System Audit Basics (Understand The System Auditing Process)

What are the information systems audit basics you should know about?

How do you conduct a system audit?

In this article, we will break down the notion of system audit so you know all there is to know about it.

Ready?

Let’s dive in.

System audit definition

A system audit is an independent and systematic examination of the management controls within an information technology infrastructure.

A system audit is the verification of a company’s IT activities and the verification of the results needed to achieve the intended results.

ISO 19011:2018 defines an audit as:

“systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.”

Another way of looking at a system audit is to independently examine the proper functioning of systems against defined audit criteria.

Importance of system audit

A system audit is important as it allows a company to review the performance of its operational systems.

By performing a system audit, companies can:

Evaluate the actual performance of their operations compared to what was planned
Validate that the objectives pursued by the organization remain relevant
Validate whether or not the company is achieving those objectives
Ensure that the systems used are reliable
Review system records to ensure systems operate based on specifications
Identify vulnerabilities and risks
Allow a company to define a mitigation plan to better achieve its objectives
Monitor its operational systems to ensure they meet the objectives on an ongoing basis

Scope of a system audit

The scope of a system audit can be considered as the normal achievement of the results expected depending on the objectives.

For example, if the scope of the audit is to evaluate the correct calculation of a system, then the audit objective will be to assess if the calculations produce the normal and expected results.

Any deviation from what’s normal will result in an audit finding.

Another example is an audit focusing on data privacy and data protection.

The scope of that audit should be how the company’s systems provide for access restriction, database management, the confidentiality of systems, encryption process and so on.

The normal achievement of the objective is for personal data to be safe and secure.

Any deviations from what’s normally expected will result in an audit finding.

Types of system audit

To better understand the systems audit, let’s look at the type of audits that may be possible.

You can have the following type of systems audit:

Adequacy audit
Compliance audit
Internal audit
External audit
Extrinsic audit
Process audit

An adequacy audit to evaluate a system and assess whether it meets the system requirements and specifications.

A compliance audit is to evaluate how a system is implemented within an organization to comply with certain standards.

The standards can be statutory, regulatory or industry standards, for instance.

An internal audit is carried out by the internal stakeholders within an organization to validate whether or not its systems are properly functioning, effective and achieving their objective.

An internal audit can be performed for any objective important for an organization based on its needs and realities.

This type of audit is referred to as a first-party audit.

An external audit is when the audit is carried out by an outside and independent organization.

The external audit is also called the second-party audit.

An extrinsic audit is when the audit is carried out by an accredited third party.

The extrinsic audit is also called the third-party audit.

A process audit is an audit of company processes as a whole in light of the objectives pursued.

System audit process

A system audit process can be in the following phases:

Audit initiation
Audit preparation
Audit execution
Audit report
Audit closure and follow-up

Let’s look at each of the system audit process phases.

Audit initiation

Audit initiation is the start of the system audit process.

During the audit initiation, the auditor and the client will determine the scope and frequency of the audit.

When deciding on the scope, importance is given to the client’s needs, requirements, objectives and timeline.

A client may want to audit the processes in a specific department to achieve the desired objective.

The frequency of the audit can depend on either the client’s needs but also any regulatory requirements.

If a company is required to perform a systems audit on a yearly basis, that frequency will is expected to be met every year.

The client can choose to do audits at more regular intervals, which will then depend on the client’s needs.

Audit preparation

The audit preparation is when the auditor starts the review of the auditing procedure of the system.

In the preparation phase, the goal is to define an audit plan that typically includes:

Scope of the audit
Individuals involved in the audit process
System standards
Logistics of the audit
Duration of the audit process
Meeting schedules
Expected completion date

Audit execution

The audit execution is the actual process of performing the system audit.

During the audit execution process, the auditor will look at the specifics of the company systems, how they operate, identify what is compliant and what may not be compliant, get clarification from the client and so on.

The audit should cover the entire scope of what was agreed upon.

Any nonconformity must be identified in an independent and objective way.

Audit report

The final phase of the system audit process is the issuance of the audit report.

The auditor’s responsibility is to ensure a report is produced providing an independent evaluation of the audited systems.

The report should be factual and present any discrepancies found along with objective evidence to that effect.

The auditor will also provide his or her judgment as to the company’s compliance with the system standards against which the audit was conducted.

Audit closure and follow-up

According to ISO 19011, an audit is closed when:

“The audit is completed when all the planned audit activities have been carried out, or otherwise agreed with the audit client.”

Once all the audit activities have been carried out, we have reached the end of the audit process.

How to conduct a system audit

Most often, system audits are carried out by IT professionals who are familiar with various information systems and can understand how they are interrelated.

Conducting a system audit requires that organizations audit their system hardware, software, data, material and applications.

A system audit is conducted in the following way:

System review
Vulnerability assessment
Threat identification
Internal controls
Testing

System review

The first step is a systems review.

In this step, the goal is to understand the IT infrastructure, the different layers, the management practices and system integration.

Vulnerability assessment

Next is the verification of each application used by the organization and identify which ones are the most vulnerable.

A company cannot eliminate 100% of its vulnerabilities.

However, if the vulnerable systems are systematically identified and appropriate controls are implemented, a company can ensure it remains in conformity with the intended standards.

Threat identification

The next step is to define the possible threats to the organization.

Companies face the threat of external actors such as hackers, cybercriminals and external threats.

The external actors can also include a company’s vendors, suppliers and service providers.

They also face internal threats from their own users, programmers, system analysts and so on.

