The purpose of auditing an information system is to assess, among others for the organization's management, whether the system functions in the way it was intended. Because of the speed of technology developments and the increasing complexity of infrastructures and information systems, auditing information systems is becoming more and more difficult. Knowledge of many aspects of information technology is required in order to give an opinion on the quality of information systems. Since it is nearly impossible to combine all this expertise in one person, cooperation between several disciplines is necessary. This paper will give an introduction to the different aspects of IT-auditing in general and will demonstrate the difficulties that IT-auditors face when, for example, auditing an electronic commerce information system. It will conclude by discussing trends in information technology, control theories and IT-auditing and by suggesting solutions for the problems that auditors face.

CV:
Since 1993, Leon Strous has been an EDP-auditor in the internal auditing department of De Nederlandsche Bank (DNB), the central bank of the Netherlands. Before joining DNB he worked for eight years at the Philips Electronics company in different functions in the areas of administrative organization, internal control and information security. He is a member of NOREA (Dutch Association of Registered Edp-Auditors), NGI (Dutch Computer Society), ISACA (Information Systems Audit and Control Association) and the ACM (Association for Computing Machinery). He is the country representative for the Netherlands in IFIP TC-11 (the technical committee on security of the International Federation for Information Processing) and chairman of working group 11.5 on Integrity and Internal Control in Information Systems. He also chairs an NGI working group on security evaluation criteria.