Information Systems Audits

From Appalachian State University Policy Manual

Policy 1002

1 Introduction

1.1 The Information System Audits Policy describes an Information Systems Audit as conducted by the Office of Internal Audits and the steps that management should take in replying to an Information Systems Audit Report.

2 Scope

2.1 This policy applies to all departments at Appalachian State University. The Office of Internal Audits provides internal auditing for the University, its auxiliaries and subsidiaries. In accomplishing the mission of the office, the Chief Audit Officer is authorized full, free and unrestricted access to all University functions, property, personnel and records maintained by all units of the University.

3 Definitions

4 Policy and Procedure Statements

4.1 Information Systems Audits

4.1.1 The Office of Internal Audits examines and evaluates the adequacy and effectiveness of the systems of management control provided by the University to direct its activities toward the accomplishment of its objectives in accordance with the mission of the University. Included is an audit of the University’s major systems and controls, including:

  1. Accounting systems and controls;
  2. Administrative systems and controls; and
  3. Information technology systems and controls.

4.1.2 Reviews of the design and development of financial systems may be conducted to ensure that uniform and timely information is available to assist the management of the University in its decision making. This is accomplished by analyzing existing financial systems and internal control, and by making recommendations for changes as applicable.

4.1.3 As new and/or modified systems become operational, the staff may conduct system audits of computer applications and major administrative systems. Attention is given to the system requirements to ensure that adequate internal controls are incorporated, that procedures are followed in processing the system, that system documentation is complete and accurate, and that the needs of user areas are met.

4.1.4 At the completion of the review, an audit report will be issued to the director or manager of the user area with copies going to appropriate University administrators. This report will outline weaknesses and/or deficiencies in the system and operational problems noted.

4.2 Reply to Information Systems Audit Report

4.2.1 To ensure that consistent practices and procedures are followed regarding deficiencies and operational problems in information systems, the following policies are applicable:

4.2.2 The manager or director of the user area will respond to the audit report and recommendations contained in the report. A written reply to the deficiencies and/or operational problems noted in the audit report should be addressed to the Chief Audit Officer. The written reply to the information systems audit report is due within fifteen (15) days of the date of the report. The reply should consist of the action taken or planned with regard to the recommendations contained in the report. Where applicable, it should also give attention to changes in operating procedures, etc., that would alleviate operational problems in the future. If it is felt that the reply to the information systems audit report is unsatisfactory in corrective action, it will be resolved through consultation with all parties concerned. This process also may include a determination that senior management and/or the board have assumed the risk of not taking corrective action on reported observations.

5 Additional References

Office of Internal Audits Manual

6 Authority

7 Contact Information

8 Original Effective Date

9 Revision Dates

January 23, 2014