Regulation 17
Original Rule Text
# 17. Audit of IT Systems
Regulations on Audit and Accounts 2020 14
(1) Audit of IT systems is the process of deriving assurance on whether the development, implementation and maintenance of IT systems meets organizational goals, safeguards information assets and maintains data integrity. In other words, it is an examination of the implementation of IT systems and IT controls to ensure that the systems meet the organisation’s business needs without compromising security, privacy, cost, and other critical business elements. It crucially also determines areas such as whether, and to what extent, the data can be relied upon as a single source of truth, for purposes of audit.
Key aspects of IT systems that are important from an audit perspective include:
(i) IT governance and management, which is the overall framework that guides IT operations in an organization to ensure that it meets the needs of the entity today and that it incorporates plans for future needs and growth.
(ii) Control criteria or attributes applicable to information, namely, effectiveness, efficiency, confidentiality, integrity, non-repudiability, availability, compliance and reliability.
(iii) IT resources or assets, which can be categorized into IT applications, information, infrastructure and people.
(iv) Controls, which are the policies, procedures, practices and organisational structures designed to provide reasonable assurance that organisational/business objectives will be achieved and undesired events will be prevented or detected and corrected. Controls may be either manual or programmed/automated. Controls can be categorized as general controls, which are controls which relate to the environment within which computer-based application systems are developed, maintained and operated, and application controls, which are specific controls unique to each computerised application.
(v) Information security, which is the protection of information and system resources with regard to confidentiality, integrity, non-repudiability and availability. As the potential, complexity and role of information technologies grow, information security becomes an increasingly important topic of audits of IT systems.
(vi) End-to-end processes for managing IT could be categorized into the domains of planning and organization; acquisition and implementation; delivery and support; and monitoring and evaluation of information systems and services.
(3) Aspects that may be covered as part of the audit scope could illustratively include:
(i) IT governance and management and planning for IT systems;
(ii) Acquisition, development and implementation of an IT system;
(iii) Application controls for an IT system;
(iv) Operations and maintenance (including change management) of an existing IT system;
(v) IT outsourcing (including addressing vendor lock-in and exit management);
(vi) Information security and risk management for IT systems;
(vii) Disaster recovery and business continuity planning for IT systems.
(4) Audit may examine IT systems at various stages of the IT systems lifecycle for various validations, such as planning and feasibility study; requirements specification; procurement and contracting; design and development; testing and implementation; operations and maintenance, etc. This may also include audit of an IT system which is under development or implementation.
(5) Substantive testing of controls in an IT system (to derive assurance about their adequacy and effectiveness) may be undertaken using a combination of IT tools for inquiry, extraction and data analysis/analytics, and detailed scrutiny of supporting documentation and records (electronic and manual).
(6) An auditable entity is required to maintain complete documentation related to all stages (planning, acquisition, design, development and implementation, delivery and support, monitoring and evaluation) of an IT system. It is also required to document all changes made in its IT systems. Their absence, in part or full, is to be reported by audit, along with the implications.
(7) The auditable entity is required to ensure that all requirements for the purpose of facilitation of audit are incorporated in the IT system, and audit of IT systems should comment on the absence/shortcomings in this regard, if any.
(8) Audit may, at periodic intervals, call for information from the auditable entity about various IT systems or platforms (including mobile apps etc.) in use or being developed, and the auditable entity shall provide the requisite details.
(9) Depending on Audit’s risk assessment and prioritization, audit of IT system(s) would be necessary when it is a newly implemented system or it has been subject to significant changes since the last audit, so as to establish the integrity, non-repudiability and reliability of data.
What This Means
This regulation provides a comprehensive framework for auditing IT systems. An IT audit examines whether IT systems meet organizational goals, safeguard information assets, and maintain data integrity. Key audit areas include IT governance, control criteria (effectiveness, efficiency, confidentiality, integrity, availability), IT resources, controls (general and application), and information security. The audit may cover IT planning, system acquisition and development, application controls, operations and maintenance, outsourcing, security, and disaster recovery. Auditors can use IT tools for testing and data analytics. The auditable entity must maintain complete documentation of all IT system stages and ensure audit requirements are incorporated into IT systems.
This explanation was generated with AI assistance for educational purposes. Always refer to the official gazette notification for authoritative text.
Key Points
1. IT audit examines whether IT systems meet organizational goals and safeguard data
2. Key areas: IT governance, controls, information security, and data reliability
3. Controls are categorized as general controls and application controls
4. Audit may examine IT systems at any stage of the lifecycle — from planning to operations
5. The entity must maintain complete documentation for all IT system stages
6. Audit requirements must be incorporated into IT systems by design
7. Audit can periodically request information about all IT systems in use or under development
Practical Example
The AG (Audit) conducts an IT audit of the GST Network (GSTN). The audit covers: (1) IT governance — whether GSTN's IT strategy aligns with its mandate; (2) application controls — whether the return filing module correctly validates input data and prevents duplicate filings; (3) information security — whether taxpayer data is protected with encryption and access controls; (4) change management — whether modifications to tax rate tables follow a proper approval process; (5) disaster recovery — whether GSTN can recover operations within acceptable timeframes. The auditors use data analytics to test millions of transactions for anomalies. They also flag that GSTN's latest mobile app update was not documented as required.
Frequently Asked Questions
What is the difference between general controls and application controls?
Can audit demand that its requirements be built into new IT systems?
What triggers an IT audit of a specific system?