Overview of IS Controls, Auditing, and Security Fall 2005.

IS Auditing Versus Controls
- IS auditing is an organizational function that assesses whether computer systems safeguard assets, maintain data integrity, and help the organization achieve its goals efficiently and effectively
- Controls are measures for assuring the above; auditing verifies the effectiveness of the controls
- Controls are “the plan of organization and all the methods and measures to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies” (AICPA, USA)
- They can be preventive, detective or corrective
- They can be manual or automated

Auditing
- Auditing can be defined as “a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users”
- Auditing deals with assessing the reliability of controls
- IS auditing deals with controls over information processing operations

Traditional control mechanisms
- separation of duties
- controlling access to assets (e.g., lock and key)
- audit trail (capture of materials and data)
- capture and storage of events in multiple locations and time periods (duplication)
- Too many controls will reduce efficiency; too few controls will reduce effectiveness
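Two of the mechanisms on this slide, separation of duties and an audit trail, can be built directly into application code. The following is an added example, not code from the lecture: a toy payment-approval workflow in which the user who enters a payment may not approve it (a preventive control), and every attempted action, rejected ones included, is captured in an append-only audit trail whose records are hash-chained so that later edits or deletions are detectable (a detective control). The class and function names (Ledger, submit_payment, approve_payment, verify_trail) are assumptions made for this example.

```python
"""Separation of duties and a tamper-evident audit trail.

Added example, not code from the lecture. Class and function names are
assumptions made for this example.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first audit record


class ControlViolation(Exception):
    """Raised when a preventive control blocks an action."""


def _digest(record):
    """SHA-256 over the canonical JSON form of a record (without its digest)."""
    body = {k: v for k, v in record.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class Ledger:
    def __init__(self):
        self.payments = {}     # payment_id -> {"amount", "submitted_by", "approved_by"}
        self.audit_trail = []  # append-only list of chained records

    def _log(self, actor, action, payment_id, outcome):
        """Capture the event; each record carries the digest of its predecessor."""
        prev = self.audit_trail[-1]["digest"] if self.audit_trail else GENESIS
        record = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "payment_id": payment_id,
            "outcome": outcome,
            "prev": prev,
        }
        record["digest"] = _digest(record)
        self.audit_trail.append(record)

    def submit_payment(self, actor, payment_id, amount):
        if payment_id in self.payments:
            self._log(actor, "submit", payment_id, "rejected: duplicate id")
            raise ControlViolation("duplicate payment id")
        if amount <= 0:
            self._log(actor, "submit", payment_id, "rejected: invalid amount")
            raise ControlViolation("amount must be positive")
        self.payments[payment_id] = {"amount": amount, "submitted_by": actor, "approved_by": None}
        self._log(actor, "submit", payment_id, "ok")

    def approve_payment(self, actor, payment_id):
        payment = self.payments.get(payment_id)
        if payment is None:
            self._log(actor, "approve", payment_id, "rejected: unknown id")
            raise ControlViolation("unknown payment id")
        # separation of duties: preparer and approver must be different people
        if payment["submitted_by"] == actor:
            self._log(actor, "approve", payment_id, "rejected: separation of duties")
            raise ControlViolation("submitter may not approve own payment")
        payment["approved_by"] = actor
        self._log(actor, "approve", payment_id, "ok")

    def verify_trail(self):
        """Detective control: re-walk the chain. Returns the index of the first
        record whose digest or link is wrong, or -1 if the trail is intact."""
        prev = GENESIS
        for i, record in enumerate(self.audit_trail):
            if record["prev"] != prev or _digest(record) != record["digest"]:
                return i
            prev = record["digest"]
        return -1


if __name__ == "__main__":
    ledger = Ledger()
    ledger.submit_payment("alice", "PAY-1", 500)
    try:
        ledger.approve_payment("alice", "PAY-1")
    except ControlViolation as exc:
        print("blocked:", exc)
    ledger.approve_payment("bob", "PAY-1")
    print("trail intact:", ledger.verify_trail() == -1)
```

The rejected self-approval is itself an audit record, so the trail shows control attempts and not only successful actions. Copying the trail to a second location, as the slide's duplication point suggests, lets an auditor compare the two chains and locate exactly where one of them was altered.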

Effect of computers on controls and auditing
- No clear separation of duties
  - many different activities are placed in the same location, done at the same time, by the same unit (program)
  - multiple users use the program
  - decline in accountability (analyst? programmer? quality assurance? user?)
- Access to assets threatened
  - information systems concentrate the organizational assets (centralization)
  - several users (functional managers, technical people such as system administrators and programmers) have access; high potential for abuse
  - greater exposure of data assets due to communication networks

Effect of computers on controls and auditing
- Tighter integration as opposed to duplication
  - databases
  - workflow automation (ERP) systems
- Changes to evidence collection and evaluation procedures
  - query languages, cryptography, system design methods

IT control principles
- Focus should be on prevention rather than detection, because detection is expensive in a complex IT environment and the loss due to an error is significant
  - emphasis should be placed on the design stage
  - testing prior to production should be rigorous
- Use IT and its capabilities to tailor control procedures to the business process
  - manual control and audit procedures are likely to be ineffective in a sophisticated IT-driven system

IT control principles
- Processes that make extensive use of paper inputs and outputs are not less risky than more complex integrated computer-based systems; a properly constructed computer-based system can be far less risky than the former
  - loosely connected systems have more inputs and outputs that need to be checked than a tightly integrated system
- An electronic audit trail is as effective as or more effective than a paper-based audit trail
- It is better to “build in” controls rather than “build on” top of an existing process structure

IT Controls
- General (management) controls relate to the policies and procedures of data, program, hardware, security, and administrative management
- Application controls relate to the mechanisms embedded in application systems, e.g., data validation controls

Auditing around or through the computer
- Auditing around the computer
  - forming an audit opinion through examining inputs and outputs of applications
  - applications are treated as black boxes
- Auditing through the computer
  - forming an audit opinion by examining the processing logic and controls used by the application, and by limited testing of the inputs and outputs
- Open question: Assume that a firm uses off-the-shelf packaged software. Discuss which method is appropriate under what circumstances.
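The difference between the two approaches, and the data validation controls mentioned under application controls on the previous slide, can be made concrete with a small program. The following is an added example and not code from the lecture: a toy order-entry application whose processing embeds data validation controls, an audit_around() routine that treats the application as a black box and only reconciles inputs against outputs by repricing independently from the master file, and an audit_through() routine that pushes a test deck of transactions with known expected outcomes through the application's own logic to confirm each embedded control fires. The item codes, prices, field names, limits and transactions are all constructed for this example.

```python
"""Auditing around versus through the computer.

Added example, not code from the lecture. Item codes, prices, field names,
limits and the test transactions are constructed for this example.
"""
from datetime import date

# constructed master price file and reasonableness limit
PRICE_FILE = {"A100": 9.99, "B200": 24.50}
MAX_QTY = 1000


def validate_order(order, processing_date):
    """Data validation control embedded in the application.
    Returns the list of failed checks; an empty list means the order is accepted."""
    failures = []
    if order.get("item") not in PRICE_FILE:
        failures.append("item not in master file")
    qty = order.get("qty")
    if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
        failures.append("qty must be a positive integer")
    elif qty > MAX_QTY:
        failures.append("qty exceeds reasonableness limit")
    try:
        if date.fromisoformat(str(order.get("date"))) > processing_date:
            failures.append("order date is in the future")
    except ValueError:
        failures.append("order date is malformed")
    return failures


def process_order(order, processing_date):
    """The application under audit: price the order or reject it with reasons."""
    failures = validate_order(order, processing_date)
    if failures:
        return {"status": "rejected", "reasons": failures}
    return {"status": "accepted",
            "total": round(PRICE_FILE[order["item"]] * order["qty"], 2)}


def audit_around(orders, outputs):
    """Around the computer: the auditor sees only inputs and outputs and reprices
    every accepted order independently from the master file. Returns discrepancies."""
    discrepancies = []
    for order, result in zip(orders, outputs):
        if result["status"] != "accepted":
            continue
        if order.get("item") not in PRICE_FILE:
            discrepancies.append(("accepted unknown item", order))
        elif round(PRICE_FILE[order["item"]] * order["qty"], 2) != result["total"]:
            discrepancies.append(("pricing mismatch", order))
    return discrepancies


# test deck: (description, transaction, expected status), one case per control
TEST_DECK = [
    ("valid order",      {"item": "A100", "qty": 3,    "date": "2005-08-15"}, "accepted"),
    ("unknown item",     {"item": "Z999", "qty": 1,    "date": "2005-08-15"}, "rejected"),
    ("zero quantity",    {"item": "A100", "qty": 0,    "date": "2005-08-15"}, "rejected"),
    ("quantity as text", {"item": "A100", "qty": "3",  "date": "2005-08-15"}, "rejected"),
    ("oversized qty",    {"item": "B200", "qty": 5000, "date": "2005-08-15"}, "rejected"),
    ("future date",      {"item": "B200", "qty": 2,    "date": "2006-01-01"}, "rejected"),
    ("malformed date",   {"item": "B200", "qty": 2,    "date": "15/08/2005"}, "rejected"),
]


def audit_through(deck, processing_date):
    """Through the computer: run each test transaction through the application's
    own logic and record whether the observed outcome matches the expected one."""
    results = []
    for description, txn, expected in deck:
        observed = process_order(txn, processing_date)["status"]
        results.append((description, expected, observed, expected == observed))
    return results


if __name__ == "__main__":
    today = date(2005, 8, 29)
    for description, expected, observed, passed in audit_through(TEST_DECK, today):
        print(f"{'PASS' if passed else 'FAIL'}  {description}: expected {expected}, got {observed}")
```

The around-the-computer check only finds a defect that happens to show up in the batch it reconciles; it cannot tell whether the future-date or quantity-limit controls exist at all unless such an input occurs. The test deck exercises each control deliberately, which is why auditing through the computer gives more direct evidence about the controls themselves.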

IT Security
- IT security mechanisms are a subset of control mechanisms
- They address primarily compromise on one or more of the following dimensions of information:
  - Availability
  - Accuracy - free from mistake or error
  - Authenticity - being genuine or original
  - Confidentiality
  - Integrity - being whole, complete, uncorrupted
  - Utility - state of having value for some purpose
  - Possession - having ownership

Case 1 (Due on 8/29/2005)
- Consider the following summary of a Business Week commentary (Source: “Maybe We Should Call them Scammers,” Business Week, January 16, 1995, p. 32)
  - Which is more accurate, humans or machines? Although technology is capable of 100% accuracy, some stores average as low as 85% accuracy, according to investigators who are researching the accuracy of scanning technology. Retailers argue that the systems are more accurate than human clerks, and many retailers argue that the issue is being blown out of proportion. Retailers say the problems are primarily attributable to the failure to enter data into scanner computers, especially when prices change.
- To do: Suggest at least two control policies and procedures that retailers could implement to reduce the problem alluded to in the above description. For each control, discuss the salient strengths and weaknesses.
- Solutions that offer automated and preventive control mechanisms will get higher points