School of Information Systems

IT and IS Audit Objectives

It/IS Audit is a process of monitoring and controlling the overall Infrastructure related to Information Technology in the company. IT Audit usually run together with financial audit and internal audit.

IT audit focuses on the computer-based aspects of an organization’s information system; and modern systems employ significant levels of technology.

For example : transaction processing is automated and performed in large part by computer programs. Similarly source documents, journals, and ledgers that traditionally were paper-based are now digitized and stored in relational databases. As we will see later, the controls over these processes and databases become central issues in the IT audit process.

IT/IS Audit Objectives

            Companies which Data is stored in the relational database need an IT Audit to make sure that the information stored in the database is accurate. Therefore there are 3 main objectives of IT/IS Audit :

  1. Ensure the System have the adequate Security to support the Infrasturctures in the Company.
    There are a few components in the system that are needed to be audit such as  1. System Operating System  Security

           The System Operating System Security must be able to :

  • Protect the System from user.
  • Protect user from each other.
  • Protect user from themselves.
  • Protected from itself.
  • Protected from its enviroment.
  1.   Network Security

System Network consists of Intranet and Internet, both of them need to protected from their own risk.

  • Intranet Risk :
    • Interception of Network Messages
    • Unathorized Access to Corporate Database
    • Privelege abuse
  • Internet Risk :
    • IP Spoofing
    • Denial of Service Attack
    • Syn Flood Attack
    • Smurf Attack
    • DDOS
  1. Database Security

         To ensure the Database Security several controls need to be performed such as :

  • Concurency Control :
    • Ensure Database atomicity
    • Ensure Database isolation
    • Serializability of concurrent transactions
  • Access Control :
    • Control User View
    • Protect Database authorization table
    • Data Encryption
    • Biometric Devices
    • Inference Control
  1. Ensure the System Design and Implementation Suitable to Business Objectives in the Company.

Auditor will seek the most efficient way to Design a new System and Implementation without reducing the quality of the System, also they need to maintain the System to servers the company business objectives. Therefore several part of System Development Life Cycle (SDLC) need to be controlled.

  • Controlling New System Development
    • System Authorization Activities
    • User Specification Activities
    • Technical Design Activities
    • Internal Audit Participation
    • User Test and Acceptance Procedures
    • Audit Objectives Related to New Systems Development
    • Audit Procedures Related to New Systems Development
  • The Controlling Systems Maintenance
    • Maintenance Authorization, Testing, and Documentation
    • Source Program Library Controls
    • The Worst-Case Situation: No Controls
    • A Controlled SPL Environment
    • Audit Objectives Related to System Maintenance
    • Audit Procedures Related to System Maintenance
  • Controlling new System Development
    • Systems Authorization Activities
    • User Specification Activities
    • Technical Design Activities
    • Internal Audit Participation
    • User Test and Acceptance Procedures
  • Controlling System maintenance
    • Maintenance Authorization, Testing, and Documentation
    • Source Program Library Controls
  1. Determine the Accuraccy and Integrity from Transaction Process,Report and Record

      To Determine the Accuracy and Integriy, there are 2 types of tests that are needed to be performed.

  1. Test of Control
  • The objective of the tests of controls phase is to determine whether adequate internal controls are in place and functioning properly.
  • Consists of manual techniques and specialized computer audit techniques
  • Assess the quality of the internal controls by assigning a level for control risk
  1. Substantive Test
  • Substantive Test involves a detailed investigation of specific account balances and transactions through.
  • These tests are needed as evidence to support the assertion that the financial records of an entity are complete, valid, and accurate.
  • Substantive tests can be physical, labor-intensive activities, such as counting cash, counting inventories in the warehouse, and verifying the existence of stock certificates in a safe.

Overall the IT/IS Audit  will determine the quality of the services that are given to users and the company can give their best support quality that will affect company’s profit directly or indirectly so it will support the growth of the company.


Alvian Shanardi