Total Number of Subscribers: 464   

 



Powered by Prime Academy  
In pursuit of excellence    

Date: 29th August 2008

Compiled by Mr. M. Sathya Kumar  

 

 

Computerised Environment Auditing

 

Information systems audit is the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, enables communication and access to information, achieves operational goals effectively, and consumes resources efficiently. Thus, information systems auditing supports traditional audit objectives that focus on asset safeguarding, data integrity, and management objectives that encompass not only attest objectives but also effectiveness and efficiency objectives.

An auditor can assume the following three roles in a computerised environment :

 

* Auditor as a user of the (computerised) information system;
* Auditor as an evaluator of the information system;
* Auditor as a designer of the information system.

Auditors, as users, need to acquire certain skills in order to make productive use of information technology. It is expected of an auditor to possess knowledge in the following areas :

* A thorough understanding of at least one operating system;
* A thorough understanding of at least one basic accounting package, word processing software, spreadsheet, database, e-mail software and a browser;
* A general understanding of systems and application controls for safeguarding systems and data against unauthorised use, piracy, virus attacks and system failure.

As user of information technology, an auditor must also know how to test and assess the acceptability of a particular system being acquired or developed for his use and to operate and manage such a system and keep it up to date.

The areas and types of training required increase when an auditor moves from being the user of the information system to being its evaluator. As evaluator of the information system, auditors must acquire practical skills in the following areas:

  • Information Technology concepts
  • Risks associated with the use of information technology
  • Role of information systems in the organisation
  • Management and implementation of information technology
  • Hardware and software concepts
  • Database and transaction processing
  • Data communication networks
  • EDI and electronic commerce
  • Backup and recovery
  • Legal issues and guidelines of the Institute of Chartered Accountants of India and other professional bodies.

As a designer, an auditor has to understand business processes and controls and map the business processes to the system, considering the cost and benefit of different options and the critical business needs. It may be noted that the involvement of the auditor at an early stage of system development pays the highest dividends to the organisation, because controls need to be incorporated in the system at the design stage itself. To design a system, auditors need the following skills in addition to those needed as a user and as an evaluator:

* Skills in RDBMS
* System analysis and design techniques
* Software development life cycle phases
* Control standards
* Skills in software development and project management
* Risk management
* Designing and testing of audit trails.

Developments in the last decade have had a great impact on the way auditors work. Image processing has changed the way documents are stored, retrieved and read; communication channels have opened endless possibilities by making it possible to communicate at the speed of thought; the Internet has reduced the world to a global village without boundaries; and the emergence of e-commerce, Electronic Data Interchange (EDI) and Electronic Fund Transfer (EFT) has opened up thousands of opportunities hitherto unknown. All these developments have created new areas of practice for auditors, who have already started providing value-added services such as:

* Writing IS security policy;
* Building information systems;
* Evaluating information systems;
* Providing attest functions;
* Providing assurance services (risk assessment, business performance measurement, information system reliability, electronic commerce).

Why audit a computerised system :

An organisation must control and audit its computer-based information systems because the cost of errors or irregularities that arise in these systems can be high. An organisation’s ability to survive can be severely undermined by corruption or destruction of its database, decision-making errors caused by poor-quality information systems, losses through computer abuse, loss of valuable computer hardware, software and personnel, the high cost of some types of computer error, failure to maintain the privacy of individuals, and failure to control how computers are used within the organisation.

Unless properly controlled, the following threats emanating from within or outside the organisation can cause serious damage to the organisation :

* The destruction of assets due to fire, water, energy variations and theft;
* Modification of assets with or without malicious intent;
* Misuse of software, data and services;
* Hackers: unauthorised intrusion.

The existence of these threats explains the importance of information system control and audit for the survival and continued business operations of an organisation.

The Internal Controls Framework :

While internal controls are very important in manual systems, in computerised systems their importance cannot be over-emphasised. A control is a system that prevents, detects or corrects unlawful events. The overall purpose of controls is to reduce the expected losses from unlawful events that can cause harm to the system. They do so in two ways. First, preventive controls reduce the probability of unlawful events occurring in the first place. Second, detective and corrective controls reduce the losses that arise if an unlawful event does occur. The auditor must ascertain that at least one control exists to cover each unlawful event that might occur, and that the control is operating effectively.

Traditionally, the major components of an internal control system include separation of duties, clear delegation of authority and responsibility, recruitment and training of high-quality personnel, a system of authorisations, adequate documentation, physical control over assets and records, management supervision, independent checks on performance, and periodic comparison of recorded accountability with assets.

In a computer system these controls must still exist; however, the use of computers affects the implementation of these internal control components in several ways. The traditional notion of separation of duties does not always apply in a computer system. Instead, separation of duties exists in a different form: the authority to access a program in the design environment is kept separate from the authority to access the same program in the production environment.

In a computer system, delegating authority and responsibility in an unambiguous way can be difficult because some resources are shared among multiple users, and lines of authority and responsibility have been blurred by the rapid growth of end-user computing. The power vested in the personnel responsible for computer systems often exceeds that vested in the personnel responsible for manual systems, so in a computerised environment a great deal depends upon the competence, trustworthiness and integrity of the personnel.

In a manual system, auditors can evaluate the adequacy of procedures for authorisation by examining the work of employees. In a computer system, authorisation procedures are embedded within a computer program, making it very difficult for an auditor to assess whether the authorities assigned to individual persons are consistent with management wishes. Physical control over computerised assets is very critical because in a computerised information system, the information system assets and records of an organisation are concentrated in a few places.

This concentration of information system assets and records also increases the losses that can arise from computer abuse or a disaster. In a computerised system, physical supervision over the work being done by an employee is often very difficult and supervisory controls must be built into the computer system to compensate for the controls that usually can be exercised through observation and enquiry. In manual systems, independent checks are carried out because employees are likely to forget procedures, make genuine mistakes, become careless, or intentionally fail to follow prescribed procedures. If the program code in the computer system is authorised, accurate, and complete, the system will always follow the program procedures in the absence of some other type of failure like a hardware or software failure.

Because of the test nature of auditing, auditors might fail to detect real or potential material losses or misstatements. The risk of an auditor failing to detect an actual or potential material loss or misstatement at the conclusion of the audit is called the audit risk. The auditor should choose an audit approach and design audit procedures so as to reduce this risk to a level deemed acceptable. The following audit risk model can be used as a basis for determining the level of desired audit risk:

DAR = IR × CR × DR

where DAR is Desired Audit Risk, IR is Inherent Risk, CR is Control Risk and DR is Detection Risk. Inherent risk is the likelihood that a material loss or misstatement exists in some segment of the audit before the reliability of internal controls is considered. Control risk is the likelihood that the internal controls in some segment of the audit will not prevent, detect or correct material losses or misstatements. Detection risk is the likelihood that the audit procedures used in some segment of the audit will fail to detect material losses or misstatements. Audit effort should be focused on the areas with the highest pay-offs. Throughout the audit, auditors must continually decide what to do next; their notions of materiality and audit risk should guide these decisions.
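As an added worked example (not part of the original article), the risk model is rearranged to give the planned detection risk for each audit segment, DR = DAR / (IR × CR), and the segments are ranked so that effort goes first to those that require the lowest detection risk. The segment names and risk assessments are constructed for illustration, and the scale that maps detection risk to the extent of substantive testing is an assumption, not one the article prescribes.

```python
"""Planned detection risk per audit segment, from the DAR = IR x CR x DR model.

Added example (not from the article): given the desired audit risk and the
auditor's assessments of inherent and control risk for each segment, the
model is rearranged as DR = DAR / (IR x CR) to obtain the detection risk
that the substantive procedures may leave, and the segments are ranked so
effort goes where the required detection risk is lowest.
"""

# Constructed assessments for illustration only; names and values are
# assumptions, not data from the article.
SEGMENTS = {
    "payroll":      {"IR": 0.80, "CR": 0.50},
    "fixed_assets": {"IR": 0.30, "CR": 0.40},
    "online_sales": {"IR": 0.90, "CR": 0.90},
    "petty_cash":   {"IR": 0.20, "CR": 0.20},
}


def planned_detection_risk(dar, ir, cr):
    """Return DR = DAR / (IR * CR), capped at 1.0.

    A result of 1.0 means the combined inherent and control risk is already
    at or below the desired audit risk, so no substantive testing is needed
    to meet the target for that segment.
    """
    if not (0 < dar <= 1 and 0 < ir <= 1 and 0 < cr <= 1):
        raise ValueError("risks must lie in (0, 1]")
    return min(1.0, dar / (ir * cr))


def extent_of_testing(dr):
    """Assumed scale mapping planned detection risk to substantive work."""
    if dr >= 1.0:
        return "none required"
    if dr >= 0.50:
        return "minimal"
    if dr >= 0.20:
        return "moderate"
    return "extensive"


def plan_audit(dar, segments):
    """Rank segments by required DR, lowest first (most effort first)."""
    plan = []
    for name, a in segments.items():
        dr = planned_detection_risk(dar, a["IR"], a["CR"])
        plan.append((name, round(dr, 4), extent_of_testing(dr)))
    plan.sort(key=lambda row: row[1])
    return plan


if __name__ == "__main__":
    for name, dr, extent in plan_audit(0.05, SEGMENTS):
        print(f"{name:14s} DR={dr:<8} {extent}")
```

With a desired audit risk of 5%, the payroll segment (IR 0.8, CR 0.5) can tolerate a detection risk of only 12.5%, so it needs extensive substantive work, whereas the low-risk petty cash segment already meets the target without it.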

Auditor’s approach to the audit in a computerised environment :

‘Auditing around the computer’ involves treating the computer as a ‘black box’ and arriving at an opinion by examining and evaluating management controls and only the input and output of application systems. From the quality of an application system’s input and output, the auditor infers the quality of its processing; the processing itself is not examined directly. Auditing around the computer is advantageous when the system is simple and batch-oriented, when the application system uses a generalised package as its software platform, and when high reliance is placed on user controls rather than computer controls to safeguard assets, maintain data integrity, and attain effectiveness and efficiency objectives. The biggest drawback of auditing around the computer is that it provides no information about the system’s ability to cope with stress and change. Moreover, this approach should not be used when systems are complex.

Auditors are now involved in ‘auditing through the computer’. Depending upon the complexity of the application system, the task of auditing through the computer might be simple or it might require extensive technical competence on the part of the auditor. ‘Auditing through the computer’ must be used where:

* the inherent risk associated with the application system is high;
* the application system processes large volumes of input and produces large volumes of output, making extensive direct examination of the validity of input and output difficult;
* a significant part of the internal control system is embodied in the computer system;
* the processing logic embedded within the application system is complex;
* substantial gaps in the visible audit trail are common in the system.

‘Auditing with the computer’ involves using computer-based tests and techniques to review and evaluate the computer-based accounting information system. This is important because it is no longer possible to carry out the required tests manually in a computerised environment. Computer-based tools and techniques enable the auditor to access, analyse and evaluate the data stored on computers. The type of computer-assisted audit tools an auditor will use is determined by the technology in use, the applications to be reviewed, and the level of expertise of the people who are going to use such techniques.

It is necessary for the auditor to evaluate whether the information security administrators have ensured that information system assets are secured. Assets are secure when the unexpected losses that will occur from time to time are at an acceptable level. The auditor must examine physical security as well as logical security. A typical security plan consists of identifying the assets, valuing the assets, identifying threats, assessing the likelihood of each threat, exposure analysis, and control adjustments. Threats to information system assets can take the form of physical damage to the assets from fire, water, energy variations, structural damage or pollution; unauthorised intrusion; viruses and bombs; misuse of software, data and services; and hackers. An integral part of the risk management technique is exposure analysis, which consists of identifying the controls in place, assessing the reliability of those controls, evaluating the likelihood that a threat incident will succeed given the controls in place and their reliability, and assessing the loss that will result if a threat incident circumvents the controls in place.

In spite of elaborate security for information system assets, there will be situations when things go wrong. Controls of last resort, consisting of backup and recovery plans, should be specified in great detail to ensure that normal operations can be restored. In India, the disaster recovery plan is a neglected area of business operations, and the quality of the disaster recovery plans, even where an organisation has one, is generally very low. Auditors are concerned to see that the organisation under audit has an appropriate, high-quality disaster recovery plan in place, and will be especially interested in the plan’s ability to keep the organisation operating as a going concern should a disaster strike. A comprehensive disaster recovery plan consists of an emergency plan, a backup plan, a recovery plan and a test plan. The backup plan may adopt one of the following backup options: cold site, hot site, warm site, or reciprocal arrangement. The emergency plan specifies the actions to be undertaken immediately when a disaster occurs. The recovery plan sets out procedures to restore full information system capabilities after the backup plan has restored the necessary operations. The test plan is meant to identify deficiencies in the emergency, backup or recovery plans, or in the preparedness of the organisation and its personnel, in the event of a disaster.

Backup and recovery :

A crucial element in the availability of the information in a computerised environment is adequate backup of all assets, so as to enable restoration of the system from the backed up resources. In this broad sense, a backup plan should provide for not only the backup of data files, but of all important resources, including key employees, data files, program files, system files, documents, supplies, and information. The auditor should evaluate the backup plan to ensure that it is adequate to meet the requirements of the business.

Backing up data and applications means copying files and applications to removable media and storing them at an offsite location. Backups may be complete or incremental. Common backup methods include tape backups, mirroring (RAID 0), data guarding (RAID 5), duplexing, partitioning (across servers), replication and clustering (across servers).

Password management :

Password management is another important area that the information systems auditor needs to examine in detail, because poor management of the password system threatens data integrity and privacy. Moreover, it performs a very important management role: since the username-password combination is unique to a user, the password system holds a user accountable for all actions performed using his password. Fixed passwords that are not changed frequently are liable to be hacked. If the password is system-generated, it is sometimes too difficult for the user to remember, and users then tend either to write the password on the computer cabinet or to automate the logon process. The auditor should examine evidence of such short cuts adopted by employees. Dynamic passwords, such as one-time passwords, combined with smartcards or biometric scanners, are preferred for sensitive applications. The auditor should examine the adequacy of control over the administration and distribution of passwords. Passwords should always be encrypted.
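The following is an added example, not code from the article, showing two of the controls from this paragraph in working form: passwords kept as salted, iterated one-way hashes with constant-time verification (the form in which "passwords should always be encrypted" is met in practice), and a dynamic one-time password computed with the HOTP algorithm of RFC 4226, which is what a token or smartcard generating one-time passwords typically does. Only the Python standard library is used; the sample passwords, the shared secret and the iteration count are assumed values.

```python
"""Two password controls an auditor can relate to the paragraph above.

Added example, not from the article: (1) passwords stored as salted,
iterated hashes rather than reversibly, with constant-time verification;
(2) a dynamic one-time password (HOTP, RFC 4226) derived from a shared
secret and a counter. Sample values are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 600_000   # assumed policy value; raise as hardware allows


def store_password(password: str) -> dict:
    """Return a record with a fresh random salt and the derived key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "key": key, "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the derived key and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"],
                              record["iterations"])
    return hmac.compare_digest(key, record["key"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, last_counter: int, candidate: str, window: int = 5):
    """Accept a code within a small look-ahead window. Returns the counter to
    persist (so the same code can never be accepted twice), or None."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c
    return None


if __name__ == "__main__":
    rec = store_password("correct horse battery staple")   # constructed sample
    print(verify_password(rec, "correct horse battery staple"),
          verify_password(rec, "guess"))
    # RFC 4226 Appendix D test vector (secret "12345678901234567890", counter 0)
    print(hotp(b"12345678901234567890", 0))
```

The stored record never contains the password itself, so a copy of the password file does not yield passwords without a brute-force search, and `verify_hotp` returns the counter that must be persisted so that an intercepted one-time code cannot be replayed, which is what makes the accountability the paragraph describes hold.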

With an increasing number of transactions taking place on-line, using the Internet, intranets, EFT and EDI, greater reliance is being placed on the science of cryptography to ensure data integrity, data confidentiality, and non-repudiation by the sender or receiver. Cryptography has really come of age with the development of Public Key Infrastructure. An auditor auditing in a computerised environment is expected to be thorough in the concepts and practice of cryptography, Public Key Infrastructure and digital signatures.

The auditor working in a computerised environment needs to be aware of the subversive threats to the systems, and of the controls incorporated in the system by management to counter them. The auditor needs to know about the reliability of various communication media, call-back modems, access limitations and firewalls, encryption techniques, authentication codes, etc., that help an organisation control subversive threats. The auditor also needs to examine the database management system, to analyse what provision has been made to resolve deadlocks arising when two processes attempt to update a data item simultaneously. Locking of files or data items (depending upon the level of granularity desired), pre-sequencing, pre-ordering and pre-empting resources are some of the methods adopted to resolve deadlock, and the auditor needs to examine the suitability of the particular deadlock management technique in the given circumstances.
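Deadlock handling is one of the DBMS provisions the auditor is asked to examine above. As an added example (not from the article), the block below builds the wait-for graph from which transactions hold which data items and which item each blocked transaction waits for, finds a cycle in it (the deadlock), and chooses the cheapest transaction in the cycle to pre-empt, which is the pre-emption method the paragraph names. The transactions, data items and cost figures are constructed.

```python
"""Deadlock detection on a wait-for graph, as a DBMS lock manager does it.

Added example (not from the article): each transaction holds locks on
data items and may wait for one item held by another transaction. A
cycle in the resulting wait-for graph is a deadlock; the detector returns
the cycle so one transaction can be chosen as the victim and pre-empted
(rolled back) to free the others. All names and values are constructed.
"""
from collections import defaultdict


def build_wait_for_graph(holds, waits_for):
    """holds: {txn: set(items)}; waits_for: {txn: item}.
    Returns {txn: set(txns it waits on)}."""
    owner = {}
    for txn, items in holds.items():
        for item in items:
            owner[item] = txn
    graph = defaultdict(set)
    for txn, item in waits_for.items():
        holder = owner.get(item)
        if holder is not None and holder != txn:
            graph[txn].add(holder)
    return graph


def find_cycle(graph):
    """Depth-first search; returns the first cycle found as a list, or None."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = defaultdict(int)          # every node starts WHITE
    stack = []

    def visit(node):
        colour[node] = GREY
        stack.append(node)
        for nxt in sorted(graph.get(node, ())):
            if colour[nxt] == GREY:    # back edge: the stack from nxt is a cycle
                return stack[stack.index(nxt):]
            if colour[nxt] == WHITE:
                found = visit(nxt)
                if found:
                    return found
        stack.pop()
        colour[node] = BLACK
        return None

    for node in sorted(graph):
        if colour[node] == WHITE:
            found = visit(node)
            if found:
                return found
    return None


def choose_victim(cycle, cost):
    """Pre-empt the transaction in the cycle that is cheapest to roll back."""
    return min(cycle, key=lambda t: (cost.get(t, 0), t))


def detect_and_resolve(holds, waits_for, cost):
    graph = build_wait_for_graph(holds, waits_for)
    cycle = find_cycle(graph)
    if cycle is None:
        return None
    return {"cycle": cycle, "victim": choose_victim(cycle, cost)}


# Constructed scenario: T1 holds A and waits for B, T2 holds B and waits for A
# (a deadlock); T3 holds C and waits for A (blocked, but not in the cycle).
HOLDS = {"T1": {"A"}, "T2": {"B"}, "T3": {"C"}}
WAITS = {"T1": "B", "T2": "A", "T3": "A"}
COST = {"T1": 10, "T2": 3, "T3": 1}   # assumed units of work done so far

if __name__ == "__main__":
    print(detect_and_resolve(HOLDS, WAITS, COST))
```

Rolling back T2 releases B, so T1 completes and then T3 can proceed; the auditor's question is whether the DBMS in use runs a detector like this (or avoids the situation by pre-ordering lock acquisition) and what it does with the victim's uncommitted work.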

Audit software :

There is a variety of software available to assist auditors in evidence collection. For a start, auditors can use generalised audit software, which has been designed specifically to allow them to access and manipulate data maintained on computer storage media. It provides powerful functions that enable access to files maintained in a variety of formats, sorting and merging of files, selection of data that satisfy certain conditions, statistical sampling and evaluation of data, arithmetic operations on data, stratification and frequency analysis of data, file creation and updating, and flexible reporting of the results obtained. Sometimes auditors may also be able to use industry-specific audit software, designed to provide audit functions useful in the conduct of audits in a specific industry. Auditors can use high-level languages, such as those provided in fourth-generation or statistical software, wherever they provide easier access to data or a more comprehensive range of functions than generalised audit software. Auditors might use utility software to assess security and integrity within application systems, to facilitate their understanding of the information system to be audited, to assess data quality, and to assess program quality.
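To make the list of generalised audit software functions concrete, the following added example (not from the article, and not the code of any GAS product) implements several of them over a constructed ledger extract: selecting records that meet a condition, stratification with frequency and value per band, gap detection in the document-number sequence (the visible-audit-trail check mentioned earlier) together with duplicate detection, and a reproducible random sample for substantive testing.

```python
"""Generalised-audit-software style tests over a small ledger extract.

Added example (not from the article): selection, stratification with
frequency analysis, sequence-gap and duplicate detection, and reproducible
random sampling. The ledger rows are constructed for illustration.
"""
import random
from collections import Counter

# Constructed extract: (voucher number, vendor, amount, approver, entered_by)
LEDGER = [
    (1001, "ACME", 450.00, "mgr1", "clerk1"),
    (1002, "ACME", 450.00, "mgr1", "clerk1"),      # potential duplicate payment
    (1003, "BETA", 12500.00, "clerk2", "clerk2"),  # approver == entered_by
    (1005, "GAMMA", 99.50, "mgr2", "clerk1"),      # voucher 1004 is missing
    (1006, "BETA", 7300.00, "mgr1", "clerk2"),
    (1007, "DELTA", 21000.00, "mgr2", "clerk3"),
]


def select(rows, predicate):
    """Records that satisfy a condition (the GAS 'extract' operation)."""
    return [r for r in rows if predicate(r)]


def stratify(rows, bands):
    """Count and total per amount band; bands are upper bounds, ascending.
    Returns {band_label: (count, total)}; amounts above the last bound go
    into an 'over' band."""
    labels = [f"<= {b}" for b in bands] + [f"> {bands[-1]}"]
    result = {label: [0, 0.0] for label in labels}
    for r in rows:
        amount = r[2]
        for b, label in zip(bands, labels):
            if amount <= b:
                break
        else:
            label = labels[-1]
        result[label][0] += 1
        result[label][1] += amount
    return {k: (c, round(t, 2)) for k, (c, t) in result.items()}


def sequence_gaps(rows):
    """Voucher numbers missing from the range covered by the extract."""
    numbers = sorted(r[0] for r in rows)
    return sorted(set(range(numbers[0], numbers[-1] + 1)) - set(numbers))


def duplicates(rows):
    """(vendor, amount) pairs that occur more than once."""
    counts = Counter((r[1], r[2]) for r in rows)
    return sorted(key for key, n in counts.items() if n > 1)


def random_sample(rows, size, seed):
    """Reproducible random selection; the seed is recorded in the working papers
    so the sample can be regenerated on review."""
    rng = random.Random(seed)
    return sorted(rng.sample(rows, size))


if __name__ == "__main__":
    print(select(LEDGER, lambda r: r[3] == r[4]))        # self-approved vouchers
    print(stratify(LEDGER, [500, 10000]))
    print(sequence_gaps(LEDGER), duplicates(LEDGER))
    print(random_sample(LEDGER, 2, seed=20080829))
```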

When auditors use software for evidence collection, they must exercise careful control over the software to ensure that it has not been modified improperly and that the results produced using it have integrity. If they have to employ software controlled by another party, they can use hash totals and test data to detect any modification that might have been made to the software. If auditors rely on other parties to execute software on their behalf, they should carefully examine the results produced to determine whether they are accurate and complete. If auditors can maintain an independent library of audit software on a machine they control, they can have more confidence in the integrity of the results produced using that software.
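Here is an added example (not from the article) that serves this paragraph and the earlier one on cryptography and digital signatures: the auditor keeps a manifest of hash totals (SHA-256 digests) of the audit software library and signs the manifest, so that tampering with a program and tampering with the manifest itself are both detectable, and the manifest can be attributed to the holder of the signing key (non-repudiation). The RSA used here is a deliberately tiny textbook version built from two fixed primes so that the block runs offline with the standard library; it illustrates the mechanics and is not a usable cryptosystem. File names, contents and key parameters are constructed for illustration.

```python
"""Hash totals plus a digital signature over an auditor's software library.

Added example, not from the article. Per-file SHA-256 digests are the
"hash totals" that reveal a modified program; the signature over the
manifest shows the integrity and non-repudiation properties of a PKI
digital signature. The RSA is a textbook toy with small fixed primes.
"""
import hashlib
import json

# Constructed "software library" as name -> bytes (stands in for files on disk).
LIBRARY = {
    "gas_sample.exe": b"generalised audit software build 1.0 (sample bytes)",
    "stratify.mac":   b"STRATIFY amount BY 1000 STEPS (sample bytes)",
}

# Toy RSA parameters: two fixed primes, modulus ~10^12 (insecure, illustration only).
P, Q = 999_983, 1_000_003
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+)
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)


def hash_totals(library: dict) -> dict:
    """SHA-256 digest of every item; this is the manifest body."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in sorted(library.items())}


def _digest_int(manifest: dict) -> int:
    """Canonical (sorted, compact) JSON of the manifest, hashed, reduced mod N."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % N


def sign_manifest(manifest: dict, private_key) -> int:
    n, d = private_key
    return pow(_digest_int(manifest), d, n)


def verify_manifest(manifest: dict, signature: int, public_key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest_int(manifest)


def check_library(library: dict, manifest: dict, signature: int, public_key) -> dict:
    """Verify the manifest's signature, then compare every hash total."""
    current = hash_totals(library)
    return {
        "signature_ok": verify_manifest(manifest, signature, public_key),
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unexpected": sorted(n for n in current if n not in manifest),
    }


if __name__ == "__main__":
    manifest = hash_totals(LIBRARY)
    sig = sign_manifest(manifest, PRIVATE_KEY)
    print(check_library(LIBRARY, manifest, sig, PUBLIC_KEY))
    tampered = dict(LIBRARY)
    tampered["gas_sample.exe"] += b"X"       # one byte appended to a program
    print(check_library(tampered, manifest, sig, PUBLIC_KEY))
```

The manifest is signed once, on the auditor's own machine, and checked before every run; a program altered on another party's system shows up under `modified`, and a manifest altered to hide that fails `signature_ok` because only the private key holder can produce a signature that verifies.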

There are many generalised audit software (GAS) packages, utilities and other software aids available to auditors. ACL (www.acl.com) is the most popular GAS package and handles a wide variety of jobs. It can read a wide variety of data files, such as sequential files, dBase, FoxPro, Clipper and .dbf files, .txt files and .del files. It can edit data, create data, analyse data and perform statistical sampling on data.

ADM PLUS for Windows is very good software from Pleier Corporation. allCLEAR is ideal for quality, auditing, IS, training and human resources; it turns a simple text outline into a flowchart automatically. Auditor Assistant is a teamwork-based audit system using Lotus Notes. Audit Leverage department management software for internal auditors uses Microsoft Access for workpapers, risk assessment, staffing and scheduling, timekeeping, and more. AutoAudit is a complete workflow automation system designed to increase the productivity and effectiveness of medium and large sized audit firms. Bankers Trust Software has a financial and risk management system; one system that may interest auditors is The Auditor’s Workstation, a Lotus Notes based system for streamlining the audit process. Barefoot Auditor is a software-auditing program with advanced network security features. CaseWare is engagement and reporting software. Dr. Solomon’s Audit is a PC auditing solution. FlowCharter is a business drawing, diagramming and charting tool; it can be used to create organisation charts, network diagrams, statistical control charts, and flow diagrams of any type. Galileo is a comprehensive system of fully integrated modules that can be tailored to suit the precise needs of an internal audit or other project-oriented department.

IDEA is an audit automation package. KeyAudit is a free software audit tool that determines the status of software licence compliance. Advisor software automates international frameworks such as COBIT and COSO, and assists organisations in performing control self-assessment, quality reviews, risk evaluations and more. QSAK software can be used to schedule, manage, analyse and conduct internal audits, assessments, tests and inspections. Random Audit Assistant is a program that generates authentic random samples over a given audit range. WizRule is a data auditing and cleansing application that analyses databases and shows inconsistencies in the data.

CA Office, an Indian software package, interfaces with Tally and can be used to access the Tally database for analysis.

Concurrent Auditing Techniques :

Concurrent auditing techniques collect audit evidence at the same time as application system processing occurs. This evidence can be written to a file and periodically printed for auditors to analyse and evaluate. Alternatively, auditors can print or display the evidence immediately so that they can determine whether to take some type of immediate action.

Four major concurrent audit techniques are: Integrated Test Facility (ITF), Snapshot/Extended Records, System Control Audit Review File (SCARF), and Continuous and Intermittent Simulation (CIS). ITF involves establishing a dummy entity in an application system’s files and processing audit test transactions against the dummy entity. The Snapshot/Extended Record technique involves embedding audit modules in an application system and capturing images of a transaction as it passes through the system. SCARF also involves embedding audit modules within an application system, capturing variances and exceptions that are of interest to the auditor. CIS replicates application system processing for transactions that are of interest to auditors; it is invoked by the database management system used by the application system that processes the transactions.

The major advantages of concurrent auditing techniques are that they provide auditors with a viable alternative to ex post auditing and auditing around the computer, they allow auditors to implement a surprise testing capability, they facilitate testing of application systems by information system staff, and they provide a training vehicle for application system users. The major limitations are that they are often costly to develop, implement, operate and maintain; they require auditors to have fairly extensive knowledge of information systems audit and control if they are to use them effectively and efficiently; and they are unlikely to work satisfactorily if the host application system is frequently modified.
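As an added illustration, not from the article, the block below embeds an audit module in a small posting routine: exceptions the auditor has asked for are written to a SCARF file while transactions are processed, and an ITF dummy entity receives the auditor's test transactions so that they exercise the live code without distorting real balances. The transactions, the exception rules and the amount threshold are constructed and assumed for illustration.

```python
"""Embedded audit module (SCARF) with an integrated test facility (ITF).

Added example, not from the article: a posting routine records exceptions
of interest to the auditor as it processes transactions, and keeps the
auditor's dummy entity out of the real balances. All data is constructed.
"""
from datetime import datetime

ITF_ENTITY = "CC-AUDIT-TEST"           # dummy cost centre reserved for the auditor
LARGE_AMOUNT = 10_000.0                # assumed reporting threshold


def audit_rules(txn):
    """Conditions the embedded audit module records; returns a list of codes."""
    codes = []
    if txn["amount"] > LARGE_AMOUNT:
        codes.append("LARGE_AMOUNT")
    if txn["approver"] == txn["entered_by"]:
        codes.append("SELF_APPROVED")
    hour = datetime.fromisoformat(txn["timestamp"]).hour
    if hour < 8 or hour >= 18:
        codes.append("OUT_OF_HOURS")
    return codes


def post_transactions(txns):
    """Post transactions to balances, capturing SCARF exceptions and separating
    ITF test transactions from real ones."""
    balances = {}
    scarf_file = []
    itf_results = []
    for txn in txns:
        balances[txn["entity"]] = balances.get(txn["entity"], 0.0) + txn["amount"]
        codes = audit_rules(txn)          # the live code runs for every transaction
        if txn["entity"] == ITF_ENTITY:
            itf_results.append((txn["id"], codes))   # auditor compares with expectations
            continue
        for code in codes:
            scarf_file.append({"txn": txn["id"], "code": code, "user": txn["entered_by"]})
    # Remove the dummy entity's postings so real reporting is unaffected.
    itf_balance = balances.pop(ITF_ENTITY, 0.0)
    return {"balances": balances, "scarf": scarf_file,
            "itf": itf_results, "itf_balance": itf_balance}


# Constructed batch: two real transactions and two ITF test transactions.
BATCH = [
    {"id": "T1", "entity": "CC-100", "amount": 2500.0, "approver": "mgr1",
     "entered_by": "clerk1", "timestamp": "2008-08-29T10:15:00"},
    {"id": "T2", "entity": "CC-200", "amount": 15000.0, "approver": "clerk2",
     "entered_by": "clerk2", "timestamp": "2008-08-29T21:40:00"},
    {"id": "A1", "entity": ITF_ENTITY, "amount": 12000.0, "approver": "aud1",
     "entered_by": "aud1", "timestamp": "2008-08-29T11:00:00"},
    {"id": "A2", "entity": ITF_ENTITY, "amount": 10.0, "approver": "mgr1",
     "entered_by": "aud1", "timestamp": "2008-08-29T11:05:00"},
]

# What the auditor expects the embedded module to report for the test transactions.
ITF_EXPECTED = {"A1": ["LARGE_AMOUNT", "SELF_APPROVED"], "A2": []}


def itf_passed(result):
    """True when the live code flagged each ITF transaction exactly as expected."""
    return all(ITF_EXPECTED.get(tid) == codes for tid, codes in result["itf"])


if __name__ == "__main__":
    res = post_transactions(BATCH)
    print(res["scarf"])
    print("ITF passed:", itf_passed(res), "balances:", res["balances"])
```

The SCARF file here holds three entries, all for the real transaction T2; the ITF transactions prove that the rules fire in production code without leaving any trace in the real cost centres, which is the point of the dummy entity.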

Article by Tejinder Singh Rawal

 

 


 
