1_An Introduction to Information Systems Auditing

Information Systems (IS) Auditing is a specialized field focused on evaluating the controls and processes surrounding IT systems to ensure data integrity, security, and compliance with regulations. IS Auditors assess risks, safeguard information assets, and promote effective communication among stakeholders while adapting to legal and regulatory frameworks. The role of IS Auditors has evolved to become strategic, providing insights on technology trends and helping organizations leverage IT for competitive advantage.


AN INTRODUCTION TO INFORMATION SYSTEMS AUDITING

https://ecampusontario.pressbooks.pub/auditinginformationsystems/chapter/0101/

https://iibf.org.in/documents/ceisb-module2.pdf

https://community.mis.temple.edu/mis5201sec001sp2017/files/2017/03/IS-Auditing-Tools-and-Techniques-Creating-Audit-Programs.pdf

Briefly reflect on the following before we begin:

• What is the primary purpose of Information Systems (IS) Auditing?
• Why is it crucial for IS Auditors to understand the objectives and goals of their audit work?
• What potential challenges might IS Auditors face when working within legal and regulatory
frameworks, and how can these challenges be mitigated?

An Introduction to Information Systems (IS) Auditing

Information Systems (IS) Auditing is a specialized branch of Auditing. It focuses on assessing
the controls and processes around Information Technology (IT) systems.

Information Systems (IS) are defined as the combination of strategic, managerial, and
operational activities involved in gathering, processing, storing, distributing, and using
information and its related technologies.

Information Systems are distinct from Information Technology (IT) in that an information
system has an IT component that interacts with the process components.

IT is defined as the hardware, software, communication, and other facilities used to input, store,
process, transmit and output data in whatever form.

Therefore, the terms “IS” and “IT” will be used throughout this textbook according to these
definitions.

At its core, IS Auditing involves examining and evaluating an organization's information system,
its management, related operations, and processes.

This encompasses the assessment of data integrity, system security, and IT governance to ensure
the organization's data and assets are safeguarded.

In the early days of computing, Auditors focused on batch processing systems. They were
concerned with physical controls over data entry and output.

As technology evolved, so did the role of IS Auditors.

Over time, IS Auditors began assessing more complex, connected, integrated, and real-time
computer systems, including networked and cloud-based applications.

Also, IS Auditing was initially considered an extension of traditional financial Auditing, focused
on verifying computer-processed financial data’s accuracy, completeness, and reliability.

As the role of technology continued to increase in augmenting business operations, the scope of
IS auditing broadened.

These days, IS Auditors assess the effectiveness and security of the entire IT infrastructure and
proactively assess how various components of Information Systems facilitate the achievement of
the organization’s objectives.

The role of an IS Auditor has become increasingly strategic. They are both watchdogs and
advisers, providing insights on technology trends, risks, and controls. This helps organizations
leverage technology for competitive advantage while managing risks.

IS Auditing plays a critical role in corporate governance. It provides assurance that IS supports
business objectives and complies with regulations.

IS Auditors work closely with IT departments, management, and external stakeholders. They
verify whether IT systems are reliable, secure, and efficient.

Another critical area of IS Auditing is risk assessment. Here IS Auditors analyze the likelihood
and impact of potential threats (internal and external) to the organization's IS in order to inform
management's decisions about IT investments and security measures.

Yet another critical area is compliance, where IS Auditors determine whether the organization’s
Information Systems comply with laws, regulations, and internal policies.

This includes data protection laws, industry regulations, and best practices. IS Auditors evaluate
existing controls, policies, and procedures and identify compliance gaps that could expose the
organization to significant penalties or operating restrictions.

Lastly, the significance of IS Auditing also extends to ethical considerations. In a world where
data is one of the most valuable commodities, facilitating its confidentiality, integrity, and
availability is not just a technical necessity but a moral, social, and professional obligation.

The Objectives and Goals of IS Auditing

A progressive IS Auditing function aligns with the organization's broader objective of ensuring
the integrity, confidentiality, and availability of its Information Systems. Guided by that
objective, IS Audit teams work toward the following goals:

