Information system audit is the process of obtaining and evaluating evidence to judge whether an information system can safeguard assets, maintain data integrity, use organizational resources efficiently and achieve organizational goals effectively (as defined by ISACA, the Information Systems Audit and Control Association). At present, audit institutions audit information systems in two main ways. The first treats the information system audit as part of a routine audit that serves the overall goal of the audit project: data audit, information system audit and audit of the system's internal controls are combined, the latter two serve the data audit, and conclusions are drawn from the audited data. The second is an independent project that audits the security, reliability and effectiveness of the information system itself.
Second, the urgency of carrying out information system audits
Information system audit is an important part of the work of national audit institutions and an inevitable product of informatization once it has reached a certain level.
(a) Carrying out information system audits is a requirement of controlling audit risk. When paper accounts were audited in past years, the internal controls were audited as well, so that falsified accounts could not be passed off. Electronic data must likewise be prevented from being falsified. If the security, reliability or effectiveness of the audited entity's information system, which carries the electronic data, is deficient, the computer data audit carries risk. The credibility and reliability of the system are the premise and basic condition of data audit.
(b) Carrying out information system audits is a requirement of fully performing audit duties. In an information environment, the audit of electronic data, of the information system and of the system's internal controls must form a "trinity"; none of the three can be omitted from the audit process. Only then can the requirement of "comprehensive audit with emphasis on key points" be met and audit duties be fully performed.
(a) Raise the awareness of all auditors of information system auditing.
The view that "auditors who do not master computer technology will lose their qualification to audit" has largely been accepted by the 80 thousand auditors. In recent years computers have been widely used in auditing and data audit has been vigorously promoted. Most people, however, still understand information system audit insufficiently, do not appreciate the necessity and urgency of carrying it out, and even doubt its feasibility. To ensure that the data generated by an information system are true and complete and that the system is secure, reliable and effective, any information system used by the audited entity must be audited and its internal controls checked. Only then can falsified accounts be prevented from passing an audit.
(b) Pay attention to training computer information system auditors and continuously improve their audit skills.
Auditing computer information systems demands a higher level of professional skill from auditors: besides the corresponding audit skills, they need stronger computer skills. There are two channels for obtaining computer information system auditors. The first is to make computer skills a requirement when recruiting staff and to cultivate their audit skills in practical work; the second is to train existing auditors in computer knowledge to improve their information technology audit ability. Because computer technology is broad, technically complex and develops rapidly, information technology auditors obtained through either channel must receive continuing education.
(c) Information system audit should pay attention to three key areas.
(1) Internal controls.
In a computer system, the following aspects should be checked to establish that the internal control system is effective:
1. Access to system resources. This covers physical resources such as terminals, servers, network connection equipment and related documents, and logical resources such as software, system files and tables, and data.
2. Control over the use of system resources. Users may operate only on the resources for which they are authorized.
3. A scheme for allocating resources according to users' functions. Important task functions are separated across users or user groups to reduce unintentional misoperation, abuse of system resources and unauthorized modification of data.
4. Records of system usage. Usage records are kept in chronological order and include exceptions, who triggered security-related events, and who created, modified or deleted financial information.
5. Confirmation that processing is accurate. The control information the system generates (control totals, for example) is used to confirm that processing completed accurately.
6. Changes to the financial information system by management personnel. All modifications must be authorized, recorded, thoroughly and independently tested and finally put into use in a controlled manner.
7. Protection of the financial information system against computer viruses. A set of controls must be in place to detect viruses and prevent them from infecting the financial information system.
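One way to test items 2, 3 and 4 together is to replay the system's usage records against the authorization matrix and look for successful actions outside a user's authorization and for the same user performing conflicting duties on one record. The script below is an added example, not code from the original article; the log format, the role and permission matrix, the user names and the log lines are all constructed for illustration.

```python
"""Audit test for items 2, 3 and 4 above: replay a system usage log against
an authorization matrix and flag successful actions a user was not
authorized for, and separation-of-duties violations where one user both
created and approved the same financial record.

This is an added example, not code from the original article. The log
format, the role/permission matrix and the user names are constructed
for illustration.
"""
from collections import defaultdict

# Assumed authorization matrix: role -> allowed (resource, action) pairs.
ROLE_PERMISSIONS = {
    "ap_clerk": {("invoice", "create"), ("invoice", "modify"), ("invoice", "view")},
    "ap_manager": {("invoice", "approve"), ("invoice", "view")},
    "sysadmin": {("system_table", "modify"), ("user", "create")},
}
USER_ROLES = {"alice": "ap_clerk", "bob": "ap_manager", "carol": "sysadmin", "dave": "ap_clerk"}

# Duties that must not be performed by the same user on the same record.
SOD_CONFLICTS = [("invoice", "create", "approve")]

# Constructed chronological usage log, one event per line:
# timestamp|user|resource|action|record|result
SAMPLE_LOG = """\
2024-03-01T09:00:00|alice|invoice|create|INV-1001|ok
2024-03-01T09:05:00|bob|invoice|approve|INV-1001|ok
2024-03-01T10:12:00|dave|invoice|create|INV-1002|ok
2024-03-01T10:15:00|dave|invoice|approve|INV-1002|ok
2024-03-01T11:40:00|alice|system_table|modify|GL-MAP|ok
2024-03-01T12:00:00|carol|user|create|eve|ok
2024-03-01T12:01:00|eve|invoice|approve|INV-1003|denied
"""


def parse_log(text):
    """Parse the pipe-delimited log into a list of event dicts."""
    fields = ("timestamp", "user", "resource", "action", "record", "result")
    return [dict(zip(fields, line.split("|"))) for line in text.strip().splitlines()]


def audit_log(text):
    """Return findings as (code, user, resource, action, record) tuples."""
    findings = []
    # (resource, record) -> {action: user}, built from successful events only.
    actors = defaultdict(dict)
    for event in parse_log(text):
        if event["result"] != "ok":
            continue  # a denied attempt shows the control worked; not a finding here
        role = USER_ROLES.get(event["user"])
        allowed = ROLE_PERMISSIONS.get(role, set())  # unknown user -> nothing allowed
        if (event["resource"], event["action"]) not in allowed:
            findings.append(("UNAUTHORIZED", event["user"], event["resource"],
                             event["action"], event["record"]))
        actors[(event["resource"], event["record"])][event["action"]] = event["user"]
    # Separation of duties: conflicting actions on one record by one user.
    for (resource, record), by_action in actors.items():
        for sod_resource, first, second in SOD_CONFLICTS:
            if (resource == sod_resource and first in by_action and second in by_action
                    and by_action[first] == by_action[second]):
                findings.append(("SOD_VIOLATION", by_action[first], resource,
                                 f"{first}+{second}", record))
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(*finding)
```

On the constructed log this reports dave's approval of INV-1002 as unauthorized, alice's change to a system table as unauthorized, and dave creating and approving the same invoice as a separation-of-duties violation; eve's denied attempt is left out because the denial shows the control worked. In a real audit the same test should also be run against records that were not in the log at all (item 4 asks for completeness of the records), which this script cannot detect by itself.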
(2) Data.
During the audit, auditors select some transactions for detailed inspection to confirm whether the transaction records meet the overall audit objectives.
First, check the accounting information for completeness, timeliness, compliance and disclosure: whether all transactions belonging to this fiscal year are recorded; whether all recorded transactions are genuine and belong to this fiscal year; whether the recorded transactions are accurate in amount and calculation; whether they comply with the basic and supplementary legal provisions and the requirements of the specific authorities; and whether they are classified correctly and meet disclosure requirements.
Second, check the financial statement information for completeness, existence, accounting measurement, ownership and disclosure: whether all assets and liabilities are recorded; whether all recorded assets and liabilities exist; whether assets and liabilities are measured accurately and the calculation method follows accounting policies based on reasonable and consistent standards; whether the assets are owned by the audited entity and the liabilities are borne by it, and whether both arose from lawful economic activity; and whether assets, liabilities, capital and inventory are disclosed correctly.
At the same time, analyse the business information provided by the information system, such as monthly total payroll, payment lists and order information for a given period, establish the underlying transactions and trace them back to the source of the information. Computer-assisted audit techniques can be used for this analysis: the data can be summarized, classified, sorted, compared and selected according to specified criteria, and other operations performed on them.
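The accounting-information checks above (period cutoff, arithmetic accuracy, correct classification, and recorded transactions being genuine) are the kind of tests a computer-assisted audit technique runs over the whole journal rather than a hand-picked sample. The script below is an added example, not code from the original article; the extract layout, the chart of accounts, the fiscal year and the journal entries are constructed for illustration.

```python
"""Computer-assisted audit tests for the accounting-information checks above,
run over a constructed journal-entry extract: period cutoff, entry balance,
recalculation of line amounts, account classification and duplicate entries.

This is an added example, not code from the original article. The extract
format, the chart of accounts and the fiscal year are assumptions.
"""
import csv
import io
from datetime import date
from decimal import Decimal

# Assumed chart of accounts and fiscal year of the audited entity.
CHART_OF_ACCOUNTS = {"1001": "Cash", "2001": "Accounts payable",
                     "5001": "Office expenses", "5002": "Travel"}
FISCAL_START, FISCAL_END = date(2023, 1, 1), date(2023, 12, 31)

# Constructed extract: one line per journal-entry line.
SAMPLE_ENTRIES = """\
entry_id,line,date,account,description,quantity,unit_price,debit,credit
JE-1,1,2023-03-05,5001,Printer paper,10,12.50,125.00,0
JE-1,2,2023-03-05,2001,Printer paper,0,0,0,125.00
JE-2,1,2023-07-19,5002,Taxi,3,40.00,125.00,0
JE-2,2,2023-07-19,2001,Taxi,0,0,0,125.00
JE-3,1,2024-01-02,5001,Toner,2,60.00,120.00,0
JE-3,2,2024-01-02,2001,Toner,0,0,0,120.00
JE-4,1,2023-09-30,5009,Consulting,1,900.00,900.00,0
JE-4,2,2023-09-30,2001,Consulting,0,0,0,950.00
JE-5,1,2023-03-05,5001,Printer paper,10,12.50,125.00,0
JE-5,2,2023-03-05,2001,Printer paper,0,0,0,125.00
"""


def load_entries(text):
    """Group extract lines by entry_id, converting dates and amounts."""
    entries = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["date"] = date.fromisoformat(row["date"])
        for key in ("quantity", "unit_price", "debit", "credit"):
            row[key] = Decimal(row[key])  # Decimal, never float, for money
        entries.setdefault(row["entry_id"], []).append(row)
    return entries


def run_tests(text):
    """Return findings as (test, entry_id, detail) tuples."""
    findings = []
    seen = {}  # (date, description, total debit) -> first entry_id seen
    for entry_id, lines in load_entries(text).items():
        # Cutoff: every line must fall inside the fiscal year under audit.
        if not all(FISCAL_START <= line["date"] <= FISCAL_END for line in lines):
            findings.append(("OUT_OF_PERIOD", entry_id, str(lines[0]["date"])))
        # Arithmetic: debits and credits of an entry must balance.
        total_dr = sum(line["debit"] for line in lines)
        total_cr = sum(line["credit"] for line in lines)
        if total_dr != total_cr:
            findings.append(("UNBALANCED", entry_id, f"dr {total_dr} cr {total_cr}"))
        for line in lines:
            # Classification: the account must exist in the chart of accounts.
            if line["account"] not in CHART_OF_ACCOUNTS:
                findings.append(("UNKNOWN_ACCOUNT", entry_id, line["account"]))
            # Recalculation: quantity x unit price must equal the posted debit.
            if line["quantity"] and line["quantity"] * line["unit_price"] != line["debit"]:
                findings.append(("CALC_MISMATCH", entry_id,
                                 f"line {line['line']}: {line['quantity']} x "
                                 f"{line['unit_price']} != {line['debit']}"))
        # Duplicates: same date, description and amount as an earlier entry.
        key = (lines[0]["date"], lines[0]["description"], total_dr)
        if key in seen:
            findings.append(("DUPLICATE", entry_id, f"repeats {seen[key]}"))
        else:
            seen[key] = entry_id
    return findings


if __name__ == "__main__":
    for finding in run_tests(SAMPLE_ENTRIES):
        print(*finding)
```

Each finding is a lead for the detailed inspection the paragraph describes, not a conclusion: an entry flagged as a duplicate may be a legitimate repeat order, and an out-of-period entry may be a correct accrual reversal, so the auditor still traces each one back to its source document.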
(3) Data transfer and conversion.
In an information system, some data must be transferred between two financial information systems or between the financial information system and a business information system, and problems can arise in the process, especially where data must be re-entered manually. The audit should therefore pay attention to the following: (1) data may be altered during transfer; (2) the new account code table may differ from the old one, so a complex correspondence between the two financial information systems has to be established; (3) a central database may be replaced by geographically dispersed servers; (4) the data quality in the existing financial information system may be poor; (5) when a dedicated financial information system is replaced by a general-purpose information system, a great deal of new data must be supplemented. When checking this area, confirm that output messages are approved, complete and accurate, that they are delivered accurately to the designated recipient within the agreed time, and that the data flow as a whole is complete, accurate and true.
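Points (1) and (2) above can be tested directly: verify that the file the receiving system loaded is the file the sending system produced, and reconcile the old system's balances to the new system through the account-code mapping. The script below is an added example, not code from the original article; the file layouts, the manifest format with an HMAC over the file body, the shared key, the code mapping and the balances are all constructed for illustration.

```python
"""Checks for the data transfer and conversion area above: verify that an
export file arrived unaltered (record count and HMAC-SHA256 against the
sender's manifest) and reconcile old-system balances to the new system
through an account-code mapping, reporting unmapped codes and differences.

This is an added example, not code from the original article. The file
layouts, the manifest, the key, the mapping and the balances are constructed.
"""
import hashlib
import hmac
from decimal import Decimal

# Assumed key shared between sender and receiver for the manifest MAC.
MANIFEST_KEY = b"constructed-shared-key-for-illustration"

# Constructed export from the old financial system: old_code,name,balance
OLD_EXPORT = """\
1101,Cash - main,1500.00
1102,Cash - petty,200.00
2201,AP - domestic,-900.00
2202,AP - foreign,-300.00
6101,Travel,450.00
"""


def make_manifest(body):
    """Record count and HMAC the sending side transmits with the file."""
    return {"records": len(body.strip().splitlines()),
            "mac": hmac.new(MANIFEST_KEY, body.encode(), hashlib.sha256).hexdigest()}


OLD_MANIFEST = make_manifest(OLD_EXPORT)
# The same file with one balance altered in transit (constructed).
TAMPERED_EXPORT = OLD_EXPORT.replace("1500.00", "1800.00")

# Assumed old-to-new account code mapping (many-to-one); 6101 is left unmapped.
CODE_MAP = {"1101": "1000", "1102": "1000", "2201": "2000", "2202": "2000"}

# Constructed balances as loaded into the new system: new_code,name,balance
NEW_IMPORT = """\
1000,Cash,1700.00
2000,Accounts payable,-1250.00
"""


def parse_balances(text):
    """Parse 'code,name,balance' lines into (code, name, Decimal) tuples."""
    rows = []
    for line in text.strip().splitlines():
        code, name, amount = line.split(",")
        rows.append((code, name, Decimal(amount)))
    return rows


def verify_transmission(received, manifest):
    """Compare the received file with the sender's manifest; return issues."""
    issues = []
    count = len(received.strip().splitlines())
    if count != manifest["records"]:
        issues.append(("RECORD_COUNT", f"expected {manifest['records']} got {count}"))
    mac = hmac.new(MANIFEST_KEY, received.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, manifest["mac"]):
        issues.append(("MAC_MISMATCH", mac))
    return issues


def reconcile(old_text, code_map, new_text):
    """Map old balances onto new codes and compare with the new system."""
    issues = []
    expected = {}
    for code, _name, amount in parse_balances(old_text):
        new_code = code_map.get(code)
        if new_code is None:
            issues.append(("UNMAPPED", code, str(amount)))
            continue
        expected[new_code] = expected.get(new_code, Decimal("0")) + amount
    actual = {code: amount for code, _name, amount in parse_balances(new_text)}
    for code in sorted(set(expected) | set(actual)):
        if code not in actual:
            issues.append(("MISSING_IN_NEW", code, str(expected[code])))
        elif code not in expected:
            issues.append(("NOT_FROM_OLD", code, str(actual[code])))
        elif expected[code] != actual[code]:
            issues.append(("MISMATCH", code,
                           f"expected {expected[code]} got {actual[code]}"))
    return issues


if __name__ == "__main__":
    print(verify_transmission(TAMPERED_EXPORT, OLD_MANIFEST))
    print(reconcile(OLD_EXPORT, CODE_MAP, NEW_IMPORT))
```

A record count alone would not have caught the altered balance, since the tampered file still has five lines; the MAC catches it. A plain hash would catch accidental corruption but not deliberate alteration, because whoever changed the file could recompute the hash, which is why the manifest uses a keyed MAC. On the reconciliation side, the unmapped 6101 balance and the 50.00 difference on the new 2000 account are exactly the correspondence problems point (2) warns about, and both need a documented explanation before the conversion can be accepted.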