Information Systems Audit




An information technology audit or information systems audit is an examination of the management controls within an information technology infrastructure and IT processes.

The potentially catastrophic events such as loosing data, loss of systems for extended period of time, malware, hackers, etc. pose a serious threat to organizations that are investing billions of dollars in their computer systems, databases, etc. This dependence on complex computing and large-scale data schemes has led organizations around the globe to recognize how IT auditors can help them understand the constantly shifting risks of the information age. IT auditors follow all the same ethical and independence parameters as financial auditors, but their focus is on the governance of IT systems and processes.



Information systems (IS) is the combination of strategic, managerial and operational activities involved in gathering, processing, storing, distributing and using information and its related technologies. Information systems are distinct from information technology (IT) in that an information system has an IT component that interacts with the process components.

Standard is a mandatory requirement, code of practice or specification approved by a recognized external standards organization, such as International Organization for Standardization (ISO). Guideline is a description of a particular way of accomplishing something that is less prescriptive than a procedure.

IS auditing is the formal examination, interview and/or testing of information systems to determine whether:

> Information systems are in compliance with applicable laws, regulations, contracts and/or industry guidelines.
IS data and information have appropriate levels of confidentiality, integrity and availability.
> IS operations are being accomplished efficiently, and effectiveness targets are being met.

During audit planning, the IS auditor must perform or review a risk analysis to identify risks and vulnerabilities in order to determine the controls needed to mitigate those risks. IS auditors are often focused on high-risk issues associated with confidentiality, integrity and availability of sensitive and critical information. Using risk assessment to determine areas to be audited:

Enables management to effectively allocate limited audit resources
> Ensures that relevant information has been obtained from all levels of management
> Establishes a basis for effectively managing the audit department
> Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plans

Risk Based Auditing


Source: ISACA, CISA Review Manual 26th Edition

■ Contact us on #737 333 4273 or email to know how eInnosec team could assist performing assessments, risk based audits, compliance audits, PCI audits, framework based assessment, etc. Please check our case studies or email to get more information on Information Security Audit projects. Please do not forget to leave your comments below.

Next Blog – Audit Programs and Audit Methodology

Leave a Reply

Your email address will not be published. Required fields are marked *