15.0 Auditing in a computerised system
Auditing in a computerized system, often referred to as IT auditing or computer-assisted auditing, involves assessing the controls, processes, and risks associated with the use of information technology in an organization. Here are some key aspects of auditing in a computerized system:
- Understanding the IT Environment: The auditor needs to gain a thorough understanding of the organization’s IT environment, including the hardware, software, databases, network infrastructure, and IT policies and procedures.
- Assessing IT General Controls (ITGCs): ITGCs are controls that govern the overall IT environment and provide the foundation for the effectiveness of application controls. They include controls related to system security, change management, user access management, backup and recovery, and segregation of duties. The auditor evaluates the design and operating effectiveness of these controls to assess the reliability and integrity of the computerized system.
- Testing Application Controls: Application controls are specific controls within the computerized system that ensure the completeness, accuracy, and validity of data processing. The auditor tests these controls to determine their effectiveness in mitigating risks associated with transaction processing, data input, data processing, and output generation.
- Data Analytics: Auditors can leverage data analytics techniques to analyze large volumes of data and identify patterns, anomalies, or unusual trends. This helps in detecting errors, fraud, or other irregularities in the system. Data analytics can also be used for continuous monitoring and auditing, allowing auditors to perform real-time assessments of the system’s controls and identify potential issues promptly.
- IT Audit Trail: The computerized system often generates audit trails, which record the activities and transactions performed within the system. The auditor examines these audit trails to trace transactions, identify potential control weaknesses, and reconstruct events if necessary.
- System Security and Data Protection: Auditors assess the security measures implemented within the computerized system to protect data from unauthorized access, alteration, or destruction. This includes reviewing access controls, encryption mechanisms, firewall configurations, and other security measures.
- Compliance with Regulatory Requirements: Auditing in a computerized system involves ensuring compliance with applicable laws, regulations, and industry standards related to data privacy, information security, and IT governance.
- IT Risk Assessment: The auditor conducts a comprehensive IT risk assessment to identify and prioritize the risks associated with the computerized system. This includes assessing risks related to system availability, data integrity, unauthorized access, and IT governance.
- Documentation and Audit Evidence: The auditor documents the audit procedures performed, findings, and conclusions in the working papers. Audit evidence may include system-generated reports, system configurations, test results, and other relevant documentation.
- Continuous Monitoring and Auditing: Auditing in a computerized system is not limited to a one-time event but can involve continuous monitoring and auditing. This allows auditors to provide ongoing assurance on the effectiveness of controls and the integrity of the system’s operations.
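The audit-trail, segregation-of-duties and data-analytics points above can be combined into a single test. The following is an added example, not part of the original lesson: it rebuilds each transaction's history from an audit trail and flags two exceptions an auditor would follow up. The log layout, the action names (CREATE, MODIFY, APPROVE) and the rule that a preparer may not approve their own transaction are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit trail (not from a real system).
AUDIT_TRAIL = """\
timestamp,user,action,txn_id
2024-03-01T09:02:11,alice,CREATE,INV-1001
2024-03-01T09:40:03,bob,APPROVE,INV-1001
2024-03-01T10:15:45,carol,CREATE,INV-1002
2024-03-01T10:16:02,carol,APPROVE,INV-1002
2024-03-01T11:00:00,dave,CREATE,INV-1003
2024-03-01T11:30:00,alice,CREATE,INV-1004
2024-03-01T11:31:00,bob,MODIFY,INV-1004
2024-03-01T12:05:00,bob,APPROVE,INV-1004
"""

# Assumed control: whoever creates or modifies a transaction must not approve it.
PREPARER_ACTIONS = {"CREATE", "MODIFY"}


def reconstruct(trail_csv):
    """Group audit-trail rows by transaction, in time order, to rebuild each history."""
    history = defaultdict(list)
    rows = sorted(csv.DictReader(io.StringIO(trail_csv)), key=lambda r: r["timestamp"])
    for row in rows:
        history[row["txn_id"]].append((row["timestamp"], row["user"], row["action"]))
    return dict(history)


def sod_exceptions(history):
    """Return {txn_id: user} where the approver also prepared the same transaction."""
    exceptions = {}
    for txn_id, events in history.items():
        preparers = {user for _, user, action in events if action in PREPARER_ACTIONS}
        for _, user, action in events:
            if action == "APPROVE" and user in preparers:
                exceptions[txn_id] = user
    return exceptions


def unapproved(history):
    """Return transaction ids that have no APPROVE event (completeness check)."""
    return sorted(t for t, ev in history.items() if not any(a == "APPROVE" for _, _, a in ev))


if __name__ == "__main__":
    hist = reconstruct(AUDIT_TRAIL)
    print("SoD exceptions:", sod_exceptions(hist), "Unapproved:", unapproved(hist))
```

Run on a schedule against a fresh export of the trail, the same check serves as a continuous-monitoring control rather than a one-time test.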