As an information systems auditor, you will perform many different types of audits. But first we need to understand auditing in general. Broadly speaking, there are the following three types of audits, and we can then dig further into each of them.
- Internal Audit
- External Audit
- Third Party Audit
What is Internal Audit
According to the Institute of Internal Auditors, an internal audit is a type of audit focused on evaluating the risk management process, control environment and governance processes in an organization. As an internal auditor you are part of the organization; however, your reporting line generally goes up to the very highest tiers of management to ensure the independence and objectivity of the audit function.
What is External Audit
External auditors are totally independent of the management structure, and their functions are the same, i.e., evaluating the risk management, control structure and governance process. But they enjoy full independence because they do not report to management regarding their function. This is also mostly mandated by law.
Third Party Audit
This might be an audit jointly engaged by two or more parties to ensure that common functions or agreements are being honored and respected, or that they are working satisfactorily. An example might be an audit of a software interface between two different companies.
Types of Information Systems Audits
As an IS auditor, you might be engaged to do any of the above three basic types of audits. You might well work as an employee of a company and perform independent audits. Or you may perform IS audits as an external auditor. And it is also possible that you are engaged to perform a third party audit or what you may call an independent audit. For example, you might audit an implementation of a payment gateway by a company as an independent auditor.
The field of information systems auditing is vast, but your work will mainly fall into any of the following sub-types of Information Systems Audits:
- General Controls Audit: Your work may be to review the generally accepted controls across all information systems implementations. This might involve systems development, systems operation, maintenance of systems and application security. It might also include a general control review of operating systems, a data center security review and a review of compliance with policies and procedures.
- Application Controls Audit: This type of IS audit is focused on a particular application. Your work will revolve around evaluating the input, processing and output controls of that particular application or software. Ancillary issues related to the application, for example communication, change control and the integrity and quality of data, will also be considered during this type of audit.
- Systems Development Audit: This type of IS audit focuses on software or systems development. You will be auditing all the processes of system development, ranging from requirements gathering to the final product in production systems. Of particular interest in such a situation are change management and the review of super users.
- Integrated Audit: This type of audit involves working with other auditors or teams like financial auditors or performance auditors.
- Forensic Audit: You may also be asked to perform an audit of a particular system after unusual and suspicious activity is observed and reported.
The work of an information systems auditor is very challenging and multi-dimensional. What makes it more interesting is the rapid change happening in Information Technology all the time.