Assume that you are working as a systems analyst in a software development company. Your company has assigned you to a project to develop an information system for XYZ Company. Based on this scenario, answer the following questions.
a) Discuss the data and process modeling tools you use during the systems analysis phase of information systems development.
b) Why do we need an information systems audit? Discuss the phases of an information systems audit in detail for the system you develop for XYZ Company.
a) During the analysis phase, a systems analyst uses the entity-relationship diagram (E-R diagram) as a data modeling tool. A data model is a detailed model that captures the overall structure of organizational data while remaining independent of any database management system or other implementation consideration. The E-R diagram is a graphical representation built from three basic concepts: entities, attributes, and relationships.
Entity: An entity is a person, place, object, event, or concept in the user environment about which the organization wishes to capture and store data. An entity set is a collection of entities that share common properties or characteristics; for example, STUDENT is an entity set. An entity set is drawn in an E-R diagram as a rectangle.
Attribute: Each entity type has a set of attributes associated with it. An attribute is a property or characteristic of an entity that is of interest to the organization. For example, the STUDENT entity set can have Student_ID, Student_Name, Home_Address, Phone_Number, and Major as its attributes. An attribute is drawn in an E-R diagram as an ellipse.
Every entity type must have an attribute or set of attributes that distinguishes one instance from the other instances of the same type. A candidate key is an attribute or combination of attributes that uniquely identifies each instance of an entity type. Some entity types have more than one candidate key; in that case we must choose one of the candidate keys as the identifier. An identifier (or primary key) is the candidate key that has been selected as the unique characteristic of the entity type.
A multi-valued attribute may take more than one value for each entity instance and is drawn as a double-lined ellipse. An attribute that has meaningful component parts is called a composite attribute. An attribute whose value can be computed from related attribute values is called a derived attribute and is drawn as a dashed ellipse.
Relationships: A relationship is an association between the instances of one or more entity types that is of interest to the organization. A relationship is drawn as a diamond and labeled with a verb phrase. The cardinality of a relationship is the number of instances of one entity type that can (or must) be associated with each instance of another entity type. Cardinality takes one of four forms: one-to-one, one-to-many, many-to-one, and many-to-many.
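To show how the E-R concepts above carry over into an implementation, here is an added example (not part of the original answer) that realises the STUDENT entity set as a relational schema in SQLite: the chosen identifier and a second candidate key, the composite Home_Address stored as its parts, the multi-valued Phone_Number as its own table, a derived attribute as a view, and a many-to-many relationship as an associative table. COURSE, REGISTRATION, the Email candidate key, Enrollment_Date, the as-of date and all sample rows are constructed assumptions.

```python
import sqlite3

# Added example: the STUDENT E-R fragment as a relational schema.
# COURSE, REGISTRATION, Email, Enrollment_Date, AS_OF_DATE and the sample
# rows are constructed assumptions, not taken from the original text.

AS_OF_DATE = "2024-09-01"  # assumed reference date for the derived attribute

SCHEMA = f"""
-- Entity set STUDENT. Student_ID is the candidate key chosen as the identifier
-- (primary key); Email is a second candidate key, kept unique but not chosen.
-- Home_Address is a composite attribute, so it is stored as its component parts.
CREATE TABLE STUDENT (
    Student_ID      INTEGER PRIMARY KEY,
    Student_Name    TEXT    NOT NULL,
    Email           TEXT    NOT NULL UNIQUE,
    Street          TEXT,
    City            TEXT,
    Postal_Code     TEXT,
    Major           TEXT,
    Enrollment_Date TEXT    NOT NULL
);
-- Phone_Number is multi-valued: one row per value, never a comma-separated column.
CREATE TABLE STUDENT_PHONE (
    Student_ID   INTEGER NOT NULL REFERENCES STUDENT(Student_ID) ON DELETE CASCADE,
    Phone_Number TEXT    NOT NULL,
    PRIMARY KEY (Student_ID, Phone_Number)
);
CREATE TABLE COURSE (
    Course_ID INTEGER PRIMARY KEY,
    Title     TEXT    NOT NULL
);
-- The many-to-many relationship STUDENT registers-for COURSE becomes an
-- associative table keyed by the pair of identifiers.
CREATE TABLE REGISTRATION (
    Student_ID INTEGER NOT NULL REFERENCES STUDENT(Student_ID),
    Course_ID  INTEGER NOT NULL REFERENCES COURSE(Course_ID),
    PRIMARY KEY (Student_ID, Course_ID)
);
-- Years_Enrolled is a derived attribute: computed in a view, never stored,
-- so it cannot drift from the Enrollment_Date it is derived from.
CREATE VIEW STUDENT_WITH_DERIVED AS
SELECT Student_ID, Student_Name,
       CAST((julianday('{AS_OF_DATE}') - julianday(Enrollment_Date)) / 365.25
            AS INTEGER) AS Years_Enrolled
FROM STUDENT;
"""


def build_database() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    conn.executescript(SCHEMA)
    return conn


def load_sample_data(conn: sqlite3.Connection) -> None:
    # Constructed sample rows.
    conn.executemany("INSERT INTO STUDENT VALUES (?,?,?,?,?,?,?,?)", [
        (1001, "Ada Lovelace", "ada@example.edu", "12 Analytical Way", "London", "W1", "Mathematics", "2021-09-01"),
        (1002, "Alan Turing", "alan@example.edu", "1 Bletchley Rd", "Milton Keynes", "MK3", "Computer Science", "2023-09-01"),
    ])
    conn.executemany("INSERT INTO STUDENT_PHONE VALUES (?,?)", [
        (1001, "+44 20 7946 0000"), (1001, "+44 20 7946 0001"), (1002, "+44 1908 000000"),
    ])
    conn.executemany("INSERT INTO COURSE VALUES (?,?)", [(501, "Systems Analysis"), (502, "Databases")])
    conn.executemany("INSERT INTO REGISTRATION VALUES (?,?)", [(1001, 501), (1001, 502), (1002, 501)])
    conn.commit()


def phone_numbers(conn, student_id):
    rows = conn.execute("SELECT Phone_Number FROM STUDENT_PHONE WHERE Student_ID = ? ORDER BY Phone_Number",
                        (student_id,)).fetchall()
    return [r[0] for r in rows]


def years_enrolled(conn, student_id):
    return conn.execute("SELECT Years_Enrolled FROM STUDENT_WITH_DERIVED WHERE Student_ID = ?",
                        (student_id,)).fetchone()[0]


def students_in_course(conn, course_id):
    rows = conn.execute("SELECT s.Student_Name FROM STUDENT s JOIN REGISTRATION r ON r.Student_ID = s.Student_ID "
                        "WHERE r.Course_ID = ? ORDER BY s.Student_Name", (course_id,)).fetchall()
    return [r[0] for r in rows]


def violates_integrity(conn, sql, params=()):
    """True if the statement is rejected by a key or referential constraint; nothing is kept."""
    try:
        conn.execute(sql, params)
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    conn.rollback()
    return False


if __name__ == "__main__":
    db = build_database()
    load_sample_data(db)
    print(phone_numbers(db, 1001), years_enrolled(db, 1001), students_in_course(db, 501))
```

The point of the integrity checks is that the identifier, the second candidate key and the relationship cardinalities are enforced by the database itself rather than by application code: a duplicate Student_ID, a reused Email, or a phone number for a student who does not exist are all rejected before they can corrupt the data.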
Process modeling involves graphically representing the functions or processes that capture, manipulate, store, and distribute data between a system and its environment and between the components within a system. The most common process modeling tool is the data flow diagram (DFD). A data flow diagram depicts the flow of data through a system and the work or processing performed by that system. It is also called a bubble chart, transformation graph, or process model. There are two different sets of DFD symbols (Gane and Sarson; DeMarco and Yourdon), but each set consists of four symbols that represent the same things: data flows, data stores, processes, and sources/sinks (external entities).
A process is the work or actions performed on data so that they are transformed, stored, or distributed. A data store is data at rest inside the system; it may take many different physical forms. An external entity (source/sink) is the origin and/or destination of data and lies outside the system boundary. A data flow represents data in motion, moving from one place in the system to another.
b) First Part: An information technology audit, or information systems audit, is an examination of the management controls within an information technology (IT) infrastructure. The evaluation of the evidence obtained determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, an internal audit, or another form of attestation engagement. IT audits are also known as "automated data processing (ADP) audits" and "computer audits"; they were formerly called "electronic data processing (EDP) audits".
The purpose of an IT audit is to evaluate the design and effectiveness of the system's internal controls. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight. Installing controls is necessary but not sufficient to provide adequate security. The people responsible for security must also determine whether the controls are installed as intended, whether they are effective, and whether any breach of security has occurred and, if so, what can be done to prevent future breaches.
The primary function of an IT audit is to evaluate the systems that are in place to guard an organization's information. Specifically, IT audits evaluate the organization's ability to protect its information assets and to release information only to authorized parties. The IT audit therefore asks:
• Will the organization's computer systems be available for the business whenever they are required? (availability)
• Will the information in the systems be disclosed only to authorized users? (security and confidentiality)
• Will the information provided by the systems always be accurate, reliable, and timely? (integrity)
Many organisations spend large amounts of money on IT because they recognise the tremendous benefits it can bring to their operations and services. They therefore need assurance that their IT systems are reliable, secure, and not vulnerable to computer attacks.
IT audit is important because it gives assurance that the IT systems are adequately protected, provide reliable information to users, and are properly managed to achieve their intended benefits. Many users rely on IT without knowing how the computers work, and a computer error can be repeated indefinitely, causing more extensive damage than a single human mistake. IT audit also helps to reduce the risks of data tampering, data loss or leakage, service disruption, and poor management of IT systems.
Second Part: There are four phases in an information systems audit: audit planning; risk assessment and business process analysis; performance of audit work; and reporting. The same phases apply to auditing the system developed for XYZ Company.
Audit Planning – In this phase we plan the information systems coverage so that it meets the audit objectives specified by the Client and complies with all applicable laws and professional standards. The first step is to obtain an Audit Charter from the Client detailing the purpose of the audit and the responsibility, authority and accountability of the Information Systems Audit function, as follows:
1. Responsibility: The Audit Charter should define the mission, aims, goals and objectives of the Information System Audit. At this stage we also define the Key Performance Indicators and an Audit Evaluation process;
2. Authority: The Audit Charter should clearly specify the authority assigned to the Information Systems Auditors in relation to the risk assessment work that will be carried out, the right to access the Client's information, the scope and/or limitations to the scope, the Client's functions to be audited and the auditee's expectations; and
3. Accountability: The Audit Charter should clearly define reporting lines, appraisals, assessment of compliance and agreed actions.
The Audit Charter should be approved and agreed upon at an appropriate level within the Client's
In addition to the Audit Charter, we should obtain a written representation ("Letter of Representation") from the Client's management acknowledging:
1. Their responsibility for the design and implementation of the Internal Control Systems affecting the IT Systems and processes
2. Their willingness to disclose to the Information Systems Auditor their knowledge of irregularities and/or illegal acts affecting their organization that involve management or employees with significant roles within the internal audit department.
3. Their willingness to disclose to the IS Auditor the results of any risk assessment indicating that a material misstatement may have occurred.
• Risk Assessment and Business Process Analysis: Risk is the possibility of an act or event occurring that would have an adverse effect on the organisation and its information systems. Risk can also be defined as the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss of, or damage to, the assets. It is ordinarily measured as a combination of the effect and the likelihood of occurrence.
More and more organizations are moving to a risk-based audit approach, which can be adapted to develop and improve a continuous audit process. This approach is used to assess risk and to support the IS auditor's decision to perform either compliance testing or substantive testing. In a risk-based approach, IS auditors do not rely on risk alone; they also rely on the internal and operational controls and on their knowledge of the organisation. Relating the cost/benefit of a control to the known risk in this way allows practical choices to be made.
The process of quantifying risk is called Risk Assessment. Risk Assessment is useful in making decisions such as:
1. The area/business function to be audited
2. The nature, extent and timing of audit procedures
3. The amount of resources to be allocated to an audit
• Performance of Audit Work: In the performance of audit work the Information Systems Audit Standards require us to provide supervision, gather audit evidence and document our audit work. We achieve this through:
1. Establishing an internal review process in which the work of one person is reviewed by another, preferably a more senior person;
2. Obtaining sufficient, reliable and relevant evidence through inspection, observation, inquiry, confirmation and recomputation of calculations; and
3. Documenting our work, describing the audit work done and the audit evidence gathered to support the auditors' findings.
Based on our risk assessment and the identification of the risky areas, we move ahead to develop an Audit Plan and an Audit Program. The Audit Plan details the nature, objectives, timing and extent of the resources required for the audit.
Based on the compliance testing carried out in the prior phase, we develop an Audit Program detailing the nature, timing and extent of the audit procedures. Within the Audit Plan various control tests and reviews can be performed. They are sub-divided into:
1. General/ Pervasive Controls
2. Specific Controls
• Reporting: Upon completion of the audit tests, the Information Systems Auditor is required to produce an appropriate report communicating the results of the IS audit. An IS audit report should:
1. Identify the organization, the intended recipients and any restrictions on circulation;
2. State the scope, objectives, period of coverage, nature, timing and extent of the audit work;
3. State findings, conclusions, recommendations and any reservations, qualifications and limitations
4. Provide audit evidence