Information Systems Audit

Yojan Dhakal
CryptoGen Nepal
9 min read · Jun 2, 2021


As enterprises rely ever more heavily on IT systems, the threat vectors those systems face grow too. An IS audit is the continuous and comprehensive assessment of the current state of the IT systems, identifying the risks and the appropriate controls to bring those risks down to an acceptable level. It includes collecting relevant audit evidence to determine whether the information systems maintain the confidentiality, integrity and availability (the CIA triad) of the data they process and store. As this is an introductory read, these three foundational elements of cybersecurity are briefly explained below.

  1. Confidentiality: Confidentiality means that sensitive information, in storage or in transit, is protected from unauthorized access. Information in the systems must be disclosed only to those who have both the access rights and the need to see and use it, and to no one else.
  2. Availability: Availability means that information and systems are available to authorized users when needed. Any information system on which the business is heavily dependent must be available when necessary and be protected against all types of losses and disasters.
  3. Integrity: Integrity covers the overall accuracy, completeness, and consistency of data. When data integrity is maintained, the information provided by the systems is accurate and reliable, with no alterations between two instances of the data record.

So, what an audit really does is make sure that appropriate controls are in place and determine whether or not they are sufficient.

The auditors’ examination then produces an audit opinion on the status and management of the available information resources in relation to the auditee’s set objectives. It is based on the procedures followed to ensure the CIA properties described above and conformity with the applicable standards, laws, and regulations.

The IS audit process

1. Defining requirements

This stage covers the evaluation of the subject matter. The information systems audit process generally starts with the requirements defined and the drivers behind those requirements. These drivers could be the results of past business risk assessments that showed the need to improve some aspects, or the need to comply with laws and frameworks and the controls laid out by them. For example, if the auditee deals with protected health information, they are required to comply with the Health Insurance Portability and Accountability Act (HIPAA). Here in Nepal, if the auditee is a bank or a financial institution, they need to follow the Bank and Financial Institution Act (BAFIA) 2073. Insurance companies are required to follow the latest amendment of the Insurance Act, 1992. So there are various regulations in place aimed at companies and organizations with different specializations.

By identifying the controls that are to be audited, the scope of the audit is defined. An information systems audit can be approached in many ways, but typically the auditors prepare checklists based on the requirements and map them to the drivers. This helps the auditors avoid deviating from the tasks at hand, since audits touch many elements of the organization: among the business processes, people, assets, and other things, it does not take much to lose track. With the list of controls to test against, the auditors then start inspecting and testing the controls.

2. Inspection, testing and analysis

At this phase of the audit process, the auditors start reviewing the organization’s documentation, internal policies and procedures, business processes, software development lifecycle, network diagrams and so on. This is when evidence is collected for the controls under test to see whether they provide a sufficient level of security. From reviewing system configurations to interviewing staff, all of the findings are recorded and analyzed for gaps, anomalies, and susceptibilities.

3. Audit Findings

The outputs from the various test cases and gap assessments are combined holistically to determine whether the controls are appropriate and whether the requirements are being met. By analyzing the evidence and findings, auditors interpret the larger picture of what those mean for the organization. If employees are found sharing passwords among themselves, it might be inferred that they lack security awareness; everyone knows that one should not share passwords, even more so when that rule is backed by policies and guidelines. Such observations are developed into findings, which are compared against any preexisting baselines: short-term goals set by the organization, or the reports from past audit projects. The findings are presented to management to clear up any misunderstandings about the scope covered, tests conducted or other topics, and are then included in the audit report, with an optional recommendations section on how to enhance the controls and close the gaps.

4. Follow Up

As audit is a continuous process, a follow-up may be required a certain period after the findings have been closed. If the audit was performed by an external auditor and a follow-up was agreed upon, they return and perform a follow-up assessment on all of the audit issues identified, using proper verification processes such as analysis, testing, discussion, evaluation and conclusion, to determine whether the management actions taken in response to the audit recommendations have been properly implemented.

Job Prospects of an Information systems auditor

Due to the very dynamic nature of the IT field and an ever-changing cyber-threat landscape, IS auditors must stay current on the latest computer technology, equipment and systems. A vast amount of technology and innovation surfaces every day. With concepts such as the Internet of Things (IoT) taking off rapidly, newer control mechanisms need to be implemented to ensure that the elements that make up these new technologies are intact and secure, both physically and logically. As businesses and organizations are always struggling to keep their internal IT controls updated and maintain conformity, they seek highly trained individuals to assess their systems. IS auditors manage the process of evaluating a company’s IT infrastructure, assessing the weaknesses and vulnerabilities in it along with the associated controls.

Information systems auditors generally work as a team on the system audit projects at hand. As an IT auditor, one can opt to work for private companies, while others may choose to work for consulting firms. IT auditors generally start their careers working under a supervisor and, with time and experience, can become supervisors themselves. The information systems auditor role typically requires a bachelor’s degree or higher in information systems, computer science, or a related field. The role also calls for a set of preferred qualifications and certifications to back one’s expertise in work-related domains.

