Information systems auditing is a comprehensive examination of one or more systems: an evaluation of the components of each system, with examination and testing across its various areas. The main areas involved in information systems auditing work are the following:
- High-level system architecture review.
- Business process mapping (for example, determining how dependent the user's business processes are on the information systems).
- End-user identity management (for example, authentication mechanisms, password patterns, and restricting or granting system functionality).
- Operating system configurations.
- Application security controls.
- Database access controls (for example, database configuration, access to database accounts, and functions defined in the database).
- Antivirus/anti-malware controls.
- Network and physical infrastructure controls (for example, switch and router structure, use of physical space, access control lists, and firewall rules).
- Logging and auditing systems and processes.
- Privileged IT access control (for example, system administrator or root access).
- IT processes that support the system (for example, user account reviews and change management).
- Backup and restore procedures.

Information systems auditing activities consist of verifying log files by sampling and then conducting interviews with the people involved in the technology area. Tests of internal controls are also carried out. Systems auditing may also require the creation of user accounts so that auditors can examine the system in more detail and determine the effectiveness of the controls implemented and whether they produce the expected results. In addition, a subset of integration tests can be performed in test or staging environments to ensure that the controls that apply to the general user work as described and expected.
Scope of Systems Auditing

An information systems audit is similar to information security control testing. However, the normal scope of a systems audit covers the entire lifecycle of the technology under review. Audits are always the result of some concern about the management of technological assets, and those who request them are generally the owners of those assets or parties with an interest in the information and systems environment, including the systems managers themselves.
Mapping the purpose of an information systems audit is often a challenge for auditors. They begin by identifying the business activity most likely to produce the best evidence in support of the audit's purpose. They then identify which application systems and networks are used to process the information that supports the company's operational and commercial activities.
For an information technology manager, the scope of an information systems audit should be clear from the start. It must comprise a well-defined set of people, processes, and technologies that clearly correspond to the objective of the audit. If an auditor does not understand the technological environment before the audit begins, the scope may be defined incorrectly. Where such errors happen, they are often caught during the audit, and systems that were not previously in scope may be discovered.
The fieldwork of an information systems audit encompasses identifying the people, processes, and technologies within a given system environment that correspond to the expected control activities. The management responsible for the audit's results must do its best to ensure that the auditor receives information directly from the specialist in the area under review. This includes stressing the importance of giving correct and concise answers to the auditor's questionnaire, that is, referring the auditor to the specialist in the subject addressed or, failing that, back to the responsible contact.
If the information systems auditing professionals do not find evidence that a control objective is achieved, they will return to the responsible manager to see whether there is any activity within the organization that satisfies the objective but was not anticipated by the auditor. During fieldwork, a systems auditing professional will have a list of potential findings. They may not yet be fully documented, but the condition may be known. It is the IT contact's role to assist management and the auditor in seeking evidence that the control objective is achieved and thus complete the auditor's work.
Whether or not an information systems audit produces findings, the work concludes with an assessment report containing the auditor's formal opinion on the management concern that drives the audit's objective. The report defines the purpose of the audit, briefly describes the auditing methodology, and states the auditor's professional opinion as to whether management's concern is adequately addressed. It may also include recommendations for management actions that would reduce the impact of the findings.
Information systems auditing within an organization

An information systems audit is a great security tool for achieving an organization's objectives. It applies a disciplined approach to evaluating and improving the effectiveness of a system. The systems auditor's work also highlights opportunities to reduce, eliminate, and prevent non-compliance.
Within an organization, an information systems audit monitors the controls, system development, IT procedures, infrastructure, operations, performance, and security involved in processing the information that is critical to decision-making.
Its main objectives are: evaluating the organization's system, determining whether its elements are compliant or non-compliant, suggesting improvements, and ensuring compliance with regulatory requirements. However, an information systems audit is now expected to deliver more than compliance auditing, such as attention to risks.
An information systems audit does not only involve equipment (hardware) or specific procedures, but also its inputs, processes, controls, files, security, and data outputs (software). It is extremely important for the good performance of information systems, since it evaluates, in addition to the controls necessary for the systems to be reliable, the entire information technology environment: equipment, the data processing center (CPD), and software.
Currently, organizations are expanding the way they operate, carrying out stricter controls through information systems auditing in order to ensure the integrity and security of data traffic. Added to this is the widespread use of technology for storing accounting, financial, and operational information, which makes systems auditing a driver of improvement in the organization's field of activity.
The results of information systems auditing, obtained through work carried out by trained and experienced professionals, are widely used by decision makers with the objective of improving the organization's performance.
Responsibilities of the Information Systems Auditing Professional

