The scope of an information systems audit still does cover the entire life-cycle of the technology under scrutiny, including the correctness of computer calculations. The word “scope” is prefaced by “normal” because the scope of an audit is dependent on its objective. Audits are always a result of some concern over the management of assets. The concerned party may be a regulatory agency, an asset owner, or any stakeholder in the operation of the systems environment, including systems managers themselves. That party will have an objective in commissioning the audit. The objective may be validating the correctness of the systems calculations, confirming that systems are appropriately accounted for as assets, assessing the operational integrity of an automated process, verifying that confidential data is not exposed to unauthorized individuals, and/or multiple combinations of these and other systems-related matters of importance. The objective of an audit will determine its scope.

• High-level systems architecture review
• Business process mapping (e.g. determining information systems dependency with respect to user business processes)
• End user identity management (e.g. authentication mechanisms, password standards, roles limiting or granting systems functionality)
• Operating systems configurations (e.g. services hardening)
• Application security controls
• Database access controls (e.g. database configuration, account access to the database, roles defined in the database)
• Anti-virus/Anti-malware controls
• Network controls (e.g. running configurations on switches and routers, use of Access control lists, and firewall rules)
• Logging and auditing systems and processes
• IT privileged access control (e.g. System Administrator or root access)
• IT processes in support of the system (e.g. user account reviews, change management)
• Backup/Restore procedures