Designing a Generic Information Systems Audit Framework to Improve the Quality of Audit in Higher Education

© 2019 Elfadil A. Mohamed, Elgