An information system (IS) audit or information technology (IT) audit is an examination of the controls within an entity’s Information technology infrastructure. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. It is the process of collecting and evaluating evidence of an organization’s information systems, practices, and operations. Obtained evidence evaluation can ensure whether the organization’s information systems safeguard assets, maintains data integrity, and are operating effectively and efficiently to achieve the organization’s goals or objectives.
An IS audit is not entirely similar to a financial statement audit. An IS audit, on the other hand, tends to focus on determining risks that are relevant to information assets, and in assessing controls in order to reduce or mitigate these risks. An IT audit may take the form of a “general control review” or a “specific control review”. Regarding the protection of information assets, one purpose of an IS audit is to review and evaluate an organization’s information system’s availability, confidentiality, and integrity by answering the following questions:
- Will the organization’s computerized systems be available for the business at all times when required? (Availability)
- Will the information in the systems be disclosed only to authorize users? (Confidentiality)
- Will the information provided by the system always be accurate, reliable, and timely? (Integrity).