
Understanding and Conducting Information Systems Auditing
Contents
Preface
Acknowledgments
PART ONE: CONDUCTING AN INFORMATION SYSTEMS AUDIT
Chapter 1: Overview of Systems Audit
Information Systems Audit
Information Systems Auditor
Legal Requirements of an Information Systems Audit
Systems Environment and Information Systems Audit
Information System Assets
Classification of Controls
The Impact of Computers on Information
The Impact of Computers on Auditing
Information Systems Audit Coverage
Chapter 2: Hardware Security Issues
Hardware Security Objective
Peripheral Devices and Storage Media
Client-Server Architecture
Authentication Devices
Hardware Acquisition
Hardware Maintenance
Management of Obsolescence
Disposal of Equipment
Problem Management
Change Management
Network and Communication Issues
Chapter 3: Software Security Issues
Overview of Types of Software
Elements of Software Security
Control Issues during Installation and Maintenance
Licensing Issues
Problem and Change Management
Chapter 4: Information Systems Audit Requirements
Risk Analysis
Threats, Vulnerability, Exposure, Likelihood, and Attack
Information Systems Control Objectives
Information Systems Audit Objectives
System Effectiveness and Efficiency
Information Systems Abuse
Asset Safeguarding Objective and Process
Evidence Collection and Evaluation
Logs and Audit Trails as Evidence
Chapter 5: Conducting an Information Systems Audit
Audit Program
Audit Plan
Audit Procedures and Approaches
System Understanding and Review
Compliance Reviews and Tests
Substantive Reviews and Tests
Audit Tools and Techniques
Sampling Techniques
Audit Questionnaire
Audit Documentation
Audit Report
Auditing Approaches
Sample Audit Work-Planning Memo
Sample Audit Work Process Flow
Chapter 6: Risk-Based Systems Audit
Conducting a Risk-Based Information Systems Audit
Risk Assessment
Risk Matrix
Risk and Audit Sample Determination
Audit Risk Assessment
Risk Management Strategy
Chapter 7: Business Continuity and Disaster Recovery Plan
Business Continuity and Disaster Recovery Process
Business Impact Analysis
Incident Response Plan
Disaster Recovery Plan
Types of Disaster Recovery Plans
Emergency Preparedness Audit Checklist
Business Continuity Strategies
Business Resumption Plan Audit Checklist
Recovery Procedures Testing Checklist
Plan Maintenance Checklist
Vital Records Retention Checklist
Forms and Documents
Chapter 8: Auditing in the E-Commerce Environment
Introduction
Objectives of an Information Systems Audit in the E-Commerce Environment
General Overview
Auditing E-Commerce Functions
E-Commerce Policies and Procedures Review
Impact of E-Commerce on Internal Control
Chapter 9: Security Testing
Cybersecurity
Cybercrimes
What Is Vulnerable to Attack?
How Cyberattacks Occur
What Is Vulnerability Analysis?
Cyberforensics
Digital Evidence
Chapter 10: Case Study: Conducting an Information Systems Audit
Important Security Issues in Banks
Implementing an Information Systems Audit at a Bank Branch
Special Considerations in a Core Banking System
PART TWO: INFORMATION SYSTEMS AUDITING CHECKLISTS
Chapter 11: ISecGrade Auditing Framework
Introduction
Licensing and Limitations
Methodology
Domains
Grading Structure
Selection of Checklist
Format of Audit Report
Using the Audit Report Format
Chapter 12: ISecGrade Checklists
Checklist Structure
Information Systems Audit Checklists
Chapter 13: Session Quiz
Chapter 1: Overview of Systems Audit
Chapter 2: Hardware Security Issues
Chapter 3: Software Security Issues
Chapter 4: Information Systems Audit Requirements
Chapter 5: Conducting an Information Systems Audit
Chapter 6: Risk-Based Systems Audit
Chapter 7: Business Continuity and Disaster Recovery Plan
Chapter 8: Auditing in an E-Commerce Environment
Chapter 9: Security Testing
About the Authors
About the Website
Index
CHAPTER 1
Overview of Systems Audit
In this chapter we discuss why an information systems audit is conducted. The chapter also identifies the challenges an auditor faces when auditing a computerized system, and the critical differences between computerized and noncomputerized systems. On completing this chapter, the reader will understand the salient features of a computerized system that an information systems auditor must keep in mind.
Information Systems Audit
An information systems audit is an examination of the controls within an information systems infrastructure. It is the process of collecting and evaluating evidence about the design and operation of the controls implemented in information systems, practices, and operations. After evaluating the evidence, the auditor forms an opinion on whether the information systems safeguard assets, maintain data integrity, and operate effectively and efficiently to achieve the entity's agreed-upon goals and objectives. An information systems audit can be performed independently of, or together with, an audit of financial statements; more often than not it remains an independent function used during the testing of controls.
