Internal control, as defined in accounting and auditing, is a process for providing assurance that an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies are achieved. As a broad concept, internal control involves everything that controls risks to an organization.
This book provides the most comprehensive and up-to-date survey of the field of information systems control and audit written to date, serving the needs of both students and professionals.
An information systems audit examines and evaluates the planning, organizing, and directing processes to determine whether reasonable assurance exists that objectives and goals will be achieved. Such evaluations, in the aggregate, provide the information needed to appraise the overall system of internal control.
The audit policy should lay down the responsibilities as follows: (1) the policy should lay out the periodicity of reporting and the authority to whom the reporting is to be made. The auditor may also carry out such tests as are necessary to gather the additional information needed to form an audit opinion.

This section does not apply to any information which is automatically generated solely for the purpose of enabling an electronic record to be dispatched or received.
Moreover, this section does not apply to any law that provides for the retention of documents, records or information in the form of electronic records.

Disgruntled employees: A disgruntled employee presents a threat since, with access to sensitive information of the organization, he may cause intentional harm to the information processing facilities or sabotage operations.
Errors: Errors, whether they result from technical reasons, negligence or otherwise, can cause significant integrity issues. A wrong parameter setting at the firewall that "allows" attachments instead of "denying" them may result in the entire organizational network being compromised by virus attacks.

Malicious code: Malicious code such as viruses and worms, which spread freely across unprotected networks, may affect organizational and business networks that rely on those unprotected networks.
Abuse of access privileges by employees: The security policy of the company authorizes employees, based on their job responsibilities, to access and execute select functions in critical applications.

Theft or destruction of computing resources: Since the computing equipment forms the backbone of information processing, any theft or destruction of these resources can compromise the competitive advantage of the organization.
Downtime due to technology failure: IS facilities may become unavailable due to technical glitches or equipment failure, and hence the computing infrastructure may be unavailable for short or extended periods of time. The criticality of the period for which the facilities are unavailable varies with the nature of the business and the critical business processes that the technology supports.

Thus, a data dictionary is a computer file about data.
Each computer record of a data dictionary contains information about a single data item used in a business information system. The data dictionary contains information about the identity of the computer programs or individuals permitted to access the data item for the purpose of file maintenance, upkeep or inquiry.
It also maintains the identity of the computer programs or individuals not permitted to access the data items. Because it maintains the information mentioned above, a data dictionary is useful for security. Accountants and auditors can also make good use of a data dictionary. For example, a data dictionary can help establish an audit trail because it can identify the input sources of data items, the computer programs that modify particular data items, and the managerial reports on which the data items are output.
When an accountant is participating in the design of a new system, a data dictionary can also be used to plan the flow of transaction data through the system.
Finally, a data dictionary can serve as an important aid when investigating or documenting internal control procedures. This is because the details about edit tests, methods of file security, and similar information can be stored in the dictionary.
The audit trail provides an important detective control that helps accomplish security objectives. Many operating systems allow management to select the level of auditing to be provided by the system; this determines which events will be recorded in the log.

Detecting unauthorized access to the system: Detecting unauthorized access can occur in real time or after the fact. The primary objective of real-time detection is to protect the system from outsiders who are attempting to breach system controls.
A real-time audit trail can also be used to report on changes in system performance that may indicate infestation by a virus or worm. Depending upon how much activity is being logged and reviewed, real-time detection can impose a significant overhead on the operating system, which can degrade operational performance. After-the-fact detection logs can be stored electronically and reviewed periodically or as needed.
When properly designed, they can be used to determine if unauthorized access was accomplished, or attempted and failed. Reconstructing Events: Audit analysis can be used to reconstruct the steps that led to events such as system failures, security violations by individuals, or application processing errors. Knowledge of the conditions that existed at the time of a system failure can be used to assign responsibility and to avoid similar situations in the future.
Audit trail analysis also plays an important role in accounting control. For example, by maintaining a record of all changes to account balances, the audit trail can be used to reconstruct accounting data files that were corrupted by a system failure.
Personal accountability: Audit trails can be used to monitor user activity at the lowest level of detail. This capability is a preventive control that can be used to influence behavior: individuals are less likely to violate an organization's security policy if they know that their actions are recorded in an audit log. Audit trails are also used to measure the potential damage and financial loss associated with application errors, abuse of authority, and unauthorized access by outside intruders.
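As an added illustration of the two audit-trail uses described above (after-the-fact detection of unauthorized access and reconstruction of events), not code from the page or the book, the script below reviews a constructed log in an assumed five-field format and flags a run of failed logins followed by a success, then rebuilds the ordered history of one file.

```python
from collections import defaultdict

# Constructed sample audit-trail lines (assumed format: timestamp user action object result).
AUDIT_LOG = """\
2024-03-01T08:01:10 alice LOGIN - SUCCESS
2024-03-01T08:02:44 alice READ payroll.db SUCCESS
2024-03-01T22:15:02 mallory LOGIN - FAILURE
2024-03-01T22:15:09 mallory LOGIN - FAILURE
2024-03-01T22:15:15 mallory LOGIN - FAILURE
2024-03-01T22:15:30 mallory LOGIN - SUCCESS
2024-03-01T22:16:01 mallory WRITE payroll.db SUCCESS
2024-03-02T09:10:00 bob READ ledger.db SUCCESS
"""


def parse(log):
    """Parse each line of the fixed five-field format into a dict."""
    events = []
    for line in log.splitlines():
        ts, user, action, obj, result = line.split()
        events.append({"ts": ts, "user": user, "action": action,
                       "obj": obj, "result": result})
    return events


def failed_then_success(events, threshold=3):
    """After-the-fact detection: report users whose LOGIN succeeded right after
    at least `threshold` consecutive failures (a common sign of guessing)."""
    streak = defaultdict(int)          # consecutive failures per user
    flagged = []
    for e in events:
        if e["action"] != "LOGIN":
            continue
        if e["result"] == "FAILURE":
            streak[e["user"]] += 1
        else:
            if streak[e["user"]] >= threshold:
                flagged.append((e["user"], e["ts"], streak[e["user"]]))
            streak[e["user"]] = 0       # a success resets the run
    return flagged


def reconstruct(events, obj):
    """Reconstruct events: the time-ordered list of who did what to one object."""
    ordered = sorted(events, key=lambda e: e["ts"])
    return [(e["ts"], e["user"], e["action"])
            for e in ordered if e["obj"] == obj and e["result"] == "SUCCESS"]


if __name__ == "__main__":
    ev = parse(AUDIT_LOG)
    print("suspicious logins:", failed_then_success(ev))
    print("history of payroll.db:", reconstruct(ev, "payroll.db"))
```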
Audit logs also provide valuable evidence for assessing both the adequacy of the controls in place and the need for additional controls.

Answer (a): Implementation of ERP. ERP implementation is a special event which integrates different business functions, personalities, procedures, ideologies and philosophies, and brings worthwhile and beneficial changes throughout the organization. It involves a considerable amount of time, effort, and valuable resources. The consultants should understand the needs of the users and the business realities, and design the business solutions keeping all these factors in mind.
It is the users who will be driving the implementation and therefore their active involvement at all stages of implementation is vital for the overall success of implementation.
Implementing such a change is known as customization. It is always better to satisfy user requirements and overall objectives within the available framework of the existing package, because any change in one functional module will have an adverse impact on the functioning of the other modules of the package. The employees will have to accept the new processes and procedures laid down in the ERP system. At the same time, these processes and procedures have to be simple and user friendly.
The above are the main issues that should be covered while drafting a contract. These issues are often poorly specified in reciprocal agreements. Moreover, they can be difficult to enforce under a reciprocal agreement because of the informal nature of the agreement.

Answer (a): Some of the advantages of continuous audit techniques are as follows: (i) Timely, comprehensive and detailed auditing: evidence is available sooner and in a more comprehensive manner.
The entire processing can be evaluated and analysed rather than examining only the inputs and the outputs. This also brings in the advantages of a surprise test.

The framework addresses the issue of control from three vantage points, or dimensions, as discussed below. Business objectives: To satisfy business objectives, information must conform to certain criteria that COBIT refers to as business requirements for information.
The criteria are divided into seven distinct yet overlapping categories that map onto the COSO objectives, namely effectiveness (relevant, pertinent, and timely), efficiency, confidentiality, integrity, availability, compliance with legal requirements, and reliability.
IT resources: these include people, application systems, technology, facilities, and data. IT processes: these are broken into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring. COBIT, which consolidates standards from 36 different sources into a single framework, is having a big impact on the information systems profession.
It is helping managers learn how to balance risk and control investment in an information systems environment. It provides users with greater assurance that the security and IT controls provided by internal and third parties are adequate. It guides auditors as they substantiate their opinions and as they provide advice to management on internal controls. This view has to be taken strictly from a technical point of view and must focus on the available measures that can prevent such an occurrence.
Finance has its own set of revenue numbers, sales has another version, and the different business units may each have their own version of how much they contributed to revenue. ERP creates a single version of the truth that cannot be questioned because everyone is using the same system. By having this information in one software system, rather than scattered among many different systems that can't communicate with one another, companies can keep track of orders more easily, and coordinate manufacturing, inventory and shipping among many different locations simultaneously.
ERP systems come with standard methods for automating some of the steps of the manufacturing process. Standardizing those processes and using a single, integrated computer system can save time, increase productivity and reduce headcount.
It can lead to reduced inventories of the materials used to make products (work-in-progress inventory), and it can help users to better plan deliveries to customers, thereby reducing the finished goods inventory at the warehouses and shipping docks. To really improve the flow of the supply chain, one needs supply chain software, but ERP helps too.
ERP can fix that problem. For instance, what general direction should the company take? Or what type of advertising campaign will best promote the new product line? These types of decisions are not as clear-cut as deciding how to debug a computer program or how to deal with an overdue account balance.
Also, it is not always obvious which data are required or how to weigh the available data in reaching a decision. For example, how does an executive assess the future direction of the economy if the six sources on which that person typically depends for information each forecast something different? Even the portfolio of decisions that need to be made by the executive is an open issue. Should time be spent, for instance, considering new businesses to enter, or should the company concentrate on looking for new markets for existing products?
For example, when the Arab oil embargo hit in the mids, no such previous event could be referenced for advice. Executives also work in a decision space where results are not scientifically predictable from actions. If prices are lowered, for instance, product demand will not automatically increase.
As conditions change, organizations must change also. It is the executive's responsibility to make sure that the organization stays pointed toward the future. Some key questions about the future include: "How will future technologies affect what the company is currently doing? What will the competition or the government do next? What products will consumers demand five years from now?"
aspects of Information Control and Security. Taking the initiative in dealing with these problems, the professional Organization I.S.A.C.A. (Information Systems Au.
GAO published a manual to provide auditors with guidance for evaluating internal controls over the integrity, confidentiality, and availability of data maintained in computer-based information systems. The manual's sections provide detailed guidance on evaluating and testing computer-related controls, including guidance on: (1) identifying the auditee's significant computer-supported operations, assessing the risk associated with these operations, and identifying the controls to be tested; (2) control objectives and commonly used control techniques, as well as audit procedures; and (3) common application control objectives and United States.