Just as information technology has affected almost every field of life, it has also changed the auditing function. Records have been digitized, processes have been built into systems, and financial transactions and other critical information are now processed through information systems.
Prior to the arrival of information systems, auditors would examine records on paper and report their opinion, based on this examination, to stakeholders such as management, shareholders and the board. Information systems changed this situation significantly.
Although it is still a statutory requirement to be audited on paper as well, it was felt quite early that the skills of paper auditors were not helping in auditing entities where systems had been implemented. Without knowledge of information systems, these auditors had no way of knowing how the records were being kept or whether they were being maintained as per management’s and statutory directions.
Based on this need, it was felt that auditors had to be trained in auditing these information systems. From this the field of information systems auditing emerged, which is broadly a mix of auditing principles, information systems governance and management principles, and information security.
Although all the job practice areas of an information systems auditor are important, the most critical is the internal controls review of the systems: how the controls have been designed and implemented in the information systems. This is an area where security, manual controls and automated controls all converge, so an information systems auditor has to be knowledgeable about all these aspects besides being an auditor who follows an audit process.
Broadly speaking, an information systems auditor does the following types of work as part of an internal or external audit assignment. On internal audit assignments, he or she may also act in an advisory capacity to management, but is never a solutions implementer, because that would create a conflict of interest.
What Does a CISA Auditor Do?
- Internal and external audit assignments
- Advice at the solution design stage
- Risk based audits
- Risk analysis and risk assessment
- Information technology and governance audits
- Work as a support for the financial audit team regarding information systems audit
- IT management audit
- Systems and application security audit
- Information systems internal control review
- Business continuity and data center security review and audit
- Operating systems review
- Penetration testing
- Database administration review
- Physical and logical security review
- Post implementation systems review
- And a host of other very exciting and challenging things.
Since information technology is an ever-changing field, an IS auditor has to stay at the top of his or her skills and knowledge when it comes to information systems. In brief, IS auditors work everywhere, from Big Four audit firms to information security companies. They also work in the government sector. Their work and skills are always in demand because of the increasing use of information systems in every sphere of life.
Another good way to learn what an IS auditor does is to go through the knowledge statements at the beginning of all four chapters of the CISA Review Manual. One key thing to remember is that taking remedial measures, or being part of the remedial measures team, is not the job of the CISA auditor, because the auditor would then compromise the objectivity and independence that are essential for all types of audits.