Page 136 - DCOM509_ADVANCED_AUDITING
Unit 8: Auditing in Computerized Environment
The other form of audit is called an Information System Audit, in which the information
systems are studied to ensure that they are functioning in the desired way and that the controls
to prevent their misuse or abuse are working properly. In many organizations, auditors are also
involved at the time of development of the software, so as to assure the organization that the
software it intends to use has the desired security and control features to prevent misuse
or abuse, and that the software serves its intended purpose in an efficient and effective
way. This raises some major concerns for the auditors. These concerns relate to controls
over computer systems, security of the systems, functionality of the system, and accessibility
of data for auditing.
Caution: The auditors may also ensure that the software development life cycle (SDLC) is
properly followed and systematic systems documentation is done for future reference.
8.2.1 Control Risks in Computer Systems
In earlier systems, processing of financial transactions was manual and one could examine the
paper documents and accounts. The authorizations by the concerned authorities were clearly
visible, and their authenticity was verifiable from the papers and the signatures of the authorities.
However, everything changed as reliance on computer processing increased. Not only are
transactions being created on computers, they are also being authenticated on computers using
various techniques, and hence auditors have to ensure that sufficient controls exist in the
computer systems to avoid any fraud and misuse of the systems. As present-day organizations
depend more and more on networking for resource sharing and efficiency, the risks increase,
because physical controls over such systems become insufficient: data can be accessed from
anywhere and at any time.
8.2.2 Security of the Computer Systems
As dependence on computer systems for carrying out business increases, maintaining computer
systems for their all-round availability for business becomes important, as their non-availability
can cause serious damage to the organization’s interests and reputation. However, these systems
are basically machines and hence prone to risks other than control risks. While some components
of a system are physical, such as hardware (including storage media and peripherals), facilities
(such as uninterrupted power supply, air-conditioning etc.), personnel, documentation and supplies,
other important components are software and data. These computer system assets of an
organization are not only prone to damage from fire, water, variations in power supply, pollution
and unauthorized intrusion; they are also susceptible to misuse of software, data and services,
and to virus attacks. Although present-day organizations have a different security system for such
risks to computer systems, auditors have to take into account the effectiveness and efficiency of
such a system.
Caution: Controls and security always come at a cost, and hence, before putting them in
place, a detailed view of the issues involved, particularly their cost-benefit analysis, is
needed before management takes a view.
There should also be some prioritization of the applications for implementation of security and
controls. Here the Control Objectives for Information and related Technology (better known as
the CobiT principles), developed by the Information Systems Audit and Control Association
(ISACA; website www.isaca.org), are of great help, but more about that later.
LOVELY PROFESSIONAL UNIVERSITY 131