IS/IT Audit


An IT audit is the examination and evaluation of an organization’s information technology infrastructure, policies and operations. Information technology audits determine whether IT controls protect corporate assets, ensure data integrity and are aligned with the business’s overall goals. IT auditors examine not only physical security controls, but also overall business and financial controls that involve information technology systems.

Information and communication Technology (ICT) has participated its best in the development and growth of any industry or organization, however, it has also created significant and unprecedented risks. Information System (IS) can be referred to any processes, activities or set of tasks that safeguards the integrity, confidentiality and accessibility of information.

Internet is global and in the internet, almost all are interconnected and able to reach data at different geographical locations. This has been boon to mankind to be able to live in an era where information in no matter of time can be obtained but at the same time it also opens up the risks of sabotage, fraud, malicious or mischievous acts which could lead to several problems such as privacy issue. Financial loss etc. these risks have to controlled and minimized. There are several ways of applying security techniques. The application of security techniques solely depends on the nature of risks. It becomes priority to identify the potential risks before techniques are selected to provide the identify the potential risks before techniques are selected to provide the security for the data or the system or organizations. Audit is inspection or assessment of the process or outcome against defined standards or guidelines. Information System Audit (IS-A) is the assessment of Information System against the standards or guidelines.


The purposes of an IT audit are to evaluate the system’s internal control design and effectiveness. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight. Installing controls are necessary but not sufficient to provide adequate security. People responsible for security must consider if the controls are installed as intended, if they are effective, or if any breach in security has occurred and if so, what actions can be done to prevent future breaches. These inquiries must be answered by independent and unbiased observers. These observers are performing the task of information systems auditing. In an Information Systems (IS) environment, an audit is an examination of information systems, their inputs, outputs, and processing.

The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization’s information. Specifically, information technology audits are used to evaluate the organization’s ability to protect its information assets and to properly dispense information to authorized parties. The IT audit aims to evaluate the following:

There are many different types of Audits:

  1. Financial audits
  2. Operational audits
  3. Integrated audits
  4. Administrative audits
  5. IT audits
  6. Specialized audits
  7. Forensic audits

IT Audit Process

The below provided are the basic steps in performing the Information Technology Audit Process.

  1. Planning IN
  2. Studying and Evaluating Controls
  3. Testing and Evaluating Controls
  4. Reporting
  5. Follow-up
  6. Reports

Emerging Issues

Today’s world is moving towards the world of data, everything are stored in the form of data.

There are also new audits being imposed by various standard boards which are required to be performed, depending upon the audited organization, which will affect IT and ensure that IT departments are performing certain functions and controls appropriately to be considered compliant will the organization’s computer systems be available for the business at all times when required? (known as availability) Will the information in the systems be disclosed only to authorize users? (known as security and confidentiality) Will the information provided by the system always be accurate, reliable, and timely? (measures the integrity) In this way, the audit hopes to assess the risk to the company’s valuable asset (its information) and establish methods of minimizing those risks.

IT audits are also known as Information Systems Audit, ADP audits, EDP audits, or computer audits.

2. Objectives

The main objective of this research is to study security and challenges of Information system Audit and its importance. The researcher shall conclude its current status in Nepal.

3. Literature Review

Information System Audit helps in auditing risks and thus improves the organization security system by evaluating system processes of organization and controls against a baseline. Audits are planned and designed to give an independent evaluation and assessment. Audits may also provide a gap analysis or operating effectiveness of the internal controls.

  1. General Discussion of System Auditing

Continuous IT systems auditing can be broken into two parts.

Traditional auditing vs continuous auditing methodologies (Chan, et al, 2011)

Multi – tenancyInfrastructure/  data segregation
Ever Developing RiskContinuing risk assessment program, CSO/CISO, Assessment
Relaxation of SecurityPeriodic assessment/ audit
Service Provider TiersContract pass – through, coordinated security assessment
Contractor AccessBackground checks, contracts, Segregation, Surveillance
DisastersSLA, Multi, Facility Provisioning
External PhysicalSecure Facility, Escort, Surveillance
External LogicalIPS, Firewalls, WAF, Secure Coding, Secure Architecture, Host Hardening
IncidentsFacility & Per Customer Incident Response Team
Application HugsLayered Security, Patching, secure coding practices, Assessments, Segregation
Data LeakageEncryption (at rest & in-flight), Segregation, Assessment, Host Hardening

Information System Audit:

Information System Audit is a process of assessing risks so that its security can be enhanced. Audits are independent assessment which could also provide gap analysis on the internal controls effectiveness of an IS.

International Organization for Standardization has defined:

  • ISO27000 series is on IS Security and ISO27008 for Information and Security Management Auditing that focuses on ISMS Latter rather than specific controls.
  • ISO31000 for Risk Management.
  • ISO/IEC27033 – I as the concept of network security for information system security assurance.
  • ISO17799:2005 as specification of audit process for information system security assurance
  • ISO190111:2003 as flow of Management of Audit Program.

Audit Program Management Process Flow

Upon identification of purpose, responsibilities and scope of an auditor, resources supporting audit program and procedures that specify operations to be followed to reach the goal the audit program Audit program can be established.

MANS: Measure Audit Network System

This section will illustrate the audit network system.


This research uses explanatory method and has been conducted by observing phenomena, behaviors or problems to seek answers on how audit on IS can be conducted. The data for this research has been collected through published research papers and articles. Furthermore Questionnaire, Interview and company visit will also be included as a method of data collection.

Quantitative research methodology has been used in this research. The research theory of this paper has been to construct knowledge and meaning from researchers experience, that is, constructivism, which has direct application to education. The research theory indicated technological constructivism.

Primary data was collected by means of online survey where professionals from different areas of ICT were chosen. Secondary data was collected from several comparative studies of different research papers/ journals which helped to gather information on international level.


The audit model as in figure for IS Audit has been proposed by researcher where the audit has been broken into three major sections – Study, Assessment, Corrective Actions and Recommendations.

Thank You

Leave a Comment

Your email address will not be published. Required fields are marked *