What is Information Systems (IS) Audit?

IS audit is a systematic process of objectively obtaining and evaluating evidence/information regarding the proper implementation, operation and control of information and the Information System resources.

Information systems are like a heart of an organization. The success of the organization is now majorly dependent upon its methodologies and their processes which can provide maximum competitive advantages in today’s competitive environment.

Why IS Audit?

The deployment of Information Technology in Broking institutions, both in the front and back office operations, has facilitated greater systemic efficiency in the Broking sector. It has, at the same time, introduced new areas of risk. Risk is inherent in the traditional activities. However, risk in a computerized and networked environment is multifarious such as operational risk, reputational risk, legal risk, credit risk, liquidity risk, etc. Let us have a look at few of them –

• Operational risk arises out of the problems concerning the reliability and integrity of the Information Systems. The extent of such risks depends on the security features, design and implementation of security policies and procedures, adopted in an electronic banking system. Network security, database security, data integrity, appropriateness of the security policies and practices and the likely misuse of the information and information resources by the employees, customers and third parties are some of the factors, which require to be addressed for risk measurement in a computerized and networked environment.
• Reputational risk is very closely intertwined with the other kinds of risks. Failures, frauds, lack of proper delivery or non-delivery of information to customers, monetary loss to customers, lack of personal touch and litigation are some of the factors which cause loss of reputation to an organization. Lack of reputation is a very serious problem for any business and the broking institution is no exception. Lack of reputation is usually due to serious security loopholes and lapses in the information systems, lack of fast and efficient delivery channels for services. The occurrence of external and internal attacks on an organization’s information and Information Systems may cause serious damage to public confidence in the organization.
• Legal risk emanates from various factors such as the lack of adequate legal framework, inappropriate, ineffective, irrelevant and inapplicable Information Technology Act, inappropriate customer secrecy obligations on the part of the institutions, inadequate privacy policy for the customers, Certification Authority risk, etc.

Here in such scenarios, Audit is one of the major controls for monitoring management activities. In a computerized environment, IS audit is a very effective and necessary activity. Hence IS audit will require to be done by a team of specially trained internal or external auditors. However, it is preferable to have the IS audit conducted with the help of suitable external agencies with the required skills and expertise to ensure independent nature of audit.

In case of development and deployment of the IT systems by third parties, the IS audit requires to be conducted by trusted auditor/s with skills and expertise, required for the purpose. IS audit assumes greater significance because a large number of critical and strategic financial operations in the broking & financial sector are wholly or partly being handled by the computerized systems.

Both the major exchange houses BSE & NSE made IS Audit mandatory and the last date for submitting the IS Audit report is 31^st July each year.