IT Audit is defined as “the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organisational goals to be achieved effectively and uses resources efficiently”.
IT Audit is a broad term that includes Financial Audits (to assess the correctness of an organization’s financial statements), Operational Audits (evaluation of the internal control structure), Information Systems Audits (including Performance Audits), Specialized Audits (evaluation of services provided by a third party, such as outsourcing) and Forensic Audits. The common factor is the formation of an opinion regarding the degree of reliance that can be placed on the IT systems of the audited organization. Audits of Information Technology Systems under development and IT-enabled audits (using CAATs, Computer Assisted Audit Techniques) also fall under this broad grouping.
Objectives of IT Audit
The objectives of IT audit include assessment and evaluation of processes that:
(a) Ensure asset safeguarding. ‘Assets’ include the following five types:
• Data - data objects in their widest sense, i.e., external and internal, structured and unstructured, graphics, sound, system documentation, etc.
• Application Systems - an application system is understood to be the sum of manual and programmed procedures.
• Technology - technology covers hardware, operating systems, database management systems, networking, multimedia, etc.
• Facilities - resources to house and support information systems, supplies, etc.
• People - staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services.
(b) Ensure that the following seven attributes of data or information are maintained:
• Effectiveness - deals with information being relevant and pertinent to the business process, as well as being delivered in a timely, correct, consistent and usable manner. It also covers system effectiveness: evaluating whether the IT system meets the overall objectives of top management and users.
• Efficiency - concerns the provision of information through the optimal (most productive and economical) usage of resources. It also covers system efficiency: efficient systems use optimum resources to achieve the required objectives.
• Confidentiality - concerns protection of sensitive information from unauthorized disclosure.
• Integrity - relates to the accuracy and completeness of information as well as to its validity in accordance with the business' set of values and expectations.
• Availability - relates to information being available when required by the business process, and hence also concerns the safeguarding of resources.
• Compliance - deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria. This essentially means that systems need to operate within the ambit of the rules, regulations and/or conditions of the organisation. For example, an FIR (First Information Report), as per the rules, normally requires the signature of the complainant; the process has to be reengineered by changing the rules before web-based complaints can be permitted. Similarly, banking operations will have to conform to banking regulations and legislation. It is also the duty of the IT Auditor to see that work practices are in tune with the laws of the land, such as the IT Act promulgated by the Government of India.
• Reliability of information - relates to systems providing management with appropriate information for use in operating the entity, in providing financial reporting to users of the financial information, and in providing information for reporting to regulatory bodies regarding compliance with laws and regulations.
Thus, IT Audit is about examining whether the IT processes and IT resources combine to fulfil the intended objectives of the organization, ensuring Effectiveness, Efficiency and Economy in its operations while complying with the extant rules.
Mandate for IT Audit
The mandate of SAI India (the Supreme Audit Institution of India) for IT audit is derived from the Constitution of India and established under the Comptroller and Auditor General’s (Duties, Powers and Conditions of Service) Act, 1971. The mandate of the CAG of India for Systems Audit is governed by Sections 13, 14, 16, 17, 18, 19 and 20, as the case may be, read with Section 23 of this Act.