IS Audits and Internal Controls
3
IS Audit and Internal Controls Implementation and continuous review of effectiveness of Internal Controls has always been a challenge for enterprises. Internal Controls can be compared to the chassis of a vehicle - without the chassis, the engine is rendered useless. Internal Controls are most needed in a corporate environment to prevent fraud incidence and to manage risk of loss to assets and profits. In recent years, enterprises have become more enterprising and competitive and along with help of technology, they have succeeded in increasing their size of services, produces and presence. Enterprises are now having their locations all over the world. Thus the need of having correct Internal Controls is more than ever. A CA provided the following services until the effect of technology struck business. As a professional, he used to provide services such as Audit, Tax, Company Matters, Legal Compliances, and Accounting etc. Specifically as an Audit Professional, he used to render services of conducting audit engagements such as Statutory Audit, Tax Audits (both Direct and Indirect Taxes), Special Audits (as prescribed under various Acts), Bank Audits, and Internal Audits etc. There is a paradigm shift in the expectations from Chartered Accountants in the new scenario. A CA as an audit professional can provide more services that relate to technology such as IS Audits, Implementation of ERP and GRC (Governance, Risk Management and Compliance), Design of Access and Process Controls, Forensic Audits etc. A CA is expected to know and review implementation of new regulations and standards like The Sarbanes – Oxley Act of 2002 – Section 302 and 404, The Companies Act 2013 – Section 134 and 143, Clause 49 of SEBI’s Listing Agreement, Privacy Acts of various Countries and Standards like ISO 27000 Family, ISO 22301, BSI (British Standards Institute) Standards, and PAS (Public Available Standards) Standards etc., not forgetting Frameworks like COBIT 5 (Control Objectives for Information and Related Technology) and COSO (Committee of Sponsoring Organizations) Framework for Internal Controls. One such greenfield service is the engagement of conducting IS Audits or Information Systems Audit. An IS Audit is related to Internal Audit. Internal Controls that are present in the enterprise are completely relevant while conducting an IS Audit. These are some keywords that would be repeating in this study and is important to understand them. 1. Control: It literally means Internal Controls that is present in a business environment. It can be IT Controls or non IT Controls. 2. Risk: It is the rate at which there is a threat to the business which has arisen from a specific happening/non happening. 3. Process: A set of tasks make a work flow. A set of work flows make a process. A process is controlled by a “Process owner” or “Function head”. E.g. HR Process, Procurement Process. Internal Control simply means “Policies framed by the management in order to have stronger and adequate control of affairs within the enterprise, and which can be checked by the Internal or Statutory Auditor in order to ensure that the goals and objectives of the enterprise are duly met”. They are practices and processes enforced on the employees of an enterprise to prevent fraud and to maintain integrity of the data. Internal Controls is said to be a sum of General Controls and IS Controls. IS controls is said to be a sum of IT Application Controls and IT General Controls. General Controls refers to Internal controls that are not enforced through the IT System unlike the IS Controls. IS Controls are controls that are present on the enterprise’s IT Infrastructure. IT Infrastructure includes hardware and software. IT Application Controls: They vary depending on the applications that have been installed by the enterprise for its revenue generation. Application software is the software that processes business transactions. The Application software could be a retail banking system, an Inventory system or possibly an integrated ERP. Controls which relate to business applications leading to judicial use of the application and enforced through the application itself to the end user are called IT Application Controls. IT Application Controls can be broadly classified into five categories: 1. Input Controls: Controls that are enforced during the input of data by a user. E.g. Data Checks and validations.
-
Upload
bharath-rao -
Category
Business
-
view
123 -
download
1
Transcript of IS Audits and Internal Controls
IS Audit and Internal Controls
Implementation and continuous review of effectiveness of Internal Controls has always been a challenge for
enterprises. Internal Controls can be compared to the chassis of a vehicle - without the chassis, the engine is rendered
useless. Internal Controls are most needed in a corporate environment to prevent fraud incidence and to manage risk
of loss to assets and profits. In recent years, enterprises have become more enterprising and competitive and along
with help of technology, they have succeeded in increasing their size of services, produces and presence. Enterprises
are now having their locations all over the world. Thus the need of having correct Internal Controls is more than ever.
