
Internal audit of business information

Anonim

The specialized nature of the information systems audit, and the skills necessary to carry out this type of audit, require the development and promulgation of General Standards for the audit of Information Systems.

Information systems auditing is defined as any audit that encompasses the review and evaluation of all aspects (or any portion of them) of automatic information processing systems, including the non-automatic procedures related to them and the corresponding interfaces.

To plan an informatics audit adequately, a series of preliminary steps must be followed that allow the auditor to determine the size and characteristics of the area of the organization to be audited, together with its systems, organization and equipment.

What follows describes the two main objectives of a systems audit, namely the evaluation of data processes and of computer equipment, together with their controls, types and security.

Definition of Audit

It is defined as a systematic process that consists of obtaining and objectively evaluating evidence about assertions regarding economic acts and events, in order to determine the degree of correspondence between those assertions and the established criteria, and then communicating the results to the interested parties.

Types of audit

There are several types of audit; among them, Systems Audit forms a parallel but distinct and peculiar world, characterized by its focus on the computing function.

In analysing this table it is necessary to emphasize that Systems Audit is not the same as Financial Audit.

Among the main audit approaches we have the following:

Main audit approaches

Information audit

  • It is the verification of controls in information processing, systems development and installation, with the aim of evaluating their effectiveness and presenting recommendations to Management.
  • It is the examination and evaluation of the processes of the Automatic Data Processing Area (PAD) and of the use of the resources involved in them, in order to establish the degree of efficiency, effectiveness and economy of the computerized systems in a company, and to present conclusions and recommendations aimed at correcting existing deficiencies and improving them.
  • It is the evaluation of the standards, controls, techniques and procedures that a company establishes to achieve reliability, timeliness, security and confidentiality of the information processed through its information systems.

Information auditing is a specialized branch of auditing that promotes and applies audit concepts in the area of information systems. The final objective of the auditor is to make recommendations to senior management to improve or achieve adequate internal control in information technology environments, in order to achieve greater operational and administrative efficiency.

Information Auditing is a systematic process of determining the information that an organization needs to satisfy its objectives and thus function properly. Its objective is to ensure that the information that will circulate through the system is the most appropriate for the organization. Through the Information Audit it is intended that the organization only receive the information that is relevant to its interests, thus reducing silence (not obtaining relevant information) and noise (obtaining non-relevant information), and meeting the information requirements of the organization (that is, the information it needs to function properly).

One of the previous steps to keep in mind before conducting an information audit consists of knowing the organization's objectives and priorities, the organization's structure, the management styles that are carried out and the relationships with the environment.

When the audit occurs from outside the organization, it is essential that its work is supported by the organization's management. Without this support, any measure will fail hopelessly. The main problem is that the information tends to be hoarded by the members of the organization as if it were a resource to treasure.

Given this, information exchange policies should be designed so that facilitating the circulation of information is compensated in some way.

The audit should identify the use, resources and flow of the information. For this, we must know what information resources the organization has, what use is made of them and the results that are obtained, what equipment is available and who has it, its cost, the value it contributes to the organization, and what type of personnel perform these functions.

In addition, it is essential that the members of the firm are informed of everything that is being done, so that they can collaborate to the fullest.

Similarities and differences with traditional auditing

Similarities:

  • No new auditing standards are required; they are the same. The basic elements of a good internal accounting control system remain the same, for example proper segregation of duties. The primary purposes of the study and evaluation of internal accounting control are to obtain evidence to support an opinion and to determine the basis, timing and extent of future audit evidence.

Differences:

  • Some new audit procedures are established. There are differences in the techniques aimed at maintaining adequate internal accounting control, and some difference in the way internal accounting control is studied and evaluated. A significant difference is that some processes use programs. The emphasis in the evaluation of manual systems is on the evaluation of transactions, while the emphasis in computer systems is on the evaluation of internal control.
  • Seek a better cost-benefit ratio for the automatic or computerized systems designed and implemented by the PAD.
  • Increase the satisfaction of users of computerized systems.
  • Ensure greater integrity, confidentiality and reliability of information by recommending security measures and controls.
  • Know the current situation of the computing area and the activities and efforts necessary to achieve the proposed objectives.
  • Security of personnel, data, hardware, software and facilities.
  • Support of the IT function for the goals and objectives of the organization.
  • Security, utility, trust, privacy and availability in the computer environment.
  • Minimize the risks in the use of Information Technology.
  • Investment decisions and unnecessary expenses.
  • Training and education on controls in the Information Systems.

1. Participation in the development of new systems:

  • Evaluation of controls.
  • Compliance with the methodology.

2. Security assessment in the computer area.

3. Sufficiency assessment in contingency plans.

  • Backups; provision for what will happen if failures occur.

4. Opinion of the use of computer resources.

  • Protection and safeguarding of assets.

5. Modification control to existing applications.

  • Fraud.
  • Control of program modifications.

6. Participation in the negotiation of contracts with suppliers.

7. Review of the use of the operating system and programs

  • Control over the use of operating systems.
  • Utility programs.

8. Audit of the database.

  • Structure on which applications are developed…

9. Audit of the teleprocess network.

10. Development of audit software.

The ultimate goal of a well-implemented systems audit is to develop software capable of continuously exercising control over the operations of the data processing area.

Reasons for the existence of the information audit function

1. Information is a key resource in the company to:

  • Plan the future, control the present and evaluate the past.

2. The company's operations increasingly depend on systematization.

3. The risks tend to increase, due to:

  • Loss of information.
  • Loss of assets.
  • Loss of services / sales.

4. Systematization represents a significant cost for the company in terms of:

  • Hardware, software and personnel.

5. Problems are identified only at the end.

6. The permanent technological advance.

  • Considerable and unjustified increase in the budget of the PAD (Data Processing Department).
  • Lack of knowledge at the managerial level of the company's computing situation.
  • Total or partial lack of logical and physical safeguards that guarantee the integrity of personnel, equipment and information.
  • Fraud carried out with the computer.
  • Lack of computer planning.
  • An organization that does not work correctly: lack of policies, objectives, standards, methodology, assignment of tasks and adequate administration of human resources.
  • General dissatisfaction of users due to non-compliance with deadlines and poor quality of results.
  • Comprehensive understanding of the business, its key points, critical areas, and economic, social and political environment.
  • Understanding of the effect of systems on the organization.
  • Understanding of the objectives of the audit.
  • Knowledge of the company's computing resources.
  • Knowledge of systems projects.

Control for information auditing

In an information audit, the control and verification processes must also be established.

The result of these processes can consist of a report or even a certificate confirming that everything is correct or that includes recommendations for improvement. It should be borne in mind that the information resources map, or documentary map, may constitute one of the main results of the information audit process.

The documentary map details which documents are found within the organization, what type of functions they are linked to and serve, who has responsibility for and access to those documents, in what medium they are available, where and how they are accessible, and what relationship or level of integration they have with the rest of the organization's information systems. The place of every document within the standards and procedures of the organization is also established, as well as its value for corporate knowledge.

General classification of controls

Preventive controls

They are those that reduce the frequency with which the causes of the risk occur, while allowing a certain margin of violations.

Examples: a "No Smoking" sign to safeguard facilities; access key systems.

Detective controls

They are those that do not prevent the causes of the risk from occurring but detect them after they have occurred. They are the most important to the auditor; in a way they serve to evaluate the efficiency of the preventive controls.

Examples: files and processes that serve as audit trails; validation procedures.

Corrective controls

They help the investigation and correction of the causes of risk. Proper correction can be difficult and inefficient, requiring the implementation of detective controls over the corrective controls, since error correction is itself a highly error-prone activity.

Particular controls in both the physical and logical parts are detailed below.

Authenticity: They allow the identity to be verified.

  • Passwords
  • Digital signatures

Accuracy: They ensure the consistency of data.

  • Validation of fields
  • Validation of excesses (limit checks)

Totality: They avoid the omission of records and guarantee the completion of a transmission process.

  • Record counts
  • Control figures (control totals)

Redundancy: They avoid data duplication.

  • Batch cancellation
  • Sequence verification

Privacy: They ensure data protection.

  • Encryption
  • Compaction

Existence: They ensure the availability of data.

  • Status log
  • Asset maintenance

Asset protection: They guard against destruction or corruption of information or hardware.

  • Passwords
  • Fire extinguishers

Effectiveness: They ensure the achievement of the objectives.

  • Satisfaction surveys
  • Measurement of service levels

Efficiency: They ensure the optimal use of resources.

  • Monitor programs
  • Cost-benefit analysis
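The accuracy, totality and redundancy controls listed above, and the audit-trail file that the classification of controls describes as a detective control, are concrete enough to be coded. The following is an added example written for this page, not code from the article: it validates a constructed batch of transaction records (field validation, validation of excesses, record count, control figure, sequence verification, duplicate detection) and writes the outcome as an audit-trail entry. The record layout, the 8-digit account format, the amount limit and all sample values are assumptions made for the example.

```python
"""Batch application controls over a constructed transaction file.

Added example, not code from the article. Every record, total, limit and
format rule below is constructed for illustration.
"""
from dataclasses import dataclass, field
from decimal import Decimal
import hashlib
import json


@dataclass(frozen=True)
class Record:
    seq: int          # sequence number assigned by the sending system
    account: str      # 8-digit account identifier (assumed format)
    amount: Decimal


@dataclass(frozen=True)
class BatchHeader:
    expected_count: int      # record count declared by the sender (totality)
    expected_total: Decimal  # control figure: declared sum of amounts (totality)
    max_amount: Decimal      # upper limit for validation of excesses (accuracy)


@dataclass
class Findings:
    errors: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def validate_batch(header: BatchHeader, records: list) -> Findings:
    f = Findings()
    # Totality: the number of records must match the declared count
    if len(records) != header.expected_count:
        f.errors.append(f"count mismatch: got {len(records)}, declared {header.expected_count}")
    # Totality: the control figure must match the recomputed total
    total = sum((r.amount for r in records), Decimal("0"))
    if total != header.expected_total:
        f.errors.append(f"control total mismatch: got {total}, declared {header.expected_total}")
    # Redundancy: sequence verification catches gaps and re-sent records
    for prev, cur in zip(records, records[1:]):
        if cur.seq != prev.seq + 1:
            f.errors.append(f"sequence break between {prev.seq} and {cur.seq}")
    # Redundancy: the same account/amount pair submitted twice is a duplicate
    seen = set()
    for r in records:
        key = (r.account, r.amount)
        if key in seen:
            f.errors.append(f"duplicate record seq={r.seq}")
        seen.add(key)
    # Accuracy: field validation and validation of excesses (limit check)
    for r in records:
        if not (r.account.isdigit() and len(r.account) == 8):
            f.errors.append(f"seq={r.seq}: bad account format {r.account!r}")
        if r.amount <= 0 or r.amount > header.max_amount:
            f.errors.append(f"seq={r.seq}: amount {r.amount} outside limits")
    return f


def audit_trail_entry(batch_id: str, records: list, findings: Findings) -> dict:
    """Detective control: a summary of what was checked, its digest and the verdict."""
    payload = json.dumps([[r.seq, r.account, str(r.amount)] for r in records])
    return {
        "batch_id": batch_id,
        "record_count": len(records),
        "sha256": hashlib.sha256(payload.encode()).hexdigest(),
        "verdict": "ACCEPTED" if findings.ok else "REJECTED",
        "errors": list(findings.errors),
    }


# Constructed sample batches
HEADER = BatchHeader(expected_count=3, expected_total=Decimal("425.75"), max_amount=Decimal("1000.00"))
GOOD_RECORDS = [
    Record(1, "00012345", Decimal("100.00")),
    Record(2, "00067890", Decimal("250.50")),
    Record(3, "00011111", Decimal("75.25")),
]
BAD_RECORDS = [
    Record(1, "00012345", Decimal("100.00")),
    Record(2, "00067890", Decimal("250.50")),
    Record(2, "00067890", Decimal("250.50")),   # re-sent record: duplicate and sequence break
    Record(4, "ABC", Decimal("5000.00")),       # bad account format and over the limit
]


def check_good_batch() -> Findings:
    return validate_batch(HEADER, GOOD_RECORDS)


def check_bad_batch() -> Findings:
    return validate_batch(HEADER, BAD_RECORDS)


if __name__ == "__main__":
    for name, fn, recs in (("good", check_good_batch, GOOD_RECORDS), ("bad", check_bad_batch, BAD_RECORDS)):
        print(json.dumps(audit_trail_entry(f"B-{name}", recs, fn()), indent=2))
```

Each finding names the control that failed, so the audit-trail entry records not only that a batch was rejected but which control caught it; the digest over the records lets a later reviewer confirm that the batch examined is the one that was logged.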

Frequency of change of access codes

Changes to the access codes to the programs must be carried out periodically.

Normally, users get used to keeping the same key that they were initially assigned.

Not changing the keys periodically increases the possibility that unauthorized people know and use the keys of users of the computer system.

Therefore it is recommended to change passwords at least quarterly.

Alphanumeric combination in access codes

It is not convenient that the key is made up of employee codes, since an unauthorized person through simple tests or deductions can find this key.

To redefine keys it is necessary to consider the types of keys that exist:

  • Single (individual)

It belongs to a single user and is therefore individual and personal. At transaction time, this key allows the person responsible for any change to be recorded.

  • Confidential

Users must be formally instructed regarding the confidential handling of passwords.

  • Not significant

The keys must not correspond to sequential numbers, names or dates.

  • Use security software on microcomputers

Security software allows you to restrict access to the microcomputer so that only authorized personnel can use it.

Additionally, this software allows reinforcing the segregation of functions and the confidentiality of the information through controls so that users can access only the programs and data for which they are authorized.

Programs of this type include WATCHDOG, LATTICE and SECRET DISK, among others.
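The two rules given above for access codes, that keys are changed at least quarterly and that they are not "significant" (not derived from employee codes, names, dates or sequential numbers), can both be checked automatically. The following is an added example written for this page, not code from the article or from any of the products it names: the significance check is meant to run when a user proposes a new key, and the rotation check runs over the last-change date held in each account record, so no stored passwords are needed. The employee record layout, the 90-day limit as the reading of "at least quarterly", the date formats tested, and all sample names, codes and dates are assumptions made for the example.

```python
"""Access-key policy checks: 'not significant' keys and quarterly rotation.

Added example, not code from the article. The employee, the dates, the keys
and the 90-day reading of 'at least quarterly' are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

ROTATION_DAYS = 90  # assumed reading of 'at least quarterly'


@dataclass(frozen=True)
class Employee:
    code: str
    first_name: str
    last_name: str
    birth_date: date


def _date_forms(d: date) -> set:
    """Common ways a person writes their own date (ddmmyyyy, yyyymmdd, ...)."""
    return {d.strftime(f) for f in ("%d%m%Y", "%d%m%y", "%Y%m%d", "%m%d%Y", "%m%d%y", "%d-%m-%Y", "%d/%m/%Y")}


def _has_sequential_run(s: str, run: int = 4) -> bool:
    """True if s contains `run` consecutive digits that are repeated, ascending or descending."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if not window.isdigit():
            continue
        steps = {int(b) - int(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def significance_reasons(key: str, emp: Employee) -> list:
    """Reasons a proposed key is 'significant' (guessable); an empty list means acceptable."""
    lowered = key.lower()
    reasons = []
    if emp.code.lower() in lowered:
        reasons.append("contains employee code")
    for name in (emp.first_name, emp.last_name):
        if len(name) >= 3 and name.lower() in lowered:
            reasons.append(f"contains name {name!r}")
    if any(form in key for form in _date_forms(emp.birth_date)):
        reasons.append("contains birth date")
    if _has_sequential_run(key):
        reasons.append("contains sequential or repeated digits")
    return reasons


def rotation_overdue(last_changed: date, as_of: date, max_days: int = ROTATION_DAYS) -> bool:
    return (as_of - last_changed).days > max_days


def audit_rotation(accounts: list, as_of: date) -> list:
    """Return (employee code, days since change) for every account past the rotation limit."""
    return [(emp.code, (as_of - changed).days)
            for emp, changed in accounts if rotation_overdue(changed, as_of)]


# Constructed sample data
SAMPLE_EMPLOYEE = Employee("E1042", "Maria", "Lopez", date(1985, 3, 14))
AS_OF = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    (SAMPLE_EMPLOYEE, date(2024, 1, 15)),                                        # 167 days: overdue
    (Employee("E2077", "Jorge", "Ruiz", date(1990, 11, 2)), date(2024, 5, 1)),   # 60 days: fine
]

if __name__ == "__main__":
    for candidate in ("E1042x", "lopez2019", "14031985", "pass1234", "Tr3bol-Azul!"):
        print(candidate, "->", significance_reasons(candidate, SAMPLE_EMPLOYEE) or "acceptable")
    print("rotation overdue:", audit_rotation(SAMPLE_ACCOUNTS, AS_OF))
```

The significance check returns every reason that applies rather than a single verdict, so the user can be told why a proposed key was refused; the rotation check works from account metadata alone, which is what an auditor normally has access to.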

Information audit methodologies

It must be said that today there is no standard methodology for conducting an information audit; however, we can describe a series of activities and techniques that help carry one out:

Physical inventory

It is the process of identifying and categorizing information resources in a systematic way. It provides a snapshot of what the organization has in terms of information resources at a given time.

Information mapping

It is a graphic way of representing the information resources that exist in the organization and the interrelationships between them. The resource map indicates to what extent information resources are basic, how they are positioned (geographically, departmentally, from a technical point of view), how they interact, who uses them, who is responsible, etc.

Analysis of information needs

Its main purpose is to determine what information is required by the employees and the management of the organization to develop their roles and achieve the objectives.

Process charts and workflows

Process charts together with workflows can be a good working tool in the field of information audits.

Role of auditing in information controls

Auditing plays a role of the utmost importance in the information system of any entity; below we mention some of the most important aspects.

The enormous possibilities that current computer systems offer us to access large amounts of information and process large volumes of documentation have not always had an equivalent response in the productivity of a large part of professional firms, nor have they translated into visible improvements in the documentary management of organizations.

This occurs because, most of the time, investments in information systems (computer and communication hardware and software) are made without the necessary prior analysis of the real information needs of the professional firm or office. Very few firms hire file and documentation experts or engage trained professionals to identify:

  • The information needs of the professionals or key departments of the firm.
  • The documentation generated by the organization itself.
  • The external information resources or sources available in the market.
  • Documentary flows or circuits.

There is a tendency for the functions and responsibilities entailed by document management to be distributed among different people or departments, without any of them taking on the mission of adequately exploiting the synergies that arise between all the functions involved.

The analysis of the problem must start by perceiving what is of the most pressing interest, which is usually the closest at hand. It is common to detect a series of signs:

  • Lack of response to requests for documents for indeterminate periods of time (no documents are found, or when a response does occur it arrives with excessive delay).
  • The information used does not reach the required quality level (the documentation used is insufficient, unreliable or poorly presented).
  • The accumulation of documentation is very high, both in file repositories and on work tables (documentation is scattered throughout the office without anyone knowing where to find it).
  • Everyone agrees that document management does not work correctly and that the situation needs to be remedied.

Some of the administrative documentation management problems may lie in:

  • The administrative tradition. The management of administrative documents is carried out by different people, each in their own way. It is common for the replacement of a department head or the head of a business area to cause drastic changes in the treatment of documents.
  • The lack of awareness that document management is another part of administrative management. This lack leads to inconsistency of the documentary circuits, lack of coordination among the personnel who share the processing of a document, unequal workloads and poorly established work priorities. These shortcomings show up as the particular and immediate need to resolve pressing issues, to the detriment of an integral management of the documentation that covers the whole firm ("in the day-to-day I organize myself").

Trends affecting information systems

When considering an Information System as the set of rules and general processes of a given organization, some negative and positive points that directly affect the system should be considered, for example:

This refers to the fact that the information systems of any company must be reviewed periodically; not continuously, but at spaced intervals, with bi-annual reviews recommended. (Gradual updating within a company is not recommended: for example, software and statistical tables should be changed within a year, together with all the machines and software, because otherwise the entire organizational structure would end up being changed.)

(It can be a restructuring that keeps the same positions.) An organizational restructuring in any company always implies changes made with a view to better operation: avoiding bureaucracy and streamlining procedures or processes. The restructuring can be of various types, for example increasing or decreasing departments or positions, restructuring of objectives, etc. Restructuring always affects the company's information systems.

(Not only for the better, but also for the worse.)

The review and revaluation of the ranking is expected to act in favor of the company's information systems; if the effect is the opposite, the auditor should issue a report on the employees (specifically by department) who are obstructing the company's information.

(Data for the Information system)

This refers to a change in the data flow exclusively within the computer area; it directly affects the computer system and therefore the information system. From the point of view of IT Audit, the effect can be positive or negative, depending on the results obtained in terms of data processing (less security, more security, backup). For example:

The flow of information in the accounting area has been changed in order to generate the monthly payroll. (Originally the payroll was prepared by the secretary, who entered attendance data, absences, late arrivals, etc., and determined an amount to be deducted, a gross amount and a final salary; this was passed to the accountant, who mainly checked the deductions, corrected them in some cases, and sent the paper to be printed. The new flow of information is one in which the data is entered into a computer system; according to the company's parameters and regulations, the system calculates the net salary to be paid, automatically generates the report and the pay slips, and the accountant only approves the report.)

(An example is data migration, when the information migrates or is moved to a more sophisticated system.)

Conceptual basis

On the basis of the information system, the auditor will carry out his or her study and analysis following any work methodology, but without deviating from the conceptual basis of the audited company's information system.

If for any reason the auditor perceives, or at least suspects, that parameters were taken that are not present in the information system, he or she must necessarily start again.

Conceptually, Information Systems are based on some important aspects within any company:

  1. Economic aspects: the company's resources, crises, control, etc. should be considered.

  2. Technological aspects: refers to the hardware within the company; the increase in changes, whether of software or hardware, should be considered.

  3. Social aspects: refers to improvements aimed at company employees, for example courses, training, etc.

  4. Legal-political aspect: refers to the norms and laws in force for companies, both internal and external; the legal aspect must be taken care of, especially regarding software.

  5. Administrative aspect: refers to relationships at the management level and greater confidence in taking positions and decisions, always in favor of the company.

Conclusion

The main conclusion we have reached in completing this work is that any company, public or private, that has moderately complex Information Systems must submit to strict control of the evaluation of its effectiveness and efficiency. Today, 90 percent of companies have all their information structured in Computer Systems, hence the vital importance of information systems working correctly.

The company today must be computerized. The success of a company depends on the efficiency of its information systems.

A company may have a staff of top people, but if it has a bug-prone, slow, vulnerable and unstable computer system, and there is no balance between these two things, the company will never get ahead.

Regarding the work of the audit itself, we can point out that a great knowledge of Computing, seriousness, capacity, thoroughness and responsibility is required; the information audit must be done by highly trained people, a poorly done audit can have drastic consequences for the audited company, mainly economic.
