Information Systems Audit (ISA)

ISTN103 Lecture 2

Lecturer:
Simeon Ambrose Nwone
Email: nwones@ukzn.ac.za
Overview of Lecture 2
• Principles governing audits activities
• Independence - Integrity - Objectivity – Confidentiality - Professional competence - Professional behaviour

• Reasons for a need of an auditor

• Assumptions of Auditing
Principles governing audits activities
• The Code of Ethics for Professional Auditors stipulates fundamental
ethical principles that all auditors are required to comply with, and
which are also considered to be critical security requirements for
protecting information assets. These principles are:
• Independence
• Integrity
• Objectivity
• Professional competence
• Confidentiality
• Professional behaviour
• Independence: an auditor has to be independent of the entity being
audited, otherwise the audit may not be valid.
• Integrity: Honest, straightforward, moral
• Objectivity: impartial, fair, not influenced by prejudice or bias
(independent)
• Professional competence: Maintaining professional knowledge and
skill at the required level and performing work diligently.
• Confidentiality: respecting the confidentiality of clients, i.e., ensuring
the privacy of information.
• Professional behaviour: Comply with laws and regulations and avoid
action that discredits the profession.
Reasons for a need of an auditor
ØAuditing uncovers irregularities and restores business integrity.
Whether a business is manually operated built on paper statements,
invoices and receipts, or computerized, an auditor will manually
perform the calculations used to create reports and compare the
results. In computerized environment, an auditor applies his
computing skill and can detect programming errors.
Auditing exercises unravel fraud. Fraud activities ranged from data-
entry clerks changing check payees to programmers making deliberate
rounding errors designed to accumulate cash balances in hidden bank
accounts. As auditors recognized repeating patterns of fraud, they
recommend a variety of security checks designed to automatically
detect and prevent fraud.
 As computers became widespread and more sophisticated, auditors
recognized that they had less findings related to the correctness of
calculations and more of unauthorized access, thereby raising the
importance of information security controls. Nowadays, information
systems audit seems almost synonymous with information security
control testing.
ØThe split between ownership and management
• The need for modern day auditors arose from the shift from owner-
managed businesses into entities owned by people that employed
managers to manage the business. The owners would require that
the managers report to them at regular intervals on their stewardship
(management) of the owners’ money.
• Appointing an independent auditor came as a solution to business
owners since many of them (providers of finance, who were not
involved in managing the business) had neither the time nor the
expertise to determine whether what they were being told by their
managers was a fair representation of the managers’ stewardship.
Therefore, the external auditor’s task became that of evaluating the
managers’ reports, as well as providing an opinion on truthfulness,
correctness and fairness in presentation of such reports.
• As businesses grew and became more complex, so the
responsibilities on management to run the business efficiently and
effectively, as well as to satisfy shareholders’ expectations became
more tedious. Out of this came the birth of the internal audit,
described above as a mechanism to assist management in meeting its
responsibility of running the business efficiently and effectively.
• The other categories of auditors also developed out of the growth in
business. Government passes laws about protecting the environment,
hence the environmental audit. Businesses suffer fraud, hence the
forensic audit.
ØConfidence in business information and its finances
• Maintaining the confidence of those who invest in business, whether they
are members of the general public or investment companies, requires
assurance that the business reports and financial statements by a
particular organization are reliable and credible. It is the auditor who
provides this assurance (credibility).
• The success of the world’s capital markets hinges on whether investors
are confident that they can rely on business reports and financial
statements to make investment decisions. Auditors (professional
accountants) play a crucial role in inspiring this confidence by expressing
opinions as to the fair presentation of financial information.
ØAccountability
• Though the "auditing" profession has flourished over the years, the
emergence of internal auditing, government auditing, forensic
auditing and environmental auditing have been a major force that
has propelled this growth. The principal reason for this is that the
world at large requires accountability.
• Directors must be held accountable for the way in which they run
their businesses, the government must be held accountable for the
way it spends taxpayers' money, and companies whose activities
affect the environment must be held accountable for the way in
which they adhere to environmental regulation and legislation.
• This has created a need for the auditing profession to provide an
independent service which assesses and evaluates whether directors,
governments, etc. are meeting their responsibilities.
Assumptions of Auditing
Ø Assumption 1: There is a need for an audit
The need for an audit can arise for a number of different reasons-
(i) A relationship of accountability between two or more parties (i.e. that
one party owes a duty of acceptable conduct to another).
(ii) An imposed audit (companies, government and charities have a
responsibility of accountability to shareholders, citizens and the general
