The audit of information


June 1995

Computer Audit Update

potential incompatibilities throughout the system.


The management issues that arise from maintaining a constantly changing environment with this number of variables very quickly become beyond any reasonable level of control.

Summary

The lessons learned from Client/Server to date can be summed up as follows: Client/Server can be a very attractive approach to delivering new systems, but the attractions may be swiftly outweighed as the end user population grows. Security and discipline are hard to achieve in the end user environment. To balance these, new systems can be delivered very swiftly and with very attractive front ends with products such as Windows which encourage end users. Client/Server is therefore likely to provide an attractive option for those systems where time to implementation and speed of delivery is key to the success of the project. In addition, Client/Server will be at its most successful where a system or a project is contained within a comparatively small end user community. Finally, it is those applications that require little or no formality that are likely to produce the biggest benefits. Applications such as electronic mail lend themselves very well to the Client/Server approach, whereas those systems that are subject to strict audit are likely to test security and discipline to a high degree.

Postscript

What has started to emerge is the important role that systems suppliers have to play in the success of Client/Server. There is some value to a 'One Stop' approach, buying all products from a single source, but it is limited. A dealer providing a bundle of hardware and software products has little control over the originators of those products. There is, however, an opportunity for the service providers to play a far more positive role with a service that provides preconfigured systems with an undertaking to maintain compatibility. To the author's knowledge no such service is yet available in the UK; it would go a long way to fulfilling the promise of Client/Server.

THE AUDIT OF INFORMATION

Hugh Parkes

Today's audit professional faces an enormous challenge: how to identify the issues that matter amidst a sea of competing priorities. In an increasingly automated world, the auditor has to decide how much time to allocate to the technological environment, the application and system software environment, the communication environment and the information environment. This last, the information environment, is the focus of this article. It is also the context where the greatest value can be provided by an auditor, and yet, paradoxically, it is the least discussed in contemporary audit literature and, apparently, the least understood by many auditors.

So what is information? How do we need to go about auditing it in the future? How will it change what we do now? How will it help the wider audit profession to bridge the assorted expectation canyons we currently face? How will we provide new information-linked services to our customers? And how will information help us to make a dollar?

The value of information

Information is an intangible asset: it has a definite value, but is hard to touch and sometimes hard to quantify in traditional accounting terms. The raw elements which are usually combined or related together to form information are called data. Data is only valuable or useful when it can be presented as information.

©1995 Elsevier Science Ltd


Data is derived from business or human activities: its recording and storage, followed by its interpretation (either element by element or in relationship with other elements), provides us with information. Information has a number of other possible properties which are directly relevant to accountants, business people, government and, indeed, to our entire society. It has a shelf life, it has a currency, it can be right or wrong (wholly or partly), it can be accessed from many different perspectives, it may be complete or incomplete, it is infinitely variable, it may be simple or complex (or anywhere in between), it can be single or multidimensional ... and these are only some of its properties. It may be likened to the sea: everything we do depends upon it, but we are frequently unaware of our dependencies.

If one does not have any information, one can be said to be in a state of ignorance. A natural corollary is that the more information one has and the better its inherent quality, the more likely one is to make fully informed decisions and to initiate informed actions.

Auditing information

Assurance that one has received/is receiving quality information is the fundamental premise associated with the role of an auditor. The value of the assurance provided by the auditor depends on the information obtained and examined by the auditor, supported by the integrity and independence of the auditor.

Set out below is a summary of the issues auditors should consider in auditing information. So far as the author is aware, this subject has not previously been the subject of audit standards or practice guides anywhere in the world.

The auditing of information

Reliability and quality

1. Completeness
1.1 Sufficiency of information for needs (decisions)
1.2 Completeness of data (capture, processing, no redundancy)
1.3 Speed/regularity of refreshes/updates (time criticality)
1.4 Criticality of completeness for decision-making

2. Accuracy
2.1 Raw data accuracy
2.2 Accuracy of classification (business and accounting rules, account postings, point of authorization fits information architecture)
2.3 Accuracy of information processing logic through all stages of the information chain (mainframe/WAN/LAN server to end user)
2.4 Edit checks employed (programmed or artificial intelligence rules/procedures)
2.5 Criticality of accuracy/degree of accuracy required (absolute accuracy can be costly)

