Automated information system for audit activities. Audit of information systems (Sitnov A.A.)

Today, many managers are not satisfied with the level of automation that has developed in the enterprise. Physically worn-out and functionally obsolete information systems (IS) and “patchwork” automation of individual processes can no longer provide management with the prompt and reliable information needed for informed and timely management decisions.

The imperfection of the management system leads to a decrease in the profitability of the enterprise and an unstable position in the market for goods and services.

The return to the problems of complex automation of enterprises is caused by the interest of enterprise management in creating an effective management structure, and in this matter information support plays an important role. Therefore, the issue of creating corporate information systems was again on the agenda.

But even with successful implementations, enterprise management does not always get the desired effect. The success of an automation project does not automatically mean that significant benefits will be gained from it. Even if project goals are achieved, they may not meet current production requirements. This happens very often.

Failed automation projects, colossal losses of time and money - this picture can be observed at large enterprises. Why does this happen? Why can’t high technology, products, or the authority of well-known companies save us? Why do both ready-made packages and custom information systems fail? Why can't businesses break free from patchwork automation?

The practice of creating systems using the “as is” model has shown that automation without modernizing the existing control system does not bring the desired results. After all, the use of software applications in work is not just a reduction in paper documents and routine operations, but also a transition to new forms of document management, accounting and reporting.

The “patchwork” automation of individual jobs of ordinary performers does not justify itself either. As a result, the manager still receives data prepared manually.

There is an illusion that you can automate an enterprise with “little loss”, using your own employees who already receive a salary.

AUTOMATION of an enterprise is the creation of some auxiliary production, which simplifies decision-making by the management of the enterprise.

Practice shows that in the field of automation, as in the field of audit, attracting outside specialists is economically justified and more effective.

The employee developing the system is cut off for a long time from his direct responsibilities for operating already functioning programs; the project may fail due to the departure of leading specialists. The development of an information system by the enterprise itself can drag on for years, without bringing real benefit to top management.

Considering the problem of the effectiveness of information systems from the standpoint of system analysis, we can highlight the main criteria for assessing effectiveness:

  1. Selection of resources. When choosing an information system, it is necessary to proceed from the fact that the use of any resource is advisable only when it gives a positive effect.
  2. Dynamics. The time factor should be taken into account; it is important to choose those technologies that will be used for a long time.
  3. Phasing. An information project should be implemented and evaluated in stages so that each step brings specific benefits to the enterprise.

Conclusion: you need to start not with choosing a program, but with assessing the needs and capabilities of the enterprise, with a pre-project survey and creating a technical project. These measures will help determine where investments in information systems can provide the greatest benefits.


Why conduct an information systems audit?

The term audit of an Information System refers to a systematic process of obtaining and evaluating objective data about the current state of the information system, actions and events occurring in it, establishing the level of their compliance with a certain criterion and providing the results to the customer.

Currently, the relevance of auditing has increased sharply because organizations depend more and more on information and IS. The Belarusian market is saturated with hardware and software; many organizations, for a number of reasons (the most neutral of which is the obsolescence of equipment and software), see the inadequacy of the funds previously invested in information systems and are looking for ways to solve this problem. There are two: a complete replacement of the IS, which entails large capital investments, or modernization of the IS. The latter option is less expensive but raises new problems, for example what to keep from the existing hardware and software and how to ensure compatibility of old and new IS elements.

In addition, the vulnerability of the information system has increased due to the increased complexity of the elements of this information system, the increase in lines of software code, and new technologies for transmitting and storing data.

The range of threats has expanded. This is due to the following reasons:

  • transmission of information over public networks;
  • "information war" of competing organizations;
  • high (typical for Russia and Belarus) staff turnover with a low level of integrity.

According to some Western analytical agencies, up to 95% of attempts at unauthorized access to confidential information occur on the initiative of former employees of the organization.

More and more often, clients are asking system integrators, design organizations, and equipment suppliers the following questions:

  1. What's next? (The presence of a strategic plan for the development of the organization, the place and role of IS in this plan, forecasting problem situations.)
  2. Does our IS align with business goals and objectives? Has business become an appendage of the information system?
  3. The IS malfunctions; how do we identify and localize the problems?
  4. How are security and access control issues addressed?
  5. Contractors carried out delivery, installation and commissioning. How do we evaluate their work? Are there any shortcomings and, if so, what are they?
  6. When is it necessary to upgrade hardware and software?
  7. Why is additional equipment being purchased all the time?
  8. Employees of the OASU department are constantly learning something; is there a need for this?
  9. What actions should be taken in the event of an emergency?
  10. What risks arise when placing confidential information in an organization's IS? How can these risks be minimized?
  11. How can the cost of IS ownership be reduced?
  12. How can the existing IS be used optimally when developing a business?

These and other similar questions cannot be answered instantly. Only by considering all the problems as a whole, the relationships between them, taking into account the nuances and shortcomings, can one obtain reliable, well-founded information. For this purpose, consulting companies around the world have a certain specific service - Information System audit.


For safety's sake...

Just as a theater begins with a coat rack, so almost any organization begins with security. Somewhere they make do with retired military personnel who write down the names of visitors in a notebook, somewhere they make do with clever security systems that even a mouse can’t get through, if only because it doesn’t have an access card.

But security officers provide only physical security, while much more resources have to be spent on information security. The scope of this task can vary widely depending on the value of the information contained within the organization. Some people just need to protect themselves from “novice hackers,” while others need to protect themselves from industrial espionage from competitors.

To ensure the effectiveness of an existing or newly created information security system, it is best to contact an IS auditor.

Experts often emphasize that an audit is just a check of a system for compliance with any requirements - standards, regulations, etc. They prefer to call a more detailed and in-depth check a survey. This is more complex work, which includes the analysis of information flows, business processes, analysis of the adequacy of information security systems, the criticality of information... That is, this is a deep analysis with reference to a specific organization.

However, for simplicity, we will call this an IS audit.

When is it advisable to resort to an information security system audit?

  • Before starting to develop an information security system - to know the current state and understand what to do.

Why conduct an information systems audit?

Sergey Guzik, JetInfo

Definition and objectives of audit

The term audit of an Information System is understood as a systematic process of obtaining and evaluating objective data about the current state of the information system, actions and events occurring in it, establishing the level of their compliance with a certain criterion and providing the results to the customer.
Currently, the relevance of auditing has increased sharply because organizations depend more and more on information and IS. The market is saturated with hardware and software; many organizations, for a number of reasons (the most neutral of which is the obsolescence of equipment and software), see the inadequacy of the funds previously invested in information systems and are looking for ways to solve this problem. There are two: a complete replacement of the IS, which entails large capital investments, or modernization of the IS. The latter option is less expensive but raises new problems, for example what to keep from the existing hardware and software and how to ensure compatibility of old and new IS elements.
A more significant reason for conducting an audit is that, when systems are modernized and new technologies introduced, their full potential is not realized. An IS audit allows you to achieve maximum return on the funds invested in the creation and maintenance of the IS.
In addition, the vulnerability of the information system has increased due to the increased complexity of the elements of this information system, the increase in lines of software code, and new technologies for transmitting and storing data.
The range of threats has expanded. This is due to the following reasons:
  • transmission of information over public networks;
  • "information war" of competing organizations;
  • high staff turnover with low levels of integrity.
According to some Western analytical agencies, up to 95% of attempts at unauthorized access to confidential information occur on the initiative of former employees of the organization.
Conducting an audit will allow you to assess the current security of the functioning of the information system, assess risks, predict and manage their impact on the organization’s business processes, and correctly and reasonably approach the issue of ensuring the security of the organization’s information assets, the main of which are:
  • ideas;
  • knowledge;
  • projects;
  • results of internal examinations.
Currently, many system integrators declare the delivery of a complete, finished solution. Unfortunately, at best, it all comes down to the design and delivery of hardware and software. The construction of information infrastructure “remains behind the scenes” and is not included in the solution.
Let us make a reservation that in this case, information infrastructure is understood as a well-functioning system that performs the functions of maintenance, control, accounting, analysis, and documentation of all processes occurring in the information system.
More and more often, system integrators, design organizations, and equipment suppliers are being asked the following questions:
  • What's next? (The presence of a strategic plan for the development of the organization, the place and role of IS in this plan, forecasting problem situations.)
  • Does our IS align with business goals and objectives? Has business become an appendage of the information system?
  • How can investments in IS be optimized?
  • What happens inside this "black box", the organization's IS?
  • The IS malfunctions; how do we identify and localize the problems?
  • How are security and access control issues addressed?
  • Contractors carried out delivery, installation and commissioning. How do we evaluate their work? Are there any shortcomings and, if so, what are they?
  • When is it necessary to upgrade hardware and software? How can the need for modernization be justified?
  • How can a unified IS management and monitoring system be installed? What benefits will it provide?
  • The head of the organization, the head of the department of medical and technical equipment must be able to receive reliable information about the current state of the information system in the shortest possible time. Is this possible?
  • Why is additional equipment being purchased all the time?
  • IT department staff are constantly learning something; is there a need for this?
  • What actions should be taken in the event of an emergency?
  • What risks arise when placing confidential information in an organization's IS? How can these risks be minimized?
  • How can the cost of IS ownership be reduced?
  • How can the existing IS be used optimally when developing a business?
These and other similar questions cannot be answered instantly. Only by considering all the problems as a whole, the relationships between them, taking into account the nuances and shortcomings can one obtain reliable, well-founded information.
For this purpose, consulting companies around the world have a certain specific service - Information System audit.

ISACA (Information Systems Audit and Control Association)

The approach to conducting an IS audit, as a separate independent service, has been streamlined and standardized over time.
Large and medium-sized audit companies have formed associations - unions of professionals in the field of IP auditing, which are engaged in the creation and maintenance of auditing standards in the IT field. As a rule, these are closed standards, carefully protected know-how.
However, there is an association called ISACA that is dedicated to open standardization of IS auditing.
The ISACA association was founded in 1969 and currently unites about 20 thousand members from more than 100 countries, including Russia. The association coordinates the activities of more than 12 thousand information systems auditors.
The main declared goal of the association is the research, development, publication and promotion of a standardized set of documents on information technology management for daily use by administrators and auditors of information systems.
To help professional auditors, IT department managers, administrators and interested users, the ISACA association, together with specialists brought in from the world's leading consulting companies, has developed the CoBiT standard.

CoBiT (Control Objects of Information Technology)

CoBiT (Control Objects of Information Technology) is an open standard whose first edition, in 1996, was sold in 98 countries around the world and made the work of professional information technology auditors easier.
The standard connects information technology and the actions of auditors, combines and harmonizes many other standards into a single resource that allows you to authoritatively, at a modern level, gain insight into and manage the goals and objectives solved by IS. CoBiT takes into account all the features of information systems of any scale and complexity.
The fundamental rule underlying CoBiT is that IS resources must be managed by a set of naturally grouped processes to provide the organization with the necessary and reliable information (Figure 1).

And now a little clarification about which resources and which evaluation criteria are used in the CoBiT standard:
  • Labor resources - not only the employees of the organization, but also its management and contract personnel. Staff skills, task understanding, and job performance are reviewed.
  • Applications - application software used in the work of the organization.
  • Technologies - operating systems, databases, control systems, etc.
  • Equipment - all hardware of the organization's IS, taking into account its maintenance.
  • Data - data in the broadest sense: external and internal, structured and unstructured, graphic, audio, multimedia, etc.
All these resources are assessed by CoBiT at each stage of IS construction or audit according to the following criteria:
  • Efficiency - a criterion that determines the relevance and compliance of information with business objectives.
  • Technical level - a criterion for compliance with standards and instructions.
  • Security - information protection.
  • Integrity - accuracy and completeness of information.
  • Suitability - availability of information to the business processes that require it, now and in the future, as well as the protection of necessary and related resources.
  • Consistency - the implementation of laws, instructions and agreements that affect the business process, that is, external requirements for the business.
  • Reliability - consistency of information provided to the organization's management, implementation of appropriate funding management and consistency of job responsibilities.
CoBiT is based on the ISA and ISACF auditing standards, but also includes other international standards, taking into account previously approved standards and regulations:
  • technical standards;
  • codes;
  • IS criteria and process descriptions;
  • professional standards;
  • requirements and recommendations;
  • requirements for banking services, e-commerce systems and manufacturing.
The standard was developed and analyzed by employees of the relevant departments of leading consulting companies and is used in their work along with their own developments.
The CoBiT standard can be used both to audit an organization’s IS and for the initial design of an IS: the usual pair of direct and inverse problems.
In the first case, the result is the compliance of the current state of the IS with the best practice of similar organizations and enterprises; in the second, it is an initially correct project and, as a consequence, upon completion of the design, an IS striving for the ideal.
In what follows, we will consider an IS audit, implying that at any stage it is possible to solve the inverse problem - designing an IS.
Despite its small size, the developers tried to ensure that the standard was pragmatic and responsive to business needs, while maintaining independence from specific manufacturers, technologies and platforms.
The basic block diagram of CoBiT shows the sequence, composition and relationships of the basic groups. Business processes (at the top of the diagram) place their requirements on IS resources, which are analyzed using CoBiT assessment criteria at all stages of construction and audit.
Four basic groups (domains) contain thirty-four subgroups, which, in turn, consist of three hundred and two control objects. The control objects provide the auditor with all reliable and relevant information about the current state of the IS.
Distinctive features of CoBiT:
1. Large coverage area (all tasks from strategic planning and fundamental documents to analysis of the operation of individual IS elements).
2. Cross-audit (overlapping areas of inspection of critical elements).
3. Adaptable, scalable standard.
Let's consider the advantages of CoBiT over numerous Western and Russian developments. First of all, this is its sufficiency, along with the possibility of relatively easy adaptation to the peculiarities of domestic IS. And, of course, the fact that the standard is easily scaled and expanded. CoBiT allows you to use any developments from hardware and software manufacturers and analyze the data obtained without changing the general approaches and its own structure.

IS audit practice

The flowchart shown in Fig. 2 reflects, although not in detail, the key points of an IS audit. Let's take a closer look at them.
At the stage of preparing and signing the initial permitting documentation, the boundaries of the audit are determined:
The boundaries of the audit are determined by the critical points of the IS (elements of the IS), in which problem situations most often arise.
Based on the results of a preliminary audit of the entire IS (to a first approximation), an in-depth audit of the identified problems is carried out.
At the same time, an audit team is created and responsible persons on the Customer’s side are identified. The necessary documentation is created and agreed upon.
Next, information is collected about the current state of the IS using the CoBiT standard, the control objects of which receive information about all the nuances of the functioning of the IS both in binary form (Yes/No) and in the form of detailed reports. The detail of the information is determined at the stage of developing the initial permitting documentation. There is a certain optimum between the costs (time, cost, etc.) of obtaining information and its importance and relevance.
Analysis is the most critical part of an IS audit. The use of unreliable or outdated data in the analysis is unacceptable, so the data must be verified and information collected in depth.
Requirements for the analysis are determined at the information collection stage. Information analysis methods exist in the CoBiT standard, but if they are lacking, it is not forbidden to use ISACA-authorized developments from other companies.
The results of the analysis are the basis for developing recommendations, which, after prior agreement with the Customer, must be checked for feasibility and relevance taking into account the implementation risks.
Monitoring the implementation of recommendations is an important stage that requires continuous monitoring by representatives of the consulting company of the progress of implementation of the recommendations.
At the stage of developing additional documentation, work is carried out aimed at creating documents, the absence or shortcomings of which may cause failures in the operation of the information system. For example, a separate in-depth consideration of IS security issues.
Constant auditing guarantees the stability of the functioning of the information system, therefore the creation of a schedule for subsequent audits is one of the results of a professional audit.

Audit results

The results of an organization's IS audit can be divided into three main groups:
1. Organizational - planning, management, document flow of IS functioning.
2. Technical - failures, malfunctions, optimization of the operation of IS elements, continuous maintenance, infrastructure creation, etc.
3. Methodological - approaches to solving problem situations, management and control, general orderliness and structuring.
The audit will allow you to reasonably create the following documents:
  • Long-term IS development plan.
  • Organization's IS security policy.
  • Methodology for working and fine-tuning the organization's IS.
  • IS recovery plan in an emergency.

Requirements for submission of information

The ISACA Association has developed and adopted requirements for the presentation of information during an audit. The application of the CoBiT standard guarantees compliance with these requirements.
The main requirement is the usefulness of the information. For information to be useful, it must have certain characteristics, including:
1. Clarity. Information should be understandable to a user who has a certain level of knowledge; this does not mean, however, that complex information should be excluded if it is necessary.
2. Relevance. Information is relevant if it influences users' decisions and helps them evaluate past, present and future events or confirm and correct past assessments.
The relevance of information is affected by its content and materiality. Information is significant if its absence or incorrect assessment could influence the user's decision. Another characteristic of relevance is timeliness of information, which means that all relevant information is included in the report in a timely manner without delay and that the report is provided on time.
A certain analogue of the principle of appropriateness in domestic practice can be the requirement for the complete reflection of transactions for the accounting period, although the requirement for the reflection of all information is not identical to the requirement for the reflection of essential information.
3. Credibility, reliability. Information is reliable if it does not contain significant errors or biased assessments and truthfully reflects business activities. To be reliable, information must meet the following characteristics:
- truthfulness;
- neutrality - information should not contain one-sided assessments, that is, information should not be provided selectively in order to achieve a certain result;
- prudence - readiness to take into account potential losses rather than potential profits and, as a result, the creation of reserves. This approach is appropriate in a state of uncertainty and does not mean creating hidden reserves or distorting information;
- sufficiency of information - includes such a characteristic as the requirement for completeness of information, both in terms of its materiality and the costs of its preparation.

The need of the domestic market for this service

When assessing the need for an IS audit, it is necessary to focus on the following points (see Table 1):
  • the complexity of the problems being solved - a constant increase, both quantitative and qualitative, of problems solved by IS;
  • IS ramifications - difficulty in servicing, territorial distribution;
  • business prospects - new directions, markets, working conditions;
  • management of an organization - the ability and desire of managers to think strategically, to see the prospects opened up by a standardized approach, based on best practices.
Who is interested in conducting an audit? First of all, these are commercial or budgetary organizations and enterprises to justify investments in IS, system integrators, IT companies to assess the impact of IS on the main business process and expand the range of services offered.
For companies conducting financial audits, IS audit is an additional service that can increase the company's rating in the market.
General contractors will be interested in the opportunity to evaluate the work of IT subcontractors.
Conducting an IS audit according to the CoBiT standard will also be of interest to any enterprises and organizations that have or are planning to create an IS and that are interested in receiving answers to the questions given in the introduction of this article.

Table 1. Results of the audit.

Organizational

Technical

Methodological

Assessment of strategic planning of IS, architecture, technological direction

Understanding the problems, failures, bottlenecks of the organization’s information system

Providing proven approaches to strategic planning and forecasting

General IS management

Evaluation of technological solutions

Optimization of document flow of OITP

Increasing the competitiveness of the organization

Infrastructure assessment

Increasing labor discipline

Checking compliance of IS with business objectives

Comprehensive solution to security issues

Training of IS administrators and users

Justification, management and evaluation of IS investments

Developing ways to solve problems, minimizing the costs of solving problem situations

Providing methods for obtaining timely and objective information about the current state of the organization's IS

Reduced cost of IS ownership

Professional forecast of the functioning and need for IS modernization

Quality management

Realizing the full potential of new technologies

Management of projects carried out within the IS

Improving the efficiency of the information system

Risk management

Expansion of IS functionality

Reducing IS maintenance costs

Evaluation of the work of third parties

Determining IS service levels

Conclusions

All over the world, consulting in the field of audit has acquired a truly comprehensive scope - “not a single serious matter without an audit.”
Despite this, a study of IS audit reports, in terms of technical literacy and content of recommendations, showed that the level of reports offered to customers is quite low. This is explained by one important reason: the vast majority of Western audit companies offering their services, including in the IT field, grew out of financial auditing and invite technical specialists only as needed.
This is where the advantage of domestic companies - system integrators initially lies: the presence of highly qualified specialists with extensive practical experience in various areas of the telecommunications market allows them to conduct IS audit as a separate specific service, without significant changes in the organizational structure.
If these organizations adopt a professional standard with a proven and streamlined structure, the professionalism of such services will increase sharply.

Your company has already implemented an information system, which, it would seem, should facilitate routine operations and optimize work, but in reality it turns out that the processes have become even more confusing, and management and constant adjustments of the information system require more and more resources. What is the reason? What was done wrong? Does your company need an IS at all, and if so, what kind? What tasks should your information system solve? These and other questions can only be answered by a competent comprehensive audit, research into existing systems and the specifics of your business.

Before developing a corporate information system, an audit of management, planning, accounting, reporting, document flow, etc. systems is carried out. The goal is to find growth points and optimize the customer’s business. Taking into account the analysis data, specialists develop a CIS (corporate information system) for each specific enterprise. The information systems already operating at the enterprise are also analyzed, the degree of their effectiveness and the feasibility of using these particular solutions.

A modern IS (information system) is a complex set of interconnected schemes and algorithms, and the efficiency of the entire enterprise directly depends on how competently it is built. Conducting an information system audit allows you to provide answers to such important questions as:

  • compliance of the IS with the pursued goals and specifics of the company’s activities;
  • level of data protection from internal and external negative factors;
  • the degree of integration of information technology into the business processes of the enterprise.

An IS audit also includes an analysis of the efficiency of the IT service, the degree of automation of processes carried out at the enterprise, and an assessment of the quality of document flow and logging. Its implementation provides an opportunity to obtain the most complete information about possible risks and the state of the company’s IT infrastructure.

An IS performance audit involves the following activities:

  • IT infrastructure inventory (the equipment and software used in the company is checked);
  • determination of load indicators on IT objects;
  • assessment of statistical data, as well as information obtained during the inventory;
  • establishing the degree of compliance of IS functionality with business requirements;
  • writing a report on the audit results;
  • development of recommendations aimed at optimizing IS;
  • formalization of the fund of regulatory and reference information (NSI).

Results of the information systems audit:

  • identifying the true reasons for the low efficiency of the used information system;
  • the ability to make an informed decision to increase its productivity, be it purchasing more modern equipment, improving a previously used IS, or replacing it with a new one;
  • making forecasts regarding how the information system will behave in the event of changes in information flows (increase in the total number of operations, users, etc.);
  • obtaining accessible and well-founded recommendations regarding improving the work of IT departments, optimizing information technology costs, as well as identifying activities designed to improve the quality of IT service.

There are no universal information systems that suit all enterprises without exception. Taking the 1C or Oracle platform as a basis, you need to configure a number of settings, add the necessary functionality and disable what is unnecessary, that is, fine-tune all the information mechanisms for your business. The first step to finding optimal solutions can be an audit of the enterprise information system or, as it is commonly called, the corporate information system.

An IT audit allows you to obtain up-to-date information about the current level of system functioning and develop measures to improve its efficiency. The main purpose of an IT audit is to compare the state of affairs in an organization with a reference model: standards, regulations, sets of best practices, regulations of a third-party company. In other words, an information systems audit allows you to understand and record the difference between the norm and existing routines in the IT department.

Providing business processes necessary for the functioning of enterprises in various industries involves the implementation of local and global information systems. The significant role of data transmission systems in the activities of companies necessitates the development and achievement of an optimal level of functionality of the IT infrastructure. The operation of IT systems is subject to a number of requirements, such as quick access to resources, ease of configuration, flexibility and scalability, security and high reliability.

Among the most popular standards that Aplana specialists use in their work are the PMBOK project management body of knowledge, the CMMI maturity model for software development processes in organizations, and the ITIL/ITSM approach to managing and organizing IT services.

Key advantages of IT audit with us

Many business executives from various business sectors have long been using our services to ensure high performance and reliable operation of information systems. We act as independent consultants who study the situation from different angles and help identify existing imperfections in the system.

You should contact Aplana specialists if you need to find out the reason for the slow development of certain systems or their inability to cope with assigned business tasks. The most difficult task is restructuring investments in information technology. We help the manager understand how rationally investments are made in various areas of IT, and whether their redistribution is possible.

The cost of conducting an IT audit in an organization depends on each specific case. By entrusting services to Aplana specialists, you can always be sure that you will receive a number of advantages:

  • you do without an in-house staff of analysts and avoid the long and costly development of competent specialists;
  • you receive an independent expert assessment from professionals in the field;
  • you receive a ready-made plan for comprehensive optimization of information processes;
  • you conduct a “dress rehearsal” before certification audits, for example, according to the ISO standard.

Types of audit

  • Comprehensive IT audit – a complete and comprehensive analysis of the work of software development and support departments, identifying ineffective elements, practices, techniques, and non-compliance with certain criteria and specified standards.
  • Process audit in IT departments - analysis of technologies and software production processes in comparison with reference models.
  • Audit of an information system for the correctness of its use in comparison with specified standards or best global practices.
  • Audit of the organizational structure - identifying gaps and problems in the personnel structure of the IT department.
  • Audit of quality control processes – expert assessment of the state of testing processes according to the TMMi model standard.

Main tasks

  • Identification of bottlenecks and identification of ineffective use of the system. As a result, the client receives a ready-made set of recommendations to correct identified shortcomings.
  • Estimation of the cost and duration of the process to eliminate deficiencies.
  • Determining the need for resources of different categories: financial, production, intellectual, etc.
  • Selection of optimal tools for implementing the proposed changes, taking into account the internal specifics of the company.

An audit of development processes is carried out by Aplana specialists in order to document the difference between existing software development processes and the selected standard ones. One of the key features in the provision of services is the focus on the main business objectives of the company. This allows you to more accurately formulate recommendations for increasing the efficiency of IT systems, taking measures to reduce and eliminate possible risks, optimizing costs together with improving the quality of work of developers.

The audit does not depend on other IT consulting services and can be carried out at any stage of the company’s development. As a rule, the development of the methodology is based on the results of the audit.

Introduction

Automated information technologies in auditing activities

Information technology software for auditing activities

Conclusion

References

Introduction

The reform of the Russian economy has necessitated the creation and development of new economic institutions that regulate the relationships between various business entities, among which the institution of audit, which is an integral part of market relations, should take its rightful place. The experience of the formation and development of Russian audit has shown the impossibility of directly transferring the methodology of developed capitalist countries to the reorganized economy of the post-Soviet period. Therefore, active work is currently underway to create a concept for the development of auditing and auditing activities in general for Russian conditions.

The main goals of creating this concept are to build a model of audit functioning that is adequate to the needs of the Russian economy, to improve the forms and methods of conducting audits, taking into account the development of auditing in Russia and the requirements of international standards for accounting and auditing.

In modern conditions, the formation of audit and auditing activity in general should be, first of all, aimed at implementing and strengthening the control function of the audit, which can only be achieved as a result of the transition from a confirmatory model to a system-oriented audit model. This approach requires the active use of means and methods of scientific knowledge, and especially the modeling method, using the powerful tools of modern mathematics and information technology. Information modeling will allow us to study the features, properties, relationships of auditing activities, trends in its development in Russia and abroad. Information and mathematical modeling of audit activity should become the basis for the process of constructing a model of the functioning of Russian audit.

Tasks of a computer information system for auditing activities

In the practice of designing a computer information system for audit activities (CIS AD), two fundamentally different approaches to its creation can be traced.

1. Using a set of tests (worksheets) aimed at entering ascertaining information about compliance with certain accounting rules. In this case, the client’s accounting information is completely or partially ignored. This path can lead to a significant risk of missing errors, so the second approach is more promising.

2. Focus on the client’s primary information, which reflects business transactions at a synthetic and analytical level. In this case, a significant amount of time is required to enter customer data.

Within the second approach, there are two possible ways to create a CIS AD:

1) a system for computerizing audits by stages;

2) a system for computerizing audits for complexes of tasks.

The stage-by-stage audit computerization system involves the use of a network architecture and storage of all data in a single database, to which system users must have authorized access at the appropriate level. Users are given different rights to work with the system, which in a simple version are divided into two levels: the head of the audit and the auditors. All information recorded in the database must be available simultaneously to all members of the audit team.

There are three stages of auditor work technology in the conditions of CIS AD:

1) preparatory stage;

2) conducting an inspection;

3) final stage.

At the preparatory stage, information about the client, general ledger data, accounting indicators and other information are studied and recorded in the database. The auditor's examination of the audited entity's accounting and internal control system is determined by the computer data processing system (CDS) he uses.

When conducting an audit in a CDS environment, the purpose of the audit and the main approaches to determining its methods are preserved. However, the CDS affects the auditor's examination of the entity's accounting and internal control systems. This is because the auditor's sources of information are accounting documents on machine-readable media, permanent regulatory and reference information is stored in the computer's memory, and an automated form of accounting is used.

Working in the CDS environment, the auditor studies the organizational form of data processing, the form of accounting and its automated sections, the use of local or network data processing options, and the provisions for data archiving and storage. The auditor must also describe the technical, software, and technological support of the CDS. He evaluates the capabilities of the computer system in terms of its flexible response to changes in business legislation, the generation of management reporting, the conduct of analytical procedures, as well as the degree of qualification of accounting personnel in the field of information technology.

During an audit of a client’s CDS, the auditor must perform the following tasks:

1. It is necessary to become familiar with the organizational form of data processing and the level of automation of management tasks, including accounting tasks. In small businesses, where data processing is performed by one accountant, the accounting software and information base are concentrated on one computer. When there is more than one person in the accounting department, we are talking about multi-user systems that implement the work of several users with the accounting information base. The auditor must understand the main differences between these technologies, as this affects the audit procedures he determines and the risk of the audit performed.

2. The auditor must assess the correctness of the choice of automation tasks and express an opinion on the tasks, accounting areas, and the work of departments where the use of computer data processing technology will give the greatest effect. First of all, the work of the most overloaded departments that slow down the work of the enterprise should be automated. In particular, the accounting and analysis of accounts receivable should be automated first.

3. During the audit, the auditor should study and evaluate the organization’s document flow system: the procedure for the formation, registration, storage, processing of documents and transformation of primary documents into a system of records on accounting accounts. It is necessary to find out where primary information originates and the extent of its collection and registration. To do this, the auditor must familiarize himself with the layout of automated workstations for management employees at the enterprise.

4. The auditor must characterize the methods of data entry and the generation of records of business transactions. Automated and automatic generation of accounting records and postings based on standard transactions and electronic document forms makes it possible to avoid many errors that are inevitable when transactions are entered and generated manually. The error may also lie in the standard postings or electronic forms themselves, which need to be verified. It is necessary to study how information about business transactions is stored and whether information about business transactions and documents can be quickly obtained and printed out.

5. A mandatory audit procedure is testing the data entered into the accounting CDS. This procedure involves testing the completeness of documents in the “paper” version and testing the compliance of paper documents with their electronic copies entered into the system. The absence of this compliance is a signal that the reporting is unreliable.

6. The auditor must ensure the safety of information system data, ease of access to data and restriction of unauthorized access to it.

7. Particular attention is paid to checking the reliability of internal controls in the CDS environment. The auditor is obliged to identify weaknesses in the control of computer accounting systems: consider hardware and software controls and organizational measures (data archiving, virus checking). He needs to analyze the ways of organizing control over the completeness and correctness of entering primary information into the information base, and over the monitoring, processing and selection of data, and assess their sufficiency and effectiveness. In multi-user network systems, the focus must be on the data transfer process.

8. The auditor must carefully check the correctness of the calculation algorithms.

An error embedded in a calculation algorithm that is repeatedly applied to repeated business transactions can distort the result of business activities.
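The checks described in tasks 5 and 8 above (completeness and agreement of paper documents with their electronic copies, and re-performing a calculation algorithm) can be sketched as follows. This is an added example, not part of the original text: the document numbers, amounts, the 20% rate and the function name `reconcile` are all constructed for illustration.

```python
from decimal import Decimal

# Constructed sample: register of paper source documents (number -> net amount).
PAPER = {
    "INV-001": Decimal("1200.00"),
    "INV-002": Decimal("350.50"),
    "INV-003": Decimal("99.90"),
    "INV-004": Decimal("780.00"),
}
# Constructed sample: rows exported from the accounting system
# (document number, net amount, tax amount computed by the system).
SYSTEM = [
    ("INV-001", Decimal("1200.00"), Decimal("240.00")),
    ("INV-002", Decimal("305.50"), Decimal("61.10")),    # digits transposed on entry
    ("INV-004", Decimal("780.00"), Decimal("140.40")),   # tax not at the expected rate
    ("INV-005", Decimal("410.00"), Decimal("82.00")),    # no paper original
    ("INV-001", Decimal("1200.00"), Decimal("240.00")),  # entered twice
]
TAX_RATE = Decimal("0.20")  # assumed rate, for illustration only


def reconcile(paper, system, rate=TAX_RATE):
    """Compare system entries with the paper register and re-perform the tax calculation."""
    findings = {"missing_in_system": [], "no_paper_original": [],
                "duplicate_entry": [], "amount_mismatch": [],
                "calculation_error": []}
    seen = set()
    for doc, net, tax in system:
        if doc in seen:
            findings["duplicate_entry"].append(doc)
            continue
        seen.add(doc)
        if doc not in paper:
            findings["no_paper_original"].append(doc)
        elif paper[doc] != net:
            findings["amount_mismatch"].append((doc, paper[doc], net))
        # Independent recalculation: the stored result is not trusted.
        expected = (net * rate).quantize(Decimal("0.01"))
        if tax != expected:
            findings["calculation_error"].append((doc, tax, expected))
    findings["missing_in_system"] = sorted(set(paper) - seen)
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(PAPER, SYSTEM).items():
        print(f"{kind}: {items}")
```

A calculation error that repeats across many rows with the same ratio points to the algorithm rather than to a single entry mistake, which is the case the paragraph above warns about.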

After completing these tasks, based on the information received, a preliminary financial analysis is carried out, an assessment of the level of materiality and audit risk is carried out, a general audit plan is developed and responsibilities are distributed among the members of the audit team.

When determining the auditor's risks that arise during an audit of financial statements due to the influence of the CDS, one should be guided by the rule (standard) "Risk assessment and internal control. Characteristics and accounting of the computer and information system environment."

Audit planning in a CDS environment is carried out in accordance with the rule (standard) “Audit Planning”.

When planning an audit using computers, the following must be taken into account: the provision of the audit organization with the equipment necessary both for conducting the audit and for providing services related to the audit using computers; the start date of the audit, which must correspond to the date of presentation of data to the auditor in the form agreed with the economic entity; the fact of involving experts in the field of information technology; knowledge, experience and qualifications of the auditor in the field of information technology; the feasibility of using tests performed without the use of a computer; the effectiveness of using a computer when conducting an audit. When drawing up a general plan and audit program, one should take into account the degree of automation of the processing of accounting information and the information technologies used by the economic entity.