What is an IS audit?
An IS audit reviews the controls in and around the information systems that produce a company’s financial information. It typically covers:
- IT general controls (ITGCs) — access management, change management, operations, system development.
- Application controls — input, processing and output controls within ERPs and core financial applications.
- ICFR controls — the internal financial controls the statutory auditor reports on under Section 143(3)(i) of the Companies Act, 2013, with IT-driven risks assessed under SA 315 (Revised).
- Cybersecurity hygiene — perimeter, identity, endpoint, monitoring.
Who commissions an IS audit
- Companies with ICFR reporting under Section 143(3)(i) (listed companies and prescribed unlisted companies).
- Banks and NBFCs subject to RBI IS audit guidelines.
- Companies migrating to a new ERP and wanting an independent go-live readiness review.
- Subsidiaries reporting under group ICFR programmes (e.g., SOX-equivalent).
- PE-owned companies with internal IS audit mandates.
- SaaS / IT companies preparing for SOC 2 or ISO 27001 certification.
Governing references
The relevant references:
- SA 315 (Revised) — identifying and assessing risks, including IT-driven risks.
- Section 143(3)(i) of the Companies Act — ICFR auditor reporting.
- ICAI Standards on Information System Audit (SIA).
- RBI Master Direction on Outsourcing of IT Services (banks / NBFCs).
- ISO 27001:2022 — ISMS controls.
- SOC 2 Trust Service Criteria, where applicable.
How we run an IS audit
- IT environment understanding — ERP / core systems landscape, integration map, data flows, third-party dependencies.
- Risk assessment — financial-statement-level risks driven by IT.
- Control identification — key ITGCs and application controls relevant to those risks.
- Design effectiveness testing — walkthroughs, documentation review.
- Operating effectiveness testing — sample-based testing for the audit period.
- Reporting — control deficiencies, severity classification, remediation roadmap.
- Coordination with the financial statement audit team for ICFR sign-off.
What we’ll ask for
- List of in-scope financial systems and integrations.
- User-access master list with role mapping.
- Change-management ticketing system extracts.
- Backup & recovery procedures and last-test results.
- Privileged-account inventory and review evidence.
- Application configuration documentation.
- Past internal / external IS audit reports for follow-up.
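To show what is done with the access-related extracts above (user-access master list with role mapping, privileged-account inventory and review evidence, plus an HR leaver list), here is an added worked example of the three checks an ITGC access review usually starts with: leavers whose accounts are still active, segregation-of-duties conflicts in the role mapping, and privileged accounts with no review within the policy interval. This is illustrative code written for this page, not the firm's tooling; the user IDs, role names, dates, the SoD matrix and the 90-day review interval are all constructed assumptions.

```python
"""
ITGC user-access review over constructed extracts (added example, not the
firm's tooling). Inputs mirror what an IS audit requests: user-access master
list with role mapping, HR leaver list, privileged-account review evidence.
"""
from datetime import date, timedelta
import csv
import io

# Constructed sample extracts: hypothetical users, roles and dates.
USER_ACCESS_CSV = """user_id,name,status,roles
u001,A. Rao,active,AP_CLERK;VENDOR_MASTER
u002,B. Iyer,active,GL_POST
u003,C. Das,active,AP_CLERK
u004,D. Sen,active,SAP_ALL
u005,E. Nair,active,GL_POST;GL_APPROVE
u006,F. Mehta,disabled,AP_CLERK
"""

HR_LEAVERS_CSV = """user_id,last_working_day
u003,2024-03-15
u006,2024-02-28
"""

PRIV_REVIEW_CSV = """user_id,last_reviewed
u004,2023-09-30
"""

# Assumed segregation-of-duties matrix: role pairs one person must not hold.
SOD_CONFLICTS = {
    frozenset({"AP_CLERK", "VENDOR_MASTER"}),   # create a vendor and pay it
    frozenset({"GL_POST", "GL_APPROVE"}),       # post and approve own journal
}
PRIVILEGED_ROLES = {"SAP_ALL"}                   # assumed privileged role name
REVIEW_INTERVAL_DAYS = 90                        # assumed policy: quarterly review


def _rows(text):
    """Parse a CSV extract held in memory into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def terminated_but_active(access_csv, leavers_csv, as_of):
    """Leavers whose last working day is before as_of but whose account is still active."""
    leavers = {r["user_id"]: date.fromisoformat(r["last_working_day"])
               for r in _rows(leavers_csv)}
    return sorted(
        r["user_id"] for r in _rows(access_csv)
        if r["status"] == "active"
        and r["user_id"] in leavers
        and leavers[r["user_id"]] < as_of
    )


def sod_violations(access_csv):
    """Active users holding every role of at least one conflicting pair."""
    out = []
    for r in _rows(access_csv):
        if r["status"] != "active":
            continue
        roles = set(r["roles"].split(";"))
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                out.append((r["user_id"], tuple(sorted(pair))))
    return sorted(out)


def stale_privileged_reviews(access_csv, review_csv, as_of):
    """Active privileged accounts with no review evidence within REVIEW_INTERVAL_DAYS."""
    reviewed = {r["user_id"]: date.fromisoformat(r["last_reviewed"])
                for r in _rows(review_csv)}
    cutoff = as_of - timedelta(days=REVIEW_INTERVAL_DAYS)
    out = []
    for r in _rows(access_csv):
        if r["status"] == "active" and PRIVILEGED_ROLES & set(r["roles"].split(";")):
            last = reviewed.get(r["user_id"])
            if last is None or last < cutoff:
                out.append(r["user_id"])
    return sorted(out)


def run_review(as_of=date(2024, 3, 31)):
    """Run all three checks as of the period-end date and return the exceptions."""
    return {
        "terminated_active": terminated_but_active(USER_ACCESS_CSV, HR_LEAVERS_CSV, as_of),
        "sod": sod_violations(USER_ACCESS_CSV),
        "stale_priv": stale_privileged_reviews(USER_ACCESS_CSV, PRIV_REVIEW_CSV, as_of),
    }


if __name__ == "__main__":
    for check, exceptions in run_review().items():
        print(check, exceptions)
```

Each exception list is the raw material for a deficiency finding: a leaver still active points at the joiner-mover-leaver process, an SoD hit at role design, a stale review at the periodic access-review control. Note the disabled leaver (u006) is correctly not flagged, which is why the status column has to come from the system extract rather than from HR.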
How long it takes and what it costs
A standard IS audit for a single ERP environment runs 5–7 weeks. Multi-system, multi-location reviews go to 10–14 weeks. We bill on a milestone basis. Where ICFR is the trigger, we align with the financial-statement audit calendar.
Frequently asked questions
Is IS audit mandatory for non-listed companies?
Not mandatory across the board. Where Section 143(3)(i) ICFR reporting applies, the statutory auditor relies on IS-audit-equivalent procedures, so the work gets done either way. For banks, NBFCs and certain other regulated entities it is mandatory.
Can the same firm do statutory audit and IS audit?
Yes — ICAI permits this for non-listed entities. For listed companies, the position depends on the applicable auditor-independence rules. In either case we typically run a Chinese wall between the statutory audit team and the IS audit team.
Do you cover SOC 2 / ISO 27001 readiness?
Yes. The work overlaps significantly. We can scope the engagement to deliver both an IS audit report and a readiness document for the certification audit.
What’s tested for cybersecurity?
Identity & access, perimeter controls, endpoint hygiene, monitoring & response, vendor / outsourcing controls. We don’t do penetration testing in-house — we partner where pen-testing is required.
Talk to a partner.
A 30-minute call with a partner — no deck, no follow-up email blasts. Just a read on whether we’re the right team to run your IS audit.