Sunday, May 19, 2019

Information System Audit in Indian Banks

Information itself is an important asset in today's business. If information is lost, modified or misused, huge loss can occur to the business. Hence information security becomes important for any business. Information systems in business, including banking, are becoming technology oriented. Computers are being used in all areas of business, including financial accounting. Internal controls used in a Computerized Information System (CIS) environment should aim at information security also. This aspect of internal control is mostly overlooked in a financial audit, where evidence collection and evaluation is more important.

Audit provides assurance to the stakeholders of a business. The assurance provided by a financial audit is about financial statements, which are relied upon and on which many stakeholders base their decisions. However, there are risks associated with any business which are not highlighted in a financial audit.

Operational Risk and Audit

For example, the Basel II Accord mentions operational risks that are due to failure of systems, processes, procedures and human action/inaction (fraud), legal restrictions, etc. in the operation of banks, some of which are not dealt with in a financial audit.

The Basle committee has identified people, processes, systems and external events as potential hazards for operations. Lack or failure of any of them can result in events which cause losses. Every business has to identify the events relevant to it. The events may be similar within the same industry, but they vary from organization to organization. The whole exercise of operational risk management is to identify potential events which are likely to cause losses.

Here is a (non-exhaustive) list of some of the events which could lead to operational risk: technology error; fraud and theft; legal and regulatory non-compliance; transaction risk.

Processes, people and systems are closely linked with information systems.
Even measurement and recognition of external events require information systems. Therefore, under the new Accord, the job of an audit and control practitioner shall become more laborious and challenging. A financial audit cannot assure that the information system is foolproof, as the financial auditor is not an expert in information technology. Hence an expert should provide an opinion that the information system is risk-free. This is where Information System Audit (IS Audit) comes into the picture.

Meaning of IS audit

Information systems audit is a part of the overall audit process, which is one of the facilitators of good corporate governance. While there is no single universal definition of IS audit, Ron Weber has defined it as the process of collecting and evaluating evidence to determine whether a computer system (information system): safeguards assets; maintains data integrity; achieves organizational goals effectively; and consumes resources efficiently.

Key Challenge in IS Audit

IS audit often involves finding and recording observations that are highly technical. Such technical depth is required to perform effective IS audits. At the same time it is necessary to translate audit findings into vulnerabilities and business impacts to which operating managers and senior management can relate. Therein lies a main challenge of IS audit.

Scope of IS Audit

IS auditing is an integral part of the audit function because it supports the auditor's judgment on the quality of the information processed by computer systems. Initially, auditors with IS audit skills are viewed as the technological resource for the audit staff. The audit staff often looks to them for technical assistance.
Within IS auditing there are many types of audit needs, such as: organizational IS audits (management control over information technology); technical IS audits (infrastructure, data centers, data communication); application IS audits (business/financial/operational); development/implementation IS audits (specification/requirements, design, development and post-implementation phases); and compliance IS audits involving national or international standards.

The IS auditor's role has evolved to provide assurance that adequate and appropriate controls are in place. Of course, the responsibility for ensuring that adequate internal controls are in place rests with management. Audit's primary role, except in areas of management advisory services, is to provide a statement of assurance as to whether adequate and reliable internal controls are in place and are operating in an efficient and effective manner. So, whereas management is to ensure, auditors are to assure.

The breadth and depth of knowledge required to audit information technology and systems is extensive. For example, IS auditing involves: the application of risk-oriented audit approaches; the use of computer assisted audit tools and techniques (CAATs); the application of standards (national or international) such as ISO-9000/3 to modify and implement quality systems in software development; an understanding of business roles and expectations in the auditing of systems under development, as well as the purchase of software packaging and project management; and the evaluation of various Systems Development Life Cycle (SDLC) or new development techniques (e.g., prototyping, end-user computing, rapid systems or application development).

Evaluation of complex technologies and communications protocols involves electronic data interchange, client servers, local and wide area networks, data communications, telecommunications and interconnected voice/data/video systems.

Elements/components of IS Audit

An information system is not just a computer. Today's information systems are complex and have many components that piece together to make a business solution. Assurances about an information system can be obtained only if all the components are evaluated and secured. The proverbial weakest link is the total strength of the chain. The major elements of IS audit can be broadly classified as follows.

Physical and environmental review: This includes physical security, power supply, air conditioning, humidity control and other environmental factors.

System administration review: This includes a security review of the operating systems, database management systems, all system administration procedures and compliance.

Application software review: The business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software and complementary manual controls and procedures. Additionally, a review of the system development lifecycle should be completed.

Network security review: Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.

Business continuity review: This includes the existence and maintenance of fault tolerant and redundant hardware, backup procedures and storage, and a documented and tested disaster recovery/business continuity plan.

Data integrity review: The purpose of this is examination of live data to verify the adequacy of controls and the impact of weaknesses, as noticed from any of the above reviews. Such substantive testing can be done using generalized audit software (e.g., computer assisted audit techniques).

It is important to understand that each audit may consist of these elements in varying measures; some audits may scrutinize only one of these elements or drop some of them. While the fact remains that it is necessary to do all of them, it is not mandatory to do all of them in one assignment. The skill sets required for each of these are different. The results of each audit need to be seen in relation to the others. This will enable the auditor and management to get the total view of the issues and problems. This overview is critical.
