Auditors are charged with evaluating the reliability and operational effectiveness of controls. Controls are broadly categorized as systems that prevent, detect, or correct policy violations and unlawful or abusive events.
The overarching purpose of controls is to reduce the risk of events that adversely affect the organization's critical assets. A preventive control is exemplified by validation logic attached to a data input field that refuses to accept incorrectly entered data. Preventive controls reduce the probability of harmful events occurring in the first place. Detective controls are systems that identify errors that have already entered the system. For example, a data input program identifies erroneous data entered into the system and notifies administrators.
Corrective controls are typified by a program using special instructions to correct data that has been altered during transmission between the data entry point and the storage facility. Auditors have the responsibility of ascertaining whether controls are in place and functioning adequately. Their task extends to confirming that at least one control addresses each prohibited event that could plausibly occur.
Some harmful events are not addressed by controls because a control would not be cost-effective. This is where the judgment of the auditor comes into play. If the cost of the control exceeds the value of the critical asset, it is not cost-effective to implement the control. It is not the auditor's responsibility to make this decision. The matter is reported and left to the determination of the senior managers. If the auditor has performed her task with professional due diligence and reported her findings adequately, resolution of the audit findings rests with senior management. Auditors are within their authority to make operational recommendations, but if these recommendations are not followed, the responsibility shifts to senior management.
Even if a prohibited action or event is addressed by a control, auditors must determine if the control is functioning effectively and efficiently. Frankly, it is not sufficient to merely identify a control; it must be verified that this control is functioning properly. This functional verification process is known as "testing." If an auditor does not make accurate and timely decisions, it is possible the risks to the organization will become unmanageable.
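The three control types described above, applied to the claims data-entry case, together with the kind of functional test an auditor would run to verify that each control actually fires rather than merely exists. This is an added illustration, not code from the book; the claim record fields, the digest-based transit check and the resend callback are assumptions.

```python
import hashlib
import json

# Constructed example: a claims data-entry pipeline with one preventive,
# one detective and one corrective control, plus the auditor's test of each.
# Field names and the resend mechanism are assumptions, not from the book.

VALID_STATES = {"open", "paid", "denied"}


def preventive_validate(claim: dict) -> bool:
    """Preventive control: reject a malformed record before it enters the system."""
    return (isinstance(claim.get("claim_id"), str) and claim["claim_id"].isdigit()
            and isinstance(claim.get("amount"), (int, float)) and claim["amount"] > 0
            and claim.get("status") in VALID_STATES)


def detective_scan(stored: list) -> list:
    """Detective control: identify bad records already in storage for administrators."""
    return [c.get("claim_id", "?") for c in stored if not preventive_validate(c)]


def seal(claim: dict) -> dict:
    """Sender attaches a digest so the receiver can tell whether the record changed in transit."""
    body = json.dumps(claim, sort_keys=True).encode()
    return {"claim": claim, "digest": hashlib.sha256(body).hexdigest()}


def corrective_receive(envelope: dict, resend) -> dict:
    """Corrective control: on a digest mismatch, restore the record from the sender
    (resend is a callable keyed on the original digest) instead of storing the altered copy."""
    body = json.dumps(envelope["claim"], sort_keys=True).encode()
    if hashlib.sha256(body).hexdigest() == envelope["digest"]:
        return envelope["claim"]
    return resend(envelope["digest"])


def audit_test_controls() -> dict:
    """Auditor's test: each control must demonstrably act on a known-bad input."""
    good = {"claim_id": "1001", "amount": 250.0, "status": "open"}
    bad = {"claim_id": "1002", "amount": -5, "status": "open"}      # negative amount
    sent = seal(good)
    sender_copy = {sent["digest"]: good}                             # sender keeps originals
    tampered = {"claim": dict(good, amount=9999.0), "digest": sent["digest"]}  # altered in transit
    return {
        "preventive": preventive_validate(good) and not preventive_validate(bad),
        "detective": detective_scan([good, bad]) == ["1002"],
        "corrective": corrective_receive(tampered, sender_copy.__getitem__) == good,
    }
```

A control whose entry in `audit_test_controls()` comes back `False` is identified but not functioning, which is exactly the finding the testing step exists to surface.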
Auditors usually take the first step toward understanding a complex system by dividing it into its subsystems. Subsystems are the basic components of the greater system that perform a function needed by the business in achieving its goals. This process is commonly known as factoring. Basically, subsystems are defined by the function they perform. Auditors look first for the system functions that are performed, and then factor those functions as they relate to the different subsystems. For example, an insurance company has as one of its primary functions the processing of claims. A subsystem of the claims processing system is the data entry of claims filed by policyholders and received by the company by mail. The fashion in which the auditor chooses to factor systems may vary according to the auditor and the system. However, auditors frequently factor systems in two basic forms: managerial functions and application functions. Exhibit 1 is an example of managerial functions performed in a system.
Exhibit 1: Management Functions

| Function | Responsibilities |
| --- | --- |
| Senior management | Senior managers ensure the information system is well managed; responsible for overall profitability |
| Information systems managers | Have responsibility for planning, implementing, and controlling all information technology systems; advise senior management in appropriate matters |
| Systems development managers | Responsible for information systems design, implementation, and maintenance |
| Data administration management | Responsible for planning for, and addressing issues related to, the organization's data |
| Operations management | Responsible for planning and day-to-day operation of the information technology systems |
The second factor considered by auditors is the application functions needed to ensure reliable data processing. Information technology systems can be considered from a business-process point of view. These processes vary widely depending on the industry, the location, and whether the organization is in the public or private sector. Typically, organizations will have some form of the following application-related business processes: sales, account collections, payroll and human resources management, acquisitions, accounts payable, inventory, warehousing, and financial accounting. In the organization, application systems are factored into subsystems related to the business process. Exhibit 2 is a table reflecting application subsystems.
Exhibit 2: Application Functions

| Subsystem | Components |
| --- | --- |
| Outside boundary | Components that interface between the user and the information technology system |
| Data input | Components that capture, process, and enter commands and data into the information technology system |
| Processing | Components that form the architecture for decision making, ordering, classification, and organization of data |
| Database | Components that define, add, modify, and delete data |
| Communications | Components that transmit data between inside and outside information technology systems |
| Output | Components that collect and present data to users |