Banks, corporate houses and government offices, among other organizations, are undergoing Information Systems Audit (IS Audit) in Nepal, which is a good sign that our society is moving towards information management and data security. But many are still unaware of the idea and, evidently, fail to understand why they need it.
What is ‘IS Audit’?
IS Audit deals largely with the monitoring of information flow and advocates its management within an organization. All sources of information, ranging from written to digital and even the information that can be acquired from human resources, are under the audit’s scrutiny. Monitoring of company policy and procedures, as well as checking the efficiency and capability of the company’s HR regarding information management, also falls under IS Audit. Furthermore, IS Audit helps to explore information upgrade and identify the possibility of information manipulation.
Software/Application Audit, Database Audit, Policy Audit and PKI Audit are some of the basic forms of IS audit that are in practice now.
Real time encounter
Over time, we have come across organizations that lack proper strategies, policies, procedures and monitoring systems. Also, there are organizations with big IT infrastructure, but not enough skilled manpower to handle and maintain the resources.
We have also come across banking organizations that have had their core banking system compromised. Other times, we have seen a fully compromised network system that puts the whole organization under threat.
Another organization had 14 of its firewall systems compromised, which was a serious issue, but the organization was not entirely aware of its consequences. Apart from that, we have also seen compromised systems in organizations dealing with payment gateways, mobile wallets, share market, e-ticketing, and even in personal mails through social engineering.
It is commonly believed that IS Audit is required only when an organization faces a crisis; on many other occasions, organizations choose to conduct IS Audit only when regulatory bodies force them to. They are not aware that every bit of information needs to be protected equally. Another misconception is that once an organization has conducted an IS Audit, it is secure from all types of vulnerabilities or cyber-crimes in future.
IS Audit is often confused with Information Technology (IT) Audit, but IT Audit is only a part of IS Audit. IT Audit deals with digital information and evaluates the technological policies, operators, operations and infrastructure of an organization, whereas IS Audit checks information at each level of governance in an organization.
Why is it important?
Companies, whether small or big, deal with an array of information for their short- or even long-term planning and proposition. A company needs to conduct IS Audit in order to ensure six main aspects of the information: Confidentiality, Integrity, Availability, Authenticity, Authority and Non-Repudiation.
As no information is 100 percent secure, IS Audit encourages the organization to set up an information recovery system by understanding the business requirements and size of the organization, among others. It also checks the information recovery system and its processes for business continuity. A recovery system is essential when a crisis strikes, putting the company at risk.
So, auditing the system will familiarize any organization with the gap between its current information architecture and handling mechanism and the desired state. It helps to plot what changes should be made, be it in the process or plans and policies, for better information management, and also plots a responsibility matrix to ease the fixing of audit findings.
So, IS Audit can result in a better and healthier organization that has a proper strategy on plans, policies and procedures, coupled with skilled human resources and supportive technology. Even if your organization is not in a vulnerable spot, an audit will familiarize you with the parts where you are lacking.
Don’t hesitate to take that advice and don’t ever wait for a crisis to hit you. Keep ‘IS Auditing’ as your annual priority and stay informed about how data and information are being regulated throughout your organization.
The writer is the founder/director of Eminence Ways.