure, and use of IT to achieve a competitive advantage or creation of business opportunities. Enterprises that have implemented IT governance have witnessed a number of new opportunities. You may have also noticed that small or medium enterprises would not like to remain behind in the effective use of IT which results from implementing IT governance.

    When auditing an IT governance framework, IS auditors focus on areas such as the involvement of the board of directors in IT governance, investment in IT, and how regularly IT is discussed at board and management levels. The IS auditor would also look at how IT strategy is aligned to business strategy. One other important area is to assess how IT governance is translated into IT management and operational strategies at management and operational levels. This topic will be reviewed in more detail in chapter 5.

    IT Investment Audit

    This is an evaluation of an enterprise’s investment in IT infrastructure in order to determine returns from the use of IT systems. Returns can be determined by savings resulting from automation of business processes or the use of new or more efficient and effective IT systems. Savings can also be determined from the use of fewer employees because most processes are now being performed by computers. Returns can also be determined from the use of less paper in the office. Instead of sending paper invoices, the new system can make use of email to send invoices electronically, or copies of invoices can be accessed on the company web portal.

    There are a number of other factors that can be used to determine returns on IT investments. Sometimes this is difficult and not so obvious, as automation might increase operating costs, such as the requirement for highly skilled employees who might command a higher salary. One might also think of increased network connection fees to link the head office, branch offices, and business partners.

    IT Risk Audit

    An IT risk audit involves an evaluation of how IT risk management has been implemented and is operated in the enterprise. Effective management of IT risk is a key requirement in any IT environment. An IS auditor would review the IT risk profile of an enterprise by looking at IT risk policies, procedures, and the IT risk register. The IS auditor would be looking for evidence that risks have been properly identified and mitigated. The IS auditor would also be looking for evidence of risk awareness across all levels in the enterprise. This topic will be reviewed in more detail in chapter 6.

    Information Security Audit

    In our interconnected world, security risks are ever increasing, and enterprises are vulnerable to various threats especially those hosting sensitive client data. Enterprises are required to put in place effective security measures which will ensure that the IT infrastructure is properly secured.

    Information security auditing involves reviewing areas such as network security, database and application security, protection from viruses, website security, and intrusion detection. The IS auditor will also be looking at how secure the IT systems are from both internal and external threats. An information security audit also covers protection of a number of information types, such as information in soft copy, hard copy, voice, and video.

    Information security is an important aspect of the enterprise, and management normally calls for security audits to be held more frequently than other audits. In some enterprises, security audits are real-time and security auditing is a continuous activity. This topic will be analysed in more detail in chapter 7.

    System Deployment Audit

    IS auditors are often required to get involved when systems are being developed and implemented. This is to ensure that the systems being deployed have all the required security and IT controls included as specified in the system specification. It is common to find developers or integrators missing out one or more features on a new system even when such features are in the specifications. In order to avoid such costly mistakes, it is important that auditors are involved when new systems are being deployed in the enterprise. IS auditors should also be involved when major changes are being made to business systems.

    The
