The overall quality of an organization's internal controls largely determines how readily its business application systems can be audited internally. For small systems, an IT audit can be performed by auditing the end products alone, on the assumption that the internal controls are well placed. In large and complex systems, auditors may need to collect further evidence of the quality of the internal control system (both operational and application controls) in order to vouch for the data integrity, system efficiency and effectiveness, and asset safeguarding objectives of the IT audit. If the internal control system is intact, the internal auditor can have more confidence in the quality of the application systems being evaluated.
The evaluation of the internal control system is facilitated if the auditor conceptualizes controls over IT in different ways. Generally speaking, two major bases are considered for classifying IT controls: (1) management and software system (application) controls, and (2) preventive and detective controls. The classification of IT controls on the basis of management controls and application controls is effective for various reasons. First, it is considered to be relatively efficient for an auditor to evaluate management controls before the evaluation of application controls. Second, within this context, IT controls can be organized further to provide an orderly basis for conducting the IT audit. Third, as the following discussion will make apparent, a useful conceptualization of controls within a computer system is that the system is like an onion, where the layers of skin constitute various levels of management and application controls. Various forces that may be eroding the data integrity, efficiency, and effectiveness of a system must penetrate through these layers. If the outer layers of control are intact, then it is likely that the inner layers are also intact.
Management controls
Management controls ensure that the development, implementation, and operation of IT processes proceed in a planned and controlled manner. There are many levels of management controls, corresponding to the hierarchy of the organization and the major functions performed within the system environment. Top management must ensure that the implementation of IT integration and convergence is well managed, keeping in mind long-term policy decisions on how IT will be put to use in the organization. Information systems management has overall responsibility for the planning and control of the integration of IT-related activities and provides input to top management on long-term policy decisions. IT management also translates long-term policies into short-term goals and objectives and is responsible for the design, implementation, and maintenance of the entire spectrum of enterprise-wide integrated systems.
The absence of management controls is a serious concern for the internal auditor, as these controls are basic in nature and apply across the integration of systems and applications. Where management controls are weak, it may not be worthwhile to review and evaluate the various enterprise controls at all. Thus it is most efficient to evaluate management controls first.
Software system controls
Software system controls ensure that every software component of the integrated system safeguards the assets of the entity, maintains data integrity, and processes data efficiently. These controls are exercised at different stages in the flow of data through the system, as follows:
* At the data capture stage, controls ensure that all transactions are recorded and that the transactions are authorized, complete, and accurate.
* Controls over system access ensure that only authorized personnel gain access to the computing resources.
* Input controls ensure that all data entered into the system is authorized, accurate, and complete. These controls also ensure that identified errors are corrected.
* Networking controls ensure that the data sent between two points in a computer system is authorized, accurate, and complete.
* Controls over processing ensure that programs process all data entered into the system and that processing is authorized, accurate, and complete.
* Output controls ensure that output produced by the system is authorized, accurate, complete, distributed to the right personnel, and properly stored.
* Audit trail controls ensure that data can be traced through a system from its source to its final destination, and vice versa, and that the integrity of a corrupted audit trail can be restored.
* Backup and recovery controls ensure that the physical existence of data can be restored if the data is lost or its integrity is corrupted.
Software system controls are horizontal in nature: These controls cut across lines of organizational authority and follow the data flow through the organization. Management controls, on the other hand, are considered to be vertical in nature as they follow the hierarchical lines of the organizational structure.
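As an added illustration (not part of the original text), the following Python example models several of the flow-of-data controls listed above on a constructed batch of transactions: a detective input control that reports access, authorization and accuracy errors record by record, a processing control that keeps a control total for reconciling output against accepted input, and a hash-chained audit trail that can be traced from source to output and back and in which any altered, dropped or reordered entry is detectable. The sample records, the authorized-user list and the field names are all assumptions made for the example.

```python
import hashlib, json
SAMPLE_BATCH = [  # constructed sample records (not from the page); T3-T5 carry deliberate defects
    {"id": "T1", "user": "clerk1", "authorized": True, "amount": 120.50},
    {"id": "T2", "user": "clerk2", "authorized": True, "amount": 75.00},
    {"id": "T3", "user": "intern", "authorized": True, "amount": 10.00},    # fails access control
    {"id": "T4", "user": "clerk1", "authorized": False, "amount": 300.00},  # not authorized
    {"id": "T5", "user": "clerk2", "authorized": True, "amount": -5.00},    # inaccurate amount
]
AUTHORIZED_USERS = {"clerk1", "clerk2"}  # assumed access list for this example
def input_control(tx):
    """Detective input-validation control: report every error found in one record."""
    amount = tx.get("amount")
    checks = [
        (tx.get("user") in AUTHORIZED_USERS, "access: user may not enter transactions"),
        (bool(tx.get("authorized")), "authorization: transaction not approved"),
        (isinstance(amount, (int, float)) and amount > 0, "accuracy: amount must be positive"),
    ]
    return [msg for ok, msg in checks if not ok]

def process_batch(batch):
    """Processing control: process only clean records; the control total lets output be reconciled."""
    checked = [(tx, input_control(tx)) for tx in batch]
    accepted = [tx for tx, errs in checked if not errs]
    rejected = {tx["id"]: errs for tx, errs in checked if errs}
    return accepted, rejected, round(sum(t["amount"] for t in accepted), 2)
def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def build_audit_trail(accepted):
    """Audit trail control: hash-chain one entry per accepted record, linking source id to output id."""
    trail, prev = [], "0" * 64
    for n, tx in enumerate(accepted, 1):
        entry = {"seq": n, "source": tx["id"], "output": f"OUT-{n}", "amount": tx["amount"], "prev": prev}
        entry["hash"] = prev = _digest(entry)
        trail.append(entry)
    return trail

def verify_trail(trail):
    """True only if no entry was altered, dropped or reordered since it was written."""
    prev = "0" * 64
    for entry in trail:
        if entry["prev"] != prev or _digest({k: v for k, v in entry.items() if k != "hash"}) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def trace(trail, key):
    """Forward trace (source id -> output id) or backward trace (output id -> source id)."""
    hit = next((e for e in trail if key in (e["source"], e["output"])), None)
    return None if hit is None else (hit["output"] if key == hit["source"] else hit["source"])
```

The audit trail only detects corruption; restoring it, as the text requires, relies on the separate backup and recovery controls.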
Preventive and detective controls
Another basis for classifying controls in integrated systems, as preventive or detective, is useful for the internal auditor because it highlights when the controls are exercised during the flow of data through a computer system. Controls such as good form design and separation of duties are called preventive or general controls and are exercised at an early stage in the flow of data. Their generality often allows them to respond robustly to changes in the systems where they are used. However, being general, preventive controls can still allow many types of errors to occur.
Detective controls identify errors after they have occurred; input validation controls are one example. Such controls are specific in nature and are quite often embedded in the system itself. Error identification, prevention, and correction can also be performed by intelligent software agent technology that continuously monitors the processes of complex information systems. This is also a component of continuous auditing.
Steps in an IT audit
The algorithmic steps shown in Exhibit 1 represent an attempt to clarify the recommended approach to an IT audit. These steps can be further grouped into the phases of a typical IT audit:
1. The preliminary review phase;
2. The detailed review phase;
3. The compliance testing phase;
4. The testing and review of user control phase; and
5. The substantive testing phase.