Describe what a Data Flow Diagram is and why it is useful for IT auditing.
One paragraph should describe what a Data Flow Diagram is, and the second paragraph should describe why it is useful for IT auditing.
In one paragraph, what are CAATs and what benefits do they provide to IT auditors?
CAATs are known to assist auditors in defining sample size and selecting a sample for testing purposes.
Describe two techniques used by CAATs to define sample size and select the sample. One paragraph for each technique.
Explain the importance of flowcharting as an audit analysis tool in one paragraph.
Describe what a Data Flow Diagram is and why it is useful for IT auditing.
A data flow diagram is a visual representation of the various data paths that a system takes to satisfy an end user’s request.
This can be used as a visual aid in understanding how a particular application or IT system is created, what data it gathers and processes, who has access to it, and where this information resides in the larger organizational network.
A complete diagram also includes any systems directly linked to the main application or system that the internal IT auditors have identified for review.
Data Flow Diagrams are useful for IT auditing because they show the different data paths of a system and the junctions where those paths meet.
An auditor can use them to trace how a data breach occurred, or to see where one could occur.
They also give a clear view of where sensitive data is stored on each system in the network and how it is transferred between systems.
That matters in any organization with a large network, but most of all for data whose compromise carries legal or financial consequences, such as medical or financial records.
It matters as well for legacy systems that cannot run current security tools, including the operating system's own built-in protections such as antivirus, and therefore depend on compensating controls elsewhere in the data path.
Data flow diagrams also help IT auditors understand how an outside entity might be able to reach sensitive data or systems.
The diagram cuts both ways for an organization's security.
On one hand, it gives users detailed information about how their data is handled across the network and which protection measures are in place; on the other, the same detail is a map of where sensitive data sits and how to reach it, so the diagram is itself a sensitive document and should be stored and shared with the same care as the systems it describes.
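As an added example that is not part of the original essay, the Python below models a small data flow diagram as a directed graph and asks it the questions an auditor asks of one: which stores hold sensitive data, what paths lead to them from outside the organization, where those paths cross trust boundaries, and which sensitive flows cross a boundary unencrypted. The system, its node names, zone names and sensitivity flags are constructed for illustration.

```python
"""A data flow diagram as a directed graph, queried the way an IT auditor
reads one.  Added example with a constructed system; node, zone and data
names are assumptions, not a real environment."""
from collections import namedtuple

Node = namedtuple("Node", "name kind zone")      # kind: external | process | store
Flow = namedtuple("Flow", "src dst data sensitive encrypted")

# Constructed example: a patient portal with an internal records API and a
# nightly export to a partner file share.
NODES = {n.name: n for n in [
    Node("Patient", "external", "internet"),
    Node("Web Portal", "process", "dmz"),
    Node("Records API", "process", "internal"),
    Node("Patient DB", "store", "internal"),
    Node("Analytics Export", "process", "internal"),
    Node("Report Share", "store", "partner"),
]}
FLOWS = [
    Flow("Patient", "Web Portal", "login form", False, True),
    Flow("Web Portal", "Records API", "record request", False, True),
    Flow("Records API", "Patient DB", "SQL query", False, True),
    Flow("Patient DB", "Records API", "record set", True, True),
    Flow("Records API", "Web Portal", "record view", True, True),
    Flow("Web Portal", "Patient", "HTML page", True, True),
    Flow("Patient DB", "Analytics Export", "nightly extract", True, True),
    Flow("Analytics Export", "Report Share", "CSV report", True, False),
]


def sensitive_stores():
    """Data stores holding sensitive data: any store that sends or receives
    a sensitive flow."""
    return sorted({end for f in FLOWS if f.sensitive
                   for end in (f.src, f.dst) if NODES[end].kind == "store"})


def paths_to(target, start=None, path=None):
    """All simple paths to `target`, starting from every external entity
    when `start` is omitted.  Simple paths only, so cycles terminate."""
    if start is None:
        return [p for n in NODES.values() if n.kind == "external"
                for p in paths_to(target, n.name)]
    path = (path or []) + [start]
    if start == target:
        return [path]
    found = []
    for f in FLOWS:
        if f.src == start and f.dst not in path:
            found.extend(paths_to(target, f.dst, path))
    return found


def boundary_crossings(path):
    """Trust-boundary crossings along a path as (src, dst, from_zone, to_zone)."""
    return [(a, b, NODES[a].zone, NODES[b].zone)
            for a, b in zip(path, path[1:]) if NODES[a].zone != NODES[b].zone]


def unprotected_sensitive_flows():
    """Sensitive data crossing a trust boundary without encryption: the flows
    an auditor would raise first."""
    return [f for f in FLOWS if f.sensitive and not f.encrypted
            and NODES[f.src].zone != NODES[f.dst].zone]


if __name__ == "__main__":
    for store in sensitive_stores():
        for path in paths_to(store):
            print(" -> ".join(path))
            for src, dst, z1, z2 in boundary_crossings(path):
                print(f"   crosses {z1} -> {z2} at {src} -> {dst}")
    for f in unprotected_sensitive_flows():
        print(f"FINDING: {f.data!r} from {f.src} to {f.dst} is sensitive and unencrypted")
```

Run as a script it lists each path from the outside world to a sensitive store with its boundary crossings, then flags the export to the partner share as the one sensitive flow leaving the internal zone in the clear; the same graph can be extended with real nodes and flows from an actual diagram.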
What are CAATs and what benefits do they provide to IT auditors?
Computer-Assisted Audit Techniques (CAATs), also called computer-aided audit tools, are software and scripted methods that let an auditor extract, analyze and test data and controls directly rather than by manual inspection; generalized audit software, data extraction and analysis tools, test data, parallel simulation and embedded audit modules are the usual categories.
They have been in use for decades, and the need for them keeps growing because technology systems change faster than manual review can follow and because transaction and log populations are now too large to examine by hand.
CAATs let the auditor build a holistic picture of an IT organization's infrastructure and data security, giving a 360-degree view across systems, applications, processes and locations.
They support a more comprehensive, risk-based assessment of technological controls, because the auditor can test whole populations rather than a handful of items.
This lets the IT auditor audit not only the applications but also the frameworks, configuration settings, architecture and security policies that support them.
The result is a compiled, evidence-backed picture of the technology estate that the auditor can use to advise management on security risks and on implementation issues with specific technologies.
The same information helps management understand the impact that changes to security controls will have on the organization.
Regularly documenting CAAT findings is an effective way for an IT auditor to demonstrate compliance with regulatory requirements and to identify control weaknesses that a checklist review of technical requirements would miss.
Beyond these benefits, CAAT output can help management resolve technical problems that would otherwise limit the effectiveness of the auditor's testing, provided the auditor stays in an advisory role and does not take over management's decisions, which would compromise independence.
Describe two techniques used by CAATs to define sample size and select the sample
The four techniques below are common ones among the many ways CAATs can be applied; the list is not exhaustive.
1. Attribute sampling to set the sample size – the auditor specifies a confidence level, a tolerable deviation rate and an expected deviation rate, and the tool computes the smallest sample that lets the auditor conclude, at that confidence, that the true deviation rate in the population does not exceed the tolerable rate.
The sample grows as the tolerable rate falls or the expected rate rises, and the technique assumes deviations are spread through the population rather than concentrated in one period or location; where outcomes vary over time, the population should be stratified first.
2. Stratification – the tool divides the population into strata by value, location, transaction type or risk indicator and determines what proportion of each stratum will be tested.
High-value or high-risk strata can be examined in full while the remainder is sampled, which gives more assurance per item tested than treating the population as one block; it requires the analysis to run over the entire data set rather than a subset, so that every item lands in exactly one stratum.
3. Random selection – the tool generates random numbers to pick items so that every item in the population has an equal chance of selection, on the principle that a properly drawn sample supports conclusions about the population it came from.
The selection is reperformable if the auditor records the random seed and the item range, and there must be clear criteria for the sample size so that sampling risk is controlled rather than left to the tool's defaults.
4. Probability-proportional-to-size (monetary unit) sampling – every currency unit in the population is a sampling unit; the tool derives a sampling interval from the total value and the desired sample size, picks a random start, and selects each item containing a selection point, so larger items are more likely to be chosen and items at or above the interval are certain to be.
This produces better estimates of monetary misstatement but costs more to apply and is less suitable for populations with rare errors, many zero or negative balances, or very small samples; it is the right choice when the auditor wants to generalize results beyond the selected items and be confident the projection is accurate.
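As an added example, not from the original essay, the Python below implements the sample-size and selection logic of items 1, 3 and 4 above: exact-binomial attribute sample sizing, seeded random selection, and monetary-unit selection with a fixed interval and a random start. The invoice population is constructed, and the `seed` parameter is an assumption about how an auditor would make a selection reperformable.

```python
"""CAAT sampling routines: attribute sample sizing, random selection and
monetary-unit selection.  Added example; the invoice population is constructed."""
import math
import random


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), computed exactly."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence, tolerable_rate, expected_rate, max_n=10_000):
    """Smallest n for which, if the true deviation rate were the tolerable rate,
    seeing no more than the planned-for deviations would have probability
    <= 1 - confidence.  This is the reasoning behind the published
    attribute-sampling tables; being exact binomial, a value may differ by one
    from a table built on an approximation."""
    if not 0 <= expected_rate < tolerable_rate < 1:
        raise ValueError("need 0 <= expected_rate < tolerable_rate < 1")
    risk = 1 - confidence
    for n in range(1, max_n + 1):
        allowed = math.ceil(n * expected_rate)        # deviations the plan tolerates
        if binomial_cdf(allowed, n, tolerable_rate) <= risk:
            return n
    raise ValueError(f"no sample size up to {max_n} meets the criteria")


def random_selection(population_size, n, seed):
    """Unrestricted random selection of item numbers 1..population_size; the
    recorded seed lets a reviewer reperform the selection exactly."""
    return sorted(random.Random(seed).sample(range(1, population_size + 1), n))


def monetary_unit_selection(amounts_cents, n, seed):
    """Probability-proportional-to-size selection: every cent is a sampling
    unit, selection points are a random start plus a fixed interval, and an
    item is selected when a point falls inside it.  Items at or above the
    interval are therefore always selected; repeated hits count once.
    Returns (selected item indexes, interval, start)."""
    if any(a <= 0 for a in amounts_cents):
        raise ValueError("monetary unit sampling needs positive amounts")
    total = sum(amounts_cents)
    interval = total // n
    start = random.Random(seed).randint(1, interval)
    selected, cumulative, idx = [], 0, 0
    for point in (start + i * interval for i in range(n)):
        while cumulative + amounts_cents[idx] < point:  # point lies past this item
            cumulative += amounts_cents[idx]
            idx += 1
        if not selected or selected[-1] != idx:
            selected.append(idx)
    return selected, interval, start


# Constructed population: seven invoices, amounts in cents.
INVOICES = [("INV-001", 12_500), ("INV-002", 1_800_000), ("INV-003", 3_100),
            ("INV-004", 250_000), ("INV-005", 9_900), ("INV-006", 50_000),
            ("INV-007", 620_000)]

if __name__ == "__main__":
    n = attribute_sample_size(0.95, 0.05, 0.0)
    print(f"attribute sample size at 95% confidence, 5% tolerable, 0% expected: {n}")
    print("random items from a population of 1000:", random_selection(1000, 5, seed=2024))
    picked, interval, start = monetary_unit_selection([a for _, a in INVOICES], 5, seed=2024)
    print(f"MUS interval {interval} cents, start {start}:", [INVOICES[i][0] for i in picked])
```

Two points worth noticing when running it: the attribute sample for 95% confidence and a 5% tolerable rate with no expected deviations comes out at 59, and in the monetary-unit run the two invoices larger than the interval are selected whatever seed is used, which is exactly why the technique is favoured for detecting material misstatement.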
Explain the importance of flowcharting as an audit analysis tool
A flowchart is a visual representation of the process steps involved in a task, or methodology.
It is an excellent tool for analyzing and communicating how data is processed or has been used.
When performing audits, you will sometimes find inconsistencies between different data sets or documents that are hard to explain.
The cause can be as simple as an error at the step where a data set was entered into the database, or a hand-off after that step that was never recorded.
A flowchart lets you see where the flow of process steps went wrong and removes much of the guesswork when pinpointing the problem.
When performing an audit on a company’s financial data, there are usually several points in the audit process where documentation is required.
If there are different people involved in the documentation of the data from different areas such as shipping, receiving, sales and inventory, it can be difficult to understand who actually documents what and how that information is used.
Flowcharts can help you to determine who is responsible for what and how the data flows between areas.