Regulation 17 — REGULATIONS_AUDIT
Original Rule Text
Key aspects of IT systems that are important from an audit perspective include:
(i) IT governance and management, which is the overall framework that guides IT operations in an organization to ensure that it meets the needs of the entity today and that it incorporates plans for future needs and growth.
(ii) Control criteria or attributes applicable to information, namely, effectiveness, efficiency, confidentiality, integrity, non-repudiability, availability, compliance and reliability.
(iii) IT resources or assets, which can be categorized into IT applications, information, infrastructure and people
(iv) Controls, which are the policies, procedures, practices and organisational structures designed to provide reasonable assurance that organisational/ business objectives will be achieved and undesired events will be prevented or detected and corrected. Controls may be either manual or programmed/ automated. Controls can be categorized as general controls, which are controls which relate to the environment within which computer-based application systems are developed, maintained and operated, and application controls, which are specific controls unique to each computerised application.
(v) Information security, which is the protection of information and system resources with regard to confidentiality, integrity, nonrepudiability and availability. As the potential, complexity and role of information technologies grow, information security becomes an increasingly important topic of audits of IT systems.
17. Audit of IT Systems (1) Audit of IT systems is the process of deriving assurance on whether the development, implementation and maintenance of IT systems meets organizational goals, safeguards information assets and maintains data integrity. In other words, it is an examination of the implementation of IT systems and IT controls to ensure that the systems meet the organisation’s business needs without compromising security, privacy, cost, and other critical business elements. It crucially also determines areas such as whether, and to what extent, the data can be relied upon as a single source of truth, for purposes of audit.
(vi) End-to-end processes for managing IT could be categorized into the domains of planning and organization; acquisition and implementation; delivery and support; and monitoring and evaluation of information systems and services. (3) Aspects that may be covered as part of the audit scope could illustratively include:
(i) IT governance and management and planning for IT systems;
(ii) Acquisition, development and implementation of an IT system;
(iii) Application controls for an IT system;
(iv) Operations and maintenance (including change management) of an existing IT system;
(v) IT outsourcing (including addressing vendor lock-in and exit management);
(vi) Information security and risk management for IT systems;
(vii) Disaster recovery and business continuity planning for IT systems; (4) Audit may examine IT systems at various stages of the IT systems lifecycle for various validations, such as planning and feasibility study; requirements specification; procurement and contracting; design and development; testing and implementation; operations & maintenance etc. This may also include audit of an IT system which is under development or implementation. (5) Substantive testing of controls in an IT system (to derive assurance about their adequacy and effectiveness) may be undertaken using a combination of IT tools for inquiry, extraction and data analysis/ analytics, and detailed scrutiny of supporting documentation and records (electronic and manual). (6) An auditable entity is required to maintain complete documentation related to all stages (planning, acquisition, design, development and implementation, delivery and support, monitoring and evaluation) of an IT system. It is also required to document all changes made in its IT systems. Their absence in part or full, is to be reported by audit, along with the implications.
(7) The auditable entity is required to ensure that all requirements for the purpose of facilitation of audit are incorporated in the IT system, and audit of IT systems should comment on the absence/shortcomings in this regard, if any. (8) Audit may, at periodic intervals, call for information from the auditable entity about various IT systems or platforms (including mobile apps etc.) in use or being developed and the auditable entity shall provide the requisite details. (9) Depending on Audit’s risk assessment and prioritization, Audit of IT system
(s) would be necessary, when it is a newly implemented system or it has been subject to significant changes since the last audit so as to establish the integrity, non-repudiability and reliability of data.