Information System Audit
As technology continues to advance and become more prevalent in our lives and in businesses, IT threats and disruptions increase along with it. These affect every industry and come in different forms, such as data breaches, external threats, and operational issues. These risks, and the need for high levels of assurance, increase the need for IT audits to check the performance of businesses' IT systems and to lower the probability and impact of technology threats and disruptions.
An IT system audit is an examination of management controls within IT infrastructure, as per the guidelines of various regulatory entities such as RBI, IRDA, NPCI, etc. It examines not only physical security controls but also the business and financial controls that involve information technology systems.
The following principles of an audit should be reflected:
· Timeliness: An up-to-date picture can be maintained only when processes and programming are continuously inspected for their potential susceptibility to faults and weaknesses, and when the analysis of the strengths found, or comparative functional analysis with similar applications, is also continued.
· Source openness: The audit of encrypted programs requires an explicit statement of how the handling of open source is to be understood. E.g., programs that offer an open source application but do not treat the IM server as open source have to be regarded as critical. An auditor should take their own position on the paradigm that cryptologic applications need to be open source.
· Elaborateness: Audit processes should be oriented to a certain minimum standard. Recent audit processes of encrypting software often vary greatly in quality, scope and effectiveness, and are often perceived differently in media reception. Because an audit requires special knowledge, both the ability to read programming code and knowledge of encryption procedures, many users trust even the shortest statements of formal confirmation. An auditor's individual commitment, e.g. to quality, scale and effectiveness, is thus to be assessed reflexively by the auditor and documented within the audit.
· The financial context: Further transparency is needed to clarify whether the software has been developed commercially and whether the audit was funded commercially (paid audit). It makes a difference whether it is a private hobby or community project or whether a commercial company is behind it.
· Scientific referencing of learning perspectives: Each audit should describe the findings in detail and in context, and also highlight progress and development needs constructively. An auditor is not the parent of the program, but he or she is at least in the role of a mentor if the auditor is regarded as part of a PDCA learning circle (PDCA = Plan-Do-Check-Act). Next to the description of the detected vulnerabilities, there should also be a description of the innovative opportunities and the development of potential.
· Literature-inclusion: A reader should not rely solely on the results of one review, but should also judge according to the loop of a management system (e.g. PDCA, see above), to ensure that the development team or the reviewer was and is prepared to carry out further analysis, and is open, in the development and review process, to learning and to considering the notes of others. A list of references should accompany each audit.
· Inclusion of user manuals & documentation: In addition, a check should be made of whether manuals and technical documentation exist and whether these are being expanded.
· Identify references to innovations: Applications that allow messaging to both offline and online contacts, and so combine chat and e-mail in one application, as is the case with Gold Bug, should be tested with high priority (criterion of presence chats in addition to the e-mail function). The auditor should also highlight the references to innovations and underpin further research and development needs.
· The use of IT systems and AI techniques in financial audits is starting to show huge benefits for leading accounting firms. Leading auditing firms are making enormous investments with the goal of increasing productivity, and therefore revenue, through the development or outsourcing of IT systems and AI techniques to assist in financial audits.
· Different types of IT systems and AI techniques that firms can develop and implement to achieve increased revenue and productivity are:
   · The first type of system is created so that the technology plays a supplemental role in the human auditor's decision-making. This allows the human auditor to retain autonomy over decisions and use the technology to support and enhance their ability to perform accurate work, ultimately saving the firm in productivity costs.
   · Systems with problem-solving abilities are imperative to producing the most accurate results. Unintended biases increase the margin for error, hence the need to create systems that are able to adapt to different scenarios. This type of system requires decision-making to be shared between the human auditor and the IT system, producing the maximum output by allowing the system to take over the computing work that could not be done by a human auditor alone.
   · There are scenarios where technology needs to have the autonomy of decision-making and act independently. This allows human auditors to focus on more important tasks while the technology takes care of time-consuming tasks that do not require human time.
What KSC offers:
· Provide adequacy of internal controls
· Promote best practices for controls
· Ensure compliance with policies and regulations
· Identify operational inefficiencies and waste
· Review IT projects, systems, and technology
· Provide objective insight
· Assess efficient and responsible use of resources
· Identify potential cost savings
· Assist management in addressing complex, cross-functional issues