Peril Seen Unless Top Execs Help with Systems Planning
Senior-level managers should give personal attention to the planning of their companies' computer systems, a Price Waterhouse & Co. study says.
Without such involvement, technologists may build systems that fail to meet business requirements and are hard to audit, and whose cost is difficult to justify, researchers said.
The study, "Systems Auditability and Control," is an update of a 1977 report by the Institute for Internal Auditors on companies' ability to audit and control computer systems. The data were taken from more than 300 personal interviews and mail surveys of internal auditors and systems executives.
Problem Is Readdressed
The institute, which participated in the recently issued report, saw a need to readdress the audit and control of information systems because of the changes in computers and business over the past decade.
During the 1980s, corporate use escalated from simple automation to complex applications. However, the increased power of technology is a two-edged sword: Better technology can make more companies more competitive but also increases the risk of fraud, embezzlement, and business breakdowns when the systems go on the blink.
Internal auditors, as agents of senior management, must find ways to ensure that computer systems limit those risks and costs, the study's authors said.
Data Security a Problem
"Internal auditors need to be more involved now than in the past," said Hugh Marsh, an independent consultant and project manager for the study. "In the past, you could audit what went in and what came out of the computer. Now auditors need to audit what goes on inside the computers."
Why look inside? One reason is that that's where the chance for fraud is highest.
With companies exchanging more and more information using computers, outsiders may be able to get hold of critical data surreptitiously. The potential for employees to gain unauthorized entry into computer systems is also increasing as more systems make information immediately available. And business units developing their own systems may neglect security and disaster recovery.
Banking, Mr. Marsh said, is generally ahead of other industries in ensuring control over computer systems. But the risks in some areas, such as electronic funds transfer, are high. A bank that transfers funds at the phoned-in request of a customer, for example, risks fraud because a voice can be impersonated. Banks need standard procedures to double-check that the caller is authorized to request a funds transfer.
Internal auditors warn that to reduce risks and use data efficiently, companies must be more watchful about several aspects of computer systems. For example, the auditors said, companies should eliminate unauthorized access or changes to systems or data and should avoid building computer systems that would create compatibility problems.