Total Number of Subscribers: 426
Date: 16 May 2008
Compiled by Mr. M. Sathya Kumar

Information System Audit for Companies - Voluntary or Compulsory?

"The need for Information System (IS) Audit cannot be overemphasised"

There are approximately 10,000 companies, which are at various stages of computerisation for various functions within the organisation. The areas are wide and varied. Right from plain and simple gate entry/security scanning to the most complicated areas like production process, all are controlled by the IT setup of an organisation. This article discusses the need of the IS audit and the need to spread awareness about the strengths of the professionals in this area.

The ‘Information System Audit’ is the latest buzzword in the world of auditing. The ICAI has taken upon itself the task of ensuring that there is enough supply of qualified Information System (IS) Auditors. The process has been put on fast track and the initial thrust is indeed showing the desired results, slowly but surely.

As a holder of DISA (ICA) what will be bothering the Members most? I tried to put things in the right perspective and came up with some more questions! Mind you, we are looking for some answers here! Is there awareness amongst the Companies/Corporates about the need for IS Auditors? Is there a real need for this kind of audit? What is the level of awareness amongst the Chartered Accountants about the need and utility of the IS audit? What value gets added to the CA who qualifies as DISA (ICA) or CISA?

Easy questions? Not really. These are the fundamental issues that we, members, need to collectively ponder so that we can make better utilisation of the highly qualified and large numbers of professionals with the deadly combination of dual qualification – CA and ISA.

The need for IS audit cannot be overemphasised.
There are approximately 10,000 companies, which are at various stages of computerisation for various functions within the organisation. The areas are wide and varied. Right from plain and simple gate entry/security scanning to the most complicated areas like production process, all are candidates for being controlled by the IT setup of an organisation. In most cases the employees do not even realise that they are using computerised processing in their daily routine.

In the present scenario of almost complete dependence on the computerisation of the activities of the corporate world it becomes necessary to give some sort of assurance to the stakeholders and the users of the reports on the management’s assertions with reference to accounts, corporate governance and the operations of the companies in general. Surely, none of the corporates would dispute over-dependence on the computerisation.

What we are really interested in is the assurance that the system setup is appropriate for the business today, and that this system is appropriate for the same business tomorrow also. What is the assurance that the financial statements presented to us are exact reflections of the books of accounts of the company? In a computerised environment it is very difficult to keep track of the accounting. How can the shareholder be satisfied that what he sees is what he gets? Since the accounts are audited by Chartered Accountants, there are hardly any doubts about their reliability or authenticity. But what we are not aware of or probably do not want to be aware of is the discrepancy which is not apparent. The discrepancy can be noticed only if you look for it in places other than in the area of accounting.

Are the companies aware of the IS audits? Yes and No. We can easily put the companies into three groups.
The first category comprises companies that are highly progressive, forward-looking and completely run by automated processes. They are not only aware of it but also insist on periodical IS audit as they are conscious about the interests of their stakeholders and cannot risk a fraud due to laxity in systemic control. They define the scope, verify the tools needed and stringently interview the IS auditor before assigning him the job.

The second group comprises companies, which are not middle-sized but are not in the large segment either. These companies are aware of the need of IS audit but are not willing to accept that this is a must. Even the middle-sized companies today extensively use ERP in view of the availability of good ERP in a very affordable range. The practice of using ERP has penetrated deep into the hierarchy of these middle class and upper middle class companies, as we may call them. These companies, which are in transition mode, are fully automatic physically but the controls are still very much the traditional one- or two-man based.

How do we create awareness about IS audit in these companies? How do we make them aware that we are as much capable and qualified as anybody else to carry out IS audit? In fact I would go a step further. Considering our training and
experience in dealing with a variety of organisations as also the financial background that we possess, we as members of ICAI have an edge over other IS audit Professionals. I believe that the best way to create awareness is to market our services in the most aggressive manner. This is not to say that we start hiring out hoardings or advertise on TV. Please. No. What we need to do is to get out of our comfort zone and highlight this part of our skills whenever an opportunity knocks.

The third category of companies comprises ‘lower middle class’ companies who are using computerised processes to run their business but are not highly dependent on them. The result is a mix of automatic, semi-automatic and manual controls. These companies are at greater risk of being victims of the automatic processes than the others. Why? You may well ask. Simply because they are overly dependent on the manual and semi-automatic processes, more than the automatic process. In fact, these companies would be almost arrogant about the strength of the controls outside of their computerised environment. The holes in the security or the internal control defined in their computerised process would be of a secondary or lower priority as compared to signing of vouchers or approval of advance or issue of material through a process, where the owner or owner’s right hand man ‘Mr. Know-it-all’ is involved. The question of awareness does not arise in this category. They are blissfully ignorant about the state of computerisation. In some cases they may not even be keen on it. These are the touch targets, the clients who would benefit most from IS audit of their organisation.

