Module six - part 2 updated version
Download
Report
Transcript Module six - part 2 updated version
Information system
Control and Audit
Module 6 – Part 2
1
Information Systems Auditing Defined
Process of collecting and evaluating evidence to
determine whether a computer system safeguards assets,
maintains data integrity, allows organizational goals to
achieved effectively and users resources efficiently.
Ensuring that an organization complies with some
regulation, rules or condition.
E.g. A bank might have to comply with a government regulation
about how much it can lend.
A force that enables organizations to better achieve four
major objectives: (i) Improve safeguarding of assets, (ii)
Improved data integrity (iii) Improved system
effectiveness (iv) Improved system efficiency
2
Assets Safeguarding Objective
Information system assets of an organization include:
Hardware, Software, facilities, people(knowledge), data files, system
documentation and supplies.
All assets must be protected by a system of internal control.
E.g.
3
Hardware - can be damaged maliciously.
Proprietary software and the content of data files – can be stolen or
destroyed.
Supplies of negotiable forms needs to be control.
All these assets are often concentrated in one or a small number of
locations, such as a single disk – safeguarding becomes an especially
important objective for many organization.
Data Integrity Objectives
Data integrity is a fundamental concept in information system
auditing.
It is a state of implying data has certain attributes:
completeness, soundness(reliable), purity and veracity(reality).
If data integrity not maintained, an organization no longer has a
true representation of itself or of events.
If the integrity of an organization’s data is low, it could suffer
from a loss of competitive advantage.
Maintaining data integrity only at a cost. The benefits obtained
should exceed the costs of the control procedures needed.
4
Data Integrity Objectives
Three major factors affect the value of a data item to an
organization and thus the importance of maintaining the
integrity of that data item:
The value of informational content of the data item for the individual
decision.
The extent to which the data items is shared among decision makers
The value of the data item to competitors
5
If data is shared, corruption of data integrity affects not just one user but
many. - The maintenance of data integrity becomes more critical.
If the data is valuable to a competitor, its loss might undermine an
organization’s position in the marketplace. Competitor could exploit the
profitability of the organization and to bring about bankruptcy, takeover
or merger.
System Effectiveness Objectives
Evaluating effectiveness implies knowledge of user needs.
To evaluate whether a system reports information in a
way that facilitates decision making by its users.
auditors must know the characteristics of users and the
decision –making environment.
Effectiveness auditing often occurs after a system has
been running for sometime.
Post audit is conducted to determine whether the system
is achieving its stated objectives.
6
This evaluation provides input to the decision on whether to
scrap the system, continue running it, or modify it in some way.
System Effectiveness Objectives
Effectiveness auditing also can be carry out during the
design stages of a system.
7
Reasons are:
Users often have difficulty identifying or agreeing on their needs.
Communication problems often occur between system designers and
users.
System is complex and costly to implement
Management might want auditor to perform an independent
evaluation of whether the design is likely to fulfill user needs.
System Efficiency Objectives
An efficient information system uses minimum resources to
achieve its required objectives.
Information system consume various resources: machine, time,
peripherals, system software, and labor.
These resources are scarce and different application systems
usually compete for their use.
There is no clear-cut answer whether a system is efficient.
The efficiency of any particular system cannot be considered in
isolation from other systems.
Problems of sub-optimization occur if one system is “optimized” at
the expense of other systems.
8
Dedication of a printer for a particular system.
System Efficiency Objectives
System efficiency becomes especially important when a
computer no longer has excess capacity causing the
performance of the application system degrades.
Management must then decide whether efficiency can be
improved or extra resources must be purchased.
Extra hardware and software is a cost issue, management needs to
know whether available capacity has been exhausted because
individual application systems are inefficient or because existing
allocations of computer resources are causing bottlenecks.
Auditor are perceived to be independent, management might
ask them to assist with or even perform this evaluation.
9
Effects of computers on internal controls
The goals of assets safeguarding, data integrity, system effectiveness
and system efficiency can be achieved only if an organization’s
management sets up a system of internal control.
Traditionally, major components of an internal control system
include:
Separation of duties
Clear delegation of authority and responsibility
Recruitment and training of high-quality personnel
A system of authorization
Adequate documents and records
Physical control over assets and records
Management supervision
Independent checks on performance
Periodic comparison of recorded accountability with assets.
10
Foundation of Information Systems Auditing
Recognition of the need for an information system audit
function comes from two directions:
Auditors realized that computer had affected their ability to
perform the attest function.
Both corporate and information system management
recognized that computers were valuable resources that
needed controlling like any other key resource within an
organization.
Information system audit has been shaped by knowledge
obtained from four other disciplines:
11
Traditional Auditing, Information System Management, Behavioral
science and computer science.
Foundation of Information Systems Auditing
Traditional Audit
Brings to information systems audit a control philosophy.
The philosophy involves examining information systems with a
critical mind, always with a view to questioning the capability of
an information system to safeguard assets, maintain data
integrity, and achieve its objectives effectively and efficiently.
12
Foundation of Information Systems Auditing
Information Systems Management
The early history of computer-based information systems shows
some spectacular disasters.
Massive cost overruns occurred and many systems failed to achieve their
stated objectives.
Researchers have been concerned with identifying better ways of
managing the development and implementation of information
system.
Some important advances have been made.
13
E.g. Techniques of project management have been carried across into the
information systems area with considerable success. Documentation,
standards, budgets and variance investigation are now emphasized.
Better ways of developing and implementing systems have been
developed.
Foundation of Information Systems Auditing
These advances affect information systems auditing because
they ultimately affect assets safeguarding, data integrity, system
effectiveness and system efficiency objectives.
Behavioral Science
14
Computer systems sometimes fail because their designers do
not appreciate the difficult human issues that are often
associated with the development and implementation of a
system.
E.g. Behavioral resistance to an information system can seriously
undermine efforts to meet assets safeguarding, data integrity , system
effectiveness, and system efficiency objectives.
E.g. Disgruntled users could try to sabotage the system or to
circumvent controls.
Foundation of Information Systems Auditing
Auditor must understand the conditions that can lead to
behavioral problem and as a result, possible system failure.
Behavioral scientists, especially organization theorists, have
contributed much to our understanding of the “people
problems” that can arise within organizations.
Computer Science
Computer scientists also have been concerned with how asset
safeguarding, data integrity, system effectiveness, and system
efficiency objectives might be better achieved.
15
Scientists conducted research on how to prove the correctness of
software formally, build fault-tolerant computer systems, design secure
operating systems and transmit data securely across a
communications link.
Foundation of Information Systems Auditing
Technical knowledge that has been developed with the
discipline of computer science provides both benefits and
problems for auditor’s work.
Auditors can now be less concerned about the reliability of
certain components in a computer system.
If this technical knowledge is used improperly, auditors might
have difficulty detecting the abuse.
16
E.g. If a skills system programmer decides to perpetrate a fraud, it
might be almost impossible for auditors to detect the fraud unless
they have extensive knowledge of information system technology.