13.6 Legal Aspects - PowerPoint PPT Presentation

Provided by: lbr75
1
Chapter 8
  • 13.6 Legal Aspects
  • Part 2

Audit
2
Legal Aspects - the syllabus says
Audit requirements: Understand that many
information systems are subject to audit.
Understand the impact of audit on data and
information control. Describe the need for audit
and the role of audit management/software tools
in an IS. Understand the function of audit
trails and describe applications of use, e.g.
ordering systems, student tracking, police
vehicle enquiries.
3
What is an Audit?
  • An audit is a check by an independent observer
    (auditor) to ensure that the data transactions of
    a company have complied with all laws and
    regulations.
  • Ensures no fraud has taken place.
  • Also checks company has procedures in place that
    provide protection against the misuse of ICT
    systems and data.
  • An audit happens on a regular basis, e.g. an
    annual stock audit.
  • Any discrepancies in totals must be investigated
    using monitoring systems and audit trails.

4
Audit package facilities
  • Verification of control totals
  • Random selection of records for checking, e.g.
    records over a certain value, overdue accounts.
  • Analysis of file contents, e.g. debts by age,
    payments by size, to check they are in normal
    proportions.
  • Comparisons of similar transaction files to
    highlight differences.

5
Audit trails
  • An audit trail is a computer-generated record
    made of any transaction carried out by the
    computer system.
  • This can trace any activity relating to a piece
    of information from the time it enters the system
    to the time that it leaves.
  • E.g. a stock control system must keep a
    computer-generated transaction record each time
    stock numbers are changed. Each transaction
    record contains product code, transaction type
    (adding or deleting stock), quantity of product,
    date and time of transaction, and the user ID of
    the person who carried out the transaction.
  • A trail will tell an auditor who altered the
    data, when it happened, and how it happened. This
    trail can be compared with corresponding paper
    source documents if requested this way. Telephone
    requests and updates via a WAN may not have a
    paper trail so the computer generated transaction
    record is even more important.
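
An added example (not part of the original presentation) of how an auditor might use such a stock control trail: it replays the transaction records to get the expected stock level, compares that with a stock take, and lists who changed each discrepant product and when. The records, user IDs, opening balances, counts and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample audit trail using the fields the slide lists:
# (product code, transaction type, quantity, date and time, user ID)
AUDIT_TRAIL = [
    ("P100", "ADD", 50, "2024-03-01T09:00", "u_khan"),
    ("P100", "DELETE", 12, "2024-03-02T14:30", "u_lee"),
    ("P200", "ADD", 20, "2024-03-01T09:05", "u_khan"),
    ("P200", "DELETE", 5, "2024-03-03T11:15", "u_lee"),
    ("P200", "DELETE", 3, "2024-03-03T23:47", "u_ortiz"),
]
OPENING_STOCK = {"P100": 10, "P200": 0}  # constructed opening balances
STOCK_TAKE = {"P100": 48, "P200": 9}     # constructed physical count


def expected_levels(opening, trail):
    """Replay every transaction record to get the level the system expects."""
    levels = defaultdict(int, opening)
    for code, kind, qty, _when, _user in trail:
        if kind == "ADD":
            levels[code] += qty
        elif kind == "DELETE":
            levels[code] -= qty
        else:
            raise ValueError(f"unknown transaction type: {kind!r}")
    return dict(levels)


def reconcile(opening, trail, counted):
    """Return, per discrepant product, the difference and who changed it when."""
    expected = expected_levels(opening, trail)
    findings = {}
    for code in sorted(set(expected) | set(counted)):
        diff = counted.get(code, 0) - expected.get(code, 0)
        if diff:
            # ISO-format timestamps sort chronologically as plain strings.
            history = sorted((when, user, kind, qty)
                             for c, kind, qty, when, user in trail if c == code)
            findings[code] = {"difference": diff, "history": history}
    return findings


if __name__ == "__main__":
    for code, f in reconcile(OPENING_STOCK, AUDIT_TRAIL, STOCK_TAKE).items():
        print(code, "differs by", f["difference"])
        for when, user, kind, qty in f["history"]:
            print("   ", when, user, kind, qty)
```

Products whose count matches the replayed level produce no finding; only the discrepancy is returned, together with the transaction history an auditor would check against source documents.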

6
Online audit trail of user activity
  • This trail can detect if an employee is breaking
    the Code of Practice and hence the Corporate IS
    Security Policy.
  • Need an audit trail that will keep a log of all
    the user activity on the network. Not specific to
    one application.
  • Whenever the user accesses the network a
    transaction record is automatically generated
    containing UserID, address of the workstation
    used, date and time of login and the period of
    use, number of login attempts, all applications
    and data accessed.

7
Overheads generated by computer audit trails
  • Additional computer storage is needed to hold the
    extra data for the trails in each system.
  • An audit record is automatically produced each
    time an update occurs causing extra processing.
    This may well slow the application down.

8
Audit Question and Answer
  • For each of the following examples, state two
    items of data and describe how they may be used
    in the audit of the system:
  • (a) a company's stock control system 3m
  • (b) a company's network security system. 3m
  • (a) Items of data ( any 2 x 1)
  • User ID (1) Function reference such as update,
    read, add (1) Date Time (1)
  • Product code of item (NOT name/description)
    (1) No of items (1)
  • How used (any 1)
  • to identify the ups and downs of stock
    usage/able to know when reorder level reached
  • to reconcile stock levels during a stock take
  • to identify who accessed the data, when and
    what for.
  • (b) Items of data ( any 2 x 1)
  • User ID (1) Terminal/workstation ID (1) Date
    Time (1) Time spent logged on (1)
  • Number of login attempts (1) Applications
    accessed (1) Data or Files accessed (1)
  • How used (any 1)
  • to identify who was connected, when, where and
    for how long to monitor for malpractice
  • what system resources were accessed and used,
    for accounting purposes in a company that has
    internal accounting systems