19,238 research outputs found

    Continuous monitoring of enterprise risks: A delphi feasibility study

    A constantly evolving regulatory environment, increasing market pressure to improve operations, and rapidly changing business conditions are creating the need for ongoing assurance that organizational risks are continually and adequately mitigated. Enterprises are perpetually exposed to fraud, poor decision making and/or other inefficiencies that can lead to significant financial loss and/or increased levels of operating risk. Increasingly, Information Systems are being harnessed to reinvent the risk management process. One promising technology is Continuous Auditing, which seeks to transform the audit process from periodic reviews of a few transactions to a continuous review of all transactions. However, the highly integrated, rapidly changing and hypercompetitive business environment of many corporations spawns numerous Enterprise Risks that have been excluded from standard risk management processes. An extension of Continuous Auditing is Continuous Monitoring, which is used by management to continually review business processes for unexpected deviations. Using a Delphi, the feasibility and desirability of applying Continuous Monitoring to different Enterprise Risks is studied. This study uncovers a significant relationship between the perceived business value of Continuous Monitoring and years of experience in Risk Management and Auditing, determines that all key architectural components for a Continuous Monitoring system are known, and indicates that Continuous Monitoring may be better suited for monitoring computer crime than monitoring strategic risks such as the loss of a competitive position

    Audit of Financial Information Systems: a risk-based approach and fuzzy logic

    Nowadays, business is exposed to information system risks and threats. This justifies the growing inquiry, of investors and shareholders, on their business security. Information systems auditing has strong tools and techniques, which can assist organizations in minimizing these risks and threats. But the fast-changing and growth of information systems makes the audit missions more complex and surrounded by uncertainty, related to audit quality parameters like experience, knowledge, and others. In line with this, the auditors may be faced with discrepancies during auditing, with each anomaly typically triggering a binary evaluation of significance. In this paper, we develop a fuzzy expert system framework, which evaluates the level of significance in the audit by allowing a discrepancy to have a level between 0 and 1. Such a framework enables the auditor to have increased accuracy and more flexibility in evaluating the appropriate level of significance, and provides a better understanding of the scope of subsequent audits and examinations. As results, we show that a fuzzy expert system has the potential to assist the auditor in the process of including qualitative information in the frivolous level and identifying the anomalies that may be most worthy of investigation. The fuzzy expert system standardizes the process of auditing by providing a formal model structure. This may facilitate reporting within the audit organization and improve the coherence of the audit process between auditors, missions over time. JEL Classification: C67, M15, M42. Paper type: Empirical research

    Web Vulnerability Study of Online Pharmacy Sites

    Consumers are increasingly using online pharmacies, but these sites may not provide an adequate level of security with the consumers’ personal data. There is a gap in this research addressing the problems of security vulnerabilities in this industry. The objective is to identify the level of web application security vulnerabilities in online pharmacies and the common types of flaws, thus expanding on prior studies. Technical, managerial and legal recommendations on how to mitigate security issues are presented. The proposed four-step method first consists of choosing an online testing tool. The next steps involve choosing a list of 60 online pharmacy sites to test, and then running the software analysis to compile a list of flaws. Finally, an in-depth analysis is performed on the types of web application vulnerabilities. The majority of sites had serious vulnerabilities, with the majority of flaws being cross-site scripting or old versions of software that have not been updated. A method is proposed for the securing of web pharmacy sites, using a multi-phased approach of technical and managerial techniques together with a thorough understanding of national legal requirements for securing systems

    Audit and security issues with expert systems;


    The Impact of Information and Communication Technology on Internal Control’s Prevention and Detection of Fraud

    This study explores the Impact of Information and Communication Technology (ICT) on internal control effectiveness in preventing and detecting fraud within the financial sector of a developing economy – Nigeria. Using a triangulation of questionnaire and interview techniques to investigate the internal control activities of Nigerian Internal Auditors in relation to their use of ICT in fraud prevention and detection, the study made use of cross-tabulations, correlation coefficients and one-way ANOVAs for the analysis of quantitative data, while thematic analysis was adopted for the qualitative aspects. The Technology Acceptance Model (TAM) and Omoteso et al.’s Three-Layered Model (TLM) were used to underpin the study in order to provide theoretical considerations of the issues involved. The study’s findings show that Nigerian Internal Auditors are increasingly adopting IT-based tools and techniques in their internal control activities. Secondly, the use of ICT-based tools and techniques in internal control positively impacts on Internal Auditors’ independence and objectivity. Also, the study’s findings indicate that Internal Auditors’ use of ICT-based tools and techniques has the potential of preventing electronic fraud, and such ICT-based tools and techniques are effective in detecting electronic fraud. However, continuous online auditing was found to be effective in preventing fraud, but not suited for fraud detection in financial businesses. This exploratory study sheds light on the impact of ICT usage on internal control’s effectiveness and on internal auditors’ independence. The study contributes to the debate on the significance of ICT adoption in accounting disciplines by identifying perceived benefits, organisational readiness, trust and external pressure as variables that could affect Internal Auditors’ use of ICT. 
Above all, this research was able to produce a new model: the Technology Effectiveness Planning and Evaluation Model (TEPEM), for the study of ICT adoption in internal control effectiveness for prevention and detection of fraud. As a result of its planning capability for external contingencies, the model is useful for the explanation of studies involving ICT in a unique macro environment of developing economies such as Nigeria, where electricity generation is in short supply and regulatory activities unpredictable. The model proposes that technology effectiveness (in the prevention and the detection of fraud) is a function of TAM variables (such as perceived benefits, organisational readiness, trust, external pressures), contingent factors (size of organisation, set-up and maintenance cost, staff training and infrastructural readiness), and an optimal mix of human and technological capabilities

    Auditing IT Governance

    Effective IT governance helps ensure that IT supports business goals, optimizes business investment in IT, and appropriately manages IT-related risks and opportunities. Organizations that realize that IT is no longer a support process and that it embeds value and risks need a structured approach for better managing Information Technology, enabling its capability to deliver added value enterprise-wide, and setting up a risk management program to address new risks arising from the usage of IT in business processes. In order to assess whether IT Governance is in line with industry practices, IT Auditors need a good understanding of processes and applicable standards, particular audit work programs and experience in assessing potential problem indicators. Keywords: IT Governance, Audit, ISACA, CGEIT, Val IT, Value Governance, Portfolio Management, Investment Management