The responsibilities of the information systems auditing professional include creating strategies and inspecting the company's information processing systems and programs, in order to protect the integrity of the information, ensure that the information stored is correct, and promote the effectiveness of their work. This professional is also known as a computer systems auditor, who verifies the platform where the company's private information is stored.
The information systems auditing professional also examines the company's specialized systems (operating systems), the support systems for activities other than the company's specialized ones (corporate systems), and the communication between legacy systems and their integrations. The professional thus advises company administrators on the effectiveness and vulnerability of computer systems and networks, while keeping up to date with the auditing and software skills required for the systems installed in the company.
It is also the responsibility of the information systems auditing professional to evaluate data processing systems in order to estimate their effectiveness, efficiency, and accuracy, and to study and examine the company's trading strategies and programs in order to estimate the scope and accuracy of the transactions processed.
In summary, systems auditing applies regardless of the company's field of activity and size, and the main responsibilities of an information systems auditing professional are:
- Analyze the programs' systems and their business purposes, in order to estimate and verify, as a systems auditor, that the objectives are being met.
- With each new system incorporated by the company, verify how it was built in order to check the effectiveness and security of the information.
- Evaluate the areas of the company where the systems are installed, making sure that all security methods are being followed and that the company's systems are in perfect working order.
- Monitor and analyze purchased software and hardware commodities, parts, and components to ensure that they will help the company achieve its goals and objectives.
- Observe and record the use of computer programs in the company.
- Communicate with administrators about information processing, and with the information technology associates who work on the company's computer systems.
- Formulate documented reports on new systems and implement them, which would genuinely help improve the company's labor output.
- Study, examine, and verify the company's accounting, auditing, and software records.
- Perform the role and duties of a systems auditor who is internal to the company and evaluates its information systems.
- Examine functional and usable data in the various computer networks and company systems to ensure that information systems are processed properly, to the company's benefit.
- Complete all other duties, positions, responsibilities, and functions of an information systems auditor in the company that are assigned to them.

Information systems auditing combined with financial/accounting auditing

An information systems audit can be carried out in an integrated manner, that is, one that treats information technology, financial, and operational controls as mutually dependent for the establishment of an effective and efficient internal control environment.
In the information technology context, the purpose of an information systems audit is to guarantee that information technology controls are effective and efficient in supporting the business process. In the financial and operational context, the objective is to ensure that financial and operational controls are effective and efficient in supporting the business process.
Although problems may not be identified by financial and operational controls, they can be identified in information technology, and information technology problems are capable of overriding the effectiveness of financial and operational controls, and vice versa. Therefore, for an integrated information systems audit, all perspectives need to be fully considered, since information technology, financial, and operational issues can significantly affect the achievement of management's objectives of protecting information system assets and ensuring information reliability and integrity.
An integrated information systems audit includes an audit of the applications, servers, and network configurations that support the business process. Examining and testing the applications, servers, and network configuration is similar to an information systems audit. In addition, the information systems auditors and the financial and operational auditors collaboratively consider the following aspects of the business process being examined:
- Information and business processing risks and controls are understood and agreed upon by the business owners, the information technology and support organization, and the integrated information systems auditing team.
- Feeds, manual and automated system interfaces, and communications are accurate, timely, and secure.
- Manual and automated transactions are approved and processed in a timely and accurate manner.
- Information is secure and privacy controls comply with current regulations.
- Disaster recovery plans and business continuity plans provide reasonable assurance that both the system and business operations can recover and continue when a system or business interruption occurs.
- Program changes are authorized, tested, approved, and migrated to production as prescribed by the business process owners.

In an integrated information systems audit, the business process owner is responsible for ensuring that the information technology, financial, and operational controls are implemented, effective, and efficient.
Get in touch with TACTIC, which provides integrated auditing, accounting, tax, corporate finance, financial advisory, risk advisory, technology, business consulting, and training services, at www.taticca.com.br or by e-mail at taticca@taticca.com.br to learn more. Our company has professionals with extensive market experience and certified methodologies for carrying out these activities.