A CA provided the following services until the effect of technology struck business. As a professional, he used to
provide services such as Audit, Tax, Company Matters, Legal Compliances, and Accounting etc. Specifically as an Audit
Professional, he used to render services of conducting audit engagements such as Statutory Audit, Tax Audits (both
Direct and Indirect Taxes), Special Audits (as prescribed under various Acts), Bank Audits, and Internal Audits etc. There is a paradigm shift in the expectations from Chartered Accountants in the new scenario.
A CA as an audit professional can provide more services that relate to technology such as IS Audits, Implementation
of ERP and GRC (Governance, Risk Management and Compliance), Design of Access and Process Controls, Forensic Audits etc.
A CA is expected to know and review implementation of new regulations and standards like The Sarbanes – Oxley
Act of 2002 – Section 302 and 404, The Companies Act 2013 – Section 134 and 143, Clause 49 of SEBI’s Listing
Agreement, Privacy Acts of various Countries and Standards like ISO 27000 Family, ISO 22301, BSI (British Standards
Institute) Standards, and PAS (Public Available Standards) Standards etc., not forgetting Frameworks like COBIT 5
(Control Objectives for Information and Related Technology) and COSO (Committee of Sponsoring Organizations) Framework for Internal Controls.
One such greenfield service is the engagement of conducting IS Audits or Information Systems Audit. An IS Audit is
related to Internal Audit. Internal Controls that are present in the enterprise are completely relevant while conducting
an IS Audit.
These are some keywords that would be repeating in this study and is important to understand them.
1. Control: It literally means Internal Controls that is present in a business environment. It can be IT Controls or
non IT Controls.
2. Risk: It is the rate at which there is a threat to the business which has arisen from a specific happening/non
happening.
3. Process: A set of tasks make a work flow. A set of work flows make a process. A process is controlled by a “Process owner” or “Function head”. E.g. HR Process, Procurement Process .
Internal Control simply means “Policies framed by the management in order to have stronger and adequate control
of affairs within the enterprise, and which can be checked by the Internal or Statutory Auditor in order to ensure that
the goals and objectives of the enterprise are duly met”. They are practices and processes enforced on the employees of an enterprise to prevent fraud and to maintain integrity of the data.
Internal Controls is said to be a sum of General Controls and IS Controls. IS controls is said to be a sum of IT Application
Controls and IT General Controls. General Controls refers to Internal controls that are not enforced through the IT
System unlike the IS Controls. IS Controls are controls that are present on the enterprise’s IT Infrastructure. IT Infrastructure includes hardware and software.
IT Application Controls: They vary depending on the applications that have been installed by the enterprise for its
revenue generation. Application software is the software that processes business transactions. The Application
software could be a retail banking system, an Inventory system or possibly an integrated ERP. Controls which relate to
business applications leading to judicial use of the application and enforced through the application itself to the end user are called IT Application Controls. IT Application Controls can be broadly classified into five categories:
1. Input Controls: Controls that are enforced during the input of data by a user. E.g. Data Checks and validations.
2. Processing Controls: Controls that are enforced during the processing of data that have been input. E.g.
duplicate checks, File Identifications and Validations etc.
3. Output Controls: Controls that are enforced during display of output of the processed data. E.g. Update
Authorizations etc.
4. Integrity Controls: These controls are used to preserve the genuineness and accuracy of data. E.g. Data
Encryption, Input Validations etc. These controls can be enforced during input and processing and storage of
data.
5. Management Trails: These controls are for the management to find out the audit trail of a transaction. E.g.
Time stamps and snapshots of application.
IT General Controls: They may also be referred as General Computer controls. These are controls other than IT
Application Controls, which relate to the environment within which computer-based application systems are
developed, maintained and operated and are therefore applicable to all applications These are policies and procedures
that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.
IT General Controls can be broadly classified into the following areas:
1. Physical Access Controls: These controls are enforced at protecting the physical locations of the IT
Infrastructure. E.g. Security Personnel, Physical Locks, Bio Metric Locks, CCTV etc.
