
Sunday, February 24, 2019

Information System Audit in Indian Banks

Information itself is an important asset in today's business. If information is lost, modified or misused, a business can suffer huge losses. Hence information security is important for any business. Information systems in business, including banking, are becoming technology oriented. Computers are used in all areas of business, including financial accounting. Internal controls used in a Computerized Information System (CIS) environment should therefore address information security as well. This aspect of internal control is generally overlooked in a financial audit, where evidence collection and evaluation are the main concern.

Audit provides assurance to the stakeholders of a business. The assurance provided by a financial audit concerns the financial accounts, which are relied upon and on the basis of which many stakeholders take decisions. However, every business carries risks that a financial audit does not highlight.

Operational Risk and Audit

For example, the Basel II Accord refers to operational risks arising from the failure of systems, processes and procedures, from human action or inaction (fraud), from legal restrictions, and so on, in the operation of banks; some of these are not dealt with in a financial audit. The Basel Committee has identified people, processes, systems and external events as the potential hazards for operations. Inadequacy or failure of any of them can result in events which cause losses. Every business has to identify the events relevant to it. The events may be similar within the same industry, but they vary from one organization to another.

The whole exercise of operational risk guidance is to identify potential events which are likely to cause losses. Here is a non-exhaustive list of events which could lead to operational risk:

Technology failure
Fraud and theft
Legal and regulatory non-compliance
Transaction risk

Processes, people and systems are closely linked with information systems. Even the measurement and recognition of external events need information systems. Therefore, under the new Accord, the job of an audit and control practitioner becomes more onerous and challenging. A financial audit cannot assure that the information system is sound, as the financial auditor is not an expert in information technology. Hence an expert should provide an opinion on whether the risks in the information system are adequately controlled. This is where Information System Audit (IS Audit) comes into the picture.

Meaning of IS Audit

Information systems audit is a part of the overall audit process, which is one of the facilitators of good corporate governance. While there is no single universal definition of IS audit, Ron Weber has defined it as the process of collecting and evaluating evidence to determine whether a computer system (information system):

safeguards assets,
maintains data integrity,
achieves organizational goals effectively, and
consumes resources efficiently.

Key Challenge in IS Audit

IS audit often involves finding and recording observations that are highly technical. Such technical depth is required to perform effective IS audits. At the same time, it is necessary to translate audit findings into vulnerabilities and business impacts to which operational managers and senior management can relate. Therein lies the main challenge of IS audit.

Scope of IS Audit

IS auditing is an integral part of the audit function because it supports the auditor's judgment on the quality of the information processed by computer systems.
Initially, auditors with IS audit skills were viewed as the technological resource for the audit staff, who often looked to them for technical assistance. Within IS auditing there are many types of audit needs, such as:

Organizational IS audits (management control over information technology)
Technical IS audits (infrastructure, data centers, data communication)
Application IS audits (business/financial/operational)
Development/implementation IS audits (specification/requirements, design, training and post-implementation phases)
Compliance IS audits involving national or international standards

The IS auditor's role has evolved to provide assurance that adequate and appropriate controls are in place. Of course, the responsibility for ensuring that adequate internal controls are in place rests with management. Audit's primary role, except in areas of management advisory services, is to provide a statement of assurance as to whether adequate and reliable internal controls are in place and are operating in an efficient and effective manner. So, whereas management is to ensure, auditors are to assure.

The breadth and depth of knowledge required to audit information technology and systems is extensive. For example, IS auditing involves:

the application of risk-oriented audit approaches;
the use of computer assisted audit tools and techniques (CAATs);
the application of standards (national or international) such as ISO 9000-3 to improve and implement quality systems in software development;
an understanding of business roles and expectations in the auditing of systems under development, as well as of software package purchases and project management;
the evaluation of complex Systems Development Life Cycle (SDLC) models or newer development techniques (e.g., prototyping, end-user computing, rapid systems or application development);
the evaluation of complex technologies and communications protocols, including electronic data interchange, client/server systems, local and wide area networks, data communications, telecommunications and integrated voice/data/video systems.

Elements/Components of IS Audit

An information system is not just a computer. Today's information systems are complex and have many components that fit together to make a business solution. Assurance about an information system can be obtained only if all the components are evaluated and secured; as the proverb goes, a chain is only as strong as its weakest link. The major elements of IS audit can be broadly classified as follows.

Physical and environmental review: This includes physical security, power supply, air conditioning, humidity control and other environmental factors.

System administration review: This includes security review of the operating systems, database management systems, all system administration procedures and compliance with them.

Application software review: The business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software covers access control and authorizations, input validation, error and exception handling, business process flows within the application software, and the complementary manual controls and procedures around it. Additionally, a review of the system development life cycle should be completed.

Network security review: Review of internal and external connections to the system, perimeter security, firewall rule review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.

Business continuity review: This includes the existence and maintenance of fault-tolerant and redundant hardware, backup procedures and storage, and a documented and tested disaster recovery/business continuity plan.

Data integrity review: The purpose of this is the testing of live data to verify the adequacy of controls and the impact of weaknesses observed in any of the above reviews. Such substantive testing can be done using generalized audit software (computer assisted audit techniques).

It is important to understand that each audit may consist of these elements in varying measures; some audits may scrutinize only one of these elements or drop some of them. While it is necessary to do all of them, it is not mandatory to do all of them in one assignment. The skill sets required for each are different. The results of each audit need to be seen in relation to the others. This will enable the auditor and management to get a total view of the issues and problems. This overview is critical.
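The substantive testing described under the data integrity review, and the maker-checker and authorization controls mentioned under the application software review, are the kind of checks a generalized audit tool (CAAT) automates: it reads the live transaction data and reports exceptions for the auditor to trace. The script below is an added example and is not code from the original post or from any audit product. The posting journal, its field layout, the user IDs, the business-hours window and the high-value threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample: one day's posting journal from a hypothetical core
# banking system. The field layout, user IDs and values are assumptions
# made for this example; they do not come from any real bank.
JOURNAL = [
    # (txn_id, account, amount, maker, checker, posted_at)
    (1001, "ACC-001",   5000.00, "u_amit",  "u_rekha", "2019-02-22 10:15"),
    (1002, "ACC-002", 120000.00, "u_amit",  "u_rekha", "2019-02-22 10:20"),
    (1003, "ACC-003",    250.50, "u_sunil", "u_rekha", "2019-02-22 11:02"),
    (1005, "ACC-001",   5000.00, "u_amit",  "u_rekha", "2019-02-22 11:40"),
    (1006, "ACC-004", 999999.00, "u_sunil", "u_sunil", "2019-02-22 23:55"),
    (1007, "ACC-002", 120000.00, "u_amit",  "u_rekha", "2019-02-22 10:20"),
]

BUSINESS_HOURS = (9, 18)        # assumed posting window: 09:00 to 17:59
HIGH_VALUE_LIMIT = 500000.00    # assumed threshold requiring senior approval


def sequence_gaps(journal) -> List[int]:
    """Completeness test: every voucher number in the range must exist.
    A gap points to a deleted or suppressed posting that needs explanation."""
    ids = sorted(row[0] for row in journal)
    present = set(ids)
    return [i for i in range(ids[0], ids[-1] + 1) if i not in present]


def self_approved(journal) -> List[int]:
    """Segregation-of-duties test: the maker of a transaction must not also
    be its checker, otherwise the application's maker-checker control failed."""
    return [row[0] for row in journal if row[3] == row[4]]


def exact_duplicates(journal) -> List[List[int]]:
    """Duplicate posting test: same account, amount and timestamp.
    Returns each group of transaction ids that collide on that key."""
    groups = defaultdict(list)
    for txn_id, account, amount, _maker, _checker, posted_at in journal:
        groups[(account, amount, posted_at)].append(txn_id)
    return [sorted(ids) for ids in groups.values() if len(ids) > 1]


def after_hours(journal) -> List[int]:
    """Timing test: postings outside the assumed business window are unusual
    and may indicate misuse of privileged or shared access."""
    start, end = BUSINESS_HOURS
    flagged = []
    for row in journal:
        hour = datetime.strptime(row[5], "%Y-%m-%d %H:%M").hour
        if not start <= hour < end:
            flagged.append(row[0])
    return flagged


def high_value(journal) -> List[int]:
    """Threshold test: amounts above the limit must be traced to the separate
    senior-approval record, which this journal does not contain."""
    return [row[0] for row in journal if row[2] > HIGH_VALUE_LIMIT]


def run_substantive_tests(journal) -> Dict[str, list]:
    """Run every test and return the exception report keyed by test name.
    An empty list means the test found no exceptions."""
    return {
        "sequence_gaps": sequence_gaps(journal),
        "self_approved": self_approved(journal),
        "exact_duplicates": exact_duplicates(journal),
        "after_hours": after_hours(journal),
        "high_value": high_value(journal),
    }


if __name__ == "__main__":
    for test, exceptions in run_substantive_tests(JOURNAL).items():
        print(f"{test:18s} {exceptions if exceptions else 'no exceptions'}")
```

Each test is a separate function so that its exceptions can be reconciled back to the control it exercises: a sequence gap speaks to completeness controls, a self-approved posting to the application's authorization control, and an after-hours posting to access management. Note that 1001 and 1005 share an account and amount but differ in time and are deliberately not reported as duplicates; a near-duplicate test over a time window would be a separate, more aggressive check with its own false-positive rate.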
