The process of information system audit involves four steps:
• Measuring vulnerability of information system:
The first step in the process of information system audit is the identification of the vulnerability of each application. Where the probability of computer abuse is high, there is a greater need for an information system audit of that application. The probability of computer abuse would depend upon the nature of the application and the quality of controls.
• Identification of sources of threat:
Most threats of computer abuse come from people. The information system auditor should identify the people who might pose a threat to the information systems. These people include system analysts, programmers, data entry operators, data providers, users, vendors of hardware, software and services, computer security specialists, PC users, etc.
• Identification of high-risk points:
The next step in the process of information system audit is to identify the occasions, points or events when the information system may be penetrated. These points may be when a transaction is added, altered or deleted. The high-risk point may also be the occasion when a data or program file is changed or the operation is faulty.
• Check for computer abuse:
The last step in the process is to audit the high-risk points of the applications that are highly vulnerable, keeping in view the activities of the people who could abuse the information system.