On the difference and connection between information system audit and traditional audit
The rapid development of science and technology has had a great impact on the economic management activities of the whole society. Information system audit builds on the financial audit and management audit of traditional audit, and is a product of the penetration of science and technology into economic management. However, so far, information system audit is in essence not a third audit branch independent of financial audit and management audit, but a form of audit. The reason is that the complexity of the network environment, the complexity of actual operation and the degree of integration with traditional audit all restrict the development of information system audit. This paper aims to combine them organically through comparison, so as to improve the quality of information system audit, expand the depth and breadth of application of information system audit technology and methods in enterprise audit, and promote their application in enterprise audit.
First, information system audit is consistent with traditional audit in many aspects.
(1) The information system audit system is basically consistent with the traditional audit system
The traditional auditing system is logically structured: "Basic Principles-Detailed Principles-Practice Guide" is a logical rule from general to detailed, and is the common structure of professional norms and standards such as accounting principles and certified public accountants' authentication business principles. This makes it convenient to find the corresponding principle clauses in the detailed work after the audit, and so facilitates the audit work. The principle framework of "norm-guide-procedure" expressed by information system audit is literally not much different from the traditional audit system. Its norms reflect the outline of the information system category, the guide is a detailed specification, and the procedures are working standards; these correspond one to one to the three levels of the traditional audit system.
(2) Information system audit and traditional audit are basically the same in basic concepts and procedures
The basic concepts of traditional auditing, such as "independence and objectivity" and "authority and impartiality", are well reflected in information system auditing. The information system audit is independent of the information system itself and of its developers and users, and information system auditors independently exercise their audit monitoring rights by adopting objective norms according to legal rules, which is exactly the same as the "independence and objectivity" of the audit. At the same time, the International Information System Audit and Control Association (ISACA) has made clear provisions on the implementation of the audit system, the establishment of audit institutions, and the status and rights of audit institutions, so that audit institutions have legal authority, which complements their fairness.
Secondly, there are two innovations in the details of information system audit.
(1) Software testing method and electronic evidence collection method for information system audit
Audit methods run through the whole audit process, not just a certain audit stage or a certain link. With the enrichment and development of information system audit theory, information system audit not only uses traditional audit methods, but also draws on a large number of computer science methods for its own use. Among them, the "software testing method" is one of the important methods of information system audit, and the classic testing methods are black box testing and white box testing. In addition, some accounting data and other information can only exist in electronic form, or can only be obtained at a certain time or during a certain period. In information system audit, it is extremely important to obtain these electronic data. It is necessary to ensure that information system auditors dig out and collect sufficient and reliable electronic evidence and finally generate audit reports.
(2) Security audit
In traditional audit, the security of the audited object is rarely touched, but the security of information is related to the survival and development of enterprises and is an important guarantee for their sustainable development. In information system audit, detailed standards are formulated for security audit. The main purpose of security audit is to check the security risks of enterprise information systems and electronic data. It is difficult for an information system with security risks to provide authentic and reliable information for auditors, so security audit is also the premise of authenticity audit.
Third, to improve the IT audit system, we should also draw on traditional audit.
(1) Draw on performance audit in traditional audit to enhance its theoretical feasibility
Traditional auditing aims at the authenticity, legality and effectiveness of auditing. In order to meet the needs of establishing a market economy, before 2001, audit institutions mainly engaged in authenticity and legality audit. In the early 1990s, audit institutions began to extend the audit to check the internal control and economic benefits of state-owned enterprises, and the importance of performance audit gradually became prominent. ② It is difficult for IT performance audit to accurately evaluate the effect of such a comprehensive information system project because of its complex functions, huge structure and long cycle. How to improve the theoretical feasibility of information system performance audit is an important topic before us.
Information system performance audit should fully draw on the characteristics of economy, effectiveness and efficiency in traditional performance audit, and be carried out around these "three characteristics". In the aspect of "economy", in order to obtain a certain quantity and quality of output with the lowest resource consumption, we can improve its saving level through various improvements. For example, the ERP system developed by Gartner Group Inc in the United States has a good level of automation, which improves the scientificity and feasibility of information system performance audit and prevents unnecessary expenses. In the aspect of "effectiveness", we strive to complete the dynamic performance monitoring of information system projects, provide rich management information for enterprises, play a role in the process of enterprise management and decision-making, dynamically monitor the changes of management performance, and respond to and correct problems in time. In terms of "efficiency", improving the efficiency of integrated management of enterprise logistics, capital flow and information flow and being good at managing information systems are the most important aspects of IT performance audit.
(2) Draw on the risk management of traditional auditing and let it play its restrictive role
"Basic Standards for Enterprise Internal Control" lists "independent innovation elements such as R&D, technology investment and information technology application" as one of the six elements that enterprises should pay attention to when identifying internal risks. (3) The risks, benefits and opportunities that accompany information systems make information system risk management an important part of enterprise management, and also a part that needs to be improved in information system audit.
The process of risk assessment, control and prevention in enterprise risk management is drawn from traditional audit and combined with the characteristics of IT risk management, such as environmental particularity, program complexity and data diversity. Risk management in information system audit should be carried out according to the process of "identifying information assets-quantifying and describing threats-evaluating defects-improving control gaps-managing residual risks". First, determine the business functions of the organization and confirm the information sensitivity of each process. Then, determine the existing control measures of each component of the process, and classify the control gaps according to their importance. Finally, through the selection of risk level, cost and effectiveness, establish the risk baseline, so that the risk can be re-evaluated regularly in the future.
Fourth, summary.
Through the comparative study of information system audit and traditional audit, we find that traditional audit and information system audit are harmonious in basic content, procedure and architecture. The software testing method and electronic forensics method of information system audit are more convenient and advanced than traditional audit.