sion detection systems. Software houses have also developed specialized software which
can be used to extract and interrogate data from different databases such as MS SQL, IBM
DB2, Oracle, and MySQL.
An IS auditor will also come across dedicated tools which are used to extract data from
application systems such as financial or ERP systems. There are free open-source and
commercial versions available on the market. Data can also be extracted from audit trails
or other systems which record user activities on application servers or network operating
systems. Common data extract and analysis tools on the market include ACL, IDEA, and
Excel. There is also a lot of other non-commercial software which can be used.
The purpose of audit software interrogation tools is to extract data so that it can be analysed
and investigated for input and processing errors, data integrity, fraud, and data corruption
among many other reasons. Often IT controls may not be able to identify these errors, and
there is a need to use such software as validation tools.
Data stored on servers and data silos hold a lot of information and can tell a lot of hidden
stories if properly interrogated. It is also the role of the IS auditor to drill down into these
silos and advise management on how business activities are carried out in the enterprise
and whether there are significant issues which need management's attention.
Most applications and operating systems have inbuilt tools which flag errors and other
unauthorised activities in addition to the use of audit trail tools. It is almost unforgivable
in any modern enterprise today to implement an ERP system which does not have an audit
trail unless other measures have been put in place to gather similar data or perform the
same function.
Testing and Evaluation
Once the audit has been completed through structured interviews, use of questionnaires,
observations, walk-throughs, and collection of necessary evidence to support management
attestation, the next activity would be to test the information and evidence collected. Before
the testing is performed, it is important that the IS auditor reviews the documents and
evidence checklist to ensure that all the necessary information has been collected.
Testing involves validating the responses and evidence the IS auditor collected during the
audit. Compliance testing is the easiest as it involves confirming whether the enterprise is
compliant with various IT policies, procedures, regulations, and laws. The process involves
comparing what is expected and what is obtained on the ground. Where the enterprise is
not compliant, the auditor will take up the issue for discussion with management and
possible inclusion in the final report.