Information Systems Auditing
This article examines the purposes of information systems (IS) auditing, the methods that are used to perform IS audits, and the types of findings that IS auditors include in audit reports. The article explains the five different types of audits performed on information systems: development, application, computer operations, management, and technology. Control Objectives for Information and related Technology (COBIT) are explained and the use of COBIT in the audit process is examined. To illustrate the types of findings that IS auditors present to audit sponsors, the results of a Government Accountability Office (GAO) audit of multiple U.S. Government agencies are presented. The development and dissemination of the IS Auditing Standards by the Information Systems Audit and Control Association (ISACA) are reviewed along with the IS auditor's code of ethics.
Keywords: Access Controls; Application Reviews; Application Software Development and Change Controls; Control Objectives for Information and related Technology (COBIT); Development Audit; Information Systems Auditing; IT Governance; Management Audits; Operations Audit; Segregation of Duties; Service Continuity Controls; System Software Controls; Technology Audits
The function of an information systems (IS) audit is to review management controls applicable to the security, integrity, reliability, and the effective utilization of information systems. An IS audit of an existing application or system often includes tests of transactions and outputs in order to provide reasonable assurance that security standards and controls are properly designed and implemented (Morris & Pushkin, 1995). There are several types of audits performed on information systems including:
- During a development audit, system designers and auditors work together to ensure that the application being developed has adequate controls and security.
- An application review is a process in which auditors, often with assistance from designers, verify that adequate controls exist to assure proper levels of security.
- An operations audit focuses on the information systems operations environment to assess the overall control of that environment.
- A management audit concentrates on the management practices of an IS organization and is designed to assess how well controls of the IS environment are designed, implemented, and monitored.
- A technology audit is designed to review a specific technology used in the processing of business data in order to assess how well information systems controls are implemented for that technology.
During a development audit, auditors participate in projects before and during implementation to ensure that adequate controls and security are built into the system. There are two steps in the development audit. The first round of work is done before an application program is put into use in an organization (pre-implementation). The second round of work is done after the application program is in use (post-implementation). The pre-implementation audit examines, among other things, security plans and documentation. The post-implementation audit examines the conversion of data from old systems to new systems and checks for integrity and validity. Weaknesses identified in either phase of the audit are reported to the managers responsible for the application program ("IS Auditing Guideline," 2001).
An application review is designed to "ensure that controls exist to provide a reasonable assurance that transactions are complete, valid, recorded accurately, and in a timely manner." Many auditors use computer assisted audit techniques (CAATs) to perform a reconciliation of control totals, review outputs of the application, or perform a review of the logic, parameters or other characteristics of the application. There are several CAATs available for use by auditors ("IS Auditing Guideline," 1998). Audit Expert Systems "can be used to assist IS auditors in the decision-making process by automating the knowledge of experts in the field. This technique includes automated risk analysis, system software, and control objectives software packages" ("IT Standards, Guideline and Tools," 2009).
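The control-total reconciliation mentioned above is the simplest CAAT to show in code. The following is an added example, not code from the article, ISACA, or any named tool: it assumes a hypothetical pipe-delimited batch format in which a header line declares the record count, the amount total, and a hash total (the arithmetic sum of the account numbers), followed by detail lines. The two batches are constructed; the second one carries a transposed account number, the kind of error that count and amount totals alone would never surface.

```python
"""Added example (not from the article): CAAT-style control-total reconciliation.

Assumed batch format (hypothetical, for illustration only):
  H|<batch id>|<record count>|<amount total>|<hash total of account numbers>
  D|<account number>|<amount>
"""
from decimal import Decimal

# Constructed sample: three detail records, header totals agree with them.
CLEAN_BATCH = """\
H|BATCH-0427|3|1250.00|30006
D|10001|450.00
D|10002|300.00
D|10003|500.00
"""

# Constructed sample: account 10002 was keyed as 10020.  Record count and
# amount total still agree with the header; only the hash total disagrees.
TRANSPOSED_BATCH = """\
H|BATCH-0428|3|1250.00|30006
D|10001|450.00
D|10020|300.00
D|10003|500.00
"""


def parse_batch(text):
    """Split a batch into its declared header totals and its detail records."""
    header = None
    details = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if fields[0] == "H":
            _, batch_id, count, total, hash_total = fields
            header = {
                "batch_id": batch_id,
                "count": int(count),
                "total": Decimal(total),
                "hash_total": int(hash_total),
            }
        elif fields[0] == "D":
            _, account, amount = fields
            details.append((int(account), Decimal(amount)))
        else:
            raise ValueError(f"unknown record type: {fields[0]!r}")
    if header is None:
        raise ValueError("batch has no header record")
    return header, details


def reconcile(text):
    """Recompute the three control totals from the detail records and return
    one finding string per total that disagrees with the header."""
    header, details = parse_batch(text)
    findings = []
    actual_count = len(details)
    actual_total = sum((amt for _, amt in details), Decimal("0"))
    actual_hash = sum(acct for acct, _ in details)
    bid = header["batch_id"]
    if actual_count != header["count"]:
        findings.append(f"{bid}: record count {actual_count} != declared {header['count']}")
    if actual_total != header["total"]:
        findings.append(f"{bid}: amount total {actual_total} != declared {header['total']}")
    if actual_hash != header["hash_total"]:
        findings.append(f"{bid}: hash total {actual_hash} != declared {header['hash_total']}")
    return findings


if __name__ == "__main__":
    for batch in (CLEAN_BATCH, TRANSPOSED_BATCH):
        result = reconcile(batch)
        print("OK" if not result else "\n".join(result))
```

Amounts are handled as `Decimal` rather than `float` so that the recomputed total is exact; a float sum that drifts by a fraction of a cent would raise false exceptions on every batch. The hash total is a meaningless number on its own, which is exactly why it is useful: it changes whenever an identifier is altered, dropped, or duplicated, even when the amounts and the record count are undisturbed.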
An operations audit focuses on an information system's operations environment in order to assess the overall control of the environment. Auditors examine operations policies and procedures for adequacy and compliance with appropriate laws, regulations or standards. A review of implemented policies and procedures is conducted to assure that all the resources required for implementation are available and in place. Auditors also test to determine if personnel consistently follow policies and procedures.
A management audit concentrates on the management practices of an IS organization and is designed to assess how controls of the systems environment are implemented and monitored. Auditors can use a variety of approaches when examining IS management practices and many rely on the IT Governance Institute's (ITGI) Control Objectives for Information and related Technology (COBIT) as a guide to widely adopted best practices. The COBIT framework has been structured into 34 IT processes clustering interrelated life cycle activities or interrelated discrete tasks. IS management audits based on the COBIT IT Assurance Guide minimize the impact of opinions dominating audit conclusions. COBIT is based on numerous standards and best practices documents that were published by standards organizations around the world including Europe, Canada, Australia, Japan and the United States ("COBIT Mapping," 2007).
A technology audit is designed to review a specific technology used in the processing of business data in order to assess how well an information system's controls are implemented for the technology. This could include specific types or models of file servers, security tools, or network equipment. Auditors examine how the technology is used, deployed, and configured to determine if appropriate standards and practices are applied for the environment.
What IS Auditors Find From an Audit
One of the largest IS auditing organizations in the world is the U.S. Government Accountability Office (GAO), which is an independent, nonpartisan agency that works for Congress. The GAO is often called the "congressional watchdog" because it investigates how the federal government spends taxpayer dollars. The GAO gathers information to help Congress determine how well executive branch agencies are doing their jobs. The GAO supports the United States Congress' oversight of government agencies by:
- Performing evaluations of government agencies and programs to determine how well they are working.
- Performing audits of government agency operations to determine if federal funds are being spent properly.
- Performing investigations of alleged illegal or improper activities of government agencies.
- Researching, developing, and issuing opinions and decisions on legal matters.
The GAO has been conducting IS audits of United States government agency information systems for decades. The findings of a GAO audit provide examples and insight into what IS auditors may find during an audit. In one multiple-agency audit, the GAO found that the weaknesses that the audit revealed increased the risks to which many federal government operations are exposed, including potential fraud, intentional as well as unintentional misuse, and possible disruption from a wide array of events. The Department of the Treasury, for example, was vulnerable to fraud, and the hundreds of billions of dollars that the federal government pays and collects each month could easily be jeopardized. The audits also showed that as the Department of Defense continued to rely on more and more computer systems, there was a corresponding increase in the vulnerability of several military functions that support the war-fighting capability of the United States and its allies ("Serious and widespread weaknesses," 2000).
Access to Information
The GAO audits further indicated that the information security weaknesses that were found during the audits of federal agencies put vast amounts of very confidential data at risk. This included personal and tax data as well as proprietary business information. One very serious case was in 1999, when a Social Security Administration employee gained unauthorized access to computer systems that held the files of social security recipients. The employee used this unauthorized access to obtain information and make inappropriate disclosures.
In numerous cases the GAO audits showed that federal agencies had very weak computer security controls in place on a wide range of computer systems and application software. Some audit findings were very basic and showed that several aspects of security planning and implementation were inadequate. Additional audit findings addressed complex security problems including ineffective physical and logical access controls as well as ineffective software change controls.
Access controls were evaluated at all 24 of the agencies covered in this particular audit, and significant weaknesses were reported. The GAO found that agencies had not implemented effective user account and password management practices to reduce the risk that accounts could be used to gain unauthorized system access. One problem that auditors encountered on a widespread basis was very poor control over user accounts on computer systems, and many accounts were still active even though the person with the account no longer worked at the agency. Numerous contractors and former employees still had access to computers and could still read, modify, copy, or delete data ("Serious and widespread weaknesses," 2000).
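The account-management weakness described above is one an auditor can test mechanically by comparing the system's account list against the personnel roster. The following is an added example, not code from the article or the GAO: it assumes a hypothetical account export (username, HR owner id, enabled flag, last login) and a hypothetical HR roster with separation dates, and it flags three conditions the GAO findings describe or imply: an enabled account whose owner has separated, an enabled account with no identifiable owner, and an enabled account that has not been used within a dormancy window. All names, ids and dates are constructed.

```python
"""Added example (not from the article): user-account review against an HR roster.

Data shapes are hypothetical; a real review would load them from an
account export and from the personnel system rather than from literals.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    username: str
    owner_id: str                # HR person id; empty string if unknown
    enabled: bool
    last_login: Optional[date]   # None if the account has never logged in
    privileged: bool = False


@dataclass
class Person:
    person_id: str
    name: str
    separated_on: Optional[date]  # None while still employed or under contract


# Constructed HR roster.
ROSTER = {p.person_id: p for p in [
    Person("E100", "A. Analyst", None),
    Person("E101", "B. Contractor", date(2000, 3, 31)),   # contract ended
    Person("E102", "C. Admin", None),
]}

# Constructed account export as of the review date below.
ACCOUNTS = [
    Account("aanalyst", "E100", True, date(2000, 6, 28)),
    Account("bcontract", "E101", True, date(2000, 4, 2)),               # owner has left
    Account("cadmin", "E102", True, date(2000, 1, 5), privileged=True),  # unused for months
    Account("svc_batch", "", True, None),                               # nobody owns it
    Account("dformer", "E999", False, None),                            # disabled: no access
]

AS_OF = date(2000, 6, 30)


def review_accounts(accounts, roster, as_of, dormant_days=90):
    """Return (username, reason) pairs for every enabled account that a
    reviewer should question. Disabled accounts confer no access and are
    skipped; a privileged account is called out in its dormancy finding."""
    findings = []
    cutoff = as_of - timedelta(days=dormant_days)
    for a in accounts:
        if not a.enabled:
            continue
        person = roster.get(a.owner_id) if a.owner_id else None
        if person is None:
            findings.append((a.username, "no identifiable owner in HR roster"))
        elif person.separated_on is not None and person.separated_on < as_of:
            findings.append((a.username,
                             f"owner {person.name} separated on {person.separated_on.isoformat()}"))
        if a.last_login is None or a.last_login < cutoff:
            kind = "privileged account" if a.privileged else "account"
            findings.append((a.username, f"{kind} with no login in the last {dormant_days} days"))
    return findings


if __name__ == "__main__":
    for username, reason in review_accounts(ACCOUNTS, ROSTER, AS_OF):
        print(f"{username:12} {reason}")
```

The review deliberately keys on the HR identifier rather than on the username, because username conventions drift and an account that cannot be tied to a person at all is itself a finding. A 90-day dormancy window is an arbitrary assumption for the example; the agency's own policy would supply the real threshold.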
Application Software Development
The GAO identified weaknesses in application software development and change controls in 19 of the 21 agencies where such controls were evaluated. Problems found during the audits ranged from undisciplined testing...