Information Systems Auditor
Under existing practice in various countries, any person holding a recognized qualification in information systems audit can conduct an information systems audit. To be recognized, a qualification must be awarded by an institution acknowledged under the laws of the country; such institutions can be academic or professional bodies. The qualification can also take the form of membership in an association or body of persons, granted under that body's own norms for membership. Such membership is usually renewable annually on payment of a membership fee, whereas qualifications from academic institutions usually carry no recurring cost. It is important to check whether the regulatory authorities of the specific country recognize an information systems auditor's qualification for conducting an information systems audit there. Industries are free to recognize qualifications awarded by institutions other than those mentioned above.
Note that, unless the auditee or the regulatory authorities specify otherwise, no qualification beyond that of an information systems auditor is required in order to conduct an information systems audit.
Legal Requirements of an Information Systems Audit
More often than not, an information systems audit is a best practice or an ethical exercise rather than a legal requirement. In some jurisdictions, however, it may be legally required, for example under the Sarbanes-Oxley Act of 2002 in the United States.
The major requirements of the Sarbanes-Oxley Act relating to information systems audit are described in the following sections.
The Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act came into force in 2002 to improve the regulation of financial practices and corporate governance, and it imposes a number of compliance requirements. The act is named after Senator Paul Sarbanes and Representative Michael Oxley, its main architects.
Form 10-K
Form 10-K is the annual report that every domestic issuer in the United States must file with the Securities and Exchange Commission. It provides a comprehensive overview of the filer's business, together with its financial condition and audited financial statements.
Securities and Exchange Commission
Better known by its acronym, SEC, the Securities and Exchange Commission is the primary regulator responsible for enforcing the laws and regulations governing the securities industry in the United States.
- Section 302 assigns corporate responsibility for the accuracy of financial statements and related disclosures to the chief executive officer (CEO) and chief financial officer (CFO). The signing officers certify that they have reviewed the reports and that the reports contain no untrue statements, material omissions, or misleading statements. Such a certification is well founded only if an information systems audit has reviewed the operation of the software and systems that produce the financial statements.
- Section 404(b) requires the external auditor to attest to management's assessment of internal control over financial reporting. The assessment seeks to ensure that adequate controls are established and maintained for financial reporting, and an information systems audit naturally supports it.
- Section 409 requires rapid, near-real-time disclosure of material changes in financial condition or operations. An information systems audit can assess an organization's readiness to meet this requirement.
- Section 802 requires the retention of electronic records that bear on a company's assets or performance, and penalizes their willful destruction or falsification. An information systems auditor reviews an organization's preparedness to prevent willful or accidental destruction of such records.
Following is a sample certification from the 10-K filing of Kraft Foods Inc. with the Securities and Exchange Commission.
CERTIFICATION
I, Irene B. Rosenfeld, certify that:
- I have reviewed this annual report on Form 10-K of Kraft Foods Inc.;
- Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;
- Based on my knowledge, the financial statements, and other financial information included in this report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;
- The registrant's other certifying officer(s) and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the registrant and have:
Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;
Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;
Evaluated the effectiveness of the registrant's disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
Disclosed in this report any change in the registrant's internal control over financial reporting that occurred during the registrant's most recent fiscal quarter (the registrant's fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant's internal control over financial reporting; and
- The registrant's other certifying officer(s) and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant's auditors and the audit committee of the registrant's board of directors (or persons performing the equivalent functions):
All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and
Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control over financial reporting.
Date: February 28, 2011
/s/ IRENE B. ROSENFELD
Irene B. Rosenfeld
Chairman and Chief Executive Officer
An audit under Statement on Auditing Standards (SAS) No. 70, developed by the American Institute of Certified Public Accountants (AICPA), is another example of a statutory or quasi-statutory need to perform an information systems audit. (SAS 70 has since been superseded by the SSAE 16 and SSAE 18 attestation standards and the SOC 1 report, but the underlying need to have a service organization's controls independently examined is unchanged.)
Statement on Auditing Standards
Usually referred to as SAS, these standards describe the generally accepted auditing practices that an auditor should follow when conducting an audit and issuing the audit report. They are issued by the Auditing Standards Board of the American Institute of Certified Public Accountants in the United States; most countries have an independent accounting and auditing body that issues comparable standards.
The standard identifies the factors that an independent financial auditor should consider when auditing the financial statements of an entity that uses a service organization to process certain transactions. Since the evaluation is based essentially on examination of...