The main advantage of an IT audit and data management is to establish with a certain level of assurance that an information system is functioning effectively, e.g., that it processes inputs into outputs properly, that only the officials concerned can access particular records and execute specific programmes, and that data are saved appropriately and securely. Moreover, the purpose of IT auditing is to evaluate whether or not an information system is fulfilling the company's objectives and to make sure that the system is not creating risk for the business. It is one of the prerequisites of every organisation to build an information system which can supply guaranteed, verified and well-managed data for audit. The vital gain from IT audits is greater confidence in the financial statements of the organisation and in the investment environment in general.
In this context, Xenia Ley Parker (2006) emphasises that the most remarkable advantage that should be achieved by a comprehensive IT audit system is the classification and documentation of productive audit means for information systems, or raising awareness of the need for ample and befitting controls. Adequate order and control over business processes and the information systems that support these processes is sound. The documentation of these controls should permit management to assess the tradeoffs between control obligations and operational effectiveness, where they exist, and to make better choices in setting up befitting control mechanisms.
Furthermore, IS for control is actually about utilising information technology in a way that makes an organisation more productive and effective in its activities and decision making. Information technology, if mismanaged or utilised without taking essential security precautions, can result in great difficulties. In the view of Xenia Ley Parker (2006), IT audit has changed how we do business pragmatically and, like any system, if it is correctly performed and designed it can give outstanding benefits to businesses.
The aim of this piece is to examine the infrastructure, importance, requirements, and drawbacks of an IT audit system in the organisation. In today's business environment, as Gallegos, F. (2003) articulates, it is getting harder and harder for an organisation not only to survive but to compete against other organisations. Information technology plays a big part in helping companies compete and survive. Companies that have branches or franchises need to make sure that they can communicate with the head office so that each and every step can be carefully taken.
Information systems and networked computers have critical importance in the operation of most organisations. All organisations, from manufacturers to banks, are highly reliant on information for their routine operations. Large companies and government bureaus need a huge amount of information to operate.
The role of IT audit has changed and amplified business activities. The area of information systems has received a fair amount of consideration in recent times. IS professionals generally agree that we need ample ground rules to govern the use of information technology (Gallegos, F. 2003). And we have identified for numerous years the need to incorporate experiments into IS curricula. Current means which try to make IS professionals and scholars more perceptive to the ethical concerns inside IT and IS may be too narrowly focused, in terms of both the matters covered and the audience addressed, particularly in light of the fast expansion of Internet use.
An IT audit system, according to Frederick Gallegos, Daniel P. Manson and Sandra Allen-Senft (1999, pp. 194-197), presents data to all economic managers inside and outside an organisation. It updates economic and operational data from multiple sources. An information system for audit eases investigation by supplying data very quickly. It equips professionals with views from different aspects: product, customer and staff. With the help of IT audit, one can analyse past and present data. One can also supervise the use of funds. A few examples of the uses of information technology in an enterprise are costing, P&L reporting, auditing, funds administration, etc.
Framework for IT Audit (IT environment)
All the companies, for instance IBM or Sun system, create a system that helps managers and executives in an organisation to understand the complex computerised information systems. Computers are networked to reach all positions from top to bottom within the organisation and all the clients outside the organisation. This point is elaborated by Hermanson, D. R., M. C. Hill, and D. M. Ivancevich (2000): IT audit guides managers in understanding and documenting both the manual and computerised aspects of an information system. Documentation of the client's system is facilitated by the inclusion, within Systematic, of a step-by-step module. IT audit includes a database of controls that can be used to mitigate risks typically found in computer-based systems.
The points of IT audit for effective business have been postulated by Hermanson, D. R., M. C. Hill, and D. M. Ivancevich. In their opinion, IT audit applies the techniques which have been used successfully for:
- Computerised audit program development;
- Networked Computers for Internal control evaluation; and
- IT based risk management.
The principal advantages of Information technology for audit system appear to be:
- Increased audit efficiency;
- Consistency among decision makers;
- Effectively dealing with large amounts of information; and
- The ability to communicate relationships as well as facts.
