E.6 Scope and Objectives of Information System Audits

  1. The Practice Review and Internal Audit (PRIA) team can conduct audits of data processing installations and computerized applications. These audits are conducted to evaluate the quality of the controls and safeguards over the assets of the Office of the Auditor General of Canada (Office), the effective use of data processing resources, and adherence to management's policies, and to encourage the design and implementation of adequate controls over computer applications and the computing environments in which they are used.

  2. These are the overall objectives:

    1. Evaluate the adequacy of data processing operations, policies, procedures, and controls.

    2. Promote operational efficiency and effective controls at a reasonable cost, considering the risks involved.

    3. Determine the extent to which the Office’s data processing assets are accounted for and safeguarded from losses of all kinds.

    4. Provide management with recommendations for operating improvements (profit, costs, asset utilization) identified during the course of these audits.

    5. Promote the development of information systems management accountability and self review concepts throughout the Office.

  3. These types of audits are explained more fully below.

    Application Systems Audits

    1. Application systems audits are performed to evaluate the controls and documentation over existing computerized applications. The scope of these audits could include an evaluation of the control procedures, data integrity, user training, segregation of duties, records retention, recoverability, access controls, and systems or user documentation. The major accountabilities included in these audits are: Software Management, Data Access and Recoverability, File Control and Balancing Practices, and Staffing/Training.

    2. The objectives of application systems audits are to identify risks to the integrity and recoverability of the data, the software that has been developed to process the data, the efficient and timely processing of the data, or the timely recognition of incomplete or inaccurate data.

    3. Recommendations from application systems audits might include the need for an additional file control procedure, more timely backup practices, increased data access restrictions, or additional user instructions.

    Systems Development Audits

    1. Systems development audits are performed to evaluate the administrative controls over the authorization, development, and implementation of new computerized applications and review the design of the computerized controls/audit trails over the proposed system.

    2. The scope of these audits could include an evaluation of the administrative controls over the project (e.g. feasibility results, staffing, budgeting, assignment of responsibilities, project plans, status reports, etc.), or an evaluation of the quality of the deliverables from each system development and implementation phase (e.g. an evaluation of the controls design and audit trails, systems test plan and results, user training, systems and program documentation, etc.). The major accountabilities included in these audits are New Systems Development and Installation Projects and Application Change Management.

    3. The objective of a systems development audit is to provide an early identification of those issues that may hinder an on time, within-budget implementation of a computerized system that is controlled, documented, and able to be operated by an adequately trained user community.

    4. Recommendations from systems development audits might include additions to project plans, improvements in file reconciliation and balancing controls, or the need to document test plans and expected test results.

    Other Personal or Departmental Computing Environment Audits

    1. The term "other computing environments" is used to define those areas (away from the traditional computer centre) where a computer is used to store and process data for an individual, group, or department. The significance and level of control of these environments varies depending on the type of data, the impact on the business, the purpose and use of data, etc. Examples of computing environments that might be included in the "other" category are: engineering/scientific computing, personal computing, shop floor/quality data collection, lab test data collection, departmental applications, local area networks, wide area networks, etc.

    2. The scope of these audits could include most of the same topics that would be reviewed in a data centre audit (e.g. the administrative controls over the processing environment, operating personnel, hardware and software management, resource protection, recovery, access controls, and network control).

    3. The objectives of audits of "other" computing environments are to identify risks to the hardware, software, or data and to provide suggestions for reducing these risks in a cost-effective manner.

    4. Recommendations might include improving the data backup practices, segregating duties, documenting processing procedures, establishing program change controls, moving an application to a more controlled computing environment, or complying with software license agreements.

Last modified:
2018-02-22