System audit is defined as “A systematic and independent examination to determine whether activities and related results comply with planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve.”
An approach to auditing based on the concept that by studying and assessing the internal control system of an organization an auditor can form an opinion of the quality of the accounting system, which will determine the level of substantive tests needed to be carried out on the items in the financial statements.
The first step in the process of information system audit is the identification of the vulnerability of each application. Where the probability of computer abuse is high, there is a greater need for an information system audit of that application. The probability of computer abuse would depend upon the nature of the application and the quality of controls.
Most of the threats of computer abuse come from people. The information system auditor should identify the people who might pose a threat to the information systems. These people include system analysts, programmers, data entry operators, data providers, users, vendors of hardware, software and services, computer security specialists, PC users, etc.
The next step in the process of information system audit is to identify the occasions, points or events when the information system may be penetrated. These points may be when a transaction is added, altered or deleted. A high-risk point may also be the occasion when a data or program file is changed, or the operation is faulty.
The last step in the process is to conduct the audit of the high-potential points, keeping in view the activities of the people who could abuse the information system for the applications that are highly vulnerable.
The information system audit may encompass almost all the resources of IT infrastructure. Thus, it will involve evaluation of hardware, application of software, the data resources and the people. However, one of the most important resources that attract the attention of an information system auditor is the application software.
The application software audit is carried out with the objective of establishing whether or not:
a) The procedure and methods established for developing an application were actually followed;
b) Adequate controls were built into the application software; and
c) Adequate controls are provided in the process of maintenance of software.
The objectives of a detailed review of the application shall be influenced by the method of procurement of the software. It is so because the vulnerability of application software for custom-made software is different from that of ready-made software.
An information system auditor is the link between the software development team and the management. His role is different from that of the system analyst, who interacts to help in the development of application software. The information system auditor evaluates the review of every project on behalf of the management.
The information system auditor is associated right from the feasibility study of an information system development project to the implementation stage. In fact, the information system auditor gives the clearance for implementation after due review and evaluation of the software package.