A core element of the accounting information systems domain is information technology (IT) audit. At the Journal of Information Systems we both publish papers on IT audit and seek new papers in this important area. In the world beyond academia, four professional organizations in the USA touch on the IT audit discipline. These are (in alphabetical order) the AICPA (particularly its Information Management and Technology Assurance (IMTA) Division), the Association of Certified Fraud Examiners (ACFE), the Institute of Internal Auditors (IIA) and ISACA. Given the importance of IT audit and assurance to ISACA, it is hardly surprising that ISACA provides a range of guidance, including the ITAF Information Technology Assurance Framework. The ISACA resource center on IT audit and assurance includes a wealth of support for practitioners and academics, with standards, guides and audit programs. Many practitioners of IT audit rely on the IIA’s Global Technology Audit Guides (GTAG®).
The first JIS Conference in March 2015 focuses on IT audit (aaahq.org/calls/JISC2015_call.cfm). We are closely involving practising professionals in the development and assessment of papers submitted to the conference. We are grateful for the support of the IMTA division of the AICPA, professionals from ISACA and Caseware-IDEA. There is, then, quite a range of information for academics on the nature and scope of IT audit. However, going from theory and professional guidance to the practice of IT audit is a little more challenging. In the private sector, IT audit reports produced by internal or external auditors are hidden by the corporate veil. Fortunately, there are quite a number of IT audit reports on local, state and federal governments that are in the public domain.
At the federal level, the U.S. Government Accountability Office (GAO) has a wide range of reports that touch on information technology. At http://www.gao.gov/browse/topic there are 712 reports under Information Management as well as Information Security (381) and Information Technology (1,335). These reports provide an invaluable overview of current issues facing not just federal government agencies but all larger entities. Taking a recent report at random (http://www.gao.gov/products/GAO-14-693R), the GAO reports on Information Systems Controls at the Bureau of the Fiscal Service within the Treasury. Understandably, some of the detailed recommendations in the report are pushed to a confidential report. The public report does, however, contain sufficient information for an interested observer to have an insight on the challenges facing the Bureau and the nature of the IT audit processes. The report notes “14 new information systems general control deficiencies related to security management, access controls, and configuration management.”
The report states that:
In addition, during our follow-up on the status of Fiscal Service’s corrective actions to address information systems control-related deficiencies and associated recommendations contained in our prior years’ reports that were open as of September 30, 2012, we determined that corrective actions were complete for 7 of the 13 open recommendations and corrective action was in progress for each of the 6 remaining open recommendations related to access controls and configuration management.
These new deficiencies in Fiscal Service’s information systems controls, along with unresolved control deficiencies from prior audits, collectively represent a significant deficiency [emphasis added] in Fiscal Service’s internal control over financial reporting. The potential effect of these new and continuing deficiencies on the Schedule of Federal Debt financial reporting for fiscal year 2013 was mitigated primarily by Fiscal Service’s physical security measures and compensating management and reconciliation controls designed to detect potential misstatements on the Schedule of Federal Debt.
It is interesting to see the GAO use the language of SOX 404. It is also noteworthy that the catalog of issues did not add up to a material weakness in internal control over financial reporting.
Each of the major federal departments and agencies has an Inspector General (IG), a position comparable to the Chief Audit Executive (CAE) in private sector organizations. Most of the reports of the IGs are available on the Web. For example, the Department of Defense IG’s reports are at www.dodig.mil/pubs/index.cfm. Screening the reports for keywords such as Cyber Security or Technology reveals several unclassified reports, as well as other reports for which a freedom of information request must be filed. For example, a recent report on the Army’s ERP systems is revealingly and delightfully entitled “Army Business Systems Information Technology Strategy Needs Improvement.” This continues the long and rather unedifying history of issues facing the multi-billion dollar rollout of ERP systems across the uniformed and civilian branches of the Department of Defense.
At the state level, most State Auditors-General provide all their reports online. Unfortunately, it can be rather difficult to identify those reports that relate to IT. An exception to this is the manner in which the Auditor-General of the State of Florida provides access to reports by broad subject area as well as by entity. The IT audit reports cover a broad array of educational organizations, boards, and state agencies. As such, the nature and size range of the organizations touched on by the Auditor-General somewhat mirror those in the private sector. These high quality reports provide fascinating and sometimes disturbing reading. Risk patterns familiar to all IT auditors frequently recur in these reports: inadequate perimeter security, and issues with user management, business interruption, and the understanding of stakeholder needs are common themes.
Taken as a whole, the public reports of audit agencies (broadly defined) from the local, state and federal governments provide a rich vein of research and teaching to be mined.