IS Audit (Information System Audit) is a systematic process, carried out according to audit standards and procedures,
of obtaining and evaluating objective data on the current state of the IS, studying system events in order to verify
their accuracy and compliance with the requirements, and delivering the audit results to the customer.
Will an audit assessment provided by well-known companies such as PricewaterhouseCoopers, Ernst & Young, Deloitte & Touche
etc. be sufficient? These companies perform a comprehensive audit but concentrate on financial audit. The information
technology audit is carried out rather formally, and the specialists employed for this work are mostly foreign
(Russian) employees who do not know Ukrainian legislation.
For a long period of time IS Audit was considered a separate, independent service. Big and midsize audit companies
have established IS audit associations, which create and maintain the IT audit standards. As a rule, these standards are private.
Such an approach is contrary to one of the main rules of audit: the audit results should be objective and independent, and
they should be repeatable and reproducible by any auditor, including an external auditor that uses the same audit plan.
Unlike corporate audit standards, there are open IS standards, which are maintained by ISACA (Information Systems Audit
and Control Association).
ISACA was established in 1969 and now it unites over 35,000 members from over 100 countries, including Ukraine. ISACA
coordinates the activity of over 12,000 IS auditors.
The main aim of the association is the investigation, development, publication and dissemination of knowledge and experience in
the areas of audit and IS governance, a standardized set of documents on IT governance, and their use by IS
administrators and auditors.
In order to help professional auditors, managers, administrators and all users, ISACA and specialists invited
from well-known consulting companies have developed the CoBiT standard (Control Objectives for Information and
related Technology).
CoBiT is an open standard. First published in 1996, it made professional auditors' work with IT easier. The standard
is a way to bridge the communication gap between IT functions, the business and auditors, and to unite many other
standards and criteria into a unified resource, which gives an idea of the tasks and aims of the IS and allows
managing them at an up-to-date level. CoBiT takes into account practically all features of an IS of any complexity and
CoBiT is based on the ISACA audit standards and also includes other international standards, taking into account
earlier approved standards and other regulations:
IS criteria and process descriptions;
requirements and recommendations;
bank service requirements, electronic commerce systems and production requirements.
Main functions of the IS audit:
analysis of the business processes, IS technologies and structures, and their risks;
correspondence of the institution's risk management policy with the existing risks;
effectiveness of the risk monitoring system and the risk control system;
independent evaluation of risks and an unbiased check of the risk self-assessment results produced by the business
identification of potential problems and risks;
independent audit of problem situations and the effectiveness of resolving them;
monitoring, reporting and control analysis aimed at improving the existing risk management practice;
analysis and provision to the company of a complete profile of the risks and conclusions on the risk management
strategies, procedures and methods.
Risk-based audit considers existing and potential risks. One of the most significant groups of risks is termed
"operational risk", which has the following definition: "the risk of loss resulting from inadequate or failed
internal processes, systems or people's operations, or from external actions". The audit deals with the following risks:
Operational risk (security risks; system design, implementation and maintenance risks; end user risks etc.);
Legislative risk (doubtful or ambiguous application of laws and regulations; providing the client with inadequate
information; errors in or repudiation of the client's confidentiality protection; operating under a foreign jurisdiction);
Reputation risk (significant faults of the system; significant security violations; problems with the incorrect usage of
the same or similar systems or products by others);
System risk, and other risks.
Independent risk analysis by the auditors should include:
evaluation of the company's practice in identifying and evaluating the risks, and responsibility for each risk according
to its profile;
efficiency of the risk management and its elements;
monitoring and reporting systems, including data on operational expenses and other indicators of the potential
security control, examination and checkup processes that ensure the integrity of the risk management process and control;
efficiency of consequence minimization in the case of risk events, identifying the reasons for inefficiency.
Actions of auditors who are ISACA members are also regulated by the ISACA Code of Professional Ethics.
Additionally, the IS Audit helps to resolve the following questions:
Establishing the procedure for decision making in IS (strategic plan for the company's development, the role of IS in this
plan, forecasting problem situations);
Does the IS correspond to the aims and tasks of the bank? How to optimize the investments in IS?
What is happening inside this "black box", the IS organization?
IS operating errors: how to identify and localize the errors and minimize the losses?
How are the questions of IS security resolved? Are the security measures sufficient?
How to evaluate the work of contracting organizations in the field of IS? Are there any weak points?
Is it necessary to upgrade the hardware and software?
Why is there a constant purchase of additional equipment and/or software?
The employees of IT companies are constantly developing their professionalism; is it so vital, and what exactly should
What should be done in case of force majeure? What are the possible losses?
What are the risks concerning confidential information in the IS organization? How to minimize these risks?
How to use the IS optimally for business development?
The aforesaid questions should be studied taking the risks into account.
At this moment the company "AMB" group employs 8 ISACA members, and 4 of these employees have more than 10 years
of experience in the field of bank systems information security. We also cooperate with ISACA members from other
organizations in Ukraine in the field of professional audit. "AMB" group offers its services to all
organizations interested in high-quality IS audit and/or training (further professional development) of their own
internal audit specialists.