Steps involved in information systems audit
The following are the steps in information systems audit:
- The preliminary review phase
The first step in an IS audit is the preliminary review of
the computer installation. The main objective of this step
is to obtain the information necessary for the auditor to
make a decision on how to proceed with the audit. This stage
includes a review of the management and application controls
existing in the company. During the review, the auditor tries
to understand the management practices used at different levels
of the computer hierarchy.
The main sources of information during this phase include
interviews with installation personnel, observations of installation
activities, and reviews of installation documentation. Questionnaires,
flowcharts, and other databases can also be used to gather
required information. Based on the initial review, the auditor
decides whether to proceed with the audit or abandon
the entire process.
- The detailed review phase
The objective of this phase is to obtain the information
necessary for the auditor to have an in-depth understanding
of the controls used in a computer installation. After this review,
the auditor must once again decide whether to proceed with the
process or abandon it.
Having decided to proceed with the audit process, the
auditor reviews both the management and application controls.
The management controls are reviewed first, as major weaknesses
in these controls enable the auditor to abandon the review
of application controls. In this phase, the auditor must also
identify the causes of loss existing within the installation
and the controls established to reduce the effects of these
causes of loss. At the end of this phase the auditor must
evaluate whether the controls established reduce the expected
losses to an acceptable level.
As in the preliminary stage, the auditor obtains information
for conducting the audit from various sources such as company
databases, interviews with the concerned personnel, questionnaires,
etc.
- The compliance testing phase
The objective of this phase is to determine whether or not
the system of internal controls operates as it is supposed
to operate. The auditor checks whether all internal controls
exist and are working reliably. The auditor makes use of both
manual sources of information mentioned above and computer-assisted
evidence collection techniques to gather inputs for evaluation.
At the conclusion of this phase, the auditor must evaluate
the internal control system in the light of the evidence collected
on the reliability of individual controls.
- The substantive testing phase
The objective of this phase is to obtain sufficient evidence
to enable the auditor to make a final judgement on whether or
not material losses have occurred during computer data processing.
The external and the internal auditor express the results
of this phase differently. The former expresses his judgement
in the form of an opinion as to whether any misstatement of
accounts really exists. The latter, however, is concerned with
a broader perspective, i.e., given the state of the internal
control system, have losses occurred, or could they occur
in future, due to the weaknesses in the control systems used to
safeguard assets?
The following are the five types of substantive tests that
can be used within a data processing installation:
- Tests to identify erroneous processing
- Tests to assess the quality of data
- Tests to identify inconsistent data
- Tests to compare data with physical counts
- Confirmation of data with outside sources
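An added example (not part of the original page): a small Python routine that applies four of the five substantive tests listed above to a constructed inventory file. The record layout, field names and sample values are assumptions; confirmation of data with outside sources is a manual step and is not modelled.

```python
from decimal import Decimal

# Constructed sample inventory master records (assumed layout, not real data).
RECORDS = [
    {"item": "A100", "qty": 40, "unit_cost": "2.50", "value": "100.00",
     "received": "2023-01-10", "last_issue": "2023-02-01"},
    {"item": "A200", "qty": 12, "unit_cost": "10.00", "value": "125.00",
     "received": "2023-01-15", "last_issue": "2023-03-05"},
    {"item": "A300", "qty": -3, "unit_cost": "4.00", "value": "-12.00",
     "received": "2023-02-01", "last_issue": "2023-02-20"},
    {"item": "A400", "qty": 7, "unit_cost": "1.00", "value": "7.00",
     "received": "2023-04-01", "last_issue": "2023-03-01"},
    {"item": "A500", "qty": 25, "unit_cost": "", "value": "50.00",
     "received": "2023-01-05", "last_issue": "2023-01-30"},
]
# Constructed physical count sheet: item -> units counted on the floor.
PHYSICAL_COUNT = {"A100": 40, "A200": 12, "A300": 0, "A400": 9, "A500": 25}

def substantive_tests(records, physical_count):
    """Return {test name: [item ids that fail it]} for four of the five tests."""
    findings = {"erroneous_processing": [], "data_quality": [],
                "inconsistent_data": [], "physical_count": []}
    for r in records:
        item = r["item"]
        # Quality of data: required fields present, quantity not negative.
        if not r["unit_cost"] or not r["value"] or r["qty"] < 0:
            findings["data_quality"].append(item)
        # Erroneous processing: recompute the stored extended value.
        if r["unit_cost"] and r["value"]:
            if Decimal(r["unit_cost"]) * r["qty"] != Decimal(r["value"]):
                findings["erroneous_processing"].append(item)
        # Inconsistent data: an item cannot be issued before it was received.
        if r["last_issue"] < r["received"]:  # ISO dates compare as strings
            findings["inconsistent_data"].append(item)
        # Physical counts: book quantity must match the counted quantity.
        if physical_count.get(item) != r["qty"]:
            findings["physical_count"].append(item)
    return findings

if __name__ == "__main__":
    for test, items in substantive_tests(RECORDS, PHYSICAL_COUNT).items():
        print(f"{test}: {items}")
```

Each non-empty list is an exception report for the auditor to follow up on manually; an item can appear under more than one test.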
On completing substantive testing, the auditor once again has an overall
view of the control systems existing within the company.
On completing the audit process, the auditor prepares a comprehensive
audit report giving details of all the phases of review and
testing conducted. The audit report also includes the auditor's
recommendations for improvement in control systems.