
In document BULETIN ŞTIINŢIFIC (Page 113-117)

PROBLEMS OF CONTROL ENVIRONMENT AND AUDIT RISK ANALYSIS IN IT SYSTEMS AUDIT

G. Audit report issue

The audit report completes the audit process of a computer system. According to auditing standards, the audit report must contain a clear written expression of the auditor's opinion on the audited entity. Through the audit report, the auditor concludes on each of the nonconformities identified and may issue: an unqualified audit report, an unqualified audit report with explanation, a qualified report, a qualified report with disclaimer, or a qualified report with an adverse opinion.

The audit report is the standard document by which the audit findings and conclusions on the actual situation of the audited system are formally communicated. Informally, these findings are discussed with those responsible for them, so that they are properly understood and accepted and so that appropriate measures can be defined to keep the major risks of computer applications under control.

2. ANALYSIS OF THE CONTROL ENVIRONMENT

The success of the IT audit process depends on the quality of planning, which in turn depends mainly on the analysis of the control environment.

COSO (the Committee of Sponsoring Organizations of the Treadway Commission) defines internal control as a process, influenced by an entity's board of directors, management and other personnel, that is designed to provide reasonable assurance regarding the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations. The auditor evaluates the organization's control structure by understanding the organization's five interrelated control components, which include:

- control environment, which refers to the system, the operating style and the management philosophy;

- control activities, by which it is monitored whether employees follow the management instructions. The types of control activities that an organization should implement are: preventive controls (controls intended to stop an error from occurring), detective controls (controls intended to detect whether an error has occurred) and mitigating controls (control activities that can mitigate the risks associated with a key control not operating effectively);

- information and communication, which identifies how the organization obtains relevant information and communicates it internally and to business partners;

- monitoring, which reviews the output of the control activities and conducts evaluations.

Cristian AMANCEI, Traian SURCEL

Understanding the control components of the organization is essential for the next stage of the audit process, namely the assessment of the organization's general controls and application controls.

The analysis of the control environment allows the auditor to form an image of the significance and complexity of the computing environment and of the accessibility of data for audit.

Analysis of the control environment takes into consideration the following:

- the organizational structure of the computing environment;

- the complexity and the importance of automated processing for each significant application. A computer application can be considered complex when:

• the volume of transactions is seen by application users as making the identification and correction of errors during processing difficult;

• the application can generate significant automated transactions or can provide significant inputs to other applications;

• the arithmetic calculations are complex;

• transactions are exchanged electronically with other organizations, which implies additional controls associated with the communication channels;

- data availability. In a paperless environment, certain information requested by the auditor may exist only for a short period and/or only in electronic form. In this regard, the vulnerability of the data/information storage media should be analyzed;

- the use of computer-assisted audit techniques to increase the performance of audit procedures.

Analysis of the control environment for IT systems should be consistent with the fact that IT systems support the information and the calculation procedures of financial accounting systems, which are more often subject to audit. For this reason, IT audit is often a corollary of the financial audit, and in a paperless environment the extent of risk takes on another dimension. The nature of these new risks is influenced by:

- Information density is much higher than in conventional paper-based systems. The magneto-optical storage media used to save large volumes of information, totaling tens of thousands of pages of paper, can be the object of a more discreet theft, thereby generating fraud or at least affecting the confidentiality of that information.

- The transparency of documents relating to the conduct of operations:

a) the absence of input documents: data can be entered into the system without justifying documents, as in online transaction systems;

b) the absence of visible "traces" of transactions: while in manual processing any transaction can be traced, in automatic processing the route of a transaction may exist only for a limited period, in electronic form;

c) the lack of visible output: certain transactions or results, especially when they represent details, may be retrievable only from the application database (and not in printed form).

- Transaction authorization. A paperless environment includes the ability of the computer system to initiate and execute some transactions automatically. The design of the computer application usually involves incorporating certain implied authorization and automatic generation functions.

- Uniform processing of transactions. A computer application processes similar transactions uniformly, with the same program instructions. In this way, the writing errors associated with manual processing are eliminated. Conversely, programming errors may lead to the incorrect processing of all such transactions, so auditors will focus on the accuracy and consistency of output.

- Unauthorized access to data, files or databases can be performed with greater ease, which implies a greater potential for fraud and error.


- Retention of data storage media: after having been removed, storage media can be a sure way to take possession of valuable information.

- Strong systems integration, which occurs as a consequence of improved forms of communication and the proliferation of computer networks and ERP systems.

3. RISK ANALYSIS

IT risk manifests itself through its own components: threats, vulnerabilities and impact.

Threats exploit the vulnerabilities of a system, causing the impact; in essence, the combination of the three elements determines the size of the risk. The risk level of an organization cannot be eliminated, it will always exist; the company management is responsible for reducing it to an acceptable level. In this regard, Figure 1 gives the correlation of the different elements that need to be considered for risk reduction.

Figure 1: Components of IT risk, adapted after INTOSAI [6]

In general, the risks associated with a computer system that must be taken into consideration and evaluated by the auditor (the technique commonly used in this case is the questionnaire), in order to assess the system, address:

- Physical security risk will be assessed according to information collected on: the existence of security systems, fire detection and alarm systems, protection systems against power failure, equipment protection against theft, protection against natural disasters (floods, earthquakes) and physical protection of storage media;

- Communication risk can take different facets, depending on the availability of the system to the public network, in which case the auditor is required to consider the security measures: the existence of a firewall, the firewall configuration, and the analysis of data transmission through the public network (use of encryption techniques, the existence of a virtual private network, VPN). Confidentiality concerns not only the storage on workstations or servers, but also the communication lines;

- The risk of data and transaction integrity involves all the risks associated with the authorization, completeness and accuracy of data;

[Figure 1 diagram residue: nodes Threats, Vulnerabilities, Security measures, Information system components (Confidentiality, Integrity, Availability), IT risks, Impact on organization; relation labels: Protects against, Exploit, Increase, Decrease, Limited by, Expose, Cause, Evaluated through.]


- Access risk refers to the risk associated with inappropriate access to the system, data or information. Its implications are major, as the risk addresses data privacy, the integrity of data or databases and their availability. In this respect, the auditor's actions involve an analysis of password management within the organization, an investigation of unauthorized attempts to access the system and an analysis of workstation protection.

- The risk of antivirus protection requires an analysis of the antivirus programs used by the entity, at server and workstation level, and of how these programs are updated (manually or automatically). Fighting viruses is essential but not easy. Given the large number of antivirus products available, an analysis of program characteristics is required: real-time scanning or continuous monitoring of the system, e-mail scanning, manual scanning.

- Risk related to information security documentation. The general documentation of an information system consists, on the one hand, of the network and operating system documentation and, on the other hand, of the documentation of the installed application. This documentation may differ for administrators, users and operators, so as to assist in the installation, operation, management and use of the product. The risks associated with documentation may refer to the fact that it does not reflect the real state of the system, is not comprehensible, is accessible to unauthorized persons or is not updated.

- Employee risk can be analyzed in terms of the following criteria:

• The organizational structure of the IT department: how tasks and responsibilities are distributed within it. Assigning too many responsibilities to a single person or group of people is a sign of poor internal organization.

• The practice of selecting employees. Staff competence and integrity are the basis of an appropriate control environment, which involves a review by the auditors of the organization's hiring policies and procedures, specialization, performance evaluation and promotion of employees.

- Infrastructure risk is reflected in the fact that the organization lacks an effective information technology infrastructure (hardware, networking, software, people and processes) to support its needs.

- Risk management for contingency situations (availability risk) is the risk associated with natural hazards, disasters and system failures that can lead to the permanent loss of data and applications, in the absence of activity monitoring procedures and disaster recovery plans.
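The access-risk review described above (password management and unauthorized access attempts) is the kind of check a computer-assisted audit technique can run over system records. The following is an added example, not code from the paper or its authors; the log format, the account register, the 90-day password age and the failure threshold are constructed assumptions.

```python
import re
from collections import Counter
from datetime import date

# Constructed authentication events in a hypothetical "key=value" format (not real data).
AUTH_LOG = """\
2010-03-01T08:02:11 user=jsmith result=SUCCESS src=10.0.1.15
2010-03-01T08:05:40 user=admin result=FAILURE src=10.0.9.77
2010-03-01T08:05:43 user=admin result=FAILURE src=10.0.9.77
2010-03-01T08:05:47 user=admin result=FAILURE src=10.0.9.77
2010-03-01T08:06:03 user=admin result=SUCCESS src=10.0.9.77
2010-03-01T09:14:20 user=mpopescu result=FAILURE src=10.0.1.22
2010-03-01T09:14:31 user=mpopescu result=SUCCESS src=10.0.1.22
"""
# Constructed account register: date of the last password change per account.
ACCOUNTS = {"jsmith": date(2010, 1, 20), "admin": date(2009, 6, 1), "mpopescu": date(2010, 2, 28)}
AS_OF = date(2010, 3, 1)  # constructed audit reference date

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$")

def parse_auth_log(text):
    """Parse log lines into dicts; lines not matching the expected format are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := LINE_RE.match(line.strip()))]

def failed_attempts_by_user(events):
    """Count FAILURE events per account (the review of unauthorized access attempts)."""
    return Counter(e["user"] for e in events if e["result"] == "FAILURE")

def stale_passwords(accounts, as_of, max_age_days=90):
    """Accounts whose password is older than the assumed policy maximum (password management review)."""
    return sorted(u for u, changed in accounts.items() if (as_of - changed).days > max_age_days)

def access_risk_findings(log_text, accounts, as_of, fail_threshold=3, max_age_days=90):
    """Findings for the access-risk part of the questionnaire, ready to discuss with management."""
    events = parse_auth_log(log_text)
    failures = failed_attempts_by_user(events)
    repeated = {u: n for u, n in failures.items() if n >= fail_threshold}
    # Repeated failures on an account that also logged in successfully warrant follow-up.
    succeeded = {e["user"] for e in events if e["result"] == "SUCCESS"}
    return {
        "repeated_failures": repeated,
        "success_after_failures": sorted(u for u in repeated if u in succeeded),
        "stale_passwords": stale_passwords(accounts, as_of, max_age_days),
    }

if __name__ == "__main__":
    print(access_risk_findings(AUTH_LOG, ACCOUNTS, AS_OF))
```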

Risk analysis requires an assessment based on quantitative and qualitative methods, starting from a classification such as the one presented in this paper, which is only one point of view, to be developed and improved in accordance with the features of the environment and the specific control processes audited.

REFERENCES:

1. Cristian Amancei, Traian Surcel, Increasing the Efficiency of IT Audit Methodology by Using the Organizations Tolerance to IT Systems Availability, Revista de Informatică Economică, Vol. 14, No. 1/2010, pp. 49-56

2. IT Governance Institute, Control Objectives for Information and related Technology v 4.1, 2007, http://www.itgi.org

3. Mikhael Felker, Analysis of FFIEC Guidance: Technologies and Decisions on Authentication, Information Control Systems Journal, Vol. 6, 2007, pp. 52-57

4. M. Akerman, B. Rucker, A. Wells, J. Wilson and R. Wittman, IT Strategic Audit Plan, in Journal of Technology Research, Vol. 1/2009, http://www.aabri.com

5. S. Senft, F. Gallegos, Information Technology Control and Audit, 3rd edition, CRC Press, 2009

6. IT Audit Monography Series I, Information Technology Audit – General Principles, http://www.intosaiaudit.org

Scientific Bulletin – Economic Sciences, Vol. 9 (15) - Information technology -
