Audit Requirements
An audit is a process of checking that the security controls within a
system are sufficient and that they are being properly implemented. An audit
should therefore detect:
- Whether the security controls set out in the IT security policy are
sufficient to protect the system, or whether they are inadequate
- Whether the security controls are being properly operated by the
staff
- Whether fraud or misuse is taking place, either because protection is
inadequate or because the controls have been circumvented.
In some applications - particularly when an organisation handles
financial transactions for clients - an audit may be required by law. Even when
there is no legal requirement for an audit, an organisation will usually want to
ensure that its IT operation is secure.
The large amount of data and the complexity of processing present a
major problem in the audit of Information Systems. An auditor will probably
need to use software to help in the audit of the system.
An audit package will allow the auditor to extract samples of data from
files, perform a large variety of calculations (e.g. interest due, discount
etc.) on selected categories of record, and basically to view and process the
data in a variety of ways that will allow the auditor to check the validity of
the processing that has been carried out.
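The kind of check an audit package supports, shown as an added example rather than code from the text: the auditor extracts a reproducible sample of records from one category, re-performs the calculation the system claims to have done (simple annual interest is the rule assumed here), and lists every record whose stored result disagrees with the recomputation. The records, the category names and the interest rule are all constructed for the illustration.

```python
# Added example (not from the text): a minimal "audit package" routine that
# selects a sample of records of one category and re-performs a calculation
# the system is supposed to have done, flagging records whose stored result
# does not match the recomputation.
import random
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample of account records, as an auditor might extract from a
# file. Record A004 carries a deliberately wrong stored interest figure.
RECORDS = [
    {"id": "A001", "category": "loan",    "principal": Decimal("1000.00"), "rate": Decimal("0.05"), "interest_due": Decimal("50.00")},
    {"id": "A002", "category": "loan",    "principal": Decimal("2500.00"), "rate": Decimal("0.04"), "interest_due": Decimal("100.00")},
    {"id": "A003", "category": "loan",    "principal": Decimal("800.00"),  "rate": Decimal("0.06"), "interest_due": Decimal("48.00")},
    {"id": "A004", "category": "loan",    "principal": Decimal("1200.00"), "rate": Decimal("0.05"), "interest_due": Decimal("65.00")},
    {"id": "A005", "category": "deposit", "principal": Decimal("500.00"),  "rate": Decimal("0.02"), "interest_due": Decimal("10.00")},
]


def expected_interest(principal: Decimal, rate: Decimal) -> Decimal:
    """Simple annual interest rounded to cents (the calculation rule assumed here)."""
    return (principal * rate).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def select_sample(records, category, size, seed=0):
    """Deterministic random sample of records in one category.

    The seed is fixed so that the same sample can be reproduced later,
    which an auditor needs in order to document what was examined.
    """
    population = [r for r in records if r["category"] == category]
    rng = random.Random(seed)
    return rng.sample(population, min(size, len(population)))


def audit_interest(records):
    """Recompute interest for each record; return (id, stored, recomputed)
    for every record whose stored value disagrees with the recomputation."""
    exceptions = []
    for r in records:
        calc = expected_interest(r["principal"], r["rate"])
        if calc != r["interest_due"]:
            exceptions.append((r["id"], r["interest_due"], calc))
    return exceptions


if __name__ == "__main__":
    sample = select_sample(RECORDS, "loan", 4)
    print(f"sampled {len(sample)} loan records")
    for id_, stored, calc in audit_interest(sample):
        print(f"{id_}: stored {stored}, recomputed {calc}")
```

Recomputing from the raw fields rather than trusting a stored total is the point: the audit package gives the auditor an independent calculation to compare against, and the exception list is what gets followed up.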
One of the tasks that an auditor will carry out is to follow the flow of
selected transactions through the system, assessing at each stage of the
processing whether the necessary controls have been implemented. This can only
be done if an audit trail is created for each transaction as it occurs. The
recording of an audit trail must be designed into the system. It will store
sufficient detail to allow the auditor to follow any transaction through all
its stages within the system from the original source data to final output.
Collecting and storing audit trail data imposes an overhead on the
system: it is likely to slow processing down and to increase the storage
requirements.
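What "designing the audit trail into the system" looks like in code, as an added example that is not part of the text: every processing stage appends an entry for the transaction it handles to an append-only trail, and the auditor's routine follows one transaction through all of its stages and checks that the expected controls were applied. The stage names, the rule that every posted transaction must pass through input, validation and approval in that order, the separation-of-duties check and the sample transactions are all assumptions made for the illustration.

```python
# Added example (not from the text): an append-only audit trail in which each
# processing stage records an entry for the transaction it handles, plus the
# auditor-side routine that follows one transaction through all its stages
# and checks that the expected controls were applied.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TrailEntry:
    txn_id: str
    seq: int      # position in the whole trail; assigned by the trail, never by the caller
    stage: str    # e.g. "input", "validated", "approved", "posted"
    actor: str    # user or process that performed the stage
    amount: str   # value as seen at this stage, so later changes are visible


class AuditTrail:
    """Append-only log: entries can be added and read, never altered or removed."""

    def __init__(self):
        self._entries: List[TrailEntry] = []

    def record(self, txn_id: str, stage: str, actor: str, amount: str) -> TrailEntry:
        entry = TrailEntry(txn_id, len(self._entries), stage, actor, amount)
        self._entries.append(entry)
        return entry

    def follow(self, txn_id: str) -> List[TrailEntry]:
        """All entries for one transaction, in the order they occurred."""
        return [e for e in self._entries if e.txn_id == txn_id]


# Control policy the auditor checks against (assumed for the example):
# every transaction must pass through these stages in this order, and the
# person who approves it must not be the person who entered it.
REQUIRED_STAGES = ["input", "validated", "approved", "posted"]


def check_controls(trail: AuditTrail, txn_id: str) -> List[str]:
    """Return the control failures found for one transaction (empty list = clean)."""
    entries = trail.follow(txn_id)
    stages = [e.stage for e in entries]
    failures = []

    # 1. Required stages present, and in the required order.
    positions = [stages.index(s) if s in stages else -1 for s in REQUIRED_STAGES]
    if -1 in positions:
        missing = [s for s, p in zip(REQUIRED_STAGES, positions) if p == -1]
        failures.append("missing stage(s): " + ", ".join(missing))
    elif positions != sorted(positions):
        failures.append("stages out of order: " + " -> ".join(stages))

    # 2. Separation of duties between data entry and approval.
    by_stage = {e.stage: e for e in entries}
    if "input" in by_stage and "approved" in by_stage \
            and by_stage["input"].actor == by_stage["approved"].actor:
        failures.append("same actor entered and approved: " + by_stage["input"].actor)

    # 3. Amount unchanged from the source data to the final stage.
    if len({e.amount for e in entries}) > 1:
        failures.append("amount changed during processing: "
                        + " -> ".join(e.amount for e in entries))
    return failures


def build_sample_trail() -> AuditTrail:
    """Constructed trail: T1 is clean, T2 breaks separation of duties,
    T3 skips approval and has its amount altered before posting."""
    t = AuditTrail()
    for stage, actor in [("input", "alice"), ("validated", "batch"), ("approved", "bob"), ("posted", "ledger")]:
        t.record("T1", stage, actor, "250.00")
    for stage, actor in [("input", "alice"), ("validated", "batch"), ("approved", "alice"), ("posted", "ledger")]:
        t.record("T2", stage, actor, "900.00")
    t.record("T3", "input", "carol", "100.00")
    t.record("T3", "validated", "batch", "100.00")
    t.record("T3", "posted", "ledger", "1000.00")
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    for txn in ("T1", "T2", "T3"):
        print(txn, check_controls(trail, txn) or ["ok"])
```

Because each stage records the actor and the value it saw, the auditor can reconstruct the path of any transaction and spot both a missing control (no approval) and a circumvented one (the same person entering and approving); this is the same trail data that costs the processing time and storage the text mentions.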