2. Data Center Controls: These controls are enforced specifically at the data centers of an enterprise. A data
center is treated as an extremely sensitive area and thus a higher risk would be present. E.g. Biometric Locks,
Presence of Server Racks, Presence of Air Conditioners, Fire Extinguishers, Weather Controls, Log Register of
people etc.
3. IS Security: These controls are enforced at every level of IT Infrastructure. The objectives of these controls are
protection of Information Assets. The CIA triad is enforced i.e. Confidentiality, Integrity and Availability of Data
and information security is maintained. E.g. Firewall, Antivirus, Anti Spyware, Timely updating of software and
antivirus updates and patches etc.
4. System Development Life Cycle and Change Management Controls: These controls are enforced to ensure that
the correct process of software development/procurement and release management is followed. E.g.
Documented Process for procuring software, Documented Process of incorporating changes to the acquired
software etc.
5. Logical Controls: These are controls which provide access restrictions to the employees who use the IT
Infrastructure. The motive of these controls is to protect the identities of the employees and to prevent
misuse. E.g. User Account Passwords, Access Removal upon termination, screen locks etc.
6. Backup and Recovery: These controls are present to ensure proper backup and recovery processes of the data
of the organization. E.g. Daily Backup of data and environment (OS), Restoration Practice trial etc.
7. End user computing: These controls are enforced directly on the employees. These controls are enforced with
an objective of prevention of IT Infrastructure Abuse by the employees. E.g. Logging of user activity and
Review, Disabling of USB Ports etc.
An IS Audit is performed to provide assurance that all of the above mentioned controls are adequate and satisfactory
to the nature of the enterprise and effectively operational in the functions of the enterprise. An IS Audit is typically
divided into two sections i.e. Review of IT Application Controls (ITAC) and Review of IT General Controls (ITGC). An IS
Audit would have the following process:-
An IS Auditor would begin his audit engagement by having conversation with the IT Administrator/CIO of an
enterprise. The IS auditor would review all the documented policies and processes that are being enforced
within the organization. Documented policies would include a IS Security Policy, Bring Your Own Device Policy
(BYOD), Password Policy, BCP etc. The IS Auditor would be gaining an understanding of the overall level of the
Internal Controls.
An IS Auditor would then gain an understanding of the applications that have been implemented in the IT
Infrastructure. It would be a base for him to decide the plan of action of the Audit.
The next step would be to collect a list of all the types of logs that can be generated by the applications.
After collecting the above information, the auditor the auditor identifies the risks that are applicable for the
enterprise. The approach that would be followed is to create a matrix for each application and area (for ITAC
and ITGC respectively) and would identify the controls that are enforced in the enterprise. All the identification
and Review of controls would be performed by sampling, observations or any other method.
Testing of Design Effectiveness and testing of operating effectiveness would be performed by the IS Auditor
on every identified control. Testing of Design Effectiveness refers to the working design of the control as
documented. It is a blue print of the control. Testing of Operating Effectiveness refers to actual performance
of the Control in the IT Environment.
It is important for the IS Auditor to collect sufficient evidence while identifying the controls. Evidence s can be
in the form of Screenshots, Email threads, Scanned documents, photographs, Minutes of Meetings etc.
A Risk Rating exercise is then performed to the identified controls to see whether the identified control is
sufficient to mitigate the identified risk.
Based on the Risk Ratings and the evidences collected, suitable recommendations would be suggested and accordingly an IS Audit report would be drafted and shared to the enterprise.
Thus the ultimate test of IT Internal Controls can be performed in an IS Audit. Based on the findings and
observations, an IS Auditor would be able to provide sufficient assurance whether the incorporated controls are
adequate or not to the nature and size of the IT Infrastructure of the enterprise.
![ENVIRONMENTAL REPORT 2010 · 2012-02-19 · Progress Toward ISO 14001 Certification Environmental Audits [Internal Environmental Audits] Internal environmental audits are conducted](https://static.fdocuments.in/doc/165x107/5f695965099288505f615353/environmental-report-2010-2012-02-19-progress-toward-iso-14001-certification-environmental.jpg)
