Information systems audit: objective and reasons to implement it

Anonim

Introduction

This article covers Information Systems Auditing. It begins by defining what an audit is and some of the types that exist. It then discusses information systems in organizations: their characteristics, the process they follow and how they are classified.

Once the bases of these two parts have been established, they are brought together to define Information Systems Auditing in organizations. The objectives that this process pursues are mentioned, as well as reasons to implement it in a company.

Mention is made of the bodies that have standardized this process, and finally a general method for carrying it out is proposed.

Information systems audit

Before discussing what the Audit of Organizational Information Systems is, I consider it necessary to define the concepts separately. In this way we will move from the general to the specific and obtain a clearer vision of the subject.

Audit

The first term to define is Audit. According to ISO 19011, Audit is: “the systemic, independent and documented process to obtain evidence and evaluate it objectively in order to determine the extent to which the established criteria are met” (ISO, 2012).

There are audits of different types that are applied to companies, each of which is regularly done by area. For example, there are tax, accounting, financial, social, quality, operations audits, among others.

Organizational Information System

The second definition to mention is that of an Information System, known by its initials as SI. An information system is a set of interrelated elements that processes data so that it can be useful in the activities of organizations.

Within an SI there is an interaction between people, data, software and hardware or, where these are not available, physical databases that function as registers, in addition to other means of communication and technology, accompanied by company rules and regulations.

The process carried out by an information system consists of four phases:

  • Input
  • Storage
  • Processing
  • Output

Data entry occurs when the desired data is recorded. Storage refers to the activity of storing data in a database, either physically or electronically (on a computer). The next phase is data processing, in which the data is transformed into useful information. Finally comes the output; this phase delivers the information that will be used for decision making.

Data alone has no value for companies until it is analyzed and processed; the information obtained generates important knowledge. For this reason, information systems must be of quality.

The main characteristics that the information must have in a business support system are the following:

  1. The information must be available at the desired time, neither before nor after, so that it can be used without delay.
  2. The information must always be real, without alterations and without errors.
  3. The information is protected and is managed by trusted people.

Due to the great usefulness of Information Systems, they are implemented with different objectives within a company.

They exist for commercial, production, financial and administrative purposes. Examples of each of them are:

  • Business system: used to plan purchases, sales and inventory control.
  • Production system: purchase of materials, contact with suppliers, planning of orders, manufacturing costs.
  • Accounting system: used to make projections, budgets, financial ratios and fiscal control.
  • Payroll system: integrates payroll, IMSS, Afore and insurance.

Organizational Information Systems Audit

This activity is defined as: "The verification of controls in information processing, systems development and installation with the aim of evaluating their effectiveness and presenting recommendations to Management" (Naranjo, 2005).

It consists of verifying and evaluating controls, but also systems and processes for the treatment of company information.

Goals

The objectives of this audit are:

  • Safeguard the assets used for data processing, avoiding theft, destruction and inappropriate use.
  • Maintain the integrity of the data.
  • Through the contribution of the information that is handled in the company, achieve organizational goals.

Reasons to implement an audit

Situations that could indicate the need for an audit are (Ynfante, 2010):

  1. Considerable and unjustified increase in the budget of the PAD (Department of Data Processing).
  2. Lack of information in areas of the company.
  3. Total or partial lack of logical and physical safeguards that guarantee the integrity of personnel, equipment and information.
  4. Discovery of fraud carried out with the computer.
  5. Lack of planning due to lack of timely information.
  6. Discontent of customers due to deadlines and poor quality of results.

The bodies that deal with the control and audit of SI

Some of the main bodies that serve as sources of standards for conducting audits are:

  • ISACA - Information Systems Audit and Control Association
  • ISO - International Organization for Standardization
  • NIST - United States National Institute of Standards and Technology

Methodology

There are currently three types of audit methodologies: ROA (risk oriented approach), checklists or questionnaires, and product auditing.

The methodology presented below is the most widely used and general. The whole process is divided into three parts: Planning, execution and opinion.

Planning the audit of a company's information system begins with identifying the origin of the audit, that is, the point from which it has to start, after which a preliminary visit to the area should be made. Next, the objectives to be achieved are established, the points that will be evaluated in the audit are determined, and plans, programs and budgets for its implementation are prepared. Then the methods, tools, instruments and procedures necessary for the audit must be identified and selected, and the resources and systems that will be useful for the audit must be assigned.

The second part is the execution. Here the actions programmed for the audit are carried out and the established instruments and tools are applied. If required, documents describing the opportunities for improvement that were found are prepared, and the analysis of the information obtained continues.

Among the techniques and tools that can be used are: observation, interviews, questionnaires, surveys, checklists and inventory controls.

The third and last part is the opinion. In this phase the results obtained are presented.

Conclusion

The audit of Organizational Information Systems is very important. Unfortunately, many companies view this process as a mandatory requirement that makes them waste time and money, when the reality is that it helps organizations stay on track towards their objectives. The information that a system provides is a key resource for the company to plan the future, control the present and evaluate the past.

The information systems audit can be carried out by a person external to the company or by an internal employee, as long as that person is objective.

It is important that the results obtained are followed up at the end of the audit, since if no attempt is made to solve the problems found, the objective of carrying it out would not be met.

Some multinational companies, such as Toyota, use the audit process periodically, since they are interested in keeping their Information System working properly; a failure would mean the loss of customers and of the good reputation they have achieved.

References

  • ASF. (2014). Retrieved on September 7, 2015, from the Superior Audit of the Federation: http://www.asf.gob.mx/
  • INCAP. (2011). Retrieved on September 7, 2015, from INCAP: http://www.incap.int/sisvan/index.php/es/acerca-de-san/conceptos/sistema-de-vigilancia
  • ISO. (2012). Retrieved on September 7, 2015, from the Spanish Association for Quality: http://www.aec.es/web/guest/centro-conocimiento/une-en-iso-19011
  • López, A. (2013). Retrieved on September 7, 2015, from UV: http://www.uv.mx/personal/artulopez/files/2012/10/07-Auditoria-de-SI.pdf
  • Naranjo, A. (2005). Systems audit. Retrieved on September 7, 2015, from galeon.com: http://anaranjo.galeon.com/
  • Solarte, F. (2011). Retrieved on September 6, 2015, from Systems Auditor: http://auditordesistemas.blogspot.mx/
  • Yañez, C. (October 2011). Retrieved on September 7, 2015, from OLACEFS: http://www.olacefs.com/wp-content/uploads/2014/08/1erlugar.pdf
  • Ynfante, R. (2010). Retrieved on September 7, 2015, from monografías.com: