
07-02-2013

Chapter 14
Evaluation and Audit of e-Business

Learning Objectives
To understand
- the purpose and need of auditing Information Technology and e-business
- the principles and basics of auditing e-business
- various methods and parameters used for auditing e-business
- security and infrastructure audit of e-business
- performing IT audit and action items for the same

Oxford University Press 2012. All rights reserved.

E-Business


Introduction
What is Audit? Examination and analysis of the records or processes for the purpose of verification.
Why is it needed? For the purpose of verification of consistency and for determining whether the system and processes are performing the desired task.
Types of Audit? Financial, Security, etc.

Why Audit in e-business?
- E-business involves a number of business transactions over the Web
- Financial transactions through payment gateways
- Effective security processes and infrastructure need to be in place in order to ensure all activities run smoothly


Health Indicators of an e-business


Health indicators of an e-business are the indicators that contribute to value creation, customer satisfaction and business financials; and the effectiveness and efficiency of business activities. Following are some of the indicators:
1. Availability of the system for end users
2. Response time of a system for internal and external customers
3. Accessibility of the system
4. Human factor engineering

Health Indicators of an e-business Cont..


5. Customer services
6. Privacy
7. Illegal usage and its analysis
8. Copyright infringement
9. Security indicators
10. Various controls and how they are established
11. Other factors such as infrastructure, connectivity, etc.: These factors also indicate the overall business health.

E-business Audit & documents


E-business auditing involves examination of the overall processes and systems, which includes the audit of
- the network
- infrastructure
- system behaviour
- processes

Need for e-business audit and evaluation


E-business audit is necessary for the following key reasons:
- Building customer faith
- Improved safeguarding of assets
- Improved data integrity
- Improved system efficiency
- Improved customer satisfaction

Once the processes are established, they need to be reviewed and improved from time to time, as every new fact is revealed.

The supplementary documents facilitating auditing include different diagrams and documents, such as
- Network diagrams
- System diagrams
- Staff relationship diagram
- Responsibility diagrams
- Point of exposure analysis
- Infrastructure list and positions
- Material and information flow diagrams

Auditing guidelines
Comprised of the recommended course of action needed to perform a quality audit. Should satisfy the following basic criteria:
- Evaluating and prioritizing action items based on the significance of every part of the audit
- Accuracy and reliability of audit findings
- Impartial and non-prejudiced judgement that is not based on outdated or irrelevant data
- Scope and timeliness of the audit
- Clarity, efficiency, and effectiveness of the audit

Major aspects of e-business Audit


The four major aspects of e-business audit are
- Understanding and verifying roles
- Identifying and understanding processes
- Evaluation with reference to benchmark or expected roles, and
- Deriving inputs for enhancement with reference to gaps.

An audit matrix has four parameters:
- Investigation
- Evaluation
- Measurement
- Learning

Indicators of Audit Objectives


Two important indicators of audit objectives:
- Value creation
- Achieving business objective

E-business auditing guidelines can be mapped to 4 heads:
- The General Guidelines and the Framework for Auditing
- The Guidelines for Financial Auditing
- The Guidelines for Performance Auditing
- The Guidelines for Corporate Control

Conducting e-business audit


An e-business audit starts with an analysis of the following aspects:
- General business overview
- The business system and its key components
- IT infrastructure and architecture
- Different processes and standards followed
- Staff and management
- Security devices, policies, architecture, and implementation
- Business alignment of e-initiatives
- Extended organization, service providers, and external devices used

Controls in e-business audit


Control refers to a system that prevents, detects, and corrects unlawful events.
- Implementation of reliable controls is required to keep things in place and to make sure that processes, people, and management are working effectively towards the business goal.
- The controls are not limited to security purposes, but cover the entire system.
- Controls can be classified into preventive controls, detective controls, and corrective controls.

Controls in e-business Audit Cont..


Controls cover the entire system, to
- Ensure that appropriate processes are in place
- Ensure that the processes are being followed properly
- Check whether the necessary infrastructure is in place
- Understand the need of enhancement

The purpose of controls is to minimize the losses by prevention of activities causing losses.


An External Auditing System


External auditing system analysis comprises
- Interviews of employees, customers, and managers
- A system study
- Analysis of the results

The steps involved in conducting an audit include
- Steps to obtain clarity about the controls and understanding of the controls
- Assessment tests of the controls
- Tests to detect the irregularities in controls
- Review procedures

Steps involved in an e-business Audit


E-Auditing Parameters

Risks associated with Audit


The most challenging task in the planning phase is to judge the level of risk associated with each segment of the audit. To decide on the level of risk, one needs to analyse the internal controls:
- Control environment and activities
- Risk assessment, Monitoring
- Information and communication
- Control establishment and personnel
- Use of technologies


Security and Security Risk Assessment Steps with reference to e-business

Tests of Controls Collecting Auditing Data


The testing of controls offers an insight into their functioning and provides the necessary data.
- Verification of management controls
- Iterative evaluation of controls
- Once the management controls are found reliable, the weaknesses of controls at every level are investigated
- This includes verification of controls at the levels of operator, accountant, individual employees, etc.


Audit Programs
The audit program is based on the organization's own reference guide. The program consists of steps to deduce the efficiency. The points to be considered while forming an audit program:
- The standards used and general guidelines followed by an organization

Audit and Testing


An audit needs to analyze the system from various angles and perspectives, with the help of multiple controls and a variety of combinations of these controls. It includes interviewing employees, testing, and assessment of documents. Depending on the complexity of the system, the testing plan for an audit is decided.


Audit Reporting
Audit reports help organizations identify the gaps and develop guidelines for bridging the gaps observed during audit. An e-business audit report should cover
- IT functionality report
- IT process auditing report
- Responsibilities and management response
- A document addressing users about the need of the correction in processes

Audit Report heads


The report must be organized under relevant heads such as
- Customer interaction processes
- Information gathering and analysis processes
- Delegation of authority
- Internal reporting, escalation processes, financial processes, contracting processes, etc.
- The controls along with the observation and possible ways of improvement
- Information related to the performance indicators used for auditing

Audit of Performance Indicators


- Performance indicators should be chosen appropriately and should indicate the performance of the system accurately.
- An e-business audit is made up of performance indicators, efficiency indicators, and effectiveness indicators.
- Efficiency indicators are associated with the resources contributing towards the efficiency of business processes.
- An effectiveness indicator provides an insight into the overall effectiveness of business processes.
- Workload indicators indicate the amount of work performed.

E-business Balanced Score-card


E-business Audit Controls and Parameters


E-business is audited for various parameters. The important control heads with reference to audit of e-business are
- Systems development management controls
- E-business transaction management controls
- Security management controls
- Quality assurance management controls
- Input controls
- Operations management controls
- Programming management controls
- Financial management controls
- Supply chain management controls
- Database management controls

Scope of Audit Work


Concurrent Auditing for E-business


Concurrent auditing is collecting data and evidence from all audit sources.
- Allows the audit trail to be captured and tracked online
- Provides means for tracking and early warning to minimize losses resulting from anomalies
- Helps identify irregularities quickly
- Irregularity propagates quickly across the systems and results in information and material losses

Steps of concurrent auditing


The steps followed for concurrent auditing are
1. Perform feasibility study
2. Analyze the impact of concurrent auditing
3. Analyze and take related technical decisions
4. Plan and design
5. Implement
6. Carry out post-audit cost-benefit analysis


Advantages of Concurrent Auditing


The advantages of concurrent auditing with reference to e-business are
- Alternative to traditional post auditing
- Gives capability to auditors to track processes
- Gives test capability to auditors and information system and business staff
- Can be used for training new users and to give insight into the system and business

Security Audit
Security audit includes audit for
- physical security
- data transmission security, and
- data storage security

along with security aspects of system administration and application development. It covers the following aspects:
1. Security of computers, servers, and network devices
2. Availability of hardware
3. Physical measures for information and data security

Security Audit
4. Backup policies
5. Handling of sensitive information
6. Transmission and encryption of important data
7. Server handling and configuration handling
8. Anomaly detections and identifying violations
9. Disaster recovery and business contingency plans
10. System privilege and access control
11. Information and source code handling
12. Testing strategies
13. Security policies to handle viruses, intrusions, and information corruption

Components of an e-business Security Audit


- Monitoring
- Contingency plan
- Recovery and reconciliation
- Transaction integrity
- Incident monitoring and handling
- User authentication


Infrastructure Audit
The purpose is to identify whether the required infrastructure is in place and being used properly and efficiently.
- Essential for security as well as efficiency reasons
- Includes listing of the available infrastructure such as
  - Hardware assets
  - Operating systems along with patches and versions
  - Software installed on various machines
  - Network analysis (connectivity and requirements)
  - Servers etc.

Infrastructure Audit Cont..


Also includes analyses of security and backup systems. The infrastructure audit deals with
- Checking whether the required infrastructure is in place
- The quality of infrastructure
- Scalability and security aspects of the infrastructure
- Optimal use of infrastructure
- Connectivity and communication
- Processes related to infrastructure