996 results for Systems audit


Relevance: 70.00%

Abstract:

This research used the Queensland Police Service, Australia, as a major case study. Information on principles, techniques and processes used, and the reason for the recording, storing and release of audit information for evidentiary purposes is reported. It is shown that Law Enforcement Agencies have a two-fold interest in, and legal obligation pertaining to, audit trails. The first interest relates to the situation where audit trails are actually used by criminals in the commission of crime and the second to where audit trails are generated by the information systems used by the police themselves in support of the recording and investigation of crime. Eleven court cases involving Queensland Police Service audit trails used in evidence in Queensland courts were selected for further analysis. It is shown that, of the cases studied, none of the evidence presented was rejected or seriously challenged from a technical perspective. These results were further analysed and related to normal requirements for trusted maintenance of audit trail information in sensitive environments with discussion on the ability and/or willingness of courts to fully challenge, assess or value audit evidence presented. Managerial and technical frameworks for firstly what is considered as an environment where a computer system may be considered to be operating “properly” and, secondly, what aspects of education, training, qualifications, expertise and the like may be considered as appropriate for persons responsible within that environment, are both proposed. Analysis was undertaken to determine if audit and control of information in a high security environment, such as law enforcement, could be judged as having improved, or not, in the transition from manual to electronic processes. 
Information collection, control of processing and audit in manual processes used by the Queensland Police Service, Australia, in the period 1940 to 1980 was assessed against current electronic systems essentially introduced to policing in the decades of the 1980s and 1990s. Results show that electronic systems do provide for faster communications with centrally controlled and updated information readily available for use by large numbers of users who are connected across significant geographical locations. However, it is clearly evident that the price paid for this is a lack of ability and/or reluctance to provide improved audit and control processes. To compare the information systems audit and control arrangements of the Queensland Police Service with other government departments or agencies, an Australia-wide survey was conducted. Results of the survey were contrasted with the particular results of a survey, conducted by the Australian Commonwealth Privacy Commission four years previous to this survey, which showed that security in relation to the recording of activity against access to information held on Australian government computer systems has been poor and a cause for concern. However, within this four-year period there is evidence to suggest that government organisations are increasingly inclined to generate audit trails. An attack on the overall security of audit trails in computer operating systems was initiated to further investigate findings reported in relation to the government systems survey. The survey showed that information systems audit trails in Microsoft Corporation's “Windows” operating system environments are relied on quite heavily. An audit of the security for audit trails generated, stored and managed in the Microsoft “Windows 2000” operating system environment was undertaken and compared and contrasted with similar such audit trail schemes in the “UNIX” and “Linux” operating systems.
Strength of passwords and exploitation of any security problems in access control were targeted using software tools that are freely available in the public domain. Results showed that such security for the “Windows 2000” system is seriously flawed and the integrity of audit trails stored within these environments cannot be relied upon. An attempt to produce a framework and set of guidelines for use by expert witnesses in the information technology (IT) profession is proposed. This is achieved by examining the current rules and guidelines related to the provision of expert evidence in a court environment, by analysing the rationale for the separation of distinct disciplines and corresponding bodies of knowledge used by the Medical Profession and Forensic Science and then by analysing the bodies of knowledge within the discipline of IT itself. It is demonstrated that the accepted processes and procedures relevant to expert witnessing in a court environment are transferable to the IT sector. However, unlike some discipline areas, this analysis has clearly identified two distinct aspects of the matter which appear particularly relevant to IT. These two areas are: expertise gained through the application of IT to information needs in a particular public or private enterprise; and expertise gained through accepted and verifiable education, training and experience in fundamental IT products and systems.

Relevance: 60.00%

Abstract:

With the growing popularity of IT solutions as a key factor in increasing competitiveness and creating value for companies, the need to invest in IT projects increases considerably. Limited resources as an obstacle to investment have forced companies to seek methodologies for selecting and prioritizing projects, ensuring that the decisions taken are those aligned with corporate strategies to ensure value creation and the maximization of benefits. This thesis provides the foundations for implementing IT Project Portfolio Management (IT PPM) as an effective methodology for managing IT-based projects, and as a tool that gives chief executives clear criteria for decision-making. The document provides information on how to implement IT PPM in seven steps, and an analysis of the processes and functions needed for its successful execution. In addition, it provides different methods and criteria for selecting and prioritizing projects. After the theoretical part describing IT PPM, the thesis presents an analysis of a case study of a pharmaceutical company. The company already has a project management department, but the need to implement IT PPM was identified because of its broad coverage of end-to-end processes in IT projects and as a way of ensuring the maximization of benefits. With the theoretical research and the analysis of the case study, the thesis concludes with a practical definition of an approximate IT PPM model as a recommendation for its implementation in the Project Management Department.

Relevance: 60.00%

Abstract:

An exploratory survey (n = 57) of the Melbourne Chapter of the Information Systems Audit and Control Association was conducted to ascertain the attitudes and practices relating to corporate governance and the corporate governance of Information Technology (CGIT) in Australia. The survey found the respondents had clear views on corporate governance but most were not engaged with it, the organizational approach to corporate governance and its expected benefits was largely conformance oriented, awareness of CGIT management frameworks and associated standards was high but implementation was not widespread, and although the CGIT standard ISO/IEC 38500 was not widely implemented IT practitioners agreed with its principles. We conclude that the value of the CGIT standard has yet to be recognised by executives in Australia.

