INFORMATION SYSTEMS AND ITS COMPONENTS
ENTERPRISE INFORMATION SYSTEMS
3.5.1 Need for Control and Audit of Information Systems
The factors influencing an organization toward controls and audit of computers, and
the impact of the information systems audit function on organizations, are
depicted in Fig. 3.5.1.
Fig. 3.5.1: Factors influencing an organization toward control and Audit of
computers
Let us now discuss these reasons in detail (Refer Fig. 3.5.1):
1. Organizational Costs of Data Loss: Data is a critical resource of an
organization for its present and future processes. If the data is accurate, the
organization's ability to adapt and survive in a changing environment increases
significantly. If such data is lost, an organization can incur substantial losses.
2. Cost of Incorrect Decision Making: Making high-quality decisions
depends on both the quality of the data and the quality of the decision
rules that exist within computer-based information systems. While making
strategic decisions, some errors may be allowed by management
considering the long-run nature of strategic planning decisions, whereas
highly accurate data would be required while making operational control
decisions by the managers. These operational controls taken by managers
involve detection, investigation and correction of the processes. Incorrect
data can also have an adverse impact on the other stakeholders having an
interest in the organization.
3. Costs of Computer Abuse: Computer abuse is defined as any incident
associated with computer technology in which the user suffered or could
have suffered loss and a perpetrator by intention made or could have made
gain. Unauthorized access to computer systems, malware, unauthorized
physical access to computer facilities, unauthorized copies of sensitive data,
viruses, and hacking can lead to destruction of assets (hardware, software,
data, information, etc.).
4. Value of Computer Hardware, Software and Personnel: These are critical
resources of an organization, which have a credible impact on its
infrastructure and business competitiveness. With the intentional or
unintentional loss of hardware, the destruction or corruption of software,
or the non-availability of skilled computer professionals in some countries, an
organization might be unable to continue its operations seamlessly.
5. High Costs of Computer Error: In a computerized enterprise environment
where many critical business processes are performed, a data error during
entry or processing would cause great damage. For example, a small data error
during an operational flight can lead to loss of human lives; an error in any
financial system can make an organization liable for penalty, etc.
6. Maintenance of Privacy: Today, data collected in a business process
contains private information about an individual too. Such data were also
collected before computers, but now there are many instances in which
the privacy of individuals has been eroded beyond acceptable levels.
7. Controlled Evolution of Computer Use: The use of technology and the reliability
of complex computer systems cannot be guaranteed, and the consequences
of using unreliable systems can be destructive. Governments, professional
bodies, pressure groups, organizations and individual persons all must be
concerned with evaluating and monitoring how we deploy computer
technology.
Information Systems Auditing is defined as the process of attesting objectives
(those of the external auditor) that focus on asset safeguarding and data integrity, and
management objectives (those of the internal auditor) that include both effectiveness
and efficiency. This enables organizations to better achieve some major
objectives that are depicted in Fig. 3.5.2.
Fig. 3.5.2: Impact of Controls and Audit influencing an Organization
Let us now discuss these objectives in detail. Refer Fig. 3.5.2.
a. Asset Safeguarding Objectives: The information system assets like
hardware, software, facilities, people, data files, system documentation,
information, etc. must be protected by a system of internal controls from
unauthorized access. These assets are often concentrated in one or a small
number of locations, such as a single disk. Therefore, asset safeguarding is an
important objective for many organizations to achieve.
b. Data Integrity Objectives: It is a fundamental attribute of IS Auditing. Data
has certain attributes: completeness, reliability, transparency, and accuracy.
The integrity of an organization's data must be maintained
at all times, else the organization may suffer loss of competitive advantage.
It is also important from the business perspective of the decision maker,
and of the competitive and market environment.
c. System Effectiveness Objectives: Evaluating effectiveness implies
knowledge of user needs. The effectiveness of a system is evaluated to determine
whether the system reports information in a way that facilitates its users in
decision-making or not. Auditors must be aware of the characteristics of
users and the decision-making environment so that the objective of the system to
meet business and user requirements is met.
d. System Efficiency Objectives: An efficient information system uses
minimum resources to achieve its required objectives; therefore,
various information system resources like machine time, peripherals, system
software and labor must be optimally utilized, along with the impact on its
computing environment. Before systems are upgraded, the
auditor assists management in knowing whether the available capacity of the
resources is exhausted or not.
3.5.2 Tools for IS Audit
Today, organizations produce information on a real-time, online basis. Real-time
recordings need real-time auditing to provide continuous assurance about the
quality of the data, that is, continuous auditing. Continuous auditing enables
auditors to significantly reduce and perhaps to eliminate the time between
occurrence of the client’s events and the auditor’s assurance services thereon.
Errors in a computerized system are generated at high speeds, and the cost to
correct and rerun programs is high. If these errors can be detected and
corrected at the point or closest to the point of their occurrence, the impact
thereof would be the least. Continuous auditing techniques use two bases for
collecting audit evidence. One is the use of embedded modules in the system to
collect, process, and print audit evidence and the other is special audit records
used to store the audit evidence collected.
Types of Audit Tools: Different types of continuous audit techniques may be
used. Some modules for obtaining data, audit trails and evidence may be built
into the programs. Audit software is available, which could be used for selecting
and testing data. Many audit tools are also available; some of them are described
below:
(i) Snapshots: Tracing a transaction in a computerized system can be
performed with the help of snapshots or extended records. The snapshot
software is built into the system at those points where material processing
occurs, and it takes images of the flow of any transaction as it moves
through the application. These images can be utilized to assess the
authenticity, accuracy, and completeness of the processing carried out on
the transaction. The main areas to dwell upon while involving such a system
are locating the snapshot points based on materiality of transactions, deciding when
the snapshot will be captured, and designing and implementing the reporting
system to present data in a meaningful way.
(ii) Integrated Test Facility (ITF): The ITF technique involves the creation of a
dummy entity in the application system files and the processing of audit
test data against the entity as a means of verifying processing authenticity,
accuracy, and completeness. This test data would be included with the
normal production data used as input to the application system. In such
cases the auditor must decide what would be the method to be used to
enter test data and the methodology for removal of the effects of the ITF
transactions.
(iii) System Control Audit Review File (SCARF): The SCARF technique involves
embedding audit software modules within a host application system to
provide continuous monitoring of the system’s transactions. The
information collected is written onto a special audit file: the SCARF master
files. Auditors then examine the information contained on this file to see if
some aspect of the application system needs follow-up. In many ways, the
SCARF technique is like the snapshot technique along with other data
collection capabilities.
(iv) Continuous and Intermittent Simulation (CIS): This is a variation of the
SCARF continuous audit technique. This technique can be used to trap
exceptions whenever the application system uses a database management
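
The ITF and SCARF techniques described in the list above can be sketched together in a toy posting routine. This is an added example, not part of the original study material; the `Ledger` class, the dummy entity name, the exception threshold and the withdrawal fee are all hypothetical.

```python
from decimal import Decimal

ITF_ENTITY = "ITF-DUMMY-001"      # hypothetical dummy entity reserved for audit test data
SCARF_LIMIT = Decimal("10000")    # assumed materiality threshold for exception capture
WITHDRAWAL_FEE = Decimal("2.50")  # assumed processing rule the auditor wants to verify


class Ledger:
    """Toy application system with an embedded audit module."""

    def __init__(self):
        self.balances = {}
        self.scarf_file = []  # special audit records, kept apart from business data

    def post(self, txn_id, account, amount):
        """Production posting routine: withdrawals (negative amounts) carry a fee."""
        amount = Decimal(amount)
        charge = WITHDRAWAL_FEE if amount < 0 else Decimal("0")
        after = self.balances.get(account, Decimal("0")) + amount - charge
        self.balances[account] = after
        self._scarf(txn_id, account, amount, after)
        return after

    def _scarf(self, txn_id, account, amount, after):
        """Embedded SCARF module: record exceptions for later auditor follow-up."""
        reasons = []
        if abs(amount) > SCARF_LIMIT:
            reasons.append("amount exceeds limit")
        if after < 0:
            reasons.append("negative balance")
        if reasons:
            self.scarf_file.append({
                "txn_id": txn_id, "account": account, "amount": amount,
                "balance_after": after, "reasons": reasons,
                "itf": account == ITF_ENTITY,  # lets auditors filter out test data
            })

    def production_total(self):
        """Report the total with the effects of ITF transactions removed."""
        return sum((b for a, b in self.balances.items() if a != ITF_ENTITY),
                   Decimal("0"))


def run_itf(ledger, cases):
    """Post auditor test data to the dummy entity through the normal routine and
    return the cases whose result differs from the auditor's expected balance."""
    failures = []
    for txn_id, amount, expected in cases:
        actual = ledger.post(txn_id, ITF_ENTITY, amount)
        if actual != Decimal(expected):
            failures.append((txn_id, actual, Decimal(expected)))
    return failures


def demo():
    ledger = Ledger()
    # Constructed production transactions.
    ledger.post("T1", "ACC-100", "500.00")
    ledger.post("T2", "ACC-200", "12000.00")  # over the limit: SCARF record
    ledger.post("T3", "ACC-100", "-600.00")   # overdraws the account: SCARF record
    # Constructed ITF test data, processed alongside production input.
    failures = run_itf(ledger, [("A1", "100.00", "100.00"),
                                ("A2", "-40.00", "57.50")])
    return ledger, failures
```

An empty result from `run_itf` means the production routine handled the auditor's test data as expected, while `production_total()` shows one way of removing the ITF effects from reported figures.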