
Audit and control of information systems in technology

Anonymous

DEFINITIONS

Any transfer of information throughout the company ends up blurring the message. That is why it is necessary in the future that companies have few management layers, although with great skill in handling information.

For this, we need professionals with updated knowledge, because the information, as you well know, becomes obsolete with incredible speed.


Peter Drucker

As Peter Drucker noted, information is often blurred on its journey to the end users, and this is why the information systems audit arises. The information systems audit helps us verify the current state of the company's information systems; to better understand its function, it is necessary to go back to the root of the words that name it. The following diagram shows the definition of each of its parts:

So an information system is an organized set of elements (people, data, activities or material resources in general) that interact with one another to generate information, which in turn can serve as a basis for knowledge.

The audit of information systems is concerned with the way in which these elements are obtained and with their security within the system.

In the midst of the information age, companies have realized the importance that information plays within their organization, so they seek the best way to protect it and to verify that it is genuine and fulfills its function of reporting correctly to the right people. That is why the general audit specialized and gave way to the computer audit and, even more specialized, to the audit of information systems, which covers all the information that interacts within the organization and affects it.

Classification of the audit

All information is important if it is connected to another.

Umberto Eco

The audit is understood as a systematic process consisting of obtaining and objectively evaluating evidence about assertions concerning acts and economic events, in order to determine the degree of correspondence between those assertions and established criteria; that is, to verify the truth of what is stated. The beginnings of the audit lay mainly in financial accounting, since that was what most interested the owner of a company. The capitalist society of the industrial era was very concerned with this economic aspect and neglected other aspects of the organization, but with the passage of time and technological advances the audit branched out, generally in the following way:

Based on this generic classification, we can say that the financial audit was the origin; it later gave rise to the operational audit because of the scope and importance that users of the audit report place on certain operational areas of the company, making the audit even more specialized.

Thus, financial auditing examines the financial statements, and the corresponding records and operations, in accordance with generally accepted international auditing standards, to determine compliance with generally accepted accounting principles and thus give a sense of reliability to the finances.

On the other hand, operational auditing is a systematic examination of the activities of an organization (or a stipulated segment thereof) in relation to specific objectives, in order to evaluate performance, point out opportunities for improvement and generate:

  • Recommendations for improvement or to enhance the achievement of objectives

Information systems auditing belongs to the branch of operational auditing. It is in charge of evaluating the standards, technical controls and procedures that a company has established to achieve reliability, timeliness, security and confidentiality of the information processed through its information systems.

Because most information systems are governed or supported by technology, this is a main area on which much emphasis is placed, and the auditor relies on coordination with people specialized in computer science to achieve a correct evaluation and thus a good report that provides the necessary information to those interested.

Types of information systems:

There is a principle that resists all information, that resists all investigation, that never fails to keep man in perennial ignorance… It is the principle of dismissing what has not been investigated.

Herbert Spencer

To better understand the various types of information systems, the elements that make up an information system must be understood; these are detailed in the following diagram:

Thus, information systems can be classified according to the people who make them up, the type of information that is available and its origin, and the resources or means by which it can be created.

Based on the people involved, they can be grouped as internal and external, and further in the following form.

They can also be grouped by the level of decision-making that the information supports.

Nor can we forget the means used within the information system, whether internal or external; these are very varied and may be the following:

Advanced information systems

The more information you have, the more mental links you build, and as a consequence, your memory becomes more solid.

Tony Buzan

By advanced information systems, in this chapter we refer to all those computer systems that collect information from each area of the company through different processes, for its correct application in systems that form part of the specialized software architecture for decision-making in each area.

An example of the scheme of these advanced information systems is presented in the following image:

We will find a system made up of several layers or levels stacked on top of one another, and certain risks may occur that must be considered in our analysis, as we will see later. These layers are:

  1. Physical infrastructure. The first layer basically contains the material elements, the hardware: mainframe, peripheral systems, servers, communications systems, PCs, etc.

  2. Operating systems. On the previous layer, to make the physical elements and the rest of the software work, the operating systems (OS) are located. The main OS used in medium and large entities are UNIX-Linux (in its different versions), MS Windows Server (also with several versions) and Windows XP-Vista on workstations.

  3. Base IT systems. The next layer, which works on the OS, we will call base IT systems. This term includes a great diversity of possible platforms supporting the applications of the next level: database management systems (DBMS; the most used are Oracle Database, DB2 and MS SQL Server), integrated application base components, and more technical systems such as middleware (SAP Basis, NetWeaver, Oracle Fusion, IBM WebSphere), which allows the integration of many different applications and systems.

  4. Business applications or management applications. This level contains the automated elements of the entity's processes: the computer applications themselves that support the business processes and the main lines of activity of the entity. Here you can find many applications available on the market; the most common ones are based on Oracle E-Business Suite, SAP R/3, SAP ERP 6.0 or Microsoft Dynamics. All of them, whether in a standard configuration, adapted, or developed in-house, work on the DBMS and base components included in the preceding layer.

  5. Business processes or management processes. The entity's main processes, presented by activity area and subdivided into sub-processes and individual activities. They are supported by the computer applications of the previous level.

As is clear from the diagram and this brief explanation of the structure of an information system, the different layers or levels are interrelated, and risks and weaknesses in one of them can affect the system as a whole and consequently have an impact on the annual accounts, which reflect the economic and financial activity of an entity during a fiscal year.

To minimize these risks, the auditor must thoroughly analyze the entire information system with an appropriate methodology, such as that proposed in this work.

In a more graphic way, although substantially similar, to the diagram represented in the figure

Objective of the information systems audit

Information is an art. How to capture. How to discard. Because there is in the news, in the rumor, in all those things an action on which you have to decide. It is necessary to isolate what is not convenient and to send only what is convenient for it to arrive, because otherwise error and false appreciation are being induced.

Juan Domingo Perón

The final objective of the systems auditor is to make recommendations to senior management to improve or achieve adequate internal control in information technology environments, in order to achieve greater operational and administrative efficiency. This is pursued through the following specific objectives:

  • Participation in the development of new systems, seeking an evolution coordinated with new technologies and supporting their protection and efficiency in the field.
  • Security assessment in the computer area, from data entry to the concentration of information, so that it generates knowledge for users.
  • Evaluation of the sufficiency of contingency plans, based on their capacity, their reaction and their ability to adapt.
  • Backups, seeking to anticipate what will happen if failures occur.
  • Opinion on the use of computer resources, based on company policies and the auditor's criteria.
  • Protection and safeguarding of assets, verifying the assignment of locations and of those responsible in this area.
  • Modification control of existing applications.
  • Fraud.
  • Control of program modifications.
  • Participation in the negotiation of contracts with suppliers.
  • Review of the use of the operating system and utility programs.
  • Control over the use of operating systems and utility programs.
  • Database audit: the structure on which applications are developed…

Specific objectives of the systems audit

  • Audit of the teleprocessing network.
  • Development of audit software. The ultimate goal of a well-implemented systems audit is to develop software capable of continuously exercising control over the operations of the data processing area.

Where the union of objectives

Steps to implement a systems audit

Communication does not involve understanding. Information, if it is well transmitted and understood, carries intelligibility, the first necessary condition for understanding, but not sufficient.

Edgar Morin

Like the financial audit, this one must follow a scheme based on the generic audit; to simplify, the steps are the following:

As a standard, we will analyze the four basic phases of a review process: preliminary study; review and evaluation of controls and security measures; detailed examination of critical areas; and communication of results.

  1. Preliminary study. It includes defining the work group and the audit program, visiting the computer unit to learn its details, preparing a questionnaire to obtain information for a preliminary evaluation of internal control, and requesting an activity plan, policy manuals and regulations, along with interviews with the main officials of the PAD.
  2. Review and evaluation of controls and security measures. It consists of reviewing the process flow diagrams, testing compliance with the security measures, reviewing the applications of critical areas, reviewing historical processes (backups), and reviewing documentation and files, among other activities.
  3. Detailed examination of critical areas. With the previous phases the auditor identifies the critical areas and studies them in depth: concretely defining the work group and its load distribution, establishing the reasons, objectives, scope and resources to be used, defining the work methodology and the duration of the audit, presenting the work plan, and analyzing in detail each problem found in light of everything previously analyzed.
  4. Communication of results. A draft report is prepared and discussed with the company's executives until the final report is reached; it is presented schematically, as a matrix, tables or simple and concise wording that highlights the problems found, their effects and the recommendations of the audit.

The report must contain the following:

  • Audit reasons
  • Objectives
  • Scope
  • Organic-functional structure of the IT area
  • Hardware configuration and installed software
  • Internal control
  • Audit results

Control of information systems

When information is organized, ideas arise.

Jim Rohn

The purpose of application controls in a computerized environment is to establish specific control procedures for business applications in order to reasonably ensure that all transactions are authorized and recorded, and that they are completely, appropriately and promptly processed.

This seeks the implementation of the appropriate controls for each area, as well as the security and rigor that each of them will carry, depending on the risks involved in a given activity, the speed with which the information is required, and whether it is expected to be public or private.
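As an added example (not code from the original article), the three application control objectives named above, authorization, complete recording and timely processing, written as automated checks of the kind that the continuous audit software mentioned among the specific objectives would run over a posting journal; the transaction rows, user approval limits and posting window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample posting journal from a hypothetical order application.
# Each row is a transaction as entered by a user and later posted by a batch.
TRANSACTIONS = [
    {"seq": 1001, "user": "ana",   "amount": 250.0,
     "entered": "2011-09-20T09:00:00", "posted": "2011-09-20T09:01:00"},
    {"seq": 1002, "user": "ana",   "amount": 7800.0,   # above ana's limit
     "entered": "2011-09-20T09:05:00", "posted": "2011-09-20T09:06:00"},
    {"seq": 1004, "user": "guest", "amount": 40.0,     # 1003 missing, unknown user
     "entered": "2011-09-20T09:10:00", "posted": "2011-09-20T09:11:00"},
    {"seq": 1005, "user": "luis",  "amount": 120.0,    # posted hours after entry
     "entered": "2011-09-20T09:15:00", "posted": "2011-09-20T12:20:00"},
]

# Constructed authorization table: user -> maximum amount the user may approve.
AUTHORIZED_LIMITS = {"ana": 5000.0, "luis": 1000.0}
MAX_POSTING_DELAY = timedelta(minutes=30)  # assumed processing window


def audit_transactions(txns, limits=AUTHORIZED_LIMITS, max_delay=MAX_POSTING_DELAY):
    """Return a list of (seq, control_objective, detail) findings."""
    findings = []
    expected_seq = None
    for t in sorted(txns, key=lambda row: row["seq"]):
        seq = t["seq"]
        # Completeness of recording: sequence numbers must be unbroken and unique.
        if expected_seq is not None and seq > expected_seq:
            findings.append((seq, "completeness", f"gap: expected {expected_seq}"))
        elif expected_seq is not None and seq < expected_seq:
            findings.append((seq, "completeness", "duplicate sequence number"))
        expected_seq = seq + 1
        # Authorization: entered by a known user and within that user's limit.
        limit = limits.get(t["user"])
        if limit is None:
            findings.append((seq, "authorization", f"unknown user {t['user']}"))
        elif t["amount"] > limit:
            findings.append((seq, "authorization", f"{t['amount']} exceeds limit {limit}"))
        # Timeliness: posted within the agreed processing window after entry.
        delay = datetime.fromisoformat(t["posted"]) - datetime.fromisoformat(t["entered"])
        if delay > max_delay:
            findings.append((seq, "timeliness", f"posted {delay} after entry"))
    return findings


def summarize(findings):
    """Count findings per control objective, as a report would present them."""
    counts = {}
    for _, objective, _ in findings:
        counts[objective] = counts.get(objective, 0) + 1
    return counts
```

Running `summarize(audit_transactions(TRANSACTIONS))` on the constructed journal reports one completeness finding, two authorization findings and one timeliness finding.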

Visually, the following examples show the effects of good information control versus another type of control:

Comparing the controls of the systems with the images presented, we can say that we are looking for a correct implementation of the controls, one that is not burdensome, in order to protect the information we have.

COBIT

A good design for a computer engineer may not be as good for a non-systems person. Many engineers don't recognize that and problems arise.

Jakob Nielsen

CobiT (Control Objectives for Information and Related Technology) is a conceptual framework for the good governance of information technology, originally developed in 1994 by ISACA.

CobiT version 4.1 was released in 2005 by the IT Governance Institute (ITGI). CobiT is an internationally accepted reference for internal control over computer processes.

It is used as a methodology to define and monitor the internal control related to the information systems of entities, and also as an audit methodology.

It defines the processes related to the IT function as well as the elements of control and good practices for management and auditors.

From a practical point of view, it has to be "adapted" according to the size and mission of the organization. The Court of

The general CobiT framework is shown graphically in the following figure, with the CobiT process model consisting of four domains containing 34 generic processes, which manage IT resources to provide information to the business according to business and governance requirements and those of any other user.

