The information system audit group conducts the controlling and implementation of data processing organizations, hardware and software applications. The objectives of these audits are assessing the quality of protection and control over the assets of the organization, using data processing resources effectively, adhering to management policies, and promoting the adaptation and design of adequate controls over computer applications and the computer environment used.
These objectives are designed to:
- Evaluate the adequacy, policies, procedures and controls of data processing operations, and help improve operational efficiency and efficiency controls by taking into account the unclear risks with high costs.
- Determine how much of the company's data processing value is protected from any loss.
- Provide management for the development of the transactions (profit, cost, use of assets) determined during the course of these audits.
- Promote the development of information systems management responsibility and auto control concepts throughout the company.
INFORMATION ABOUT IT AUDITING
1- Audit of planning and organization activities
Planning and organizing activities include strategies and methods for providing information technology support in the most appropriate way in order to meet the business objectives. Strategies are planned to include different aspects of the view and are communicated to the relevant units and persons within the organization. The fact that the technological infrastructure can work efficiently and effectively in a healthy organizational structure is taken into consideration during the information systems audit process.
Within the framework of general controls on planning and organization, control objectives related to the following processes are monitored:
- Identification of strategic information technology plan,
- Identification of information architecture,
- Determination of technological direction,
- Identification of IT processes, organization and relationships,
- IT investment,
- Transmission of the objectives and instructions of the administration,
- Human resources management,
- Quality management,
- The evaluation and management of information system risk,
- Project management
2- Data Center / Computer Operations Audits
The reviews on the data center and computer operations are conducted to assess administrative controls on data center resources and data processing staff. The scope of this review may include assessment, classification, policies / procedures, allocation of responsibilities, budgets, administrative reports, records and performance measurements.
Within the framework of general controls on data center and computer operations audits, control objectives related to the following processes are monitored:
- Hardware management,
- Software management,
- Preservation and correction of the source,
- Access controls,
- Operations management and network / communication management
A data center / computer operations audit can focus on any of these responsibilities, or it can include everything, depending on the size of the data center, the classification of operations, and the time budget. For example, for large, multi-computer data centers with large numbers of users, data center reviews can focus only on access controls and security management. For small data centers, auditing may involve all responsibilities.
The purpose of data center / computer operations reviews is to identify the risks on hardware, software, or data and to suggest a cost-effective way to reduce these risks. Suggestions can include activities such as physical protection methods, data backup operations, software change controls, security management, and hardware usage or capacity.
3- Supply and Implementation Activities Audit
Supply and implementation activities include the identification, development or outsourcing of information technology solutions, and their implementation and integration into business processes, in order to realize information technology strategies. The maintenance of and changes in the systems are also evaluated in this control area.
Within the framework of general controls on supply and implementation activities, control objectives related to the following processes are monitored:
- Determination of automation solutions,
- Development and maintenance of application software,
- Creation and maintenance of the technology infrastructure,
- Operation and utilization,
- Meeting the resources of information systems,
- Change management,
- Implementation of system solutions and changes
The purpose of application systems audits is to identify risks of processing data in a timely and efficient way in the software developed to process data, and of identifying corrupt or incomplete data.
Suggestions from implementation systems controls may include extra control procedures, just-in-time backup exercises, increased data access restrictions, or requirements for extra user instruction.
4- Service Delivery and Support Activities Audit
Service delivery and support activities refer to the safe and continuous delivery of the services required, including providing the necessary training.
Within the framework of general controls on service delivery and support activities, control objectives related to the following processes are monitored:
- Identification and management of service levels,
- Management of services from third parties,
- Performance and capacity management,
- Provision of service continuity,
- Ensuring system security,
- Determination and distribution of costs,
- Training of users,
- Service delivery management,
- Configuration management,
- Problem management,
- Data management,
- Physical environment management,
- Operations management
5- Monitoring and Evaluation Activities Audit
Within the framework of general controls on monitoring and evaluation activities, control objectives related to the following processes are monitored:
- Monitoring and evaluation of information system performance,
- Monitoring and evaluation of internal control,
- Ensuring compliance with the relevant legislation, including internal procedures and principles,
- The institutional governance of information systems
6- System Development Audit
The objective of system development audits is evaluating the administrative controls on the implementation, authorization, and development of new computer-aided applications; and monitoring the design of computer-aided controls / audit trails on the proposed system.
The scope of these inspections may include the evaluation of the administrative controls on the project (feasibility results, classification, budgeting, distribution of responsibilities, project plans and status of reports, etc.) or the assessment of the quality of each of the system developments or transmissions (assessment of the controls’ design and audit trails, system test plans and results, user training, system and program documentation, etc.). The main responsibility among these audits is the development of a new system and installation of projects and the method of changing the management.
The purpose of a system development audit is to ensure early detection of those issues that can be prevented in a timely manner, and in-budget adaptation of a computerized system that is documented and operated by an adequately trained user group.
Suggestions by system development inspections may include extra project plans, file reconciliation and balancing controls, or document test plans and expected test results.
7- Other Personal or Departmental Information Environment Audit
The “other” computing environment term identifies areas in which the computer stores and processes data for a person, group, or partition (remote from traditional computing centers). The control level and importance of the environment vary depending on the type of data, its impact on the business, its use and purpose, etc. Examples of computing environments in the “other” category include: engineering / scientific process, personal computing, laboratory test data collection, segmented applications, local area networks, wide area networks, etc.
The scope of these inspections includes the majority of the same issues that are covered in the data center control (for example, managerial controls on the functioning environment, personnel operation, hardware and software management, resource protection, improvement, access controls, network control).
The purpose of auditing other information environments is to identify hardware, software and data risks and to make suggestions in order to minimize such risks in the most efficient manner.
Recommendations may include data backup applications, job separation, documentation of transaction procedures, deployment of program change controls, relocation of the application to a more controlled environment, or compliance with the software license agreement.
Proper backup and security of the data maintained on personal computers are the personal responsibility of internal audit personnel. Keeping, copying and backing up their own work is the responsibility of the auditors. This procedure applies to the laptop provided to each auditor and to the shared desktop models in other places.
The timing of the backup procedure is a personal decision, depending on the level and complexity of the information stored. As a reference, it is recommended to copy the files (Word, Excel, etc.) to the floppy disk at the end of each day using the “Backup / Help” menu option on the laptop. This will only copy the files created and stored in the control subdirectories. This process is fast and easy. Keeping backup disks in a safe place away from the laptop provides potential time protection.
Taking the output of the documents while the control is in progress enables the operation of the current control to continue in case of loss of the hard disk, while occasionally backing up to a floppy disk saves time in subsequent checks.
Since backup is a personal responsibility, every staff member should evaluate the data that need to be restructured in the event of hard disaster damage. The loss of a few days or weeks of audit documentation, or of the majority of audit time, should not be accepted.
A weekly backup procedure should be executed for the shared personal computers in other locations. Under the weekly backup procedure, files under the audit subdirectories should be backed up every Friday. Persons using desktop computers in the department should consider backing up their own jobs if it is appropriate to safeguard on time.