Getting started

1. Academic Qualification

Almost all of the audit firms and cybersecurity companies that provide IS audit services require a bachelor’s degree of some sort. Some may prefer a more cybersecurity-focused background, whereas others allow more leeway and enroll professionals from other industries such as finance or law. One can learn how their prior engagements apply to IT auditing and build themselves up from there.

2. Job Experiences

IS auditors need to understand IT systems and architectures along with ways to improve them, which is why an IS auditor needs to obtain professional experience in IT. Roles such as systems or database administrator or systems analyst can serve as a stepping stone to the IS auditor role. Taking up internships in such companies and organizations can help meet the requirements of an IT auditor job description. The required job experience varies with the position; some positions require auditors to have at least five years in their field.

Although the majority of banking and financial institutions (BFSIs) and large organizations have their own internal audit teams that perform audits and follow-ups on various compliance issues, other companies and firms outsource these services. Those who end up in the latter may be required to visit a different auditee with every audit project. But landing a job in either of these roles requires auditors to continue learning and keep upskilling to remain effective in their job roles.

There are various resources, whether you are an aspiring IS auditor or have already landed the role and are looking to go further in the field of compliance and security and enhance your auditing skills. One route is to obtain audit-related certifications, but besides certifications there are various training options for exploring and maintaining audit knowledge and keeping it relevant.

3. Trainings

  • Online courses: There are tons of IS audit training courses online. Some require payment while others are free of cost. Every now and then these global marketplaces for teaching and learning run offers on their courses, ranging from heavy discounts to paid courses made free for a limited period. Some of the materials can be accessed with the credentials of a recognized educational institute. So, if one wants to benefit from these offers, regular research is a must. These courses help cover various areas of audit knowledge. The following courses can be a great way to learn or retain general audit skills and knowledge.

https://www.coursera.org/learn/information-systems-audit/home/welcome

https://www.linkedin.com/learning/paths/become-a-certified-information-systems-auditor-cisa?u=57118729

  • Training seminars/webinars: Various companies conduct IS audit related seminars or webinars covering different domains of the field. Attending these training programs can be very helpful when they cover new processes or procedures that aid in performing audits. Some sessions are even recorded and uploaded to video sharing sites in case interested attendees could not attend the program. These materials can be found easily with a tad bit of recon.
  • Regulatory standards, guidelines and frameworks: Getting familiar with the relevant standards and guidelines can be extremely helpful when taking on audit projects. For example, going through the Bank and Financial Institution Act (BAFIA) 2073 teaches the compliance requirements that the act imposes on banking and financial institutions of Nepal. Basically, having a general idea of IT standards and frameworks helps identify the relevant compliance requirements for a specific organization.

https://techgenix.com/frameworks-and-standards/

Audit Certifications

There are a number of popular audit-focused certifications controlled and maintained by different certification authorities. Some of the certifications covering practices and skills beneficial for audit projects, such as knowledge of governance and security standards, change controls, risk management and so on, are as follows.

· GIAC Systems and Network Auditor (GSNA) offered by Global Information Assurance Certification (GIAC).

· Certified Information Systems Auditor (CISA) offered by the Information Systems Audit and Control Association (ISACA).

There is a plethora of other certifications related to IT audit. Another credential offered by ISACA is Certified in Risk and Information Systems Control (CRISC), which indicates that a professional has a firm background in IT risk assessment, response, and reporting. These certifications validate and acknowledge the special skills, knowledge and expertise auditors need to assess and audit the controls of any IT infrastructure effectively. They also provide a competitive advantage, job security, more job opportunities and a higher pay scale.

Organizations like the International Organization for Standardization (ISO), which develops and publishes international standards, have related certification programs that serve as market differentiators. An ISO certification certifies that a service, manufacturing process, management system, or documentation procedure meets all the requirements for standardization and quality assurance. For example, the ISO 9001 standard covers quality management and defines criteria for meeting a number of quality management principles aimed at improving customer satisfaction. Being ISO 9001 certified means that the quality management system complies with the ISO 9001 standard and has passed the ISO 9001 audit assessment by a certification body. Certifications such as ISO 9001 or ISO/IEC 27001 Lead Implementer and Lead Auditor prove that one possesses the expertise needed to support an organization in implementing a quality management system or an information security management system that complies with ISO 9001 or ISO/IEC 27001.

We at CryptoGen Nepal treat security as an ongoing concern. Every week we release Infosec, a compilation of security-related news, to update readers about cyber security, cyber threats, malware attacks and cyber security awareness. We also provide a range of services to help you make your organization secure.

If you have any queries, feel free to communicate with us.

Follow us for updates on Facebook, Twitter, LinkedIn & Instagram.