In this background, the voluntary compliance of IS audits would be immediate in the first category of companies and to some extent in a few companies falling in the second category. Then how do we spread the awareness about IS audit among a large number of the remaining corporates? Will legislation be effective? Or will it end up as one more unwanted compliance of law? We will come to this later.

On the other side, how many members, who are now qualified as
ISA, do actually believe that they have enough capabilities to actually perform the audit effectively? Let us not arrive at any judgment but despite this aspect being discussed in our seminars and conferences, much remains to be done to instil confidence in the general public and particularly the corporate world about the abilities of CAs to perform this job professionally.

The tools for conducting the audit are not cheap. There is also very little awareness about such tools. The awareness about the vendors for this job is also not so great. We need to concentrate on the ability to use the tools available for IS audit. Unless we know what these are, it is highly unlikely that we would know how to use them. Unless you get into water, you cannot learn how to swim.

Too many questions! I hope there are people who are thinking or have started thinking. I had the pleasure to be part of a subcommittee, which presented a white paper to the Corporate and Allied Laws Committee of ICAI, where we recommended that the best way to begin the compliance could be with the Listed companies. More so because a lot of users of their annual financial statements do not have enough resources to understand the complicated process by which these statements are prepared and sent to them. Not only this but also the fact that these financial statements are widely publicised in newspapers and are also used as USP by them to show the growth and efficiency. It would be really reassuring to the members who are performing the attest function for these companies to know that the systems and processes are checked by another set of professionals who have certified its integrity and robustness.

There is no difference in the perception of the prospective client between the CA-ISA and similar qualification by a non-member. A lot of effort has been put in by ICAI too. What it all boils down to is the practical experience that one has. In many cases we find that the requirements of the clients are such that prequalification of small or medium sized firms is out of question. In some cases a corporate structure is required. In all cases, high Turnover criterion, threshold on clients’ turnover, number of clients, number of employees, etc. are required for prequalification, effectively reducing the number of firms/organisations that can hope to qualify in the process and render the service to get some valuable experience.

The CAs receive a lot of enquiries from banks and companies outside India (awareness?). That itself is a good barometer of our value. The question remains as to how to increase the awareness. An idea floated some time back was that tools like Clause 49 of the listing agreement should be used to enforce IS audits. The extract of the white paper which is reproduced hereunder, deals with the fact that all the listed companies need the IS audit, and that reduction in the number by any filtration process does not achieve the ultimate objective:

"The reasons and justification for
focusing on listed companies are:

1. The number of stakeholders is huge. Customers, Suppliers and the organisation itself are heavily dependent on the information systems used by such companies.
2. Being listed, they have a responsibility to the users of the reports that these companies periodically publish. When the company asserts that the reports are made by their Computerised system it becomes imperative for the users of such report to know how reliable these are.
3. Even if these companies do not make such assertions it becomes necessary for the users to know how good the system is so that they get a fair idea about the forecasts and predictions that are being made quarterly by them.
4. That the companies in which they have placed faith have proper control over its assets, what is the quality of the system, and, what are the procedures that they follow to assure themselves about the strength of this system.

Why should all listed companies undertake IS Audits?

We can always reduce the number for beginning the process by prescribing a slab on the basis of the turnover or profit or asset base, etc. but then what are we going to achieve by this exclusion?

1. It would reduce the scope and importance of the prescribed audit.
2. The larger companies in any case have got an enlightened management, which are proactively getting the audit done. While there is no standardisation of the reporting or the process or the authority that these audits have, they are nevertheless conducted.
3. Currently the larger companies, say those worth over Rs. 500 crore, also have an infrastructure in place to identify the defect in their Information System. They also get inputs from the supplier and customers, which are in the formats compatible with their own system. All the assertions are confirmed when they undertake the audit of such systems.
4. For all the other companies, which have lower turnover and are what is called Medium Scale or Small Scale and yet are Listed on the Stock Exchange also face similar problems, but they do not have IS audits in their list of priorities.
5. Which means that when we restrict the compulsion to get IS audit done to larger companies we are, in fact, not doing anything new. It would be a great value addition to the investing public and the regulators if we can make all the listed companies undertake the IS audit.
6. There are possibilities of weakness in selection of applications for accounting or production, there could be lack of knowledge about security, there could be a hacking incident which is far more likely in case of medium-scale industries, for two major reasons: a) because of the sheer number of such medium scale/small scale companies and b) the lack of awareness in this segment about the necessity to keep the IS infrastructure protected and fine-tuned.
7. A few companies in this segment might be getting some kind of report in this area for their satisfaction but that doesn’t serve the purpose. We need assurance from an independent source about the reliability and controls of IS infrastructure of these companies."

Courtesy: Mr. Chirag Bakshi. The author is a member of the Institute.

Disclaimer: We believe that the information contained in this e-zine is true.