public)
(iii) Statutory audits are assurance engagements which must be conducted
because an Act of parliament (statute) requires them, e.g. The
Companies Act currently states that all companies, both private and
public must undergo an annual audit. Most financial institutions e.g.
banks, are regulated by the Financial Institutions Act which also requires
institutions under its regulation to undergo an annual audit.
(iv) Non statutory audits arise out of other obligations or requirements
(not in terms of an Act), or a request from an entity which may require
an assurance engagement.
For example, many partnerships and close corporations build into their
partnership/association agreements that the entity must undergo an
annual audit.
A provider of finance may require that a business entity requiring
finance present audited statements in support of its loan application,
or a regulatory body may require some assurance on one of its
member’s compliance with corporate governance requireements.
(v) A ‘voluntary audit’ (for example, partnerships, companies who
engage environmental auditors.
(vi) A ‘public interest audit’ (for example, academic audits designed to
test the robustness of the systems employed by educational
establishments in delivering services to their students.
ØAssumption 2: The subject matter is too remote, too complex or too
important to accept without an audit.
• Remoteness: those relying on information may not physically be able
to check the validity of the information themselves, perhaps because
they are remote from the company.
• Complexity: the nature of the subject is so complex that it requires
special expertise to investigate. For example, most ordinary
shareholders do not possess sufficient business management
knowledge and accounting skills to conduct the audit themselves.
• Significance: the matter under audit has such economic significance
that an audit is required to lend it credibility.
ØAssumption 3: An audit must be conducted with independence and
without constraints either over conduct or in reporting findings.
• If an audit is to add credibility, then it must be done independently,
without bias or prejudice.
ØAssumption 4: The subject matter of an audit can be verified by
collection of evidence.
• Auditors report the results of their investigations. Without evidence
they have nothing, on which to base their report, to make judgments
or criticisms. An audit is impossible if evidence is not available or
cannot be obtained.
ØAssumption 5: Standards of accountability, performance, etc., can
be set and actual performance can be measured against these
standards.
• Parties to an accountability relationship must agree on what is
acceptable performance. Without this, auditors have nothing to go by.
They cannot set their own standards since these may be rejected by
either party. In company auditing some of these standards have been
set down (by statute or by professional guidance), but grey areas still
remain. What constitutes a ‘true and fair view’? What should auditors
do when they discover a client has committed an illegal act?
ØAssumption 6: The purpose of the audit is sufficiently clear that its
results can be communicated clearly.
• The purpose of an audit is to add value to information. If the nature
or purpose of the information itself is not clear, it cannot be audited.
If the audit findings cannot be communicated effectively then
inevitably the value of the audit will be diminished.
ØAssumption 7: An audit produces an economic or social benefit
• Since audit is a social control mechanism it should only be undertaken
if the benefits outweigh the costs. Auditors are expected to provide
the benefit at minimum cost. In most audit situations the major part
of the work involves the collection of evidence. There is a point at
which the marginal benefit of obtaining additional evidence is
exceeded by the marginal cost. The direct costs of auditing are known
but the benefits are not so easily measured.
Summary
• Code of Ethics for Professional Auditors stipulates fundamental ethical
principles that all auditors are required to comply with, these are;
Independence, Integrity, objectivity, professional competence,
confidentiality, and professional behaviour.
• Reasons for a need of an auditor: auditing uncovers irregularities and
restores business integrity, the split between ownership and management,
Confidence in business information and its finances, and Accountability
• Assumptions of Auditing 1) There is a need for an audit; relationship of
accountability between two or more parties; an imposed audit (companies,
government and charities have a responsibility of accountability); Statutory
audits which ensures that all companies, both private and public must
undergo an annual audit; Non statutory audits e.g. provider of finance may
require a business entity requiring finance to present audited statements in
support of its loan application;
• 2: The subject matter is too remote, too complex or too important to
accept without an audit.
• 3: An audit must be conducted with independence and without constraints
either over conduct or in reporting findings. If an audit is to add credibility,
then it must be done independently, without bias or prejudice
• 4: The subject matter of an audit can be verified by collection of evidence.
Auditors report the results of their investigations. Without evidence they
have nothing, on which to base their report, to make judgments or
criticisms.
• 5: Standards of accountability, performance, etc., can be set and actual
performance can be measured against these standards. Parties to an
accountability relationship must agree on what is acceptable performance.
• 6: The purpose of the audit is sufficiently clear that its results can be
communicated clearly.
END