Information technology based systems for audit planning are designed to describe the various areas where systems are currently being developed or are in use; to indicate the advantages and disadvantages of these systems as they relate to audit planning; and to lay the foundation for determining the factors that indicate which audit tasks are most likely to be enhanced by an information system.
The system prompts the managers for the needed information in two major phases, as described by David Loshin (2001): (i) essential data collection and (ii) method selection. For instance, in the essential information-gathering phase the auditor first identifies the accounts used by the client from a system-provided major list of possible accounts, and then the relevant client applications from another system-provided list. The auditor is then required to input internal control evaluation information for each application. The information technology based system analyses all audit assertions and ties the accounting controls to the relevant audit procedures.
Data Management System
Information System applications for IT Audit
For IT audit, the main requirement, described by Jeffrey A. Hoffer, Mary B. Prescott and Heikki Topi (2008), is that records management systems and technologies support the organisation's basic internal and external compliance requirements. This means that the information system provides ways to track and audit retention management, and that it automates and enforces records destruction policies. It also fulfils security requirements, such as access control and tracking with recording and audit for physical and electronic records, and security for modification and deletion rights with tracking.
For IT audit, the major need is that the record administration system and technologies support the organisation's internal and external compliance requirements. This means that the information system presents ways to track and audit management, and that it automates and enforces record destruction policies. It also fulfils security obligations, for example access control and tracking with recording and audit for physical and electronic records, and security measures for modification and deletion rights with tracking.
An information system, as Popa, M. and Paraschiv, A. (2009) express, is an organisational structure comprising models that describe how a unit functions today and how it proposes to function in the future; it furthermore encompasses a plan for transitioning to this future state. More specifically, it describes the enterprise in logical terms (such as interrelated business processes and business rules, information needs and flows, and work positions and users) as well as in technical terms (such as hardware, programs, data, communications, and security attributes and presentation standards). It provides these perspectives both for the enterprise's present environment and for its target environment, as well as a transition plan for moving from one to the other. In short, it is a proposal for organisational change.
For any organisation that depends on information systems and computer networks to carry out its business, information security is a critical consideration. It is important for the audit department of the organisation, where maintaining the clients' trust is essential. Information security covers a wide range of controls, including general controls that apply across information systems (such as access controls and contingency planning) and business process application-specific controls to ensure the completeness, accuracy, validity, confidentiality, and availability of data.
As far as security of data is concerned, for any organisation that counts on information systems and computer networks to carry out its business activities, data security is a critical consideration. Popa, M. and Paraschiv, A. (2009, pp. 827-832) emphasise that it is important for the audit department of the management, where maintaining the clients' trust is essential. Information security covers a broad variety of audit controls, encompassing general controls that apply across data systems (such as access controls and contingency planning) and business process application-specific controls to double-check the completeness, correctness, validity, confidentiality, and accessibility of data.
Develop disaster recovery and business continuity plans (BCP)
Securing Data and Resuming Activities
For an organisation to recover from a data disaster and be able to function securely, the business needs a comprehensive business continuity plan (BCP) and a disaster recovery plan (DRP). Executive management has the major role in the prioritisation of business processes, in making the associated risk evaluations, and in the design and development of continuity plans for the organisation. The IT infrastructure, according to Kothari, P. (2007, pp. 25-26), should play an important role in the development and design of data recovery plans to meet business needs. IT auditors play an important role in supplying audit oversight over BCP and DRP by independently assessing the methods for managing, testing, and establishing these plans. The IT audit function should therefore work with both the business sides of the organisation. The IT system should recognise continuity difficulties and control the BCP system to attain an acceptable level of risk.
For this purpose, to carry out business plans safely, Kothari, P. (2007) suggests a secured data center. The research has proved that institutionalising a set of interrelated information system capabilities is key to an organisation's success in modernising its IT audit systems. These capabilities include, but are not limited to:
- well planned information system to describe an organization's audit system, the strategies it will use to achieve desired output, and performance measures;
- developing and using an updated IT architecture, or modern design, to guide and constrain IT investments;
- establishing and following a successful and tested system; and
- implementing information security management that ensures the integrity and availability of information.
It has been observed that without these types of capabilities, organisations increase the risk that system modernisation will (1) face disasters and halts in business activities and (2) lead to systems that are unnecessary and unacceptable.
They also risk not accomplishing such aims as expanded interoperability and effective information sharing. As a result, technology may not competently and powerfully support organisational jobs and help realise strategic task outcomes and goals. A secured and modernised information system is crucial to create an organisation's IT audit system and to help manage its data resources together with its business strategies and other decisions.
Critical Analysis and Recommendations
Challenges to ITS Audit and Recommendations
It is very difficult in today's technology-oriented world for an organisation to function without computers. Gallegos, F. (2003) describes how networked computers from outside the organisation are linked to business computers and financial networks, and how they are all linked together via the Internet or other networks. As information technology becomes a basic need of business, many people are networked through the Internet or an office-based system. Considering the banks in the UK, many clients are connected electronically. Transactions travel through the Internet every day, and every piece of information is stored on a computer that is at risk of attack. On any client's or information system's computer, much important information or data is saved, such as the financial statements of a company, or something very secret which only the top management can see. All these kinds of data can be hacked at any time.
Companies are becoming more aware of and scared by the fact that their computers are prone to attack. Virus scanners are becoming requirements on every machine. Installing such programs and monitoring these virus scanners usually takes a tremendous amount of time and more money. Many systems are made to solve the organisation's problems; they monitor the computer use of the employees in a company on the network, and they also monitor memory and file usage. A well-trained system administrator, as suggested by Gallegos, F. (2003), can usually tell by the amounts of memory being used and the file usage if something is going on that should not be. When a virus is found, system administrators can usually pinpoint the user who put the virus into the network and investigate and determine whether or not it was done intentionally.
Today, businesses are becoming more aware of and scared by the fact that their computers can be attacked at any time. Scanners are becoming a dire need on every machine. Establishing such programs and supervising these virus scanners generally takes a lot of time and more money. Many systems are made to solve the organisation's problems; they supervise the computer use of the workers in a business on the network, and they also monitor memory and file usage. Well-trained system managers can generally tell by the amounts of memory being utilised and the file usage if something is going on that should not be. When a virus is discovered, system administrators can generally locate the person who put the virus into the network and enquire about that activity (Wendy Robson 1997).
Information technology is inevitable and irresistible for businesses. But it is very important and valuable to realise that a networked system, no matter how many precautions you take, will never be completely safe. As technology advances and puts higher security into protection software (Black Ice, Norton, McAfee, etc.), so do the hackers who are trying their very best to get into your system. That does not mean that you are completely hopeless and that all your files are going to be seen and hacked.
IT professionals today are researching, coming up with new ideas and testing them on different kinds of computer security systems, but no one can prove or say that a given system or software is the best, unbreakable security system, because that would be false. If one person can create a software or computer security system, then surely someone out there could possibly crack that system. Many specialists in the technology field suggest updating the information system. Therefore, to conduct IT audit operations successfully it is necessary to update the systems and keep them safe from the risks.
The drawback is that developing and maintaining large information systems is very difficult to manage. But there are several factors that can facilitate business activities. First, substantial improvements in professionals' efficiency should be possible. Second, there should be large potential administrators for different areas of business. Third, through the distribution of data, the information system should present the potential for increases in auditor efficiency and effectiveness by reducing the skill and experience levels necessary for task completion.
IT audit measures lead to more reliable business methods, cost effectiveness, and greater positive outputs. This would in turn allow companies to raise entry-level pay, making the occupation more appealing to students. The large-scale utilisation of IT auditing in organisations and the expanded study of economic systems would foster newcomers' perception of IT auditing as a widely accepted profession.
Critical success factors for IT audit are smooth integration into the decision process and the development of information systems in various business areas. An information system provides certain assistance to make an organisation more worthy. For all business activities, data management modules are certainly helpful. Information technology employs methods to develop information systems for audit that deliver accurate and large data in a click. Day by day, information technology based systems are successfully used for audit planning tasks, and risk-free systems are generated.