
Jisom Wi07 A19 PDF

This document discusses the basics of informatics audits. It begins by introducing the need for reliable information to support decision making and the rising costs of developing complex software systems. It then describes some key characteristics of informatics audits, including that they assess entire information systems, address the needs of both stable and emerging organizations, and evaluate risks, controls, and efficiency. The document outlines the phases and activities of informatics audits, such as verifying risks, controls, hardware, applications, and networks. It also discusses specific techniques for auditing statistical applications, optimization programs, and databases.

Uploaded by

JUAN CARLOS

The Informatics Audit

- basic concepts -
Drd. Sergiu CAPISIZU
[email protected]
Dr. Gheorghe NOȘCA
[email protected]
The Association for Development through Science
and Education, Bucharest
Dr. Marius POPA
[email protected]
Academy of Economics Studies, Bucharest

Abstract
The demand for high-quality, reliable information to support decision-making is continuously
increasing. On the other hand, the cost of software production and maintenance is rising
dramatically as a consequence of the increasing complexity of software systems and the need for
better designed and more user-friendly programs. The huge amount of data that organizations face requires
human, financial, and material resources to collect, check, analyze and use it. All these aspects make it necessary to
develop activities that obtain better outcomes with fewer resources. The Informatics Audit is one
such activity. This paper presents some basic concepts of the Informatics Audit.

1. Introduction
Today's society is dramatically dependent on information technologies, and this dependence is
continuously increasing. An Information System (IS) is a very complex application, made up of many
subsystems, processing data regarding human, financial, and material resources and accounting tasks.
Given the human and financial resources necessary to develop an IS, it is compulsory to
carry out activities that ensure the proposed objective is achieved within budget and schedule, and at the
established quality level [1].
The Information Systems Audit is one of the most important activities, both for developers and for users. The
IS Audit is a branch of the General Audit that deals with the control of Information and
Communications Technologies. The IS Audit checks systems and computer networks from the point of
view of the efficiency of technical and procedural controls, in order to minimize risks. IS auditing
includes talks with the people who are responsible for establishing the specifications and for developing,
testing, managing, and using the IS [2].

2. The Informatics Audit characteristics


The IS Audit is an essential activity for verifying whether an IS is capable of achieving the expected
objective. The domain, stages, content and methods of the IS audit are specified by standards. The IS
Audit domain includes auditing activities for specifications, IS projects, software, databases, the
activities specific to the software life cycle, informatics applications, IS for Management, complex portals
and virtual organizations.
The Informatics Audit addresses an IS as a whole, taking into consideration data as inputs, software, and
outcomes as data processed according to the organization's needs.
An IS audit must take into consideration the characteristics of the organization that is using the system.
One of the most important characteristics is the organization's stability. Organizational stability is hard
to achieve, and more difficult to maintain under the conditions of the world economy. This situation has
generated a new kind of organization, called the emerging organization.
Emerging organizations are characterized by permanently trying to adapt to the changing
environment, but never achieving the expected stability [2]. Given globalization in almost all
areas, the large majority of organizations are in this situation. IS development takes place
within a changing environment. This makes it necessary either to permanently adapt IS development
techniques and methods to the new environment, or to develop new methods and concepts.
Given the characteristics of stable and emerging organizations respectively, their IS
development processes are different.
The development of an IS for a stable organization has in view the following objectives [3]:
- the economic benefits of a deep analysis;
- users satisfaction;
- abstract requirements;
- complete and unambiguous specifications.
The objectives for emerging organizations are:
- dynamic analysis;
- requirements dynamic negotiation;
- incomplete and ambiguous specifications;
- continuous re-engineering.
All these aspects must be taken into account in the audit process.
The Informatics Audit is developed according to system characteristics. There are specific techniques and
methods for statistical applications, optimization programs, and applications using databases [5].
Auditing, in general, is described as the independent examination of records and other information in
order to form an opinion on the integrity of a system of controls and recommend control improvements to
limit risk [2]. Analyzing this definition, we can note:
- the auditors are independent; they are not directly involved with the operations or
management of a function being audited, they report to a separate line of management, and they are
free to state the facts of a situation;
- auditing involves the gathering and assessment of information from various sources, in
order to make an examination; it is important that the formal outputs of the auditing process are
traceable to valid information sources;
- auditors need to refer to information regarding the business processes and systems under
review, such as completed data-entry forms, system-generated reports and the people involved
in doing or managing the relevant business processes; auditors normally interview staff in the
business areas under review and may use other observational techniques to examine business
processes in action;
- auditors provide both objective facts and subjective opinions on a given situation;
although subjective, their opinions are based on an interpretation of the facts and are open to
legitimate challenge;
- integrity means completeness, accuracy and trustworthiness; a control system which is
only partially effective may be better than nothing, or it may give a false sense of security;
- a system of controls means that different types of control operate at many
levels; computer auditors work with technical controls built into the computer systems, but
also with procedural controls, legal controls, Human Resources controls etc.; these controls may be
preventive, detective or corrective in nature;
- auditors generate audit recommendations, but they do not have the authority to implement
suggested changes, nor can they force management to do so.
The Informatics Audit is, also, a mechanism for examining the effectiveness of organizations, systems,
processes, risks and controls. Audits enable management and other stakeholders to [2]:
- discover what is really going on at a point in time;
- find out about potential problems, before it is too late to fix them;
- evaluate business situations objectively;
- face up to the truth and make informed, if difficult decisions;
- implement corrective actions, changes and improvements where needed.
The Informatics Audit is not a Financial Audit. Information systems are not tested from the point of
view of financial documents in order to establish completeness, rights and obligations, evaluations and
allocations etc.
The IS audit implies:
- a set of tests in order to ensure that the IS is under control;
- general controls;
- informatics application controls.
General control refers to the computing environment, and consists of:
- computer resources management;
- back-up copies and archives;
- change management for computer programs;
- operating system control.
Informatics Application control is an application-specific control:
- specific data acceptance;
- complete and correct processing;
- the completeness and believability of the outcomes.
The application controls are based on the general controls.

3. The Informatics Audit phases and activities


The IS Audit includes the activities of collecting and evaluating samples in order to establish whether the
IS is secure, maintains the integrity of the processed data, supports the organization in achieving its strategic
objectives and uses informational resources efficiently [1].
The most frequent activities during the Informatics Audit are the verification and evaluation of [4]:
risks, system control, hardware components, system management, informatics applications, computer
network security, plans and procedures for emergency situations and for disaster recovery, and data
integrity.
There are several directions of development in the informatics audit area. The main objective of the
software audit is to evaluate the degree of concordance between the specifications and the software products. The
database audit is a very complex activity that takes into consideration and evaluates both the data and
the software applications used with the databases. The data audit has in view the data quality
requirements, such as completeness, accuracy, homogeneity, comprehensibility, timeliness and reproducibility.
The auditor certifies whether data sets are valid inputs for applications in order to obtain correct outcomes.
The Informatics Audit may also refer to security risks, logical security and configuration
management, and can evaluate the strategic aspects concerning Information Systems quality [5].
Audit organizations have different ways of performing an Informatics Audit, and auditors have their
preferred methods. An audit must strike a balance between quantity and quality. It is strongly
recommended that audit resources be focused on critical business areas.
The processes and products examined by an audit will vary depending on the objective of the
audit. The objective of the audit can vary, and is determined by the organization that called for the audit.
A general audit provides a comprehensive overview, while a limited audit might be an examination of
certain procedures [6].
Depending on the organization the auditors come from, an audit may be internal or external. An internal
audit is an audit conducted by people within the developing organization in order to detect problems
before they become major. It is preventive.
An external audit is one performed by an independent auditor who is outside of the developing
organization. External audits tend to be more comprehensive in nature than internal audits, and usually
encompass a broad area of the development activity. Such audits usually are requested because the
acquirer is uncertain of the effectiveness of the internal program or because of lack of information and
fears about the quality of performance on the part of the developer. An advantage of an external audit is
that the auditor may be more objective about a project than an internal auditor may; however, an external
auditor must spend more time learning about the project and its development process.
An informatics audit has four phases: planning and preparation, the fieldwork visit, reporting, and
follow-up [6]. During the planning and preparation phase, the auditor gains an understanding of the
project. Based on the scope of the audit, the auditor determines the specific questions that need to be
answered, as well as the persons to be interviewed and the records and products to be examined to answer
the questions. The interviews are conducted, and records and products are examined during the
fieldwork. The reporting phase consists of the exit debriefing of the audited project, the preparation of a
written report on the audit, and clarifying issues and providing related information as needed. Follow-up
is done by the project, as the problems and deficiencies found in the audit are remedied. Follow-up may
include re-auditing to assess the adequacy of the remedies.
The activities conducted during the phases vary depending on the life cycle phase of the project
being audited and the scope of the audit. The activities also vary depending on whether the audit is
external or internal; an external audit requires preparation that is more extensive and should examine a
more comprehensive sample of material than an internal audit.

4. Conclusions
The information system audit is increasingly becoming the focal point of independent audits, compliance
audits, and operational audits. An information system audit assists an organization to:
- improve system and process controls;
- prevent and detect errors and fraud;
- reduce risk and enhance system security;
- plan for contingencies and disaster recovery;
- manage information and developing systems;
- evaluate the effectiveness and efficiency of the use of resources.
The Informatics Audit must be planned in such a way as to obtain the results expected by both the
auditors and the audited organization. When planning the audit, the auditor must understand the IS and its
complexity.

References
1. Capisizu, S.: Cerințele auditului informației economice, Referat doctorat, A.S.E., București,
Octombrie 2001
2. Hinson, G.: Frequently Avoided Questions about computer auditing,
http://www.isect.com/html/ca_faq.html
3. Alatalo, T., Oinas-Kukkonen, H., Kurkela, V., Siponen, M.: Information systems development in
emergent organizations. Empirical findings, http://hytec.oulu.fi/
4. Brândaș, C.: Auditul sistemelor informatice de gestiune, note de curs, Facultatea de Științe Economice,
Universitatea de Vest, Timișoara, 2004
5. Ivan, I., Capisizu, S., Noșca, Gh.: Auditul Informatic, ASE, București, 2005
6. NASA: Software Quality Assurance Audits Guidebook, http://www.nasa.gov/
