Technology is widely perceived as having permanently changed the business environment that we once knew. Yet there is a basic idea that appears immobile against this irresistible technological force: companies that deliver more true value to the customer survive.
The audit function continues to provide assurance services to internal and external customers. External audit fees may continue to fall under competitive pressures, while internal audit staff sizes may continue to shrink in concert with the constant movement toward a leaner organization and increasing shareholder value, but the questions to be answered are not similarly diminished.
If we take a revenue cycle perspective, then we might consider the following questions:
Technology's impact is in the answers, not the questions. Therefore, we should assert that they continue to be asked and answered on some periodic basis. This guide to evaluating controls in today's AASs is intended to facilitate highly effective reviews of these controls.
The prior main volume of SACA was oriented more toward the general or financial auditor than toward the IT auditor. This volume was built on the assumption that most, if not all, of the potential issues should be raised for discussion.
The need to include the entire audit community is clearly reflected in the continuing growth of the Information Systems Audit and Control Association and in the significant percentage of the Institute of Internal Auditors' resources, courses, and column inches devoted to technology issues. These comments are not intended to further the debate over IIA issues ISACA. We are trying to highlight the internal audit reality that almost every review done places some reliance on an application and the hardware that supports it.
The 1998 edition of SACA includes more workpapers dedicated to specific applications and systems, while always returning at least one fully generic workpaper set to facilitate each subscriber's customization requirements. There are even alternative formats for a simple type of workpaper like an audit program. This was done to reflect differences between internal auditors, their situations, their needs, and their preferences.
This volume is divided into five main parts. First is an overview of the issues potentially inherent in any AAS review. Second is a review of the audit planning process. Third is a guide to evaluating the general controls that determine the reliability of the underlying hardware and operating environment. Fourth is an approach for evaluating the process used to develop new AASs, along with the logic for applying that process knowledge to evaluating the basic development process or to the actual development of a single AAS. Last are the procedures for evaluating an AAS that is already in a production environment.
Also discussed are things that the auditor must guard against, whether an IT, financial, operational, or other auditor. Some of those items are listed below:
Fully indexed files are included on the enclosed CD so that any item that may be useful can be readily accessed. Where appropriate, logical relationships have been established between the forms, such as audit programs and working papers.
Notes
1. This author uses the term effective under the premise that efficient is a necessary, but not sufficient, condition of anything that might be considered effective.
2. The distinction being made here may not seem significant when it is. The auditor must understand that almost every field where data is entered has more than one possible valid value. If there were only one valid value, why would anyone have to enter it? Data relationships may be established to reduce the number of valid customer-product combinations, for example, although this only increases the probability that the data entered is correct. It never guarantees it.
3. The author was involved in a review with the external auditors, who recommended a new feature for a system to address the potential risk that certain end users responsible for reacting to exception reports were not actually doing so. The external auditors wanted to program a digital sign-off that would require each of these users to click that box each day to indicate their review procedure was completed. When they were reminded that the end user could simply click without reviewing anything (at a development cost exceeding $40,000 USD), they insisted that having to click that box would cause them to review the exception reports. Readers are welcome to reach their own conclusion. The author was dubious.