• Reliability and Integrity of Information: IS Auditors assess whether information produced by
the systems is accurate, complete, and reliable since it is crucial for decision-making and
operational processes within an organization.
• Safeguarding of information assets: IS Auditors evaluate controls designed to protect
information assets from loss or damage, including assessing measures against unauthorized
access, data breaches, and cyber threats.
• Compliance with laws and regulations: IS Auditors review whether IT systems comply with
applicable laws, regulations, and contractual agreements to protect against legal penalties and
reputational damage.
• Operational effectiveness and Efficiency: IS Auditors examine whether IS is being used
effectively and efficiently to support business processes and identify ways to improve operations,
reduce costs, and enhance productivity.
• Data privacy and confidentiality: IS Auditors review how data is stored, accessed, and shared
to verify that sensitive information is adequately protected from unauthorized access or
disclosure.
• IS Risk Management: IS Auditors may support identifying, assessing, and monitoring risks
related to IT systems. In doing so, they can recommend measures to manage these risks to
acceptable levels and evaluate the potential for fraud and other illegal activities.
• System Security and Control: IS Auditors provide expert advice on designing and
implementing adequate IS controls to prevent, detect, and correct issues that could harm the
organization.
• Business Continuity and Disaster Preparedness: IS Auditors evaluate disaster recovery and
business continuity plans to verify that these plans are robust and can be effectively executed in
case of significant disruptions.
• Facilitating Communication among Stakeholders: IS Auditors act as a bridge between
technical staff, management, and external parties to facilitate clear communication regarding the
status, risks, and needs of IT systems.
• Promoting an understanding of IT risks and controls throughout the organization: IS
Auditors actively lead initiatives to educate the front-line staff and management on the
importance of governance of enterprise IT to foster a culture of risk awareness and compliance.

IS Auditors aim to accomplish these goals by diligently, effectively, and systematically
performing the following primary tasks.

Five Steps of IS Auditing

1. Execute a risk-based IS audit strategy in compliance with the auditing standards.
2. Plan specific audits to determine whether IS are protected and controlled and provide value to
the organization.
3. Conduct audits in accordance with auditing standards to achieve planned audit objectives.
4. Communicate audit results and offer recommendations through meetings and audit reports to
promote change as necessary.
5. Follow up to determine whether audit findings are remediated in a timely manner.

The Legal and Regulatory Framework for IS Auditing

The legal and regulatory framework for IS Auditing provides the guidelines and constraints
within which IS Auditors are expected to conduct their assurance and consulting activities
legally, ethically, and effectively. Several facets of this framework shape IS Auditors' practices.

Most importantly, ethical guidelines provided by professional bodies such as ISACA
(Information Systems Audit and Control Association) form the bedrock upon which IS Auditors
set the standards for professional conduct and integrity in their assurance and consulting
engagements.

Next, data protection and privacy laws, such as the General Data Protection Regulation (GDPR)
in the European Union and various data protection acts globally, set standards for handling
personal data.

In the context of these laws, IS Auditors are expected to support all relevant organizational
initiatives to demonstrate compliance with these laws, protecting sensitive information from
misuse and unauthorized access.

Another crucial aspect is industry-specific regulations and standards. For instance, the Health
Insurance Portability and Accountability Act (HIPAA) in the healthcare sector, or the Payment
Card Industry Data Security Standard (PCI DSS) for any organization that stores, processes, or
transmits payment card data, impose specific requirements. IS Auditors are expected to maintain
familiarity with these industry standards and competence in assessing organizational compliance
accordingly.

Corporate governance regulations also play a significant role as they require organizations to
implement and report on internal controls over financial reporting, many of which are IT-related.

With the rise of cyber threats, regulatory bodies across the globe are enacting laws to ensure
organizations protect against, respond to, and report cyber incidents.

Intellectual property laws are also relevant, especially in industries where software and digital
innovation are essential. Furthermore, international standards and frameworks guide IS Auditing
practices.

Standards such as ISO/IEC 27001 specify the requirements for establishing, operating, and
continually improving an information security management system (ISMS), and an organization's
certification against such a standard is itself a form of independent assurance that IS Auditors
can rely on or test.

Collectively, these regulations are critical input into the IS Auditors' multi-year risk-based
audit plan, and the risk of non-compliance with them is given due consideration within the
operational and financial statement support audit programs.

The legal framework also includes contractual obligations and service level agreements (SLAs).
Organizations often enter into agreements with third-party service providers or vendors.

Occasionally, IS Auditors review these agreements to assess compliance and the risks associated
with third-party engagements. In addition to external laws and regulations, internal policies and
procedures form part of the regulatory framework.

Organizations establish their IT governance policies, which IS Auditors review for completeness,
relevance, and enforcement.

The legal and regulatory framework is dynamic and evolves with technological advancements
and emerging risks. IS Auditors are expected to stay informed about new laws, regulations, and
standards and continually adapt their audit practices to remain compliant and effective.

In the Spotlight
For additional context on the increasingly important role of IS Auditing, please read the article
titled "The Evolution of Information Systems Audit".

Sayana, A. (2022). The evolution of information systems audit. ISACA Journal, 2022(1).
https://www.isaca.org/resources/isaca-journal/issues/2022/volume-1/the-evolution-of-information-systems-audit
