Information Systems Audit Research Articles

SCAN: A Case‐Based Reasoning Model for Generating Information System Control Recommendations

AbstractThis paper describes SCAN, a case‐based reasoning model for generating information system control recommendations. The purpose of the paper is to explain how a case‐based reasoner may be used to support inexperienced information system auditors in evaluating controls and proposing audit recommendations. As a case‐based reasoner, SCAN functions by reasoning by analogy to similar past cases. SCAN models audit experience as traces of past cases which are stored in a case knowledge base. In addition to a database of past audit cases, SCAN consists of indices for storing and retrieving cases, a similarity metric for measuring case similarity, and rules for using similar cases to generate control recommendations. SCAN uses past cases to remind the user of previous control failures, to set expectations about case features and controls, to use as a pattern against which to compare a client's controls and to help justify or explain its recommendations. SCAN's recommendations were judged to be more like those of an experienced auditor than either a student or a textbook model.

Set Phasers On Stun, Mr. Spock: Taking Aim at the Control Implications of Wireless Networks

Click to increase image sizeClick to decrease image size Additional informationNotes on contributorsMark HowellsMark Howells, CISA, is senior EDP auditor for Nordstrom, Inc., Seattle WA. He has been an information systems auditor for five years in the retail and financial services industries. Before becoming an auditor, Howells worked in system operations management. The illustrations used in this article were provided by Symbol Technologies, Inc.

Using Flowcharts as an Information Systems Audit Tool

Click to increase image sizeClick to decrease image size Additional informationNotes on contributorsBarbara SimpsonBarbara Simpson, CPA, is an EDP auditor with Mocatta Metals Corp. in New York City. She holds a BS in accounting and graduated cum laude from Quinnipiac College, Hamden CT. Before undertaking her present position, Simpson was a computer programmer in an insurance organization and an EDP auditor with Coopers & Lybrand.

Capital budgeting in information systems development

The results of an empirical study on the current usage of capital budgeting techniques for evaluating, terminating, and auditing information system investments are presented. Findings based on 134 senior MIS personnel and management executives indicate that capital budgeting has little impact on IS investment, and simple techniques such as payback period and cost benefit ratio are preferred over more sophisticated discount cash-flow models. Problems with cost and return estimations are shown to be the key factors that limit their use. It is suggested that the decision authority varies according to the project value and the type of decisions being undertaken.

Object-oriented software for auditing information systems security

Information systems (IS) need permanent attention. Auditors must have effective tools to estimate their level of security and make recommendations to the management, according coherence and optimisation of the resources affected to maintain confidentiality, integrity and availability.Most of the time, risks have various and complex origins. A methodology is needed to analyse the coherence of the factors applied to the security and to suggest appropriate countermeasures, making part of a security policy regarding the objectives of the organization. There is a high demand for improved methodologies supported by software. A methodology for IS risk analysis and optimisation per level named MARION is presented. It has been developed in France from 1984 by APSAD, an association grouping together French insurance companies, and CLUSIF, an association in the area of computer security, MARION works in different contexts: mainframe mono-sites, networks and distributed systems, industrial computing, small and middle sized companies or systems, and microcomputing: involving technical tables, actualized and delivered by APSAD every year. The audit part of the methodology has been implemented in MacMARION , an object-oriented software working on a Macintosh platform, under MacOS operating system and programmed in the C++ language, making adaptation and reusability very easy. Input represents a personal appreciation provided by answer to questions. Output is quantitative and graphical, in the form of tables, roses and differential diagrams, which suggest coherence and relative seriousness with effort to accomplish regarding factors, categories of risks and losses. MacMARION offers an opportunity for self-assessment and a better productivity for auditors who can spend more time for details investigation and higher tasks, detailed investigation of higher or hidden risks.

A methodology for developing dependable information systems

This paper presents a mthodology for deciding what controls should be included in a computer based information system (IS). While the paper takes the perspective of the manager responsible for effective resource allocation and who is supported by the IS, the approach it provides is intended for use by the software engineer responsible for system development. The issue of IS controls is most often addressed in documents containing checklists of controls intended to be used for after-the-fact information system audits. The methodology presented here looks at the problem from the front-end of the system development process. It takes into account auditor concerns as well as the cost of including controls in an IS. The approach consists of a quantitative model which facilitates analysis of cost-benefit tradeoffs and methods which can be used to obtain information required by the model. It employs a variety of well-known techniques which have not previously been applied in this context. The major contribution of the paper is that it brings different techniques together into a coherent and feasible methodology which addresses the problem in its entirety.

Book Reviews

Abstract Abstract Expert Systems in Auditing, by Jan van Dijk and Paul Williams. Stockton Press (15 E 26th St, New York NY 10010), 1990; 192 pp. With glossary and bibliography. Price: $143, including shipping; include payment with order, in US funds. Outside the US, order from Globe Book Services, Brunel Rd, Houndmilles, Basingstoke, Hants RG21 2XS, UK; inquire about price. Information Systems Management, Control, and Audit, by Ian Gilhooley. Institute of Internal Auditors (249 Maitland Ave, Altamonte Springs FL 32701–4201), 1991; 507 pp. Price: $68, including shipping; include payment with order, in US funds. Discount for IIA members. Add $40 for orders from outside North America. For checks drawn on non-US banks, add $30 more. Disaster Recovery Planning Manual for Financial Institutions, by Geoffrey Wold and Robert Shriver. (Order Item B141.) The Bank Administration Institute (Probus Publications, 1925 Clybourne St, Chicago IL 60614), 1990; 223 pp. Price: $185 in the US, include payment with order; elsewhere, inquire.

The Role of Information Systems Auditing in Systems Development

The Role of Information Systems Auditing in Systems Development

Book Reviews

Abstract The Practitioner's Guide To EDP Auditing, by Jack Mullen. The New York Institute of Finance (2 Broadway, New York NY 10004–2207), 1990; various paginations; glossary. Price: $98 in US; elsewhere inquire; include payment in US funds with order. Disaster Recovery Planning For Telecommunications, by Leo Wrobel. Artech House (685 Canton St, Norwood MA 02062), 1990, 113 pp; bibliography, glossary. Price: $48 for US orders; $58 elsewhere; include payment in US funds with order. The PC Virus Control Handbook: A Technical Guide to Detection, Disinfection, and Investigation, Second Edition, by Robert Jacobson. Miller Freeman Publications (PO Box T, Gilroy CA 95021), 1990, 164 pp; bibliography. Price: $24.95 for US orders; elsewhere, inquire; include payment in US funds with order. Guidelines for Establishing an Information Systems Audit Function, by Leta Fee Higgins. IIA (249 Maitland Ave, Altamonte Springs FL 32701–4201), 45 pp; bibliography, glossary. Price: $20 for US orders; $23 elsewhere; discount for IIA members; include payment in US funds with order.

How to begin dealing with computer security

Outsourcin~ involves, in effect, the sale of an organization’s computing hardware and software, as well as its data processing staff, to a third party specialist organization that, in turn, will sell various computing services back to the original owner. Some provisions in contracts for such arrangements may limit the organization’s efforts to assure that its information resources are protected adequately. The information systems auditor and the person responsible for computer security should join the organization’s legal counsel to remove any such limitations from the outsourcing contract.

Getting Started in Value-for-Money Auditing of Information Systems

Getting Started in Value-for-Money Auditing of Information Systems

Assessing the Economic Benefits of Information Systems Auditing

As corporate management attempts to extract more end user benefit from information systems department expenditures, interest has grown toward the use of information systems auditing to assure software quality. This research shows that information systems departments are motivated by end users to provide lower quality systems than they would if allowed to pursue their own objectives. The research continues by demonstrating that auditing cannot a priori be assumed to raise the quality of corporate information systems. In fact, auditing tends to establish objectives that lower software quality. It demonstrates that audits are most beneficial in managing unsophisticated information systems departments in which end users are currently dissatisfied with their level of support. Augmenting the systems development process via technologies such as computer aided software engineering and prototyping may more consistently and effectively improve quality than does auditing. Recent developments among the large audit firms indicate that they recognize the importance of new software development technology, and are restructuring their businesses accordingly.

