
Computer Audit Update May 1992

staff to identify typical systems processing controls.

• Review of input controls and balancing procedures.

• Review of security procedures for system and library access.

• Review of the command language and system processing procedures.

• Test for compliance with balancing/review procedures, error correction, etc.

• Compare the results of the EUC system report with production data and/or independently prepared parallel processing.

Charles Le Grand is director of research for the Institute of Internal Auditors and is responsible for administering all the activities of the IIA Research Foundation. Prior to this position he was manager of advanced technology for the IIA and he has, for more than twenty years, studied and participated in the design, development, implementation, management, control and auditing of business systems. He has also played a major role in the IIA's Systems Auditability and Control (SAC) research report, upon which this article is based.

COMPACS '92

David Bentley

The 16th COMPACS Computer Audit, Control and Security conference run by the Institute of Internal Auditors - UK at the Park Lane Hilton, London in March highlighted some of the key issues facing computer auditors.

SAC

The conference opened with a keynote address by Hans Spoel, Chairman of the European Confederation of Institutes of Internal Auditing (ECIIA). Speaking on the recent publication of the Systems Auditability and Control (SAC) report, he commented that the new report identifies that the control environment is greatly improved compared with that found in the earlier 1977 report.

SAC shows that internal auditors have expanded their range of computer audit activities over recent years but that they recognize the need to develop and expand their coverage further as the rate of change in technology continues to accelerate. Spoel stressed the importance for auditors of the research report's key finding that the principal challenge of the 90s is to integrate the planning, design, and implementation of complex application systems with the strategy of the organization.

"For the internal audit professional, this means increased responsibility to understand how information technology fits into the organization's overall goals and objectives. This can only be achieved if we are also a player at top management level", said Spoel.

He set out the conditions which he believed were necessary requirements for internal auditors to make significant progress towards providing value added audit services:

• Their place in the organization must be close to top management.

• They must have a systematic and managerial approach to their job.

• They must be objective and independent.

• They must have an intellectual integration with the business objectives and policies of their organizations.

• They must work on broad information bases and close to the event.

• They must be responsive to critical areas of the organization which are of top management concern.

©1992 Elsevier Science Publishers Ltd

He also spoke of the need for internal auditors to use technology to carry out more effective auditing: "Changing technology creates new control opportunities, but also new audit opportunities. Many systems provide features and functions that can be used as control techniques and as audit tools. The use of information technology in internal audit is no longer an option; it is a necessity."

Expert systems in auditing

The theme of audit automation was also considered by Paul Williams of BDO Binder Hamlyn in a presentation on the use of expert systems in auditing. He considered that expert systems ought to be seen as one part of a total automation strategy, and that they might be used typically for such applications as:

• Audit risk assessment.

• Audit strategy generation.

• Audit programme generation.

• Internal control evaluation.

• Financial analyses.

• Test result evaluation.

• Generation of management advice.

In considering the justification for expert systems, he summarized the way in which internal control questionnaires and checklists have been used to enable relatively unskilled auditors to ask sensible questions. He warned, however, that this did not mean that sensible answers were being obtained and understood, or that sensible recommendations were being made, and that this therefore led to some uncertainty about the effectiveness of the audit process. He considered that expert systems offer the potential for overcoming many of these uncertainties through:

• Always asking sensible questions.

• Asking only relevant questions, through understanding the significance of earlier answers and their consequent effect upon later questions.

• Proper and consistent interpretation of results.

• Consistent and appropriate recommendations.

• Fully documented justification for all recommendations made.

The justification for the costly development of expert systems would be based upon cost reduction and operational efficiency, a reduction in operating skills, the creation of new opportunities and the elimination of bottlenecks in the audit process.

He considered that audit applications particularly suitable for expert systems development would probably have certain characteristics:

• A decision process that follows logically on an 'if then' format with clearly defined paths to follow.

• Decisions required to be repeated in a variety of situations so that economies may be gained from its use.

• Decisions which can be made by way of pre-stored menu options, yes/no answers or quantitative responses.

• The problem to be solved must be large enough and complex enough that benefits of consistency and accuracy are gained from the use of the expert system, yet the problem should not be so complex that the expert system itself becomes too unwieldy.

Their scope currently is, and will continue to be, in decision support systems to help the auditor to make professional judgements and to help to record the reasons why those judgements were made.
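The following is an added example, not code from the article, the IIA or BDO Binder Hamlyn: a small rule-driven questionnaire engine in Python that exhibits the behaviour Williams describes (every question well-formed, later questions asked only when earlier answers make them relevant, consistent interpretation, and a recorded justification for each recommendation), applied to the EUC review steps listed at the top of this page (access to the system and library, balancing to production data, parallel processing). The question wording, the rules, their severities and the scripted respondent are all constructed for illustration and are not an audit standard.

```python
"""Rule-driven internal control questionnaire: constructed example, not an audit standard.
Later questions are asked only when earlier answers make them relevant, every answer is
validated, and each recommendation records the answers that justify it."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Answers = Dict[str, object]

@dataclass(frozen=True)
class Question:
    key: str
    text: str
    kind: str                        # "yesno", "menu" or "number"
    options: Tuple[str, ...] = ()    # valid choices for "menu"
    relevant_if: Optional[Callable[[Answers], bool]] = None

@dataclass(frozen=True)
class Rule:
    name: str
    uses: Tuple[str, ...]            # answer keys the rule depends on
    when: Callable[[Answers], bool]
    severity: str
    finding: str
    recommendation: str

@dataclass(frozen=True)
class Finding:
    rule: Rule
    justification: Tuple[str, ...]   # "key=value" answers that fired the rule

def parse_answer(q: Question, raw: str) -> object:
    """Coerce the respondent's text to the typed value the rules expect; reject junk."""
    raw = raw.strip().lower()
    if q.kind == "yesno" and raw in ("y", "yes", "n", "no"):
        return raw.startswith("y")
    if q.kind == "menu" and raw in q.options:
        return raw
    if q.kind == "number" and raw.isdigit():
        return int(raw)
    raise ValueError(f"{q.key}: {raw!r} is not a valid {q.kind} answer")

def next_question(questions: Sequence[Question], answers: Answers) -> Optional[Question]:
    """First unanswered question whose relevance condition holds for the answers so far."""
    for q in questions:
        if q.key not in answers and (q.relevant_if is None or q.relevant_if(answers)):
            return q
    return None

def evaluate(rules: Sequence[Rule], answers: Answers) -> List[Finding]:
    """Fire every rule whose inputs were all collected; record the answers that triggered it."""
    findings = []
    for r in rules:
        if all(k in answers for k in r.uses) and r.when(answers):
            findings.append(Finding(r, tuple(f"{k}={answers[k]}" for k in r.uses)))
    return findings

def run_review(questions, rules, respond: Callable[[Question], str]):
    """Ask only relevant questions, validate each answer, then evaluate the rule base."""
    answers: Answers = {}
    asked: List[str] = []
    while (q := next_question(questions, answers)) is not None:
        asked.append(q.key)
        answers[q.key] = parse_answer(q, respond(q))
    return asked, evaluate(rules, answers)

# Constructed EUC review questions, following the checklist items at the top of this page.
EUC_QUESTIONS = (
    Question("shared", "Do staff other than the developer use this EUC application?", "yesno"),
    Question("access_ctl", "Is access to the application and its data library restricted?",
             "yesno", relevant_if=lambda a: a.get("shared") is True),
    Question("balanced", "How often are report totals balanced to production data?",
             "menu", options=("every run", "monthly", "never")),
    Question("diffs", "How many balancing differences remain unresolved this year?",
             "number", relevant_if=lambda a: a.get("balanced") not in (None, "never")),
    Question("parallel", "Has the logic been checked against independent parallel processing?",
             "yesno"),
)

EUC_RULES = (
    Rule("R1", ("shared", "access_ctl"), lambda a: a["shared"] and not a["access_ctl"], "High",
         "Shared application with no access restriction.",
         "Restrict access to the application and its library; review access periodically."),
    Rule("R2", ("balanced",), lambda a: a["balanced"] == "never", "High",
         "Report output is never balanced to production data.",
         "Introduce a balancing/review procedure for every production run."),
    Rule("R3", ("diffs",), lambda a: a["diffs"] > 0, "Medium",
         "Balancing is performed but differences remain unresolved.",
         "Investigate and clear outstanding differences; log each error correction."),
    Rule("R4", ("parallel",), lambda a: not a["parallel"], "Medium",
         "Application logic has not been independently verified.",
         "Compare report output with independently prepared parallel processing."),
)

def demo() -> Tuple[List[str], List[Finding]]:
    """Scripted respondent (constructed): single-user spreadsheet balanced monthly with two open
    differences and no parallel run. 'access_ctl' is irrelevant and must not be asked."""
    scripted = {"shared": "no", "balanced": "monthly", "diffs": "2", "parallel": "no"}
    return run_review(EUC_QUESTIONS, EUC_RULES, lambda q: scripted[q.key])
```

Running `demo()` asks four of the five questions (the access-control question is skipped because the application is not shared) and returns two findings, each carrying the exact answers that fired it, which is the documented justification Williams asks for. A real questionnaire would replace the scripted respondent with an interactive prompt and a larger rule base; the engine itself does not change.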

Williams provided a summary of the availability and use of expert systems in internal and external auditing, which is still in its infancy. Indeed an IIA Research Foundation survey into the use of expert systems in internal auditing in the USA in 1991 revealed that only 1.4% of respondents had a high familiarity with expert systems and 56% had no familiarity at all. He considered, however, that the availability of high powered personal computers and more sophisticated expert system shells will provide the framework for their further development. As their use increases and documented success stories begin to appear, he felt sure that there would be greater impetus for others to proceed.

Systems development and quality issues

Willie List opened the day on systems development in a challenging address on the need for quality. He concentrated his address on the ways to build quality application systems, suggesting that this was the key area of concern, given that, in general, hardware is reliable and of good quality, telecommunications facilities basically work and systems software is of functional quality, although subject to upgrades with alarming regularity.

Among the ideas suggested to improve quality in application systems were:

• Ensuring that if there is a formal process, the people who are to operate it clearly understand it and the process is capable of management (and possibly internal audit) review.

• Where possible, avoiding complexity by simplifying the way of doing business; if this is not possible, the complex parts must be documented in full detail.

• Being precise, and not making assumptions.

• Covering all aspects of the system, including confidentiality, resilience and any imposed limitations on possible solutions.

• Writing the requirements documents simply so that those who need to approve the system really understand what they are approving.

• Designing systems so that they are flexible enough to handle future change.

• Building procedures into the system which will identify errors before they cause damage.

• Exercising strong control over the testing, training, conversion and implementation stages.

He stressed that a quality process does not guarantee a quality product although it will aid its production. A positive attitude to achieving quality is necessary for all concerned in the process: good enough is not enough. In conclusion, he stressed the need for internal auditors involved in the development process to help developers of systems to master new development techniques and apply them cost effectively to supporting profitable business ventures.

SAC and systems development

Charles le Grand, director of research for the IIA, considered the findings of the SAC report on the systems development process. These stressed the need for internal auditors to understand the risks related to the business application of the technologies involved, to be able to identify the control objectives related to risks, and to be able to specify the auditability features of the system as the user of those features.


The SAC research project showed that 40% of survey respondents indicated that one of the highest risks in systems development is the potential that the system does not meet the business needs. Respondents considered that the most effective controls to mitigate this risk are the use of systems development methodologies and tools, long range systems planning and management supervision. The report also showed that internal auditors have played an increasing role in systems development audits and intend to increase this role.

Le Grand said, "Internal auditors have historically had difficulty providing sufficient competent human resources to participate in systems development. With systems development expanding into the realms of end-user and departmental computing, electronic data interchange, networking, knowledge-based systems, and the many other frontiers of progress, it is even more important that internal auditors find the means for assuring that control and audit objectives will be met in all systems regardless of the availability of skilled auditors to participate in systems development. It is also imperative that auditors understand how new development methodology tools can themselves be used to provide and support audit functions."

"It should be the goal of auditors to assure, as we move towards an integrated systems planning and development framework, that the objectives of auditability and control are recognized as integral components of systems and processes, and as the responsibility of all who participate in systems planning and development."

Performance and value for money issues

COMPACS '92 ended with an afternoon in which Chris Hurford of the Audit Commission considered the measuring of performance in the IT function, and consultant John Mitchell explored the potential for value for money audits in a computer environment for internal auditors.

Hurford opened his presentation by identifying how the pressures of economic conditions, the European market, the use of IT for competitive advantage and quality of customer service have shifted attention to economy, efficiency and effectiveness issues. Research conducted by the Audit Commission found a number of reasons for dissatisfaction including:

• Investment not being targeted at the greatest need.

• The inefficiencies which can arise from the disorganized acquisition of facilities where departments decide to 'go it alone'.

• Development delays.

• The pressures brought by the need to comply with new legislation within tight timetables.

• Skills shortages, particularly in the public sector.

• Failure to appreciate the potential of IT.

This, argued Hurford, puts IT costs under the microscope and invites questions of the value of each pound spent on IT and on how far the performance of the technology and service it provides can be measured. Before the auditor can begin to look at performance measures, there is a need to understand how IT is viewed by the organization and the role it is expected to fill. Knowing the strategy for the use of IT can help the understanding of the nature of the problems which might be occurring.

Hurford summarized the key questions to consider:

• What do the customers think about the IT service?

• Are the management processes appropriate for delivering the services required?

• What indicators are needed to measure per- formance?

The auditor needs to establish what measurement tools are used by the organization to measure hardware performance and utilization, application and systems software and the performance of the network. The use of these should be evaluated to assess the quality of the information available and the review processes undertaken to measure performance. The measurement of the performance of staff is also important.

One of the most difficult tasks is to try to identify key performance measures, which can be compared with experience elsewhere or over time. The selection of measures should be appropriate for the organization and will be influenced by the data which is available. He identified the following examples, to illustrate the possibilities:

• Percentage of development projects completed on time.

• Percentage of development projects completed within budgets.

• Percentage of staff time on maintenance.

• Volume of outstanding development work.

• Analyst/programmer productive time.

• Training policy.

• The appropriateness of service levels.

• Communications costs.

• Machine upgrades.

• Facilities management.

• Disaster recovery.

In the final presentation of the conference on 'Value for Money Audits of IT', John Mitchell stressed the need for auditors to first perform an initial study or 'analytical review' to determine whether the area under consideration is worthy of more detailed review. Areas recommended for consideration as IT value for money exercises included:

• Mainframe equipment maintenance contracts (one such study had saved £750 000 per annum).

• Micro equipment maintenance.

• Software rental/purchasing policies.

Mitchell considered that gaining acceptance and commitment from top management was an important prerequisite of a successful value for money review. Such reviews could, however, bring immense benefits to the organization and enhance the reputation of internal auditors.

NEWS

BSA sweep on Benelux region

The Business Software Alliance (BSA) has announced the filing of legal actions against the Belgian company, ISS Servisystem; and the Dutch companies, Daiwa Europe and Scansped, for suspected software copyright infringement. The announcement follows court-ordered searches of the companies during the past month. A further action filed against the Belgian company, Chemical Corporation VEL, has been terminated after an agreement was reached with BSA. VEL admitted that unauthorized copies of software belonging to Lotus, Microsoft, WordPerfect, Symantec and Central Point Software, were discovered on its computers during a search of its offices. The management of VEL recognizes the illegality of such activity, and has immediately adopted measures necessary to address the situation, including the destruction of the unauthorized software and its replacement with legitimately acquired original programs. In addition, VEL has agreed to pay compensation for all damages caused to BSA by