Relevance: 60.00%

Abstract:

The spread of results-oriented management doctrines in Brazil has led public organizations to make significant investments in information technology as a component of transparency for government actions and as support for decision-making by public managers. The intensive use of computing in an increasingly interconnected world exposes public administration to new types of threats and vulnerabilities. In this context, oversight bodies must broaden the way they operate, carrying out more rigorous controls by means of techniques specific to information technology audits, which aim to ensure the integrity and security of the data that travel across networks and information systems. The objective of this research was to identify the main improprieties associated with the use of computing in the municipal administrations under the jurisdiction of the TCE-RJ, through a case study of its experience in conducting operational audits of information technology. The research was based on the literature and on an analysis of the findings of the systems audits, showing that this type of audit has contributed to making municipal public management more efficient, effective and transparent.

Relevance: 40.00%

Abstract:

Peritonitis is a major problem for patients with end-stage kidney disease undergoing peritoneal dialysis (PD). It is the main cause of failure of PD. Two different PD delivery systems are used across Australia although there is inconsistent evidence comparing the systems. The aim of this retrospective audit is to compare the rates and risk of peritonitis in a cohort of incident patients using two PD delivery systems. All consecutive patients starting PD between 1 August 2010 and 31 March 2012 were included and followed until 30 June 2013. Data relating to accepted risk factors for peritonitis were collected and analysed. There were 50 patients (26 men; 24 women) aged between 30 and 87 years. There were 29 episodes of peritonitis in 17 patients. Rates of peritonitis were 1 episode per 69.19 patient-months compared with 1 episode per 18.67 patient-months. Mean times to first episode of peritonitis were 13.11 months compared to 7.13 months. The relative risk of PD-related peritonitis was twice as high (RR = 2.04, 95% CI = 0.85 to 4.94) for patients using the one system (44.4%) compared to a second system (21.7%). Since this is not a randomised trial no firm conclusions can be drawn. Centres should also monitor peritonitis rates for each system.

Relevance: 40.00%

Abstract:

In the article, the authors examine the role of knowledge management in complex system development projects and in IT audit. Their main goal is to create an evaluation model to support the audit associated with the development of knowledge management systems. In their article they examine the general role of knowledge management in IT audit, the question of protecting the knowledge assets involved in the audit, the role of knowledge management processes in system development (from an audit point of view), the implementation of controls, and the relationship between knowledge management and the standards and methodologies related to IT audit. An international project funded by the European Union's 7th Framework Programme (GUIDE, IST–2003–507498) serves to illustrate the results.

Authors investigate the role of knowledge management in complex system development projects and IT audit. The primary goal is to provide an evaluation framework for an assessment of the development of special knowledge management solutions. On the other hand IT audit itself is a knowledge-dependent activity. The paper analyses the role of knowledge management in IT audit in general, the protection of knowledge assets during an audit, the role of knowledge management processes during system development (from audit point of view) and in the implementation of controls, the relationship of knowledge management with audit standards. Authors investigate the specialities of KM developments from audit point of view (particularly important aspects of audit, specific control objectives). A case study, based on experiences gained from GUIDE project (IST-2003-507498 funded by the European Commission’s 6th Framework Programme) illustrates the findings.

Relevance: 40.00%

Abstract:

Audit report on the Regional Utility Service Systems Commission for the year ended June 30, 2015

Relevance: 30.00%

Abstract:

Despite all attempts to prevent fraud, it continues to be a major threat to industry and government. Traditionally, organizations have focused on fraud prevention rather than detection, to combat fraud. In this paper we present a role mining inspired approach to represent user behaviour in Enterprise Resource Planning (ERP) systems, primarily aimed at detecting opportunities to commit fraud or potentially suspicious activities. We have adapted an approach which uses set theory to create transaction profiles based on analysis of user activity records. Based on these transaction profiles, we propose a set of (1) anomaly types to detect potentially suspicious user behaviour, and (2) scenarios to identify inadequate segregation of duties in an ERP environment. In addition, we present two algorithms to construct a directed acyclic graph to represent relationships between transaction profiles. Experiments were conducted using a real dataset obtained from a teaching environment and a demonstration dataset, both using SAP R/3, presently the predominant ERP system. The results of this empirical research demonstrate the effectiveness of the proposed approach.

Relevance: 30.00%

Abstract:

This study provides preliminary support for the notion that the internal audit function assists in reducing external audit effort and fees. Data on internal audit characteristics and activities are obtained from survey respondents of Hong Kong companies and audit fee model data are acquired from their annual reports. The results of this study suggest that the external auditors of firms in Hong Kong rely on the internal audit function and subsequently charge a lower fee. Lower external audit fees are associated with a larger internal audit department and certain activities carried out by the internal audit. Specifically, lower external audit fees are associated with more internal audit effort spent on activities relating to financial statements, systems development and maintenance, operating efficiency and effectiveness, fraud investigations and unlimited access to internal auditors’ working papers. The results of this study suggest that the contribution of the internal audit may substitute for some substantive external auditing processes and lower monitoring costs.