3. Validity
3.1 Authorization of data input (independently programmed procedure or other)
3.2 Degree of segregation of design functions and duties supporting data and information processing
3.3 Independent validation of data (programmed procedures; frequency of such validations)
3.4 Internal validity and continuity of validity between systems (regular/continuous validation of relationships between information/data elements)

4. Timeliness
4.1 Availability of key information on time
4.2 Timeliness of data processing/information access (minute/hour/day)
4.3 Criticality of timely information for decision making or service to be provided

5. Security
5.1 Exposure to data corruption/leakage (criticality, sensitivity, insertion, deletion by traceless means, changes to relationships of data/information)
5.2 Existence of multiple data/information mapping algorithms (sourcing, quality, security compromised)

6. Consistency
6.1 Consistency of aggregation and summarization (throughout storage and processing chain)
6.2 Consistency of internal logic, business and accounting rules applied (measurement algorithms, program modules)
6.3 Consistency of compilation (criticality of consistency, interlinkage of compilation recipients)

7. Relevance
7.1 Comprehensiveness of information (complete, relevant, appropriate)
7.2 Presentation medium/media used (appropriateness for message, clarity, conciseness, understandability, many multimedia/graphical/hyperdocument/Executive Information Systems (EIS) options)
7.3 Criticality of presentation medium/media (useability)
7.4 Degree of disaggregation possible ('drilldown'/EIS)

8. Links to other Data/Information
8.1 Logical links (continuity of links/relationships)
8.2 Degree of interdependence required

Design characteristics

1. Architectural designs - information, application systems, technology, business, communications
1.1 Efficiency of design of Information Architecture (accessible storage, timely update, fast retrieval)
1.2 Suitable application system and technology architectures linking to the information architecture via the communications architecture (degree of fit, design appropriateness to purpose(s))

2. Business/Economic Issues
2.1 Cost vs opportunity cost of generating information (preparation, storage costs vs benefits)
2.2 Cost of storage, retrieval and transmission methods used (linkages between information stores/repositories, integrity, speed, reliability, processing methods: Online Realtime, shadow, batch, ISDN, fibre optic, leased line, microwave, satellite)

3. Accessibility
3.1 Centralized processing (impact on availability)
3.2 Distributed processing (impact on availability)
3.3 Ability to download data (flexibility, security, inferences, continuity of reliability/integrity, download/upload issues, validity, compatibility)
3.4 Efficient architecture design and location
3.5 Flexibility of information processing to meet customer/business/management information/costing/operational/financial information needs
3.6 Realtime multiple service access at the same time

4. Generic
4.1 Potential for further uses of this information (normalizing issues, information storage and retrieval)
4.2 Inferential capability inherent in this information (groupings, relationships, knowledge-based systems/expert systems, inferencing)

5. Recoverability
5.1 Ease with which data can be regenerated/recovered/accessed by alternate distribution channels in the event of accidental/disaster deletion
5.2 Criticality of data and speed of recovery required

Strategic importance
1.1 Strategic importance of data elements, combinations, aggregations
1.2 Strategic importance of links to other strategic platforms/interfaces (strategic information, security, completeness, accuracy, sensitivities)
1.3 Key reconciliation and congruency between systems (reasonableness, relationship continuity)
1.4 Sensitivity of information between systems (access, complex linkages, risks)

DATA PROTECTION: INTO THE NEXT DECADE

Elizabeth France

A Message From the Data Protection Registrar

Here at the Office, we had been discussing the importance of working alongside professional groups with an audit or compliance role and had taken from our shelves the Institute of Internal Auditors 13th Research Report, Data Protection Guidelines for Internal Auditors, produced in July 1985. I was impressed, in reading it, by the Institute's early recognition of the key role which auditors could play in preparing a company for registration under the 1984 Data Protection Act and in defining the procedures to be adopted by an organization to ensure its continued compliance with the Act's provisions.

For the moment let us look at the history of the Act and its development. The 1984 Act owes much to Crowther and to Lindop, but the key driver for the introduction of Data Protection legislation in the UK was a business-led need to ratify the Council of Europe Convention: Treaty 108. It is not privacy legislation; indeed, the word 'privacy' is to be found in the Treaty but has been lost by the preamble to the 1984 Act. Nevertheless, in a country with no privacy legislation it must be seen as a contribution to establishing every individual's right to private life. It does set out to provide the individual with rights