In the fragile 'e' world, where TRUST is the most critical requirement, can you provide ASSURANCE on systems and processes of the INTERNET galaxy? We help you get to the core of business process controls to evaluate processes and systems.

IS Assurance (audit) is most often considered to be a subset of internal audit with the scope and objective are prescribed by the management of the company. The overall objective of internal audit is to ensure that appropriate internal controls are implemented within the enterprise as designed and envisaged by the senior management. Similarly, the overall objective of IS Audit is to ensure that appropriate controls are implemented in IT as designed and envisaged by the senior management. IS Audit is expected to provide reasonable assurance to management that appropriate controls are designed and implemented in the Information systems supported by Information Technology. IS Auditors have to understand the key concepts of IS Risks, Risk management, IS Security, Controls, Control objective and the methodology of IS Audit.

IS Audit is expected to provide reasonable assurance to management on IT Governance encompassing the key information criteria of Quality (effectiveness, efficiency and economy), IS security (Confidentiality, Integrity and Availability) and Fiduciary (Compliance and reliability). IS Auditors help their clients in understanding and managing the risks of IT thus enabling organizations to use leading edge technology and stay ahead in a competitive environment by implementing business and process-oriented controls. IS Audit involves primarily assessing the existence and adequacy of security.

IS Audit Process

The responsibility of assessing the risks and implementing appropriate security and controls is primarily that of the management. IS Auditors are expected to provide reasonable assurance to management whether information systems risks arising out of implementing IT have been adequately and appropriately addressed through relevant security and controls. IS Audit assignment primarily involves review of the IT risks so as to confirm whether adequate and appropriate controls have been implemented as designed by the management. The focus in IS Audit is on evaluating the IT controls and identifying areas of control weaknesses. In a IS Audit assignment depending on the type of audit, auditor would be primarily interested in ensuring that:

• IT risks have been appropriately addressed;
• Required controls are available;
• Where available – assess whether they are adequate and appropriate;
• Identify the key areas of control weaknesses; and
• Recommend corrective steps for mitigating the risks.

Compliance Testing (Test of Controls)

The primary focus of compliance testing is to test whether controls as envisaged by management are in operation and working. Based on the results and reliance of the above tests, IS Auditor would determine the extent of substantive testing to be conducted. Compliance testing is used to verify the adequacy of internal control points documented in the relevant work papers. In developing the test procedures, the IS Auditor must consider the key controls and control objectives. The IS Auditor should design the test procedures to evaluate the key controls. The tests involve taking source documents, reports, and other company records and comparing them, in terms of timing and placement, with prescribed policies and procedures.

Substantive Testing: (Testing of detailed transactions)

In case the compliance testing reveals:

• There are insufficient application controls to ensure correct processing of data; or
• There are insufficient general controls to ensure basic integrity of system;

Then the IS Auditor would rely more on substantive testing approach, which involves detailed testing of transactions as required.

Substantive testing validates the details of financial transactions and balance, whereas compliance-testing concentrates on validating the internal control procedures exercised over those financial transactions. Substantive testing validates the amounts of the transactions themselves. In case of substantive testing, the scope is the sample of transactions or events identified for verification of integrity of processing and the objective is to test the integrity of transactions processed.

The Data Analytics solutions of WinCAAT can be used in different areas of audit including risk assessment, evaluation of controls by performing compliance and substantive testing procedures. The audit findings can be evaluated for risk rating. Further, data can be evaluated to effectiveness of controls and business processes.