Nowadays, every business requires computers. Since many people can have access to computer data and resources, a system, however small, can be difficult to control. The success of the Internet and emergence of mobile workers, remote offices and collaborative business models have increased the risk of computer crime. As a result, unauthorised access to confidential information and the deliberate modification or damage of data have become growing concerns for many organisations. This worry about information security has given rise to an increasingly important profession - system audit.
System auditors are professionals with both audit and risk assessment competence. Their major duty is to spot non-compliance and mismanagement in the use of information systems and to ensure that the IT procedures and policy set by a company's management are properly implemented.
Their prime objective is to identify and minimise potential risks but they also check the effectiveness of internal system controls and the maintenance of business continuity. This is essential for business operations, says Danny Ha, a consultant at Security Consulting Services Ltd.
Traditionally, system audit was one of the duties of financial auditors but, according to Mr Ha, "Since information systems are now so critical to business processes, the task of system audit has become more important and more complicated. It is necessary to keep it separate." He adds that system auditors should maintain a high degree of independence and usually report directly to senior management.
Mr Ha started his own career as a system administrator in a bank. With a strong interest in information security and realising it was an emerging trend, he focused on this area and later became a full-time professional system auditor.
Graduates hoping to enter the field would do well to have studied information technology and to possess two to three years' practical experience, which would allow them to start as a trainee auditor.
Opportunities exist as in-house system auditors or as external audit consultants. For either role, a professional qualification is essential for advancement, says Mr Ha. "This reflects an acceptable level of knowledge, experience and professionalism in system audit, something basic for long-term career development."
The Certified Information System Audit (CISA) programme, established in 1978 by the Information Systems Audit and Control Association, is a widely recognised qualification required by employers looking for a system audit professional.
Other qualifications like the Certified Information System Security Professional (CISSP) and Certified Risk Planner (CRP) are also relevant. A CISA mainly observes a company's daily operations, focusing on the business process and carrying out a full system audit every year or two. In contrast, a CISSP is involved in day-to-day investigations of system security, and a CRP deals mainly with risk and crisis management, setting up preventive measures and planning for disaster recovery.
Further information about the qualifications can be found at www.isaca.org (for CISA) and www.icrmasia.com (for CRP).
The IT Training and Development Centre of the Vocational Training Council offers courses to help practitioners prepare for the CISA exam. The exam comprises one paper covering seven aspects of system audit, including management, planning and organisation of information systems, the system audit process and continuity planning.
Ethics and integrity
It is essential to uphold the highest code of professional ethics, says Mr Ha. "It is not just about integrity, but ethics in general. You have to be responsible to yourself, your company and clients, your profession and society."
As an information systems audit professional, one should keep abreast of all business developments, new threats and the latest technology for information security and controls. CISAs must renew their professional qualifications annually with a continuing education requirement of at least 20 hours a year and 120 hours every three years.
Strong communication skills are important for handling counter-suggestions or objections when carrying out an audit.
Good presentation and language abilities also help when dealing with senior management and directors.
While system audit work is tough and challenging, it does provide rewards. "It offers wide exposure, a rare opportunity to understand a company's full operations and, in particular, the most critical areas," says Mr Ha. "As a result, it gives you scope to move up to a senior management position."
Since there is increasing awareness of security threats, the opportunities for system auditors continue to grow. The opening of the China market is bringing a requirement for more formal, standardised business practices. Although system audit is not yet mandatory, it has already been implemented by multinational corporations in mainland China, according to Mr Ha. At present, there are about 1,300 CISAs in Hong Kong but fewer than a hundred in China. Mr Ha predicts that demand will remain much greater than supply in the years to come.
However, system audit work in China is far more challenging. "Because of different languages and cultures, it can be more difficult to do system audit in a mainland operation. Greater resistance is expected but with better recognition of the importance of proper procedures and controls, we can expect greater acceptance as time goes by," Mr Ha advises.