IS Audit and Internal Controls
published in caclubindia.com on 31st January 2014
Implementation and continuous review of effectiveness of Internal Controls has always been a challenge for enterprises. Internal Controls can be compared to the chassis of a vehicle – without the chassis, the engine is rendered useless. Internal Controls are most needed in a corporate environment to prevent fraud incidence and to manage risk of loss to assets and profits. In recent years, enterprises have become more enterprising and competitive and along with help of technology, they have succeeded in increasing their size of services, produces and presence. Enterprises are now having their locations all over the world. Thus the need of having correct Internal Controls is more than ever.
A CA provided the following services until the effect of technology struck business. As a professional, he used to provide services such as Audit, Tax, Company Matters, Legal Compliances, and Accounting etc. Specifically as an Audit Professional, he used to render services of conducting audit engagements such as Statutory Audit, Tax Audits (both Direct and Indirect Taxes), Special Audits (as prescribed under various Acts), Bank Audits, and Internal Audits etc. There is a paradigm shift in the expectations from Chartered Accountants in the new scenario.
A CA as an audit professional can provide more services that relate to technology such as IS Audits, Implementation of ERP and GRC (Governance, Risk Management and Compliance), Design of Access and Process Controls, Forensic Audits etc.
A CA is expected to know and review implementation of new regulations and standards like The Sarbanes – Oxley Act of 2002 – Section 302 and 404, The Companies Act 2013 – Section 134 and 143, Clause 49 of SEBI’s Listing Agreement, Privacy Acts of various Countries and Standards like ISO 27000 Family, ISO 22301, BSI (British Standards Institute) Standards, and PAS (Public Available Standards) Standards etc., not forgetting Frameworks like COBIT 5 (Control Objectives for Information and Related Technology) and COSO (Committee of Sponsoring Organizations) Framework for Internal Controls.
One such greenfield service is the engagement of conducting IS Audits or Information Systems Audit. An IS Audit is related to Internal Audit. Internal Controls that are present in the enterprise are completely relevant while conducting an IS Audit.
These are some keywords that would be repeating in this study and is important to understand them.
- Control: It literally means Internal Controls that is present in a business environment. It can be IT Controls or non IT Controls.
- Risk: It is the rate at which there is a threat to the business which has arisen from a specific happening/non happening.
- Process: A set of tasks make a work flow. A set of work flows make a process. A process is controlled by a “Process owner” or “Function head”. E.g. HR Process, Procurement Process.
Internal Control simply means “Policies framed by the management in order to have stronger and adequate control of affairs within the enterprise, and which can be checked by the Internal or Statutory Auditor in order to ensure that the goals and objectives of the enterprise are duly met”. They are practices and processes enforced on the employees of an enterprise to prevent fraud and to maintain integrity of the data.
Internal Controls is said to be a sum of General Controls and IS Controls. IS controls is said to be a sum of IT Application Controls and IT General Controls. General Controls refers to Internal controls that are not enforced through the IT System unlike the IS Controls. IS Controls are controls that are present on the enterprise’s IT Infrastructure. IT Infrastructure includes hardware and software.
IT Application Controls: They vary depending on the applications that have been installed by the enterprise for its revenue generation. Application software is the software that processes business transactions. The Application software could be a retail banking system, an Inventory system or possibly an integrated ERP. Controls which relate to business applications leading to judicial use of the application and enforced through the application itself to the end user are called IT Application Controls. IT Application Controls can be broadly classified into five categories:
- Input Controls: Controls that are enforced during the input of data by a user. E.g. Data Checks and validations.
- Processing Controls: Controls that are enforced during the processing of data that have been input. E.g. duplicate checks, File Identifications and Validations etc.
- Output Controls: Controls that are enforced during display of output of the processed data. E.g. Update Authorizations etc.
- Integrity Controls: These controls are used to preserve the genuineness and accuracy of data. E.g. Data Encryption, Input Validations etc. These controls can be enforced during input and processing and storage of data.
- Management Trails: These controls are for the management to find out the audit trail of a transaction. E.g. Time stamps and snapshots of application.
IT General Controls: They may also be referred as General Computer controls. These are controls other than IT Application Controls, which relate to the environment within which computer-based application systems are developed, maintained and operated and are therefore applicable to all applications These are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.
IT General Controls can be broadly classified into the following areas:
- Physical Access Controls: These controls are enforced at protecting the physical locations of the IT Infrastructure. E.g. Security Personnel, Physical Locks, Bio Metric Locks, CCTV etc.
- Data Center Controls: These controls are enforced specifically at the data centers of an enterprise. A data center is treated as an extremely sensitive area and thus a higher risk would be present. E.g. Biometric Locks, Presence of Server Racks, Presence of Air Conditioners, Fire Extinguishers, Weather Controls, Log Register of people etc.
- IS Security: These controls are enforced at every level of IT Infrastructure. The objectives of these controls are protection of Information Assets. The CIA triad is enforced i.e. Confidentiality, Integrity and Availability of Data and information security is maintained. E.g. Firewall, Antivirus (or an anti-ransomware), Anti Spyware, Timely updating of software and antivirus updates and patches etc.
- System Development Life Cycle and Change Management Controls: These controls are enforced to ensure that the correct process of software development/procurement and release management is followed. E.g. Documented Process for procuring software, Documented Process of incorporating changes to the acquired software etc.
- Logical Controls: These are controls which provide access restrictions to the employees who use the IT Infrastructure. The motive of these controls is to protect the identities of the employees and to prevent misuse. E.g. User Account Passwords, Access Removal upon termination, screen locks etc.
- Backup and Recovery: These controls are present to ensure proper backup and recovery processes of the data of the organization. E.g. Daily Backup of data and environment (OS), Restoration Practice trial etc.
- End user computing: These controls are enforced directly on the employees. These controls are enforced with an objective of prevention of IT Infrastructure Abuse by the employees. E.g. Logging of user activity and Review, Disabling of USB Ports etc.
An IS Audit is performed to provide assurance that all of the above mentioned controls are adequate and satisfactory to the nature of the enterprise and effectively operational in the functions of the enterprise. An IS Audit is typically divided into two sections i.e. Review of IT Application Controls (ITAC) and Review of IT General Controls (ITGC). An IS Audit would have the following process:-
- An IS Auditor would begin his audit engagement by having conversation with the IT Administrator/CIO of an enterprise. The IS auditor would review all the documented policies and processes that are being enforced within the organization. Documented policies would include a IS Security Policy, Bring Your Own Device Policy (BYOD), Password Policy, BCP etc. The IS Auditor would be gaining an understanding of the overall level of the Internal Controls.
- An IS Auditor would then gain an understanding of the applications that have been implemented in the IT Infrastructure. It would be a base for him to decide the plan of action of the Audit.
- The next step would be to collect a list of all the types of logs that can be generated by the applications.
- After collecting the above information, the auditor the auditor identifies the risks that are applicable for the enterprise. The approach that would be followed is to create a matrix for each application and area (for ITAC and ITGC respectively) and would identify the controls that are enforced in the enterprise. All the identification and Review of controls would be performed by sampling, observations or any other method.
- Testing of Design Effectiveness and testing of operating effectiveness would be performed by the IS Auditor on every identified control. Testing of Design Effectiveness refers to the working design of the control as documented. It is a blue print of the control. Testing of Operating Effectiveness refers to actual performance of the Control in the IT Environment.
- It is important for the IS Auditor to collect sufficient evidence while identifying the controls. Evidences can be in the form of Screenshots, Email threads, Scanned documents, photographs, Minutes of Meetings etc.
- A Risk Rating exercise is then performed to the identified controls to see whether the identified control is sufficient to mitigate the identified risk.
- Based on the Risk Ratings and the evidences collected, suitable recommendations would be suggested and accordingly an IS Audit report would be drafted and shared to the enterprise.
Thus the ultimate test of IT Internal Controls can be performed in an IS Audit. Based on the findings and observations, an IS Auditor would be able to provide sufficient assurance whether the incorporated controls are adequate or not to the nature and size of the IT Infrastructure of the enterprise.