Internal Audit Standard No. 28 Information System Audit
Information Systems (IS) have become increasingly diverse and complex, providing a range of services to a variety of stakeholders. The increasing reliance on technology and its changing role has expanded the scope of potential risks, both the risk of exploitation by fraud and the risk of business disruption. Internally developed IS and systems purchased from third-party suppliers both require assurance that they are operating efficiently and are able to support the stated goals of the organisation.
Internal auditors, as independent assurance providers, are well-placed to provide senior management with a review of the effectiveness of the IS environments in terms of both development and operational controls. They provide vital insights into the key areas of potential exposure, including security of information, operational effectiveness and compliance with law and regulation.
The following guidance outlines the key areas that need to be assessed by internal audit when conducting an audit of the organisation's IS environment.
The scope of the IS audit should include, but is not limited to, the following:
1. System development and acquisition: Determining if the systems are operating effectively and meeting the user requirements. Assessing the adequacy of system development processes, tools, techniques and methodologies; any changes or enhancements, software or hardware acquisition processes and the proper use of standards.
2. System operation: Ensuring that the application runs in a timely and accurate manner; adheres to data access and security requirements; meets performance and availability specifications; and ensures cost-effective support and maintenance.
3. System administration: Verifying that proper system administration procedures and personnel are in place to ensure effective control over system resources and protect against potential security vulnerabilities.
4. Backup and recovery measures: Evaluating the adequacy of recovery plans and procedures to ensure the preservation of data and minimise downtime and service disruption in the event of a system failure.
5. System security: Examining the measures in place to protect the system against unauthorised access and data loss or manipulation.
6. System audit logs: Ensuring that appropriate audit logs are in place and operating effectively.
7. System change control: Examining the system change control processes and their effectiveness in ensuring that the procedures are strictly adhered to.
8. System documentation: Reviewing the maintenance of system documentation and its use to support the system development, operation and maintenance.
9. System integrity: Assessing the level of system integrity and the effectiveness of the processes and controls in place to ensure accuracy and completeness of data.
10. System performance: Evaluating whether the system is meeting the performance standards expected.
11. System governance: Reviewing the existing system governance framework, its policies and procedures, processes and control measures, and their effectiveness in ensuring that the IS operates in line with business objectives and all relevant laws, regulations, codes and standards.
In undertaking an IS audit, internal auditors should collect evidence, review the implementation and effectiveness of internal controls in practice, evaluate the production environments and any third-party systems and services, analyse the IS data and information, and assess the risks and potential fraud. The internal auditors should also consider the use of automated scanning tools and manual penetration tests to help assess the effectiveness of IS controls, in order to identify any vulnerabilities.
The provision of assurance of the IS environment is a critical aspect of the internal audit function, allowing senior management to have greater confidence in their software assets, particularly in regard to information security, the recovery of viable and accurate systems and data, and in the defence against unpredictable external threats.