Answer
Auditors involved in reviewing an information system should focus their concerns on the system's control aspects. They must look at the total systems environment, not only the computerized segment. This requires their involvement from the time that a transaction is initiated until it is posted to the organization's general ledger. Specifically, auditors must ensure that provisions are made for:
An adequate audit trail so that transactions can be traced forward and backward through the system.
Controls over the accounting for all data entered into the system and controls to ensure the integrity of these transactions throughout the computerized segment of the system.
Handling exceptions to and rejections from the computer system.
Testing to determine whether the system performs as stated.
Controls over changes to the computer system to determine whether the proper authorization has been given.
Authorization procedures for system overrides.
Determining whether organization and government policies and procedures are adhered to in system implementation.
Training user personnel in the operation of the system.
Adequate controls between interconnected computer systems.
Adequate security procedures to protect the user's data.
Backup and recovery procedures for the operation of the system.
Ensuring that technologies provided by different vendors are compatible and controlled.
Ensuring that databases are adequately designed and controlled so that common definitions of data are used throughout the organization.
Developing detailed evaluation criteria so that it is possible to determine whether the implemented system has met predetermined specifications.