Internal controls

In evaluating the internal controls, a company is evaluating the effectiveness of its internal controls against the standards or threats.

If the internal controls do not work as they are intended, the company will need to implement the proper checks and balances to ensure it achieves its objectives.

Testing

The final step is to test and evaluate the various elements of the management system to ensure they meet their objectives and comply with the standards.

Different tests can be carried to identify systems that do not work as intended or produce the needed results.

System audit report

The system audit report represents the auditor’s faithful assessment of the company’s systems and whether or not the systems work as intended in light of the standards or defined objectives.

Audit fieldwork

An audit fieldwork is the process where the auditor identifies the processes, systems and technologies expected based on the defined control activities.

An auditor’s job is to consider the standards or audit objectives and identify the systems and processes implemented by the company to achieve the needed results.

Compensating controls

In some cases, the auditors will find the specific processes or technologies needed to achieve the control objective.

In some other cases, they do not find what they are looking to find.

If that happens, a company can point the auditor to other controls or other systems that they use to achieve the same result.

This is referred to as compensating controls.

A compensating control is a new system or process found by the auditor that compensates for the absence of the controls they were originally looking to find.

Audit findings

If the auditor looking for a system control objective and is unable to identify a compensating control or cannot find evidence to support the existence of the control, it will issue a “finding”.

A documented finding provides for a factual description of what control objective was evaluated by the auditor.

When there is an audit finding, the auditor will provide for the reasons it believes that the condition impairs the management’s ability to achieve the control objectives, what is the potential root cause, what can be the risk and what must be done.

Auditors must stay objective when issuing a finding.

Auditor’s report

At the end of the audit process, the auditor will issue its audit assessment report.

The audit report is the overall assessment of the auditor of a company’s management system and compliance with the standards or objectives.

Generally, the auditor will outline the audit objectives and describe the methodology used to issue the report.

The auditor will also outline any possible findings it has identified along with possible recommendations on what the organization should do to remedy the finding.

Remediation

Generally, following the issuance of the systems audit report, a company should consider remediating any deviations or discrepancies discovered by the auditor.

Prepare a remediation plan and executing the plan to eliminate the root cause of what triggered a “finding” is crucial.

Frequently asked questions

In this section, we will look at a few questions frequently asked about system audits.

What are the three types of audits?

Generally, there are three types of audits:

Process audit
Product audit
System audit

A process audit is intended to evaluate and audit the processes to ensure they are working as intended.

A product audit is the evaluation of a specific product or a service against the required specifications or performance standards.

A system audit is an audit on a management system to validate whether or not the elements of the system are effective and properly implemented to meet the objectives or standards.

What is a system-based audit?

According to the Oxford Reference, a system-based audit is:

“An approach to auditing based on the concept that by studying and assessing the internal control system of an organization an auditor can form an opinion of the quality of the (…) system, which will determine the level of substantive tests needed to be carried out”

This is a type of audit where the auditor’s focus is the internal control system of the organization as a base to determine the type of tests and verifications needed to be carried out.

A system-based audit as opposed to a risk-based audit approach the considers risk factors and evaluates the internal controls systems based on those risks.

What is the difference between a system audit and process audit?

A system is a coherent unification of activities, methods, equipment, systems, information or measures.

An audit to verify the conformity of a management system is typically called a system audit.

It’s the audit of how the systems interrelate and interact to achieve specific and defined objectives.

On the other hand, a process is a sequential series of steps that lead to a change.

Companies are able to achieve a result or perform a change through the implementation of processes.

A process audit allows a company to identify inefficiencies and achieve improvements beyond the limited control elements defined in a particular standard.

While a system audit considers the rules and then validates the interrelation of the systems against those rules, the process audit looks at the process and determines if the end result meets the rules.

A system audit can reveal conformity or nonconformity while a process audit can reveal inefficiencies and areas of improvement.

What is a process audit?

A process audit is a verification of a company’s processes implemented to achieve a result.

A process audit is aimed at identifying inefficiencies while a system audit is aimed at identifying nonconformance.

For example, a system can produce the right output when given a specific output.

That’s a system audit.

A process audit is to look at a company’s operations, activities, resources, individual and system behaviour and the use of technology and systems to achieve an end result.

The process audit will look at the organizational process and determine whether it is managed properly and the activities are organized in the most efficient way to achieve the needed result.

What are the system audit objectives

System audits are carried out for many objectives.

The following represents a few objectives pursued by organizations:

To ensure that a company’s systems operate in accordance with system standards
To assess whether or not the company’s systems are in conformity with the system standards
The evaluate the effectiveness of the company’s systems to achieve its objectives
Allow for system improvement opportunities
Comply with statutory and regulatory requirements

Useful terminology

In the context of an audit process, there are some terms and terminology worth reviewing.

Here is a brief description of terms you may come across:

Effectiveness
Findings
Noncompliance
Noncomfornace

Effectiveness refers to how well the systems are working based on objective evidence and in light of defined standards.

A “finding” refers to an issue discovered by the auditors during the system audit requiring remediation or resolutions.

A finding can be critical where there appears to be evidence that the systems are significantly deviating from standards or the system is not functional.

A finding can be minor as well.

That’s when there is a problem that needs to be attended to or perhaps there is an area of improvement.

Noncompliance is when there appears to be objective evidence that a company is not complying with a statute, regulation or standard and where such compliance is mandatory.

Nonconformance is when there is evidence to show that a process or system does not conform to what’s required or the supporting documentation.

Takeaways