Our computer assurance review is designed to give clients an independent assessment of the adequacy of their Information Systems. While we aim to provide some assurance that systems are safe and secure, this is often not possible, in which case we will recommend improvements to controls that will mitigate or eliminate the weaknesses that render the system insecure. The result of such a review is normally a brief report outlining:
- the main findings
- the main information security risks
- the main controls and weaknesses identified in relation to those risks
- recommendations on possible improvements to controls.
Such a review cannot be expected to cover every aspect of information security or risk management in detail, but by adopting a top-down approach we expect to identify the major areas of concern quickly and then to concentrate on those.

When carrying out a Computer Assurance Review we will normally start by speaking with the person in overall charge (probably the Managing Director or Chairman) to identify what concerns, if any, the chief executive has. The next step is to gain an overview of the Information Systems in place, including the main hardware, operating systems and software, both accounting and operational. This process may involve interviews with financial or operations staff as well as IT specialists, but the key contact will usually be the IT manager or equivalent.

If particular applications are deemed critical, we may identify the key transaction streams and data files in those applications and identify the key controls over those transactions. This process should enable us to identify whether the system is adequate for its intended purpose or whether it needs to be improved or even replaced. If the applications are particularly complex and cannot be reviewed adequately within the time available, a more detailed review will be recommended as a separate assignment.

If no particular application is deemed critical, we proceed directly to the general controls over the Information Systems. These are the controls designed to ensure the confidentiality, integrity and availability of systems and may, in some cases, involve controls similar to those required to ensure completeness, accuracy and authorisation of transactions within particular applications (e.g. password controls and batch controls):
- segregation of duties (between accounts and IT, between operations and programming and, in larger IT departments, between other functions as well)
- physical and logical access controls (locks, passwords, firewalls etc)
- environmental controls (air conditioning, fire precautions, cabling etc)
- disaster recovery planning (backup procedures, locations of backups, planning, testing of plans, third party contracts, insurance etc)
- management and supervisory controls (budgeting and monitoring, project management, staff recruitment, training etc)
- program change control (from identification of the need for a program, through specification, programming, testing, user acceptance, training, documentation and live implementation)
- network security and implications of use of the Internet.
Detailed testing of the controls listed above is outside the scope of the Computer Assurance Review but can be offered as an additional service if required.