


Rising Need to Review Computer Systems

22 November 2006

 

Computer systems are far more ubiquitous in today’s business environment than they were 20 years ago. With improved production processes and advances in technology, the cost of computer systems will continue to come down. Affordability is therefore no longer an issue. The prestige once attached to owning computer systems has quietly faded against this backdrop.

 

Owning computer systems is now a must-have for organisations to compete. Many manual business processes can now be automated thanks to advances in programming languages and skills. Many once-isolated applications are being integrated to form powerful business systems; ERP software is a case in point. Servers that run the applications are linked via complicated networks to provide seamless data flows, and middleware is used to “glue together” many different applications, across departments and cities, so that they can “talk” to one another.

 

Today, business processes are heavily dependent on IT to support their activities. Reverting to manual operation is no longer viable in terms of time and efficiency, which are, arguably, the two main factors behind mass computerisation by corporations.

 

Interruptions (such as power outages, virus/worm attacks, hardware failures etc.) that lead to system downtime can therefore severely affect business operations. The degree will depend on how fast the system can be recovered. The business impact on the company can be financial and/or non-financial in nature. The latter refers to reputation loss, dissatisfied customers, human casualties etc. The severity of the impact depends very much on the duration of the downtime.

 

 

The shortcoming

 

The traditional approach of reviewing just financial records and the related internal controls no longer seems sufficient in today’s business operating environment. The increasing reliance on computer systems to replace manual processes, from data input to the final updating of financial records, exposes the inadequacy and shortcomings of the present auditing approach. Imagine the risk that external auditors would bear when giving a true and fair view on the going concern of a company based on a review of financial records alone, while ignoring the fact that the company concerned lacks the critical contingency plan for the computer system that stores all those records.

 

Auditing of computer systems is therefore an important aspect of internal controls evaluation that can no longer be avoided or satisfied with an around-the-system review. The automation of manual processes also means that physical documents that could once be touched and felt are now being replaced with digital documents. Therefore, the traditional audit process should be extended to include a review of computer systems, to provide management with added internal control assurance as well as to satisfy the requirements of good corporate governance.

 

 

 

The role of IT auditors

 

Auditors who specialise in IT auditing are often referred to as “IT auditors”. They play an important role in providing assurance to management that the computer systems that run the business processes are sufficiently resilient to sustain continuity in business activities. They provide assurance that there are adequate security measures over computer systems and protection over the integrity of information stored therein.

 

In reviewing computer systems, the IT auditors should design the audit programme to ascertain that the following three primary management control objectives are in place, namely:

  1. The application system is adequately secured to protect the confidentiality and integrity of transactions, and the privacy of information stored.

  2. Business transactions and information captured, processed and reported are complete, accurate, valid and timely.

  3. Continuity in the operational capability of the application system and other related supporting activities.

 

The IT auditors should bear in mind that the computer systems are used to support business activities. Thus, it is vital that the IT auditors gain a good understanding of the underlying workflows of these business activities. It is from here that one gauges the relative importance of the different processes and the information captured in the computer system. This procedure will help to determine, in subsequent assessment, the adequacy of existing controls in protecting the integrity of the processes and the information stored therein.

 

 

The relevance of COBIT

 

In traditional auditing, COSO is a good framework for evaluating internal controls. Likewise, for IT auditing, COBIT is a good source that IT auditors should research for guidance in developing the management control objectives that support the review of computer systems. The control principles promulgated by COBIT are closely linked to business requirements. The use of COBIT would thus ensure that the review is conducted with business requirements/objectives in mind.

 

The latest version of COBIT, version 4.0, has been substantially fine-tuned to better relate IT control objectives to business objectives. COBIT will provide a good framework for any aspiring IT auditor to contribute to their organisation. Toward this end, IT auditors should be well-versed in COBIT as the main guidance in conducting IT audit assignments for any organisation!

 

 

By George Chan, Director of Research & Publicity, ISACA Malaysia Chapter.

He can be reached at research@isaca.org.my

 

 

 

 




 
  Copyright © 2006-2010 ISACA Malaysia Chapter. All rights reserved.