Developing an audit planning framework at a strategic and operational level for implementing continuous auditing and the corresponding continuous auditing procedures for Oracle database management systems

Date
2017-03
Journal Title
Journal ISSN
Volume Title
Publisher
Stellenbosch : Stellenbosch University
Abstract
ENGLISH SUMMARY : Information technology (IT) has become imperative to most modern organisations’ strategic and operational activities. It is for this reason that King III clarified the respective responsibilities of risk committees, audit committees and internal audit functions with respect to IT assurance. King III recommends the use of technology to improve audit coverage and audit efficiency, but does not elaborate on this recommendation. In this research study, a modern audit methodology, namely continuous auditing, was explored as a potential solution to address this recommendation made by King III. Continuous auditing is the ongoing assessment of risks and controls which is enabled by technology. Compared to traditional audit methodologies, continuous auditing is considered a cost-effective method to increase audit efficiency and audit coverage. Despite the stated benefits of this audit methodology, internal auditors are yet to optimise the implementation of continuous auditing in practice. The primary objective of this research was to develop an audit planning framework for internal auditors to implement continuous auditing to ensure ongoing assurance for automated IT controls. The framework consists of strategic planning steps to develop an annual audit plan and to identify areas where continuous auditing could be implemented. The operational elements of this framework focus only on developing continuous auditing for automated IT controls. The secondary objective was to apply this planning framework to compile continuous audit procedures for database management systems, using Oracle Database as an example. The degradation of IT controls is often an early-warning indicator of fraud and error. The implementation of this modern audit methodology for database management systems enables internal auditors to report on control deficiencies within a shorter timeframe to provide real-time assurance. Considering that the most valuable information assets are retained in databases and in view of the increase in data breach incidents involving high-profile organisations, the implementation of continuous controls auditing should be a high priority for internal audit functions.
AFRIKAANSE OPSOMMING : Inligtingstegnologie (IT) het die middelpunt van die meeste hedendaagse organisasies se strategiese en operasionele aktiwiteite geword. Om hierdie rede het King III die onderskeie verantwoordelikhede van risikokomitees, ouditkomitees en interne ouditfunksies met betrekking tot gerusstelling vir IT-stelsels uiteengesit. King III beveel aan dat tegnologie gebruik moet word om die effektiwiteit en dekking van oudits te verbeter, maar brei nie uit op hierdie aanbeveling nie. In hierdie studie word ʼn moderne ouditmetode, naamlik deurlopende ouditering, ondersoek as ʼn potensiële oplossing vir hierdie aanbeveling van King III. Deurlopende ouditering is die voortdurende assessering van risiko’s en kontroles wat deur tegnologie moontlik gemaak word. In vergelyking met tradisionele ouditmetodes, word deurlopende ouditering beskou as ʼn koste-effektiewe metode om oudit-effektiwiteit en dekking te verhoog. Ten spyte van die genoemde voordele van hierdie ouditmetode, het interne ouditeure nog nie deurlopende ouditering optimaal in die praktyk geïmplementeer nie. Die primêre doel van hierdie navorsing was om ʼn oudit-beplanningsraamwerk vir interne ouditeure te ontwikkel om deurlopende ouditering vir IT-stelsels te implementeer. Die raamwerk bestaan eerstens uit strategiese beplanningstappe om ʼn oorhoofse ouditplan te ontwikkel om sodoende areas te identifiseer waar deurlopende ouditering gebruik kan word. Daarna fokus die operasionele elemente van die raamwerk slegs op die implementering van deurlopende ouditering vir outomatiese IT-kontroles. Die sekondêre doel van hierdie navorsing was om hierdie beplanningsraamwerk te gebruik om deurlopende ouditprosedures vir databasis-bestuurstelsels saam te stel, met Oracle Database as voorbeeld. Die agteruitgang van IT-kontroles is dikwels ʼn vroeë aanduider van bedrog en foute. Die implementering van hierdie moderne ouditmetode vir die ouditering van databasis-bestuurstelsels stel interne ouditeure binne ʼn korter tyd in staat om verslag te lewer oor kontrolegebreke, om sodoende deurlopende gerusstelling te bied. Aangesien die waardevolste inligtingsbates in databasisse gestoor word, en in die lig van die verhoging in insidente van datadiefstal by hoëprofiel-organisasies, behoort die implementering van deurlopende ouditering ʼn hoë prioriteit vir interne ouditfunksies te wees.
Description
Thesis (MCom)--Stellenbosch University, 2017.
Keywords
Auditing, Internal, Continuous auditing, Auditing -- Databases -- Quality control, Database management systems, Oracle Database, Auditing -- Methodology, UCTD
Citation