Information system Control and Audit Module 6 – Part 2 1 Information Systems Auditing Defined Process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to achieved effectively and users resources efficiently. Ensuring that an organization complies with some regulation, rules or condition. E.g. A bank might have to comply with a government regulation about how much it can lend. A force that enables organizations to better achieve four major objectives: (i) Improve safeguarding of assets, (ii) Improved data integrity (iii) Improved system effectiveness (iv) Improved system efficiency 2 Assets Safeguarding Objective Information system assets of an organization include: Hardware, Software, facilities, people(knowledge), data files, system documentation and supplies. All assets must be protected by a system of internal control. E.g. 3 Hardware - can be damaged maliciously. Proprietary software and the content of data files – can be stolen or destroyed. Supplies of negotiable forms needs to be control. All these assets are often concentrated in one or a small number of locations, such as a single disk – safeguarding becomes an especially important objective for many organization. Data Integrity Objectives Data integrity is a fundamental concept in information system auditing. It is a state of implying data has certain attributes: completeness, soundness(reliable), purity and veracity(reality). If data integrity not maintained, an organization no longer has a true representation of itself or of events. If the integrity of an organization’s data is low, it could suffer from a loss of competitive advantage. Maintaining data integrity only at a cost. The benefits obtained should exceed the costs of the control procedures needed. 4 Data Integrity Objectives Three major factors affect the value of a data item to an organization and thus the importance of maintaining the integrity of that data item: The value of informational content of the data item for the individual decision. The extent to which the data items is shared among decision makers The value of the data item to competitors 5 If data is shared, corruption of data integrity affects not just one user but many. - The maintenance of data integrity becomes more critical. If the data is valuable to a competitor, its loss might undermine an organization’s position in the marketplace. Competitor could exploit the profitability of the organization and to bring about bankruptcy, takeover or merger. System Effectiveness Objectives Evaluating effectiveness implies knowledge of user needs. To evaluate whether a system reports information in a way that facilitates decision making by its users. auditors must know the characteristics of users and the decision –making environment. Effectiveness auditing often occurs after a system has been running for sometime. Post audit is conducted to determine whether the system is achieving its stated objectives. 6 This evaluation provides input to the decision on whether to scrap the system, continue running it, or modify it in some way. System Effectiveness Objectives Effectiveness auditing also can be carry out during the design stages of a system. 7 Reasons are: Users often have difficulty identifying or agreeing on their needs. Communication problems often occur between system designers and users. System is complex and costly to implement Management might want auditor to perform an independent evaluation of whether the design is likely to fulfill user needs. System Efficiency Objectives An efficient information system uses minimum resources to achieve its required objectives. Information system consume various resources: machine, time, peripherals, system software, and labor. These resources are scarce and different application systems usually compete for their use. There is no clear-cut answer whether a system is efficient. The efficiency of any particular system cannot be considered in isolation from other systems. Problems of sub-optimization occur if one system is “optimized” at the expense of other systems. 8 Dedication of a printer for a particular system. System Efficiency Objectives System efficiency becomes especially important when a computer no longer has excess capacity causing the performance of the application system degrades. Management must then decide whether efficiency can be improved or extra resources must be purchased. Extra hardware and software is a cost issue, management needs to know whether available capacity has been exhausted because individual application systems are inefficient or because existing allocations of computer resources are causing bottlenecks. Auditor are perceived to be independent, management might ask them to assist with or even perform this evaluation. 9 Effects of computers on internal controls The goals of assets safeguarding, data integrity, system effectiveness and system efficiency can be achieved only if an organization’s management sets up a system of internal control. Traditionally, major components of an internal control system include: Separation of duties Clear delegation of authority and responsibility Recruitment and training of high-quality personnel A system of authorization Adequate documents and records Physical control over assets and records Management supervision Independent checks on performance Periodic comparison of recorded accountability with assets. 10 Foundation of Information Systems Auditing Recognition of the need for an information system audit function comes from two directions: Auditors realized that computer had affected their ability to perform the attest function. Both corporate and information system management recognized that computers were valuable resources that needed controlling like any other key resource within an organization. Information system audit has been shaped by knowledge obtained from four other disciplines: 11 Traditional Auditing, Information System Management, Behavioral science and computer science. Foundation of Information Systems Auditing Traditional Audit Brings to information systems audit a control philosophy. The philosophy involves examining information systems with a critical mind, always with a view to questioning the capability of an information system to safeguard assets, maintain data integrity, and achieve its objectives effectively and efficiently. 12 Foundation of Information Systems Auditing Information Systems Management The early history of computer-based information systems shows some spectacular disasters. Massive cost overruns occurred and many systems failed to achieve their stated objectives. Researchers have been concerned with identifying better ways of managing the development and implementation of information system. Some important advances have been made. 13 E.g. Techniques of project management have been carried across into the information systems area with considerable success. Documentation, standards, budgets and variance investigation are now emphasized. Better ways of developing and implementing systems have been developed. Foundation of Information Systems Auditing These advances affect information systems auditing because they ultimately affect assets safeguarding, data integrity, system effectiveness and system efficiency objectives. Behavioral Science 14 Computer systems sometimes fail because their designers do not appreciate the difficult human issues that are often associated with the development and implementation of a system. E.g. Behavioral resistance to an information system can seriously undermine efforts to meet assets safeguarding, data integrity , system effectiveness, and system efficiency objectives. E.g. Disgruntled users could try to sabotage the system or to circumvent controls. Foundation of Information Systems Auditing Auditor must understand the conditions that can lead to behavioral problem and as a result, possible system failure. Behavioral scientists, especially organization theorists, have contributed much to our understanding of the “people problems” that can arise within organizations. Computer Science Computer scientists also have been concerned with how asset safeguarding, data integrity, system effectiveness, and system efficiency objectives might be better achieved. 15 Scientists conducted research on how to prove the correctness of software formally, build fault-tolerant computer systems, design secure operating systems and transmit data securely across a communications link. Foundation of Information Systems Auditing Technical knowledge that has been developed with the discipline of computer science provides both benefits and problems for auditor’s work. Auditors can now be less concerned about the reliability of certain components in a computer system. If this technical knowledge is used improperly, auditors might have difficulty detecting the abuse. 16 E.g. If a skills system programmer decides to perpetrate a fraud, it might be almost impossible for auditors to detect the fraud unless they have extensive knowledge of information system technology.