Critical Thinking Exercise: Performing IS Audits Review

Let's Dive into the Oregon Secretary of State's Audit Division Report!

1. Can you explain the difference between audit objectives and audit procedures using examples from the report?

2. What are some things the OLCC should have done before contracting with Franwell?

3. What is the purpose of interface controls according to the report?

4. How was the evidence provided that test data was not properly managed?

5. Choose an element from the Methodology section and explain what the auditor might have done to evaluate or test the listed control practices.

Exploring the Oregon Secretary of State's Audit Division Report Findings!

Critical thinking involves systematically applying concepts in different situations. Today’s exercise will apply some of the "Performing IS Audits" concepts by reviewing a recent IS audit conducted by the Oregon Secretary of State's Audit Division. Thinking through the case can help you master course material. Perhaps interestingly, three of the auditors are OSU College of Business grads including Jessica Ritter who took this course a few years ago.

The OLCC audit introduces many topics we will cover this term. We will talk about only a few of them in this assignment. But if you have a few minutes, read the rest of the report.

Before you begin answering the questions, review the following:

• The summary page with the highlights.
• Pages 5 and 6 which present the audit plan.
• The findings sections labelled:
  • OLCC lacks processes to monitor some third-party service providers (p 12)
  • Interface reconciliation processes non-existent (p 13)
  • Test data in Marijuana Licensing System production environment (p 13)
  • User account management processes lacking (p 14)

Difference between audit objectives and audit procedures:

Audit objectives refer to the specific goals or outcomes that an auditor aims to achieve during an audit. These objectives are established to assess the effectiveness, efficiency, and reliability of an organization's systems, processes, and controls. They provide a framework for the auditor to evaluate the overall performance and compliance of the audited entity.

On the other hand, audit procedures are the detailed steps and techniques employed by the auditor to gather evidence and obtain sufficient information to support the audit objectives. Audit procedures are specific actions taken by the auditor to obtain and evaluate data, test controls, and identify any potential issues or deficiencies within the audited organization.

Example from the report: In the OLCC audit report, one of the audit objectives was to assess the effectiveness of user account management processes. The corresponding audit procedures included reviewing user account creation and termination procedures, examining access controls and permissions, and analyzing user activity logs to ensure proper segregation of duties and prevent unauthorized access.

Things OLCC should have done before contracting with Franwell:

- Conducted a thorough due diligence process, including evaluating Franwell's reputation, financial stability, and previous experience with similar projects.

- Conducted a comprehensive risk assessment to identify and mitigate potential risks associated with the partnership.

- Ensured that proper contractual agreements and service level agreements were in place to clearly define expectations, responsibilities, and performance metrics.

Purpose of interface controls:

According to the report, interface controls are designed to ensure the accurate and complete transfer of data between different systems or applications. These controls aim to validate the integrity, accuracy, and reliability of data transmitted or shared through interfaces, preventing errors, omissions, or unauthorized alterations.

Evidence of improper test data management:

The report states that test data was found in the production environment of the Marijuana Licensing System. This indicates a lack of proper segregation between test and production environments, which increases the risk of unauthorized access, data corruption, and inaccurate results. The presence of test data in the live environment suggests inadequate controls and insufficient management of data migration or system testing processes.

Example of an audit procedure from the Methodology section:

One of the elements mentioned in the Methodology section is "Review interface documentation and reconciliation procedures." To evaluate this control practice, the auditor might have reviewed the documented interface specifications and reconciliation procedures to ensure that they are adequately defined, documented, and followed. The auditor may have also selected a sample of interface transactions and reconciled them to verify the accuracy and completeness of data transfer between systems. This audit procedure assesses the effectiveness of interface controls and ensures the proper reconciliation of data between systems.