Organizational information systems audit

Anonim

FUNDAMENTALS OF ADMINISTRATIVE ENGINEERING

EVERYTHING UNDER CONTROL

AUDIT

(FCA-UNAM, 2008) explains that the concept of auditing can be understood as the examination of an entity's financial statements, in order for the person responsible to issue an opinion on the reasonableness of the figures that emanate from them.

However, (García, 2001) tells us that the word audit has frequently been used incorrectly and has been treated as an evaluation whose sole purpose is to detect errors and point out flaws. As a result, the phrase "has an audit" is used as a synonym for faults having already been found before the audit is carried out, which is why the audit is being carried out.

Therefore, this author indicates that the audit is not only responsible for detecting errors, but is the critical examination that is carried out in order to evaluate the efficiency and effectiveness of a section or an organism, and to determine alternative courses of action to improve the organization and achieve the proposed objectives.

On the other hand, this author points out, citing the New Spanish Dictionary Sopena, that the audit is carried out based on norms, procedures and techniques formally defined by institutes established at national and international level; that the word audit comes from the Latin "auditorius", from which comes "auditor", the one who has the virtue of hearing; and that the auditor is precisely defined as the "collegiate auditor".

Audit is a systematic, independent and documented process to obtain records, statements, facts or any other relevant, verifiable and useful information, to be evaluated in order to determine the extent to which the set of policies, procedures or requirements used as the reference against which the objective evidence is compared is fulfilled (Galindo, 2013).

(Brito & Solís, 2008) explain that the main reasons for maintaining an adequate Internal Control System within an organization are the following:

  • Maintain efficient administrative control.
  • Comply with government requirements.
  • Comply with the responsibility of presenting reliable financial information to third parties.

In conclusion, from the previous definitions of auditing, it can be said that this is a control tool through which a deep and exhaustive review of all the processes, policies and regulations of a company is carried out to verify that they are carried out as established. This is done in order to detect errors in a timely manner and to evaluate the efficiency and effectiveness of the audited section within the organization. With the audit it is expected that the person in charge of carrying it out will issue recommendations for the organization to work efficiently and thus make its procedures fully suitable for its functions.

CLASSIFICATION OF AUDIT TYPES

(Galindo, 2013) explains that the audit is classified as:

  • AUDIT BY THE AUDITOR'S ORIGIN
  1. External audit
  2. Internal audit
  • AUDIT BY ITS AREA OF APPLICATION
  1. Financial audit
  2. Administrative audit
  3. Government audit
  4. Computer audit
  • COMPUTER AUDIT
  1. Audit with the computer
  2. Audit without the computer
  3. Audit to the computer management
  4. Audit to the computer system
  5. Audit around the computer
  6. Audit of the security of computer systems
  7. Audit to the network systems
  8. Comprehensive audit to the computer centers
  9. Audit to the computer systems
  10. Audit of computer science systems

INFORMATION SYSTEMS

(Rodríguez, 2014) argues that information systems have developed profoundly from the 1950s to the present day; over time they have become a valuable tool within organizations, improving efficiency and increasing productivity.

Today there are no public or private companies that do not carry out their activities through the use of a computer. The technological revolution has raised the need to ensure that such information systems are as accurate and reliable as possible, especially in financial information processing. One of the main challenges of modern auditing is to adequately and efficiently evaluate and control business management using computer tools.

(Brito & Solís, 2008; Rodríguez, 2014) argue that an information system (IS) can be defined as the set of elements or components through which information can be entered, stored and presented for timely and efficient decision-making. Speaking of information systems does not necessarily mean speaking of computers or computing.

There are four groups of IS according to the hierarchical levels of the organization:

  1. Operating level systems: directly related to the operational and transactional processes of an organization. Within this level are the transaction processing systems. They are characterized by being easy to use and carrying out simple transactional processes; their queries and reports are limited in structure, and their users are the employees and heads of the primary level of the organization.
  2. Knowledge level systems: they are related to the secondary level of the organization. The purpose of these systems is to help develop, process, order and interrelate the flow of information and new knowledge of the organization.
  3. Administrative level systems: they focus on the monitoring, directing, controlling and decision-making activities of the middle-level bosses. Here are the decision support systems, such as systems for cost analysis, production analysis, sales analysis and profitability. They are characterized by presenting periodic information for analysis, and they generally relate internal and external variables to produce results that help management make effective and timely decisions.
  4. Strategic level systems: they support long-term strategic decision-making, considering the proposed policies and goals in relation to the external environment of the organization, so that decisions can be made that improve competitiveness. They are easy to use, flexible and do not require the user to have complex computer skills. Their main feature is the analysis of data from other systems (transactional and administrative) through the modeling of tables or cubes of information, from which easy-to-use tables and summaries of information are obtained.

Organizations depend on information systems to such an extent that strategies and organizational planning are determined by the growth capacity, flexibility and capacity of their IS.

The incorporation of information technology within the productive processes of an organization can become a competitive advantage, allow them to be more efficient and give them the ability to develop products and services of lower quality.

COMPUTER AUDIT

(Rodríguez, 2014) explains that knowledge management is not something new. Many companies have in recent years sought to implement programs to achieve this objective; they have opted for information technologies, and the different solutions provided by software have been giving something to talk about.

However, most of these programs have focused on the implantation of intranets that try to facilitate communication between people and document all the processes of the organization, in addition to making the evaluation statistics and indicators available to two employees.

It is clear that knowledge is very difficult to manage, but the information that is available can be managed. For this reason, information plays a relevant role and forms the basis of a knowledge management strategy.

Proper information management is an essential element. Companies have incorporated information technologies as a central part of their information systems, to the extent of equating them with the company computer system; however, this has rarely been carried out correctly.

Information or Computing Audit is a process that helps detect, control and evaluate the information existing in an organization and its flows, the use made of the information and its adaptation to the needs of the personnel. In this way the uncertainty about what the organization has and where it is located will be resolved, which will help to identify:

  • Duplications: units of the same organization sometimes keep the same information independently.
  • Deficiencies: sometimes, if the information is not shared, gaps are found that are detrimental to the proper functioning of certain business units within the entity.
  • Inconsistencies: keeping the same information independently can lead to disparate information.

The audit also makes it possible to diagnose what use is made of the information and, ultimately, the importance given to it. This will give the possibility of knowing who uses it in each case and for what purpose, thus identifying critical points in the value chain where the use of this information is essential.

On the other hand, (Brito & Solís, 2008) argue that computerized internal control is a subsystem within the organization's internal control system and includes all the administrative and systematized processes within an organization, the objective of which is to guarantee control and security of computer resources for efficient, effective and economic operational management.

The objectives of the computerized internal control could be divided into general and specific.

Among the general objectives we have:

  • Compliance with the policies and procedures established by senior management and other legal regulations related to the use of technology.
  • Serve as support to senior management for the control of computer resources and as audit trails for the internal audit function or external auditors.
  • Ensure adequate management of the PED function, the quality of the IT service and user satisfaction.

While among the specific objectives we have:

  • Compliance with the organization's computer planning.
  • Maintain control of changes made to the Information Systems.
  • Ensure access to information only to authorized personnel.
  • Ensure the quality of development and maintenance of information systems.
  • Protect the systems against computer attacks from the internet (hackers) and minimize the risk of virus infection.
  • Keep licenses and contracts in order for the use of systems and applications.

There are various methodologies for the implementation of computer controls, based on different international standards. They can be classified into two large groups: quantitative and qualitative.

  1. Quantitative methodologies: they are based on the use of mathematical models for risk analysis, in which a probability of occurrence is assigned to each risk. Then, using sophisticated simulations, the degree of risk to which the organization is exposed and the controls to be implemented to reduce risk can be established.
  2. Qualitative methodologies: they are based on the experience and capacity of the professional in charge of implementing computer controls. They use unsophisticated statistical methods to identify potential threats within the organization and then select mechanisms for responding to such threats.

In conclusion, the computer audit is the systematized review of the computer systems, hardware, software and information of an organization, as well as the environment: work area, networks and telecommunications, with the purpose of safeguarding the integrity of the data. The auditor in charge of carrying out this type of audit must be an expert in the area of computer systems who assesses and verifies the most complex computer controls and procedures, developing and applying audit techniques to verify the efficacy, utility, reliability and safety of equipment and information.

PHASES OF THE INFORMATION AUDIT

(Serrano & Zapata, 2003) describe the phases of the information audit as follows:

  1. Planning: in this stage the objectives are defined, along with the starting point and how far you want to go. The tasks carried out in this stage include identifying the key people, the magnitude of the project and the location of resources, and developing the action plan for implementation, a strategic plan and a business plan.
  2. Data collection: at this stage the information to be received is prepared, databases are developed, interviews are conducted, etc.
  3. Data evaluation: gaps and duplicates are found. This serves to interpret the flow of information, assess problems, make recommendations, and develop an action plan for change.
  4. Once the previous stage is over, the recommendations for addressing the irregularities detected must be communicated and the work carried out explained. Thus, the organizational and corporate environment will have information on the results.
  5. Implement the recommendations: an implementation program must be developed, changes in the formal plans must be incorporated and the post-implementation strategy must be developed.
  6. Once the changes have been made, you must be aware of the need for continuous monitoring, measure and assess the changes, and plan a cyclical information audit cycle.

COMPUTER AUDIT IN ORGANIZATIONS

(Galindo, 2013) argues that the computerized internal control and its audit make it possible to manage and make profitable the information systems in the most efficient way, optimizing, in short, results.

The author mentions that there are currently three types of Computer Audit methodologies:

  1. ROA (RISK ORIENTED APPROACH), designed by Arthur Andersen.
  2. CHECKLIST or questionnaires.
  3. PRODUCT AUDIT (for example, Windows NT Local Network; DB2 Database Management systems; RACF security package, etc.).

The three methodologies are based on the minimization of risks, which is achieved when controls exist and work. Consequently, the auditor should review these controls and their operation.

Of these three methodologies, the most suitable for SME Auditing is CHECKLIST. In conclusion, to achieve homogeneous results it is important that the personnel most expert in the subject of auditing adapt or take into account the audit points.

CHECKLIST METHODOLOGY

(Galindo, 2013) explains that the checklist, or verification list, is one of the simplest, most comfortable and easiest methods of compiling and evaluating audits, due to the simplification of its preparation, the convenience of its application, and the ease of finding deviations, which makes it one of the most reliable and usable tools for any revision of computer systems; likewise, it is applied both for the systems area, for administrative management or for any other IT function.

This tool consists of the preparation of an ordered list in which all the aspects to be reviewed are noted: the operation of a system, its components, the development of an activity, the fulfillment of an operation or any other aspect related to the evaluation of the systems area. This list is complemented by one or more columns in which compliance with the evaluated aspect is rated. Compliance is usually marked with a tick, while noncompliance is crossed out or left blank. With this, compliance or non-compliance with the evaluated aspect is identified at a glance.

The checklist can be designed in two columns: the concept and compliance or non-compliance, or in several columns: one for the concept and the others to choose a rating, each column representing a degree of compliance with the concept.

The checklist is a widely used technique in the field of computer auditing. It is nothing more than a verification list or questionnaire, which follows certain guidelines depending on what we are evaluating or what objectives we want to achieve.

The auditor creates a checklist to evaluate a computer system (be it a company, a business, an individual…) and draw conclusions, guided by the responses that the client has given through the questionnaire or checklist.

There are mainly two types of checklists, depending on the type of response that must be given to the questions that are asked.

  1. Range checklist: In the answers, the client will have to enter a number within a given range. For example, when asked whether they are satisfied with the work of the company's employees, they must answer with a score between a minimum and a maximum. The response range may vary, depending on the auditor or the question that is asked (In our tool, 0 if you are not at all satisfied and 5 the maximum).
  2. Binary checklist: This type uses true and false answers (1 and 0 respectively). Only those two values can be answered regardless of the question (Computer Audit, 2007).

In conclusion, the checklist is a tool designed for the collection of information, which helps the auditor to simplify and easily find deviations in the review of the computer systems area. This type of method consists of the elaboration of an ordered list of all the aspects that have to be reviewed of the operation of a system such as: the review of its components, the development of an activity, the fulfillment of an operation or any other aspect related to the evaluation of the systems area.

A checklist can be designed in two types of format, the first is a two-column format or also called a binary checklist and the second is a multi-column format, also known as a range checklist, which are intended to collect information.

CHECKLIST METHODOLOGY EXAMPLES

Verify the proper functioning and compliance of the computer network, as well as the inclusion of its components, its application and use.

| Concept description | Complies |
| --- | --- |
| The network installation is flexible and adaptable to the needs of the company. | |
| The network component list contains all the hardware required for proper operation. | |
| The network component list contains all the software required for proper operation. | |
| The computer network is used to the maximum in the company. | |
| The configuration of network resources is the best for the correct use of the company's computer systems. | |
| There are levels and security in the network. | |

Figure: Example of a Two Column Check. Source: (Galindo, 2013)

Verify security in the computer center and rate each concept according to its degree of compliance.

| Concept description | 100% Excellent | 80% Complies | 60% Minimum | 40% Poor |
| --- | --- | --- | --- | --- |
| 1.- Assessment of security in access to the system | | | | |
| Evaluate system access attributes | | | | |
| Assess system access levels | | | | |
| Evaluate system password management | | | | |
| 2.- Assessment of security in access to the physical area | | | | |
| Evaluate staff access to the computer center | | | | |
| Evaluate the access of users and third parties to the computer center | | | | |
| Evaluate the administration of the physical access log to the systems area. | | | | |

Figure: Example of Multi-column Check. Source: (Galindo, 2013)
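
The two checklist formats above can be tallied with the same logic. The following is an added example, not taken from Galindo or any cited source: it normalizes binary (0/1), range (0 to 5) and multi-column (100/80/60/40) answers to one compliance scale, averages them per section and lists the deviations. The section names, the sample answers, the 0.8 deviation threshold and the decision to report blank rows separately are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Answer scales taken from the text: binary (0/1), range (0-5) and the
# percentage columns of the multi-column figure (100/80/60/40).
SCALES = {"binary": (0, 1), "range": (0, 1, 2, 3, 4, 5), "percent": (40, 60, 80, 100)}


@dataclass
class Item:
    section: str
    concept: str
    kind: str               # key of SCALES
    answer: Optional[int]   # None = the row was left blank


def normalise(item: Item) -> Optional[float]:
    """Map an answer to 0.0-1.0 compliance; reject values outside the scale."""
    if item.answer is None:
        return None
    scale = SCALES[item.kind]
    if item.answer not in scale:
        raise ValueError(f"{item.answer!r} is not valid for a {item.kind} checklist")
    return item.answer / max(scale)


def evaluate(items, threshold=0.8):
    """Return (mean compliance per section, deviations, unrated concepts).

    threshold is an assumed cut-off: any rating below it is a deviation.
    """
    scores, deviations, unrated = {}, [], []
    for item in items:
        score = normalise(item)
        if score is None:
            unrated.append(item.concept)   # reported, not silently scored
            continue
        scores.setdefault(item.section, []).append(score)
        if score < threshold:
            deviations.append((item.section, item.concept, score))
    means = {name: round(sum(v) / len(v), 2) for name, v in scores.items()}
    return means, deviations, unrated


# Constructed answers for concepts from the two figures and the range example.
SAMPLE = [
    Item("System access", "Evaluate system access attributes", "percent", 100),
    Item("System access", "Assess system access levels", "percent", 80),
    Item("System access", "Evaluate system password management", "percent", 40),
    Item("Physical access", "Evaluate staff access to the computer center", "percent", 60),
    Item("Physical access", "Evaluate the physical access log", "percent", None),
    Item("Network", "There are levels and security in the network.", "binary", 0),
    Item("Staff", "Satisfaction with the work of the employees", "range", 4),
]

if __name__ == "__main__":
    means, deviations, unrated = evaluate(SAMPLE)
    for section, mean in means.items():
        print(f"{section}: {mean:.0%}")
    for section, concept, score in deviations:
        print(f"DEVIATION [{section}] {concept} ({score:.0%})")
    for concept in unrated:
        print(f"NOT RATED {concept}")
```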

CONSULTED REFERENCES

  • Brito, J., & Solís, G. (2008). Analysis and Use of Information Systems for an efficient management control audit. Retrieved from https://www.dspace.espol.edu.ec/bitstream/123456789/1901/1/3786.pdf
  • FCA-UNAM. (2008, August). Computer Audit. Retrieved from http://fcasua.contad.unam.mx/apuntes/interiores/docs/98/8/audi_infor.pdf
  • Galindo, MA (2013). The computer audit in SMEs. Retrieved from http://cdigital.uv.mx/handle/123456789/34459
  • García, JAE (2001). Computer audit. McGraw-Hill.
  • Rodríguez, N. (2014). Organizational Information Systems Audit. Retrieved from http://www.auditorescontadoresbolivia.org/archivos/3.auditoriadelossistemasdeinformacion organizacionalimportancia.pdf
  • Serrano, S., & Zapata, M. (2003). Information audit, starting point of knowledge management. The Information Professional, 12 (4), 290–297.