What is Information Systems Audit (IS Audit)?
IS Audit refers to the audit of systems (especially computer-based ones) which provide information (like Accounts, Payroll, MIS etc.) to assure management that the information generated from these systems is reliable. It includes:
• Test of application controls
• Draft/implement information security Policy
• Draft/implement Business Continuity Policies
• Audit of physical and environmental controls etc.
Need for Information Systems Audit
Most organizations like Banks, Insurance Companies, Mutual Funds, Manufacturing companies and BPOs are 100% computerised. While this has led to speeding up processes and to ease of operations, it has also led to the slow but sure disappearance of the paper-based audit trails and internal controls that existed in the manual environment.
Hence there is an urgent need for Auditors/Chartered Accountants to understand the answers to various questions like:
• What is systems audit?
• How to audit various aspects of information systems?
• How to check the existence and reliability of internal controls on computer based systems?
• What would be the impact of computer failure on business continuity?
The need for information systems audit has been more than emphasized by almost all regulatory bodies both in India and abroad.
“The Annual Policy Statement of April 2006 encouraged banks to ensure compliance with the findings of information systems audit on a time-bound basis in order to maintain robustness of IT systems” - Information Systems Security and Audit: Security of IT-based Delivery Channels. This set off CISA in India.
IRDA has mandated systems audit for Insurance Companies since December 2008, and very recently IS Audit has been made mandatory for Mutual Funds as well. For Stock brokers, BSE, NSE and MCX have mandated a yearly systems audit. It is only a matter of time before Systems Audit becomes mandatory for all listed companies (thanks to developments like Clause 49).
How Does the Certified Information Systems Auditor (CISA) course help in this regard?
CISA has been recognised as one of the top 10 security certifications worldwide. It has also recently been accredited by the American National Standards Institute (ANSI) and the Department of Defense (DoD). Almost all regulators as well as private sector companies consider this an essential qualification for allotting assignments in the field of information security audits.
“Further, the Information Systems Audit has to be performed by persons with suitable skills/expertise thereof, say CISA (Certified Information Systems Auditor) or CISSP (Certified Information Systems Security Professionals) personnel” - Information Systems Security Guidelines for the Banking and Financial Sector, RBI.
CISA equips the auditor to understand the controls in a computerised environment and to judge the reliability of digital evidence. This helps him form an Audit Opinion.
Overview of CISA course
The overview of the CISA Course is as follows:
• There are 5 Topics/Domains:
– The Process of Auditing Information Systems (14%)
– Governance and Management of IT (14%)
– Information Systems Acquisition, Development and
– Information Systems Operations, Maintenance and
– Protection of Information Assets (30%)
• The course consists of one 4-hour, single-sitting, paper-based exam conducted by ISACA (USA)
• 200 Multiple choice questions
• No negative marks for wrong answers
• Candidates are declared successful on obtaining a score of 450 or more (on a common scale of 200-800)
The exams are held twice a year, in June and December, at various centres (most of the metros in India are covered).
Who should attend?
This course is intended for:
• Chartered Accountants in practice with clients in the financial and manufacturing sectors.
• Chartered Accountants in industry who are looking for a career shift or upward mobility.