Information Systems Auditing
Information Systems Auditing (IS Auditing) is a critical process that evaluates the management controls within information systems to ensure their security, integrity, and effective use. This auditing encompasses various types, including development, application, operations, management, and technology audits, each focusing on specific aspects of information systems and their operations. The audits aim to provide reasonable assurance that security standards are designed and implemented correctly.
One widely recognized framework used during these audits is the Control Objectives for Information and Related Technologies (COBIT), which offers best practices for IS management and auditing. Findings from IS audits can reveal significant vulnerabilities, such as inadequate access controls and weak application software development processes, highlighting risks like potential fraud and data breaches. In the context of government agencies, audits conducted by organizations like the Government Accountability Office (GAO) have illustrated systemic weaknesses, stressing the importance of continuous monitoring and adherence to established standards.
Furthermore, ethical guidelines established by organizations such as the Information Systems Audit and Control Association (ISACA) help ensure auditors maintain integrity and professionalism throughout the auditing process. As organizations grow and technology becomes more complex, the need for robust IS auditing practices is increasingly recognized as vital for safeguarding sensitive information and ensuring compliance with regulatory requirements.
This article examines the purposes of information systems (IS) auditing, the methods that are used to perform IS audits, and the types of findings that IS auditors include in audit reports. The article explains the five different types of audits performed on information systems: development, application, computer operations, management, and technology. Control Objectives for Information and related Technology (COBIT) are explained and the use of COBIT in the audit process is examined. To illustrate the types of findings that IS auditors present to audit sponsors, the results of a Government Accountability Office (GAO) audit of multiple U.S. Government agencies are presented. The development and dissemination of the IS Auditing Standards by the Information Systems Audit and Control Association (ISACA) are reviewed along with the IS auditor's code of ethics.
Keywords: Access Controls; Application Reviews; Application Software Development and Change Controls; Control Objectives for Information and related Technology (COBIT); Development Audit; Information Systems Auditing; IT Governance; Management Audits; Operations Audit; Segregation of Duties; Service Continuity Controls; System Software Controls; Technology Audits
Overview
The function of an information systems (IS) audit is to review management controls applicable to the security, integrity, reliability, and the effective utilization of information systems. An IS audit of an existing application or system often includes tests of transactions and outputs in order to provide reasonable assurance that security standards and controls are properly designed and implemented (Morris & Pushkin, 1995). There are several types of audits performed on information systems including:
- During a development audit, system designers and auditors work together to ensure that the application being developed has adequate controls and security.
- An application review is a process in which auditors, often with assistance from designers, verify that adequate controls exist to assure proper levels of security.
- An operations audit focuses on the information system's operations environment to assess the overall control of the environment.
- A management audit concentrates on the management practices of an IS organization and is designed to assess how well controls of the IS environment are designed, implemented, and monitored.
- A technology audit is designed to review a specific technology used in the processing of business data in order to assess how well information systems controls are implemented for the technology.
Development Audits
During a development audit, auditors participate in projects before and during implementation to ensure that adequate controls and security are built into the system. There are two steps in the development audit. The first round of work is done before an application program is put into use in an organization (pre-implementation). The second round of work is done after the application program is in use (post-implementation). The first round examines security plans and documentation, among other things. The second round examines the conversion of data from old systems to new systems and checks for integrity and validity. Weaknesses identified in either phase of the audit are reported to the managers responsible for the application program ("IS Auditing Guideline," 2001).
Application Reviews
An application review is designed to "ensure that controls exist to provide a reasonable assurance that transactions are complete, valid, recorded accurately, and in a timely manner." Many auditors use computer assisted audit techniques (CAATs) to perform a reconciliation of control totals, review outputs of the application, or perform a review of the logic, parameters or other characteristics of the application. There are several CAATs available for use by auditors ("IS auditing guideline," 1998). Audit Expert Systems "can be used to assist IS auditors in the decision-making process by automating the knowledge of experts in the field. This technique includes automated risk analysis, system software, and control objectives software packages" ("IT Standards, Guideline and Tools," 2009).
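The reconciliation of control totals mentioned above can be sketched as a small CAAT. This is an added example, not code from the cited ISACA guideline; the record layout, the use of a hash total over account numbers, and all sample transactions are assumptions constructed for illustration.

```python
"""Added example: a minimal CAAT that reconciles batch control totals.

All records below are constructed sample data.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: int
    amount: Decimal


def control_totals(txns):
    """Record count, financial total, and hash total (sum of account numbers)."""
    return {
        "record_count": len(txns),
        "amount_total": sum((t.amount for t in txns), Decimal("0")),
        "hash_total": sum(t.account for t in txns),
    }


def reconcile(submitted, posted):
    """Compare what was submitted with what the application posted.

    Returns (total_breaks, exceptions):
      total_breaks maps each mismatching control total to (expected, actual);
      exceptions lists record-level findings as (kind, txn_id).
    """
    expected, actual = control_totals(submitted), control_totals(posted)
    total_breaks = {
        name: (expected[name], actual[name])
        for name in expected
        if expected[name] != actual[name]
    }

    # Drill down to individual records so each break can be explained.
    by_id = {t.txn_id: t for t in submitted}
    exceptions, seen = [], set()
    for t in posted:
        if t.txn_id in seen:
            exceptions.append(("duplicate", t.txn_id))   # posted twice
            continue
        seen.add(t.txn_id)
        source = by_id.get(t.txn_id)
        if source is None:
            exceptions.append(("unexpected", t.txn_id))  # never submitted
        elif source != t:
            exceptions.append(("altered", t.txn_id))     # account or amount changed
    exceptions += [("missing", i) for i in by_id if i not in seen]
    return total_breaks, exceptions


# Constructed input batch.
SUBMITTED = [
    Txn("T1", 1001, Decimal("250.00")),
    Txn("T2", 1002, Decimal("75.50")),
    Txn("T3", 1003, Decimal("1200.00")),
    Txn("T4", 1004, Decimal("40.25")),
]

# Constructed application output: T2 posted twice, T3 amount transposed,
# T4 dropped. The record count still agrees (4 vs 4), so a count check
# alone would pass; the amount and hash totals expose the problem.
POSTED = [
    Txn("T1", 1001, Decimal("250.00")),
    Txn("T2", 1002, Decimal("75.50")),
    Txn("T2", 1002, Decimal("75.50")),
    Txn("T3", 1003, Decimal("2100.00")),
]

if __name__ == "__main__":
    breaks, findings = reconcile(SUBMITTED, POSTED)
    for name, (exp, act) in breaks.items():
        print(f"control total break: {name} expected={exp} actual={act}")
    for kind, txn_id in findings:
        print(f"exception: {kind} {txn_id}")
```
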
Operations Audits
An operations audit focuses on an information system's operations environment in order to assess the overall control of the environment. Auditors examine operations policies and procedures for adequacy and compliance with appropriate laws, regulations or standards. A review of implemented policies and procedures is conducted to assure that all the resources required for implementation are available and in place. Auditors also test to determine if personnel consistently follow policies and procedures.
Management Audits
A management audit concentrates on the management practices of an IS organization and is designed to assess how controls of the systems environment are implemented and monitored. Auditors can use a variety of approaches when examining IS management practices and many rely on the IT Governance Institute's (ITGI) Control Objectives for Information and related Technology (COBIT) as a guide to widely adopted best practices. The COBIT framework has been structured into 34 IT processes clustering interrelated life cycle activities or interrelated discrete tasks. IS management audits based on the COBIT IT Assurance Guide minimize the impact of opinions dominating audit conclusions. COBIT is based on numerous standards and best practices documents that were published by standards organizations around the world including Europe, Canada, Australia, Japan and the United States ("COBIT Mapping," 2007).
Technology Audits
A technology audit is designed to review a specific technology used in the processing of business data in order to assess how well an information system's controls are implemented for the technology. This could include specific types or models of file servers, security tools, or network equipment. Auditors examine how the technology is used, deployed, and configured to determine if appropriate standards and practices are applied for the environment.
Applications
What IS Auditors Find From an Audit
One of the largest IS auditing organizations in the world is the U.S. Government Accountability Office (GAO), which is an independent, nonpartisan agency that works for Congress. The GAO is often called the "congressional watchdog" because it investigates how the federal government spends taxpayer dollars. The GAO gathers information to help Congress determine how well executive branch agencies are doing their jobs. The GAO supports the United States Congress' oversight of government agencies by:
- Performing evaluations of government agencies and programs to determine how well they are working.
- Performing audits of government agency operations to determine if federal funds are being spent properly.
- Performing investigations of alleged illegal or improper activities of government agencies.
- Researching, developing, and issuing opinions and decisions on legal matters.
Fraud Susceptibility
The GAO has been conducting IS audits of United States government agency information systems for decades. The findings of a GAO audit provide examples and insight into what IS auditors may find during an audit. In one multiple-agency audit, the GAO found that the weaknesses the audit revealed increased the risks to which many federal government operations are exposed, including potential fraud, intentional as well as unintentional misuse, and possible disruption from a wide array of events. The Department of the Treasury, for example, was vulnerable to fraud, and the hundreds of billions of dollars that the federal government pays and collects each month could easily be jeopardized. The audits also showed that as the Department of Defense relied on more and more computer systems, there was a corresponding increase in the vulnerability of several military functions that support the war-fighting capability of the United States and its allies ("Serious and widespread weaknesses," 2000).
Access to Information
The GAO audits further indicated that the information security weaknesses that were found during the audits of federal agencies put vast amounts of very confidential data at risk. This included personal and tax data as well as proprietary business information. One very serious case was in 1999, when a Social Security Administration employee gained unauthorized access to computer systems that held the files of social security recipients. The employee used this unauthorized access to obtain information and make inappropriate disclosures.
In numerous cases the GAO audits showed that federal agencies had very weak computer security controls in place on a wide range of computer systems and applications software. Some audit findings were very basic and showed that several aspects of security planning and implementation were inadequate. Additional audit findings addressed complex security problems, including ineffective physical and logical access controls as well as ineffective software change controls.
Access controls were evaluated at all 24 of the agencies covered in this particular audit, and significant weaknesses were reported. The GAO found that agencies had not implemented effective user account and password management practices to reduce the risk that accounts could be used to gain unauthorized system access. One problem that auditors encountered on a widespread basis was very poor control over user accounts on computer systems: many accounts were still active even though the person holding the account no longer worked at the agency. Numerous contractors and former employees still had access to computers and could still read, modify, copy, or delete data ("Serious and widespread weaknesses," 2000).
Application Software Development & Change Controls
The GAO identified weaknesses in application software development and change controls in 19 of the 21 agencies where such controls were evaluated. Problems found during the audits included undisciplined testing procedures that could not ensure that software used by the agencies operated as intended. In some agencies, auditors found that the policies and procedures designed to protect the agency's software program libraries were not adequate to address that important security need ("Serious and widespread weaknesses," 2000).
Segregation of Duties
Segregation of duties is important to maintain security in both the private and public sector. Jobs and functions in managing computer systems are generally designed in a manner that keeps employees from having end-to-end control over a process involving financial management. Auditors found many weaknesses in how agencies were managing segregation of duties. One of the most common issues the auditors encountered was that computer programmers and operators were authorized to perform a wide scope of tasks and responsibilities. The auditors contended that under this job structure the computer programmers and operators could independently modify, circumvent, and disable system security features. Auditors pointed out cases where staff with procurement responsibilities had system access privileges that enabled them to personally request, approve, and record the receipt of purchased items. This enabled those staff to purchase equipment and process paperwork without anybody else knowing it, and could result in theft or misappropriation of equipment and supplies ("Serious and widespread weaknesses," 2000).
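Two of the findings above, accounts left active after the holder departed and single individuals holding an end-to-end set of duties, lend themselves to automated checks. The following is an added example, not a GAO or ISACA tool; the HR roster format, the account fields, the duty names and the two conflict rules are assumptions, and all data is constructed.

```python
"""Added example: audit checks for orphaned accounts and segregation of duties.

Roster, accounts, duty names and rules are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str        # person the account was issued to
    enabled: bool
    duties: frozenset    # duties the account is entitled to perform


# Assumed conflict rules: nobody should hold every duty in a rule.
SOD_RULES = {
    "procurement end-to-end": frozenset(
        {"request_purchase", "approve_purchase", "record_receipt"}),
    "programmer controls security": frozenset(
        {"change_program_code", "change_security_settings"}),
}


def orphaned_accounts(accounts, roster):
    """Enabled accounts whose owner has left or is unknown to HR."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        status = roster.get(acct.owner_id)
        if status is None:
            findings.append((acct.username, "owner not in HR roster"))
        elif status != "active":
            findings.append((acct.username, f"owner status: {status}"))
    return findings


def sod_conflicts(accounts, rules=SOD_RULES):
    """People whose combined duties satisfy a conflict rule.

    Duties are aggregated per person across all of that person's enabled
    accounts, because a conflict split over two accounts is invisible
    when each account is reviewed on its own.
    """
    duties_by_owner = {}
    for acct in accounts:
        if acct.enabled:
            duties_by_owner.setdefault(acct.owner_id, set()).update(acct.duties)
    return sorted(
        (owner, name)
        for owner, duties in duties_by_owner.items()
        for name, rule in rules.items()
        if rule <= duties
    )


# Constructed HR roster: person id -> employment status.
HR_ROSTER = {
    "E100": "active",
    "E101": "active",
    "E102": "separated",
    "E103": "active",
    "C200": "contract_ended",
}

# Constructed account export.
ACCOUNTS = [
    Account("jdoe", "E100", True, frozenset({"request_purchase"})),
    Account("jdoe_adm", "E100", True,
            frozenset({"approve_purchase", "record_receipt"})),
    Account("asmith", "E101", True,
            frozenset({"change_program_code", "change_security_settings"})),
    Account("bjones", "E102", True, frozenset({"request_purchase"})),
    Account("bjones_old", "E102", False, frozenset({"approve_purchase"})),
    Account("vendor1", "C200", True, frozenset({"record_receipt"})),
    Account("svc_batch", "UNASSIGNED", True, frozenset()),
    Account("mlee", "E103", True, frozenset({"approve_purchase"})),
]

if __name__ == "__main__":
    for username, reason in orphaned_accounts(ACCOUNTS, HR_ROSTER):
        print(f"orphaned account: {username} ({reason})")
    for owner, rule in sod_conflicts(ACCOUNTS):
        print(f"segregation of duties conflict: {owner} ({rule})")
```
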
Operating System Software Controls
Auditors found problems with operating system software controls in most of the agencies. The most typical problem was that access to computer systems and operating systems was not restricted in a manner that could keep computer staff from disabling or circumventing controls. This included the ability to change data in the system audit log. Auditors contended that this lack of control could allow computer personnel to perform a variety of inappropriate and unauthorized actions. If staff did something to systems that they wanted to hide, they could delete the related segments of the audit log, which would make their actions very difficult to detect ("Serious and widespread weaknesses," 2000).
Service Continuity Controls
Auditors also examined service continuity controls and found the controls to be inadequate in most agencies. The auditors typically found that service continuity plans were often incomplete and could not be used to ensure continuity. The element missing from most plans was a complete and up-to-date inventory of operations and supporting resources, and priorities were not properly set for the recovery of systems and data. In addition, the auditors found that disaster recovery plans had not been tested, and thus computer staff in the agencies had not gone through the proper steps to identify the weaknesses in the plans.
The auditors concluded that there was a wide variety of causes for the weakness of the security and control procedures and processes in the agencies. However, the root of these problems was that the agencies were not adhering to existing security program management standards and techniques. The ongoing trends may also show that government agencies do not have an adequate program of internal IS auditing procedures in place. Ongoing IS audits are a means of detecting problems and supporting continuous process improvement ("Serious and widespread weaknesses," 2000).
Issues
Setting Standards for Auditing
As corporations grow in both size and value, investors and investment advisors rely heavily on the reliability of financial and operational information provided by companies. Because of public investment and public trust, it is also important that not-for-profits, nongovernment organizations, and government agencies have reliable financial and operational disclosure. The audit process is one way to help assure the accuracy of the information that corporate managers, investors, policy makers, and regulators rely upon in their decision-making processes (Janvrin & Jeffrey, 2007).
Globalization has led to more complex corporate structures that face more complex accounting challenges and thus more complex audit challenges. The need for international auditing standards is now more important because the health of global corporations is more important to the economic well-being of most nations. The frequency of international investment is also on the rise, and thus the use of a common set of international auditing standards can provide clear benefits to investors, regulators, and audit firms. To help achieve stronger international standards for auditing, the International Auditing and Assurance Standards Board (IAASB) was founded as a standard-setting body designated by, and operating under the auspices of, the International Federation of Accountants ("IFAC History," 2007).
Information Systems Audit & Control Association
IS auditing requires both knowledge of audit methods as well as an in-depth understanding of information technology, applications software, and the processes by which both are managed in an organization. There must also be a common set of standards and methods applied to IS audits and the Information Systems Audit and Control Association (ISACA) has taken on the role of developing and advancing globally applicable IS audit standards.
The standards developed or recommended by ISACA provide a baseline of mandatory requirements for IS auditing and reporting. These standards and practices are the minimum level of audit performance that is required to meet the professional responsibilities documented in the ISACA Code of Professional Ethics. The standards also communicate to corporate managers, and to the business and government world in general, how professional IS auditors conduct audit work. The various IS auditing procedures documented by ISACA give auditors and others very detailed information on how an organization and individuals can be in compliance with the body of IS auditing standards ("IFAC History," 2007). As corporate governance becomes more complex, the ISACA audit standards and the ISACA Code of Professional Ethics provide boards of directors with a critical tool to examine and mitigate the risk to which their organization is exposed (Holm & Laursen, 2007).
COBIT
COBIT has become widely accepted around the world as a set of detailed control techniques for the IS management environment. It is used by IS managers as well as IS auditors as a framework for both IS management and IS auditing (Violino, 2006). The framework and techniques provided by COBIT are used as a baseline in information security and management and encompass a wide variety of best practices and standards from several countries (Ali Pabrai, 2005). The COBIT framework is divided into several sections which are aligned with the IT management process. These are control objectives and control practices, and management guidelines. The management guidelines provide metrics that allow auditors and managers alike to assess the performance of IS in business terms and help to identify control gaps and strategies for improvement ("COBIT Mapping," 2007; Lainhart IV, 2001).
Engagement Letters & Charter Audits
IS auditors may be required to perform audits of information systems that are designed and governed by varying standards. The applicable standards will be determined by the type of organization being audited and may be different for publicly traded companies, government agencies, nongovernment organizations, or even for privately held companies (O'Donnell & Rechtman, 2005).
An IS auditor generally works with the guidance of an engagement letter or audit charter. These documents set out the scope of an audit and provide high-level statements of what the audit team will examine during the audit process. The engagement letter, or scope of audit, is most often mutually agreed upon by the auditors and the parties responsible for the information systems being audited. The charter provides the authority for the IS audit and gives auditors access to appropriate information and resources to effectively and efficiently complete the audit. IS auditors also retain the working files, documents and audit evidence obtained during the course of the audit and can use the material as the basis of reference in case of any issues or contradictions.
Auditor Code of Conduct
Accountants, accounting firms, and auditors have faced considerable criticism during the last decade. There have been several crises of confidence as some of the world's largest companies have fallen under the weight of misrepresented financial statements and misunderstood risks. There were many warning signs that such a crisis was coming and that ethics were waning (Pearson, 1995). ISACA has been addressing the issue of ethics for IS auditing. The IS Auditing Guideline on Responsibility, Authority and Accountability from ISACA provides a basic outline of the acceptable code of conduct for IS auditors and the companies that employ them. Highlights from a long list of ethical standards include:
- Auditors should be honest and sincere in their approach to their audit work.
- Auditors should maintain an independent position and appearance from the firms they audit.
- Auditors should abide by their respective codes of professional ethics.
- Auditors should conduct all audits in accordance with appropriate standards and practices.
- Auditors should comply with all applicable regulatory and legal requirements in the situations where they conduct audits.
- Auditors should be adequately trained to conduct their audit assignments.
- All audit staff assigned to an IS audit should be appropriately supervised.
- Auditors should always collect and properly handle audit evidence that supports their conclusions.
- Auditors should always assure that their audit evidence is adequately and properly stored and is retrievable if required.
- Auditors should always respect the confidentiality of information obtained from clients.
- Auditors should not make misstatements or ambiguous statements.
- Auditors should always be honest about any instance where there is a loss of independence ("IS auditing guideline," 2005).
Conclusion
There are several different types of audits performed on information systems including development, application, computer operations, management, and technology audits. Auditors can use a variety of approaches when examining IS management practices and many rely on the IT Governance Institute's (ITGI) Control Objectives for Information and related Technology (COBIT) as a guide to widely adopted best practices. The COBIT framework has been structured into 34 IT processes clustering interrelated life cycle activities or interrelated discrete tasks. COBIT is based on numerous standards and best practices documents that were published by standards organizations around the world including Europe, Canada, Australia, Japan and the United States ("COBIT Mapping," 2007).
The GAO has been conducting IS audits of United States government agency information systems for several decades. The findings of a GAO audit provide examples and insight into what IS auditors may find during an audit. In one multiple agency audit, the GAO found that the weaknesses that the audit revealed increased the risks that many federal government operations are exposed to including potential fraud, intentional as well as unintentional misuse, and possible disruption from a wide array of events.
Globalization has led to more complex corporate structures that face more complex accounting challenges and thus more complex audit challenges. The need for international auditing standards is now more important because the health of global corporations is more important to the economic well-being of most nations. As corporations grow in both size and value, investors and investment advisors rely heavily on the reliability of financial and operational information provided by companies.
Terms & Concepts
Access Controls: Mechanisms or processes that limit or detect inappropriate or unauthorized access to computer applications or data.
Application Review: An audit process designed to evaluate whether appropriate controls are in place so that an application completely performs all steps in a program and those steps result in valid transactions.
Application Software Development and Change Controls: Mechanisms or processes that prevent unauthorized applications software programs or modifications to applications software from being implemented.
Development Audit: An audit process that is conducted while an application is under development or being implemented to ensure that adequate controls and security are built into the system, and that any concerns are addressed before the system is completed.
Management Audit: An audit process that concentrates on the management practices of an IS organization that is designed to assess how controls of the IS environment are implemented and monitored.
Operations Audit: An audit process that focuses on the information system's operations environment in order to assess the overall control of the environment.
Segregation of Duties: A process of splitting duties among IT and other staff that assures that one individual does not control all of the major aspects of a process or operation that would enable them to implement unauthorized activities or achieve unauthorized access to assets or records.
Service Continuity Controls: Mechanisms or processes that guide IT staff in implementing measures to maintain uninterrupted service and protect sensitive data during unexpected events such as natural disasters.
System Software Controls: Mechanisms or processes to limit and monitor access to applications programs or sensitive data related to computer systems operation.
Technology Audit: An audit process designed to review a specific technology used in the processing of business data in order to assess how well information system controls are implemented for the technology.
Bibliography
Ali Pabrai, U. (2005). The CobiT security baseline. Certification Magazine, 7, 28-29. Retrieved August 30, 2007, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=17325245&site=ehost-live
COBIT Mapping: Overview of international IT guidance, 2nd edition. (2007). Retrieved August 30, 2007, from Information Systems Audit and Control Association (ISACA). http://www.isaca.org/Content/ContentGroups/Research1/Deliverables/COBIT%5fMapping%5fOverview%5f2ndEd%5fResearch%5f1Aug07.pdf
Grabski, S. V., Leech, S. A., & Schmidt, P. J. (2011). A review of ERP research: A future agenda for accounting information systems. Journal of Information Systems, 25, 37-78. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=59414947&site=ehost-live
Holm, C., & Laursen, P. (2007). Risk and control developments in corporate governance: Changing the role of the external auditor? Corporate Governance: An International Review, 15, 322-333. Retrieved August 30, 2007, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=24361385&site=ehost-live
IFAC history in brief. (2007). Retrieved August 30, 2007, from The International Federation of Accountants. http://www.ifac.org/History/
IS Auditing Guideline Application Systems Review Document G14. (2001). Information Systems Audit and Control Association (ISACA). Retrieved August 30, 2007, from Information Systems Audit and Control Association (ISACA). http://www.isaca.org/AMTemplate.cfm?Section=Standards,%5fGuidelines,%5fProcedures%5ffor%5fIS%5fAuditing&Template=/ContentManagement/ContentDisplay.cfm&ContentID=45689
IS auditing guideline use of computer assisted audit techniques (CAATs) document G3. (1998). Information Systems Audit and Control Association (ISACA). Retrieved August 30, 2007, from Information Systems Audit and Control Association (ISACA). http://www.isaca.org/AMTemplate.cfm?Section=Standards,%5fGuidelines,%5fProcedures%5ffor%5fIS%5fAuditing&Template=/ContentManagement/ContentDisplay.cfm&ContentID=39261
IS auditing guideline responsibility, authority and accountability document G34. (2005). Information Systems Audit and Control Association (ISACA). Retrieved August 30, 2007, from Information Systems Audit and Control Association (ISACA). http://www.isaca.org/Template.cfm?Section=Home&Template=/ContentManagement/ContentDisplay.cfm&ContentID=22918
IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals. (2009). Information Systems Audit and Control Association (ISACA). Retrieved August 30, 2007, from Information Systems Audit and Control Association (ISACA). http://www.isaca.org/AMTemplate.cfm?Section=Standards2&Template=/ContentManagement/ContentDisplay.cfm&ContentID=52295
Janvrin, D., & Jeffrey, C. (2007, September). An Investigation of Auditor Perceptions about Subsequent Events and Factors That Influence This Audit Task. Accounting Horizons, 21, 295-312. Retrieved August 30, 2007, from Business Source Premier database. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=26452358&site=ehost-live
Lainhart IV, J. (2001). An IT assurance framework for the future. Ohio CPA Journal, 60, 19. Retrieved August 30, 2007, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=4191058&site=ehost-live
Morris, B., & Pushkin, A. (1995). Determinants of information systems audit involvement in EDI systems development. Journal of Information Systems, 9, 111-128. Retrieved September 5, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=9709053765&site=ehost-live
O'Donnell, J., & Rechtman, Y. (2005). Navigating the standards for information technology controls. CPA Journal, 75, 64-69. Retrieved August 30, 2007, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=17861447&site=ehost-live
Pearson, M. (1995). Doing the right thing. Journal of Accountancy, 179, 82-86. Retrieved August 30, 2007, from EBSCO online database, Business Source Premier. http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=9506220882&site=ehost-live
Serious and widespread weaknesses persist at federal agencies. (2000). United States General Accounting Office (GAO) Report to the Chairman, Subcommittee on Government Management, Information and Technology, Committee on Government Reform, House of Representatives. Retrieved August 30, 2007, from United States General Accounting Office (GAO). http://www.gao.gov/archive/2000/ai00295.pdf
Violino, B. (2006). Sorting the standards. Computerworld, 40, 46-47. Retrieved August 30, 2007, from EBSCO online database, Academic Search Complete. http://search.ebscohost.com/login.aspx?direct=true&db=a9h&AN=20544850&site=ehost-live
Wright, M., & Capps, I. J. (2012). Auditor independence and internal information systems audit quality. Business Studies Journal, 463-83. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=81151408&site=ehost-live