Although control objectives have generally remained constant, except for some that are technology specific, technology has altered the way in which systems should be controlled. Safeguarding assets, as a control objective, remains the same whether it is done manually or is automated. However, the manner by which the control objective is met is certainly impacted.
Technology has impacted the auditing profession in terms of how audits are performed (information capture and analysis), the control concerns, the knowledge required to draw conclusions regarding operational or system effectiveness, efficiency, and integrity, and reporting integrity.
Initially, the impact was focused on dealing with a changed processing environment. As the need for auditors with specialized technology skills grew, so did the IT auditing profession.

Information Integrity, Reliability, and Validity: Importance in Today's Global Business Environment

Organizations today operate in a dynamic, global, multi-enterprise environment with team-oriented collaboration, which places very stringent requirements on the telecommunications network. The design of such systems is complex, and management can be very difficult.
Organizations are critically dependent on the timely flow of accurate information. A good way to see how stringent the network requirements are is to analyze them in terms of the quality of the telecommunications service. Two examples of the world's dependency on IT come from reported events in the past where IT failure impacted world commerce and communications. In another event, a communication satellite went into an uncontrollable rotation, rendering pager communication systems worldwide "useless"; companies using this technology for E-account transaction and verification were unable to process credit card information for 24 hours, forcing their customers to pay cash for their transactions.
The disruption of the paging services caused severe impact to services provided by both private and governmental organizations that depended on this communication. Even today, these types of events are repeated over and over again where organizations dependent on technology encounter failure and disruption to services and business.
In August , the northeast quadrant and part of Canada were still recovering from a massive power outage that shut down ATMs and all electrical services (elevators, phone service, street signals, subways, etc.).

Most telecommunication experts believe the network must be able to reach anyone anywhere in the world and be capable of supporting the sharing of a wide range of information, from simple voice, data, and text messages to cooperative transactions requiring the updating of a variety of databases.
The chief executive officer (CEO) and chief information officer (CIO) want to meet or exceed their business objectives and attain maximum profitability through an extremely high degree of availability, fast response time, extreme reliability, and a very high level of security. This means that the products for which IT provides consumer feedback will also be of high quality, rich in information content, and packaged with a variety of useful services to meet changing business conditions and competition. Flexible manufacturing will permit products to be produced economically in arbitrary lot sizes through modularization of the production process.
The unpredictability of customer needs and the shortness of product life cycles will cause the mix of production capabilities and underlying resources required by the organization to change constantly. Organizations must be capable of assembling their capabilities and resources quickly, thereby bringing a product to market swiftly.
To achieve the high degree of organizational flexibility and value-chain coordination necessary for quick market response, excellent product quality, and low cost, the organization will employ a network, team-oriented, distributed decision-making organizational approach rather than a more traditional hierarchical, vertically integrated, command-and-control approach. Organizations will possess a dynamic network organization synthesizing the best available design, production, supply, and distribution capabilities and resources from enterprises around the world and linking them and the customers together.
A multi-enterprise nature will enable organizations to respond to competitive opportunities quickly and with the requisite scale, while, at the same time, reducing the cost and risk borne by each individual network participant. The network will be dynamic because participant identities and relationships will change as the capabilities and resources required change. The global scope of the network will enable organizations to capitalize on worldwide market opportunities. Work will be performed by multidisciplinary, multi-enterprise teams, which will work concurrently and, to reduce production time, be granted significant decision-making authority.
Team members will be able to work collaboratively regardless of location and time zone. Openness, cooperativeness, and trust will characterize the relationships among the organizations in the network and their personnel. Aside from reach, range, and service responsiveness, the network must be highly interconnective so that people, organizations, and machines can communicate at any time, regardless of location. Also, the network must be very flexible because the organization is constantly changing. Finally, the network must be cost effective because low cost is one of the ingredients in the mass-customization strategy.
In addition, a control structure that provides assurances of integrity, reliability, and validity must be designed, developed, and implemented. So how can this be accomplished? The ability to reach anyone anywhere in the world requires global area networks. Clearly, the Internet and global carrier services will be crucial. Also, because the intended receiver need not be in the office or even at home, wireless networks will play a major part. This will be true on-premise, such as with the use of wireless private branch exchanges (PBXs) or local area networks (LANs), and off-premise, with the use of cellular networks, global satellite networks such as Iridium, and Personal Communications Networks.
To support the sharing of a wide range of voice, data, and video information, bandwidth on demand will be required all the way to the desktop as well as the mobile terminal. Also, various collaborative service platforms such as Lotus Notes will be necessary. Finally, perfect service will have to be designed into the network. Speed can be achieved through broadband networking.

A Global Concern

The events of September 11, , and the collapse of trust in the financial reports of private industry (Enron, WorldCom, etc.)
The evolution of the economic society parallels the evolution of exchange mechanisms because advancement in the latter allows the facilitation of the former. Society started with the primitive use of the barter system. In this way, individuals were both consumers and producers because they brought to market that commodity which they had in excess and exchanged it directly for a commodity for which they were in need. Simply, society exercised an exchange of goods for goods.
Owing to its numerous inefficiencies and society's demands to accommodate increased population, production, communication, and trading areas, this system was soon replaced by a modified barter exchange mechanism. In the modified barter exchange system, a common medium of exchange was agreed upon. This reduced the time and effort expended in trying to find a trading partner who needed one's product.
In the early stages of economic development, precious metals such as gold and silver gained widespread acceptance as exchange media. Precious metals offered acceptability, durability, portability, and divisibility, and they gradually took on the role of money. Thus, when emerging central governments began minting or coining these metals to begin the money-based exchange system, their monetary role was strengthened even further.
As economies became more commercial in nature, the influential mercantile class shaped the new society. The needs of the mercantilists, which included the promotion of exchange and accumulation of capital, led to the development of money warehouses that served as depositories for the safekeeping of funds. A receipt would be issued for those who opened a deposit account, and upon presentation of the receipt, the warehouse would return the specified amount to the depositor.
These warehouses represented an elementary banking system because, like banks of today, they collected fees to cover their costs as well as earned profits for their owners. Soon the warehouses began issuing bills of exchange or their own drafts because of the idea that not all depositors would withdraw their funds at the same time.
This created the fractional reserve banking system in which banks used the deposits not only to back up the receipts that they issued but also to extend credit. The coin, currency, and demand deposit payment mechanism flourished for many decades because of its convenience, safety, efficiency, and widespread acceptance by the public. However, another major change is now at hand for payment mechanisms: They have been around since the s.
The banking industry is considered to be one of the forerunners in the use of computers. The industry started with mechanizing bookkeeping and accounting tasks, automating transaction flows, implementing magnetic ink character recognition (MICR) technology, and finally, utilizing online terminals to update depositors' accounts and record receipts or disbursements of cash.
The advancement of both computer and communication technologies has spurred the phenomenal growth of EFT systems in the past 20 years. As more consumers become familiar with and trust electronic financial transactions, EFTs will continue to be more widely used. Today, EFTs have already gone beyond the banking industry and can be seen in almost all retail establishments such as supermarkets, clothing stores, gas stations, and even amusement parks.
EFTs allow the convenience of paying for goods and services without having to use checks or currency.
In today's society of ever more computer-literate individuals, a transition is being witnessed from the traditional cash and check system to electronic payment systems.

Future of Electronic Payment Systems

The increased use of the Internet has brought with it a new form of exchange: The cashless society that futurists have long forecast is finally at hand, and it will replace today's paper money, checks, and even credit cards. Virtual commerce involves a new world of electronic cash (E-cash).
Virtual transactions work very much like physical cash but without the physical symbols. Although the use of E-cash has its positive aspects such as more convenience, flexibility, speed, cost savings, and greater privacy than using credit cards or checks on the Internet, it also has negative ramifications. Uncontrolled growth of E-cash systems could threaten bank and government-controlled payment systems, which would fuel the growth of confusing and inefficient systems.
Also, current technology has not yet deemed E-cash to be more secure than bank money because money stored in a personal computer (PC) could be lost forever if the system crashes. In addition, E-cash could permit criminal activity such as money laundering and tax evasion to hide behind cyber dollars.
Counterfeiters could also design their own mints of E-cash that would be difficult to differentiate from real money. Finally, criminals such as computer hackers could instantaneously pilfer the wealth of thousands of electronic consumers. Therefore, many companies have been compelled to develop electronic payment systems that will solve these consumer concerns.
In , it represented about 40 percent of the online population; this grew to 63 percent by . There is a definite need for the security and privacy of payments made over the Internet, as millions of transactions occur daily and will be increasing at a rapid pace in the future. With this increase of E-commerce, the likelihood of fraud increases as well.
E-commerce depends on security and privacy because, without them, neither consumers nor businesses would have an adequate level of comfort in the digital transmission of transaction and personal data. In the newly revolutionized economy, it is a necessity for companies to conduct business online and reach out to customers through the Internet. The primary areas of concern with E-commerce are confidentiality, integrity, nonrepudiation, and authentication. These areas are addressed in several ways, such as encryption, cryptography, and the use of third parties.
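The four concerns named above map onto concrete mechanisms, and the mapping is easier to audit when each property is checked separately. The following Python script is an added illustration, not code from the book: it seals a constructed customer order with encrypt-then-MAC so that confidentiality, integrity, and authentication can each be demonstrated by a failing check, and then shows why a shared-key MAC cannot supply nonrepudiation, which is exactly where digital signatures or a trusted third party come in. The stream cipher built from HMAC-SHA256 in counter mode is a constructed toy so the example runs on the standard library alone; a production system would use an authenticated cipher such as AES-GCM from a vetted library.

```python
"""Added illustration (not from the book) of the four E-commerce concerns the
text names: confidentiality, integrity, authentication, and nonrepudiation.
Standard library only. The cipher below is a CONSTRUCTED toy (HMAC-SHA256 run
in counter mode as a keystream) so the example runs offline; a real deployment
would use AES-GCM or ChaCha20-Poly1305 from a vetted library."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master: bytes) -> Tuple[bytes, bytes]:
    """Key separation: never reuse one key for both encryption and the MAC."""
    enc_key = hmac.new(master, b"toy-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"toy-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC(key, nonce || counter) blocks concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def seal(master: bytes, plaintext: bytes) -> bytes:
    """Confidentiality + integrity + shared-key authentication.
    Envelope layout: nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = derive_keys(master)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(master: bytes, envelope: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify (the envelope
    was altered in transit or was produced under a different key)."""
    if len(envelope) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(master)
    nonce = envelope[:NONCE_LEN]
    ciphertext = envelope[NONCE_LEN:-TAG_LEN]
    tag = envelope[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def tamper(envelope: bytes, offset: int) -> bytes:
    """Flip one bit of the envelope, modelling alteration in transit."""
    altered = bytearray(envelope)
    altered[offset] ^= 0x01
    return bytes(altered)


def demo() -> dict:
    """Run each property check on a constructed order; returns a dict of booleans."""
    # Constructed sample data: a customer order and a key shared with the merchant.
    shared_key = secrets.token_bytes(32)
    order = b"order#1001 card=XXXX-1234 amount=49.95"
    envelope = seal(shared_key, order)
    return {
        "roundtrip_ok": open_sealed(shared_key, envelope) == order,
        # Integrity: one flipped ciphertext bit is detected before decryption.
        "tamper_detected": open_sealed(shared_key, tamper(envelope, NONCE_LEN + 3)) is None,
        # Authentication: an envelope checked under some other key is rejected.
        "wrong_key_rejected": open_sealed(secrets.token_bytes(32), envelope) is None,
        # Nonrepudiation is NOT provided: the merchant holds the same key, so it
        # can mint an envelope indistinguishable from the customer's. Settling
        # that dispute needs a digital signature or a trusted third party.
        "merchant_can_forge": open_sealed(shared_key, seal(shared_key, b"order#1002")) == b"order#1002",
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last entry in `demo()` is the one an auditor should notice: every check passes for the merchant as easily as for the customer, so a shared-key design gives no evidence that could settle a "I never placed that order" dispute. That is the gap the book's "use of third parties" (certificate authorities, signed receipts) is meant to close.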
In addition, the credit card industry has been motivated to find secure technology for E-commerce. Organizations like these are only a fraction of the massive experiments that will transform the way people think about money. This is a worldwide commerce movement, not just a U.S. one. E-cash is the next inevitable payment system for an increasingly wired world. Economic history has once again reached another crossroads.
Just as the mercantile class transformed the money exchange system into one of money warehouses, E-commerce trade on the Internet will be a revolutionary opportunity for global society to transform today's traditional system of exchange into a system of electronic payments. Thus, the need for auditability, security, and control of IT has become a worldwide issue. In addition, advancements in network environment technologies have brought to the forefront issues of security and privacy that were once only of interest to the legal and technical expert but which today are topics that affect virtually every user of the information superhighway.
The Internet has grown exponentially from a simple linkage of relatively few government and educational computers to a complex worldwide network that is utilized by almost everyone, from the terrorist who has computer skills to the novice user and everyone in between. Common uses for the Internet include everything from marketing, sales, and entertainment purposes to e-mail, research, commerce, and virtually any other type of information sharing. Unfortunately, as with any breakthrough in technology, advancements have also given rise to various new problems that must be addressed, such as security and privacy.
These problems are often brought to the attention of IT audit and control specialists due to their impact on public and private organizations. Current legislation and government plans will affect the online community and, along with the government's role in the networked society, will have a lasting impact on future business practices.
Federal Financial Integrity Legislation

The Enron-Arthur Andersen LLP financial scandal continues to plague today's financial market, as the trust of the consumer, the investor, and the government in allowing the industry to self-regulate has been violated. The Sarbanes-Oxley Act of will be a vivid reminder of the importance of due professional care. The Sarbanes-Oxley Act prohibits all registered public accounting firms from providing audit clients, contemporaneously with the audit, certain non-audit services including internal audit outsourcing, financial-information-system design and implementation services, and expert services.
All other services, including tax services, are permissible only if preapproved by the issuer's audit committee, and all such preapprovals must be disclosed in the issuer's periodic reports to the SEC. The act requires auditor (not audit firm) rotation. Therefore, the lead audit partner and the concurring review partner must rotate off the engagement if he or she has performed audit services for the issuer in each of the five previous fiscal years.
The act provides no distinction regarding the capacity in which the audit or concurring partner provided such audit services. Any services provided as a manager or in some other capacity appear to count toward the five-year period.
The provision starts as soon as the firm is registered; therefore, absent guidance to the contrary, the audit and concurring partners must count back five years starting with the date on which Public Company Accounting Oversight Board registration occurs. This provision has a definite impact on small accounting firms. The SEC is currently considering whether or not to accommodate small firms in this area; currently, there is no small-firm exemption from this provision.
This act is a major reform package mandating the most far-reaching changes Congress has imposed on the business world since the Foreign Corrupt Practices Act of and the SEC Act of the s. It seeks to thwart future scandals and restore investor confidence by, among other things, creating a public company accounting oversight board, revising auditor independence rules, revising corporate governance standards, and significantly increasing the criminal penalties for violations of securities laws.
Private industry has in the past been reluctant to implement these laws because of the fear of the negative impact they could bring to a company's current and future earnings and public image. The passage of the Homeland Security Act of and the inclusion of the Cyber Security Enhancement Act will have a substantial impact on private industry. Examples of past laws in place are as follows. The government's response to network security and network-related crimes was to revise the act in under the Computer Abuse Amendments Act to cover crimes such as trespassing (unauthorized entry into an online system), exceeding authorized access, and exchanging information on how to gain unauthorized access.
Although the act was intended to protect against attacks in a network environment, it also has its fair share of faults. The IT auditor must be aware of its significance. Under this act, penalties are obviously less severe for "reckless destructive trespass" than for "intentional destructive trespass." However, such terminology appears to create some confusion in prosecuting the trespasser because it resides in such a "gray area." United States, it was determined that "intent" applied to access and not to damages.
The implication here would be that if the "intentional" part of the violation was applied to access and not the damage, then the culprit could possibly be prosecuted under the lesser sentence.
For example, if an individual intended to release a virus over a network, it would seem difficult for prosecutors to prove the motive for the violation. What if the individual stated that he or she was conducting some type of security test, as Morris contested, and "accidentally" set off a procedure that released a virus over the network? "Intentional" could refer to access to a system, but it may not apply to damage. In this case, the lesser penalty of "reckless destructive trespass" may be applied.
Within the courts, this is a matter that must be contemplated on a case-by-case basis, observing the facts of each individual case. In some instances, however, it would appear that even "intentional" trespass could be defended by claims that the violation was due to negligence and therefore falls under the less severe of the two circumstances. This legislation has been helpful as a legal tool for prosecuting crimes involving some of the aforementioned intruders and violators of system security, but it also seems to have a loophole in certain cases.
Unfortunately, this loophole may be large enough for a serious violator of the act to slip through and be prosecuted under a lesser penalty by virtue of the need to prove intent. All states have closed a portion of that loophole through statutes prohibiting harassment or stalking, including by "e-mail."

The Computer Security Act of

Another act of importance is the Computer Security Act of , which was drafted due to congressional concerns and public awareness of computer security-related issues and because of disputes over the control of unclassified information.