Tailor-made auditing of information systems for the detection of fraud

The extent and incidence of computer-related fraud and the risk it poses to all organizations using computers is now widely documented and reported. Auditors are, however, generally better at naming the disease and at observing in fine detail its symptoms than at finding and applying curative and preventive measures. This paper addresses how, as part of an integrated policy, relatively straightforward and established audit techniques can be used in audits tailor made for detecting fraud in information systems.

Management audit of information systems

Periodic review of the information systems function is necessary to determine if costs are in line with services provided, if the users are satisfied with services, and if computer power is effectively used to meet the demands of management. The purpose of this paper is to propose and introduce a new concept: Management Audit of Information Systems. An audit is defined as an "official" examination or review implying reference to some standard such as Generally Accepted Practice (GAP) as is used by accountants. Since there are no proposed or official standards in information processing, the term review is used instead of audit. As a result, conclusions reached in a review tend to be subjective and reflect the emphasis of the reviewer. A methodology is proposed for performing a standardized review (e.g., audit) of Information Systems with a view toward development of Information Systems Standards which could be adopted and promulgated by an appropriate professional organization. A Management Audit of Information Systems could then be conducted by qualified individuals to determine the extent of compliance with Generally Accepted Practice.

A Rule-Based Expert System for Auditors

Click to increase image sizeClick to decrease image size Additional informationNotes on contributorsDavid B. DunmoreDavid B. Dunmore is Director of Information Systems Audit for Marriott Corporation in Washington, D.C. Prior to joining Marriott, he was an associate consultant with Touche Ross and before that a Marine Corps data processing officer. He is a frequent speaker at EDP audit and security conferences. Mr. Dunmore is writing a book on systems development auditing which should be available in 1988.

How to supervise and control I/S Security Officers and Auditors

Information system Security Officers ( ISSO) and Information System Auditors ( ISA) can have similar capabilities with respect to asset access. Their supervision and control requires special consideration by management because they may literally have the keys to all of the organization's information and physical assets. The managers of each of those employees must be directly accountable for the individual's supervision. The same suggestions which are described for ISSO supervision apply to ISA supervision. Further, each is in a unique position to audit the activities of the other. Recommendations are provided to accomplish this “audit of the auditors.”

ACL/PC Audit Software for Personal Computers

Click to increase image sizeClick to decrease image size Additional informationNotes on contributorsHart J. WillHart J. Will is currently Professor of Accounting, Auditing, and Management Information Systems in the School of Public Administration at the University of Victoria, BC, Canada. He has worked on ACL since 1972 and has been one of the first academics involved in EDP auditing, both in North America and in Europe. He has published extensively in the field and has been the editor of The EDP Auditor, a director of The EDP Auditors Association, a trustee of The EDP Auditors Foundation, the founding president of the Vancouver Chapter and a founding board member of the Victoria Chapter of the EDPAA. Dr. Will serves currently on the National Sciences and Engineering Research Council of Canada and on the Canadian Multiculturalism Council.

Book Review

Abstract Abstract CONTROL AND AUDIT OF MODERN INFORMATION SYSTEMS, by J.C. Ford. Proceedings of the 1st NACCA Conference, April 1985. Juta and Co, Ltd., P.O. Box 123, Kenwyn 7790, Republic of South Africa. 1985; 154 pages. Reviewed by Donald L. Adams.

Applying Control Matrices to Application Systems Development

Click to increase image sizeClick to decrease image size Additional informationNotes on contributorsJeff GibbsJeff Gibbs is a staff auditor at Hewlett-Packard in Palo Alto, California. Before that he was a senior systems auditor with NCR Corporation. He is a Certified Information Systems Auditor and a Certified Management Accountant.

Microcomputers in the Audit Function

Click to increase image sizeClick to decrease image size Additional informationNotes on contributorsLawrence BeitmanLawrence Beitman is Executive Vice President of SECUREWARE, a consulting firm specializing in EDP auditing, located in Wheeling, Illinois. He has had many years of experience in both data processing and EDP auditing and has written extensively on information systems auditing.