Information Systems Audits


During an information systems audit, the IS auditor should review the internal control environment of information systems and the use of these systems. The IS audits usually evaluate processing controls, system input/output backup and recovery plans, and security. Four main types of audits are used in reviewing information systems:

  • Attestation: The auditor provides assurance on something for which the client is responsible. This type of audit is considered a compliance audit and can ensure internal or external compliance.

  • Findings and recommendations: This is a consulting or advisory engagement in which the auditor performs a less structured type of engagement, such as a systems-implementation engagement.

  • SAS 70: This is a service auditor's examination of a service organization's control activities, including controls over IT and related processes, resulting in a Type I or Type II report (see the SAS 70 section below).

  • SAS 94: This type of audit is referred to as an integrated audit. Typically, this is part of a regular financial audit, in which the auditor must evaluate controls around a client's information system and the entries that are processed through that system.

Attestation

The objective of a true attestation audit is to render an opinion on whether the reader of the statement or report can be reasonably sure that the information contained in the report is correct. An attestation audit can include reports on descriptions of systems of internal controls and compliance with statutory, contractual, or regulatory requirements.

Types of attestation audits include the following:

  • Data analytic reviews

  • Commission agreement reviews

  • WebTrust engagements

  • Systrust engagements

  • Financial projections

  • Compliance reviews

An example of attestation standards is the WebTrust audit standards introduced by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). The AICPA/CICA WebTrust provides a set of standards for reviewing e-commerce websites to ensure security, online privacy, availability, confidentiality, and process integrity. Auditors examine both the company and the e-commerce website with regard to business practices, transaction integrity, and information protection. If the site passes inspection per the AICPA statements on standards for attestation engagements, the auditor should create an independent accountant's report for submission to the AICPA. The AICPA then issues a WebTrust seal to the website. This seal represents a third-party (AICPA) attestation that the website meets the AICPA/CICA standards.

Other types of attestation audits include compliance audits. In these audits, the auditor verifies that the organization's business practices have sufficient controls to meet contractual or regulatory standards. Regulatory standards might include HIPAA, Sarbanes-Oxley, GLBA, or others.

These types of auditing engagements require that the auditor clearly understand the business functions, have a high degree of technical proficiency, and be able to conduct security and integrity tests to verify that the systems meet the standards.

Findings and Recommendations

Findings and recommendations do not produce an opinion; they provide a summary of the work performed in connection with the engagement. These consulting or advisory types of engagements can include review of the following:

  • System implementations

  • Enterprise resource planning

  • System security reviews

  • Database application reviews

  • Internal audit services

The IS auditor defines the audit objectives and, through the examination of sufficient, competent, and relevant information, testing, and other evaluations, develops the audit report. The IS auditor must understand the business functions, clearly define the audit objectives, and have the technical proficiency to conduct the required review and testing.

SAS 70

The Statement on Auditing Standards (SAS) 70, "Service Organizations," is a recognized auditing standard developed by AICPA. The SAS 70 audit or service auditor's examination is widely recognized and indicates that an organization has been through an in-depth audit of its control activities, including controls over IT and related processes. The opinions offered in an SAS 70 report can be created only by a Certified Public Accountant (CPA). Two types of SAS 70 audits exist, appropriately named Type I and Type II. In a Type I report, the IS auditor expresses an opinion on whether the organization's description of its controls is aligned with the controls that are actually in place and whether the controls achieve the specified control objectives. In a Type II report, the IS auditor expresses an opinion on the items in Type I and whether the controls that were tested were operating effectively to provide reasonable assurance that the control objectives were achieved.

The SAS 70 report is an independent third-party review of the organization's controls and states that the controls meet the control objectives. This report helps the organization build trust with customers and third-party partners. The specialization of IT services and outsourcing of some or part of those services means an increased reliance on partners; a service organization might have to entertain audit requests from partners or customers as a condition of providing services. The SAS 70 audit ensures that the service organization will not have to perform multiple audits at the request of potential partners and customers, and that all potential partners and customers will have access to the same information about the organization's business practices and controls.

SAS 94

The Statement on Auditing Standards (SAS) 94, "The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit," amends SAS 55 and provides guidance to auditors on the impact of IT on internal controls. The SAS 94 audit complies with the SAS 55 requirement to obtain an understanding of the five internal control components (the control environment, risk assessment, control activities, information and communication, and monitoring) and of how IT impacts the overall audit strategy. For this reason, the SAS 94 audit is considered an integrated audit. In other words, the IS auditor must ensure that the information provided by IT systems is accurate and complete, and also must understand what procedures (whether manual or automated) were used in preparing the financial statements. The SAS 94 standard acknowledges that IT systems and their associated controls can be so significant that the quality of the audit evidence depends on those controls and that the IT process for managing and creating financial statements has a major influence on the audit.

The IS auditor should examine IT system controls and determine whether the controls prevent the following:

  • Unauthorized access to menus, programs, and data

  • Destruction or improper changes

  • Unauthorized, nonexistent, or inaccurate transactions

  • Errors or fraud

The IS auditor needs a high degree of technical proficiency to conduct an SAS 94 integrated audit. During the audit planning, the IS auditor should identify the types of misstatements that could occur and should consider the factors that affect the risk of material misstatement. The auditor should also identify controls that are likely to prevent or detect material misstatement in specific assertions and should test those controls. Finally, the auditor must understand both the business practices and the manual and automated processes used in creating the financial statements.


The CISA Exam might not ask specifically about audit types (SAS 70 and SAS 94), but it is important to understand the difference between audit types. Additional information can be found on the American Institute of Certified Public Accountants website, www.aicpa.org.


Attribute Sampling

Attribute sampling deals with the rate of occurrence or frequency of items that have a certain attribute. The attribute either is there or is not. The policy/procedure either exists or does not. Attribute sampling is the primary sampling method used for compliance testing.

When the IS auditor uses attribute sampling, the results are expressed as a sample frequency or error rate. An example of expressing an error rate is a review of system logs in which one event, such as a daily backup, is not logged 1 day in 100. This would represent a 1% sample error rate. There might be 1,000 logs to review, so the IS auditor must choose a sample (100 logs) of the total population (1,000 logs); the error rate of the sample is most likely to be the same as the error rate for the entire population because the sample should be representative of the entire population.

Variable Sampling

Variable sampling deals with variations in some unit of measure. As an example, system logs should have time stamps for the start and end of backups on a given day. Those times might vary, depending on the type of backup or the amount of data backed up.

When the IS auditor uses variable sampling, a random sample can produce results that can be expressed as a percentage. Going back to the example of the backups when using variable sampling, the auditor would choose a sample (100 logs) of the total population (1,000 logs), sampling only the same type of backups (daily), and would sample the start and end times of the backup. The results of the random sample might show that on 10 out of the 100 days reviewed, the backups took 50% less time. This percentage of the sample population is most likely to be the same percentage of the entire population.

As the IS auditor gathers samples from the environment, it is important to ensure that the sample population is representative of the total population. The sampling confidence coefficient is a percentage expression of the probability that the characteristics of the sample are considered a true representation of the population. If the organization has stronger controls, there will be less reliance on sampling, which will allow for a smaller accepted sample size (confidence coefficient). If the strength of controls is not known, the auditor must choose a larger sample size to provide a greater confidence coefficient. The confidence coefficient is expressed in percentages; a 95% confidence coefficient is considered a high degree of confidence. If incorrect assumptions are made about a population that the sample is selected from, this introduces sampling risk. Sampling risk is calculated using this formula:

Sampling risk = 1 - Confidence coefficient


If an auditor knows that internal controls are strong, the auditor risks less detection error, resulting in a decrease in reliance on sampling. Therefore, smaller samples can be used even though the confidence coefficient is lowered for the sampling process.


So what have we learned from these particular samples? In the case of attribute (error rate) sampling, there are days when the backups either are not logged or do not run for some reason, introducing risk into the environment by either not being able to recover from a data error (backup not running) or not being able to ensure that the backups are actually running (not logging). When reviewing the results of variable sampling, we find that daily backups that should require approximately the same amount of time do not. Assuming that there have not been significant changes in the amount of data being backed up, the results of variable sampling might indicate errors in the backup program. The cause of these errors could include the exclusion of data that should be backed up or start and end times not logged correctly 10% of the time.
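The backup-log example above (attribute error rate, variable sampling of backup durations, and the sampling risk formula) worked through in code. This is an added illustration, not from the book: the log line format, the 2-hour baseline backup, and the specific missing and short-running days are constructed assumptions.

```python
from datetime import datetime, timedelta

START = datetime(2005, 1, 1)

# Constructed sample (assumed format "YYYY-MM-DD start=HH:MM end=HH:MM"):
# a normal daily backup runs 02:00-04:00 (120 min); on 10 of 100 days it ends at
# 03:00 (half as long), and day 57 has no log entry at all (1 event in 100 missing).
def build_sample_logs(days=100, missing_days=(57,), short_days=range(5, 100, 10)):
    lines = []
    for i in range(days):
        if i in missing_days:
            continue
        day = (START + timedelta(days=i)).strftime("%Y-%m-%d")
        end = "03:00" if i in short_days else "04:00"
        lines.append(f"{day} start=02:00 end={end}")
    return lines

def expected_dates(days=100):
    """Every calendar day on which the backup policy requires a logged run."""
    return [(START + timedelta(days=i)).strftime("%Y-%m-%d") for i in range(days)]

def parse_log(lines):
    """Return {date: backup duration in minutes} for each logged backup."""
    durations = {}
    for line in lines:
        day, start, end = line.split()
        t0 = datetime.strptime(start.split("=")[1], "%H:%M")
        t1 = datetime.strptime(end.split("=")[1], "%H:%M")
        durations[day] = (t1 - t0).seconds // 60
    return durations

def attribute_error_rate(durations, expected_days):
    """Attribute test: the attribute 'backup logged' is present or absent.
    Returns the fraction of expected days with no log entry (1/100 = 0.01)."""
    missing = [d for d in expected_days if d not in durations]
    return len(missing) / len(expected_days)

def variable_deviation_rate(durations, baseline_minutes, tolerance=0.5):
    """Variable test: measure the duration itself and report the fraction of
    logged backups that deviate from the baseline by at least `tolerance` (50%)."""
    off = [m for m in durations.values()
           if abs(m - baseline_minutes) / baseline_minutes >= tolerance]
    return len(off) / len(durations)

def sampling_risk(confidence_coefficient):
    """Sampling risk = 1 - confidence coefficient (the book's formula)."""
    return round(1.0 - confidence_coefficient, 4)
```

Because one day is unlogged, the variable test is computed over the 99 logged runs, so the 10 short backups give a rate of 10/99 rather than the book's rounded 10%.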

Substantive Tests

Substantive testing substantiates the integrity of actual processing, sometimes called transaction integrity. This type of testing provides an appropriate assurance of detecting the possibility of material errors. Neither attribute nor variable sampling is a perfect fit for substantive testing because attribute sampling measures frequencies/percentages, not value, and variable sampling measures averages. The IS auditor can use one or both sampling methods combined with observation and interviews as a part of substantive testing.

Compliance Tests

Compliance testing tests controls in the environment to ensure that they are being applied in a manner that complies with the organization's policies and procedures. Using the examples discussed in sampling, the auditor tests to see that backups are backing up all data and logging in accordance with backup policies and business continuity planning. The IS auditor uses both types of testing (attribute and variable) to meet the compliance testing objective.

A distinction that can be made between compliance testing and substantive testing is that compliance testing tests controls, whereas substantive testing tests details.


IS auditors are most likely to perform compliance tests of internal controls if, after their initial evaluation of the controls, they conclude that control risks are within the acceptable limits.



Another example of compliance testing involves obtaining a list of current users with access to the network or applications and verifying that those listed are current employees.
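The user-access compliance test just described, as an added example that is not from the book: an exported account list is reconciled against an HR roster, and every account that does not map to a current employee is recorded as an exception. The export format, the roster layout, and all names and ids are constructed assumptions.

```python
from datetime import date

# Constructed HR roster: employee id -> (name, termination date or None if current).
HR_ROSTER = {
    "E100": ("alice", None),
    "E101": ("bob", date(2005, 3, 31)),   # terminated before the review date
    "E102": ("carol", None),
}

# Constructed access export (assumed format "username,employee_id,application").
ACCESS_EXPORT = """\
alice,E100,GL
bob,E101,GL
carol,E102,AP
dave,E999,AP
svc_backup,,GL
"""

def parse_access_export(text):
    """Turn the export into a list of account records; a blank id means no owner."""
    accounts = []
    for line in text.splitlines():
        user, emp, app = line.split(",")
        accounts.append({"user": user, "emp": emp or None, "app": app})
    return accounts

def find_exceptions(accounts, roster, as_of):
    """Compliance test: each account must belong to an employee who is current
    as of the review date. Returns (username, reason) for every failure."""
    exceptions = []
    for acct in accounts:
        emp = acct["emp"]
        if emp is None:
            exceptions.append((acct["user"], "no employee owner recorded"))
        elif emp not in roster:
            exceptions.append((acct["user"], "employee id not in HR roster"))
        elif roster[emp][1] is not None and roster[emp][1] < as_of:
            exceptions.append((acct["user"], f"employee terminated {roster[emp][1]}"))
    return exceptions

def exception_rate(accounts, exceptions):
    """Attribute-style result: fraction of reviewed accounts failing the test."""
    return len(exceptions) / len(accounts)
```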




Exam Cram 2. CISA
Cisa Exam Cram 2
ISBN: B001EEFNHG
EAN: N/A
Year: 2005
Pages: 146
