A Quantitative Approach to Information Systems Audit in Small and Medium Enterprises

Abstract

An Information Systems (IS) Auditor performs several audit related functions in a Small and Medium Enterprise (SME) such as preparation of a written IS audit procedure, comparison of actual IS configuration with documented configuration standards, assess whether IS assets are secure, check the access rights for users and system services, check for the presence of IS security procedures and finally analyze transactions in an information system. The current work focuses on a quantitative approach to measure the effectiveness of the IS audit functions in selected small and medium enterprises. The variations in KPI scores between sectors and regions are analyzed for the sample SMEs. Finally, the operational best practices for IS Auditors working in SMEs are suggested.Keywords: Information Systems (IS), IS Audit, Key Performance Indicator (KPI), Small and Medium Enterprise (SME), Maturity Level Index1 IntroductionAn enterprise is mainly involved in economic activities. It can be categorized as Large, Medium or Small depending on the limits for investment, number of employees, balance sheet and total turnover. SMEs are contributing for economic development across the world. Information Systems Audit plays an important role in SMEs for running computer based application systems. Information Systems Audit ensures protection of IS assets and maintains data integrity. It also helps in achieving organizational goals and facilitates efficient usage of resources [1]. SMEs in the modern environment extensively make use of information system resources. This will ensure smooth flow of information between various sub systems and improves the business processes as well. An Information Systems (IS) Auditor performs several audit related functions in a Small and Medium Enterprise (SME) such as preparation of a written IS audit procedure, comparison of actual IS configuration with documented configuration standards, assess whether IS assets are secure, check the access rights for users and system services, check for the presence of IS security procedures and finally analyze transactions in an information system.2 ObjectivesThe objectives of the present work can be stated as follows:1) To assess the existence of IS Audit expertise in SMEs with reference to the KPI- Maturity level Index.2) To study the variations in the KPI scores between the sectors and regions.3) Suggest operational best practices for IS Auditors with respect to Information Systems Audit in SMEs.3 Related WorkThe article by Tommie W. Singleton [2] analyses the four phases of the Controls Development Life Cycle, viz., design, implementation, operational effectiveness and monitoring. The design phase involves IS controls pertaining to Top Management, Quality Assurance Management, Operations Management, Security Management, Systems Development Management, Data Resources Management, Programming Management and User Applications Management. The implementation phase should carry out the controls listed in the design phase. The operational effectiveness phase is concerned with ability of the controls to perform their goals (e.g. prevent a material misstatement). The monitoring phase involves continuous auditing on the controls and proper review of the change management procedures.The monograph by Khabib [3] gives an overview of controls for applications, data centre operations and access security. It also gives an overview of computer based audit techniques to independently test computer data. Jim Kaplan proposed [4] a simplified representation of the enterprise information environment. He gave an overview of IS audit process, accuracy, consistency and reliability of data, controls for the core processes and application systems.The fourth annual Information Systems Audit Benchmarking Survey conducted by Information Systems Audit and Control Association (ISACA and Protiviti in 2014 [5] highlights the challenges and concerns relating to computer and internet security, IS staffing and resources, IS risk assessment and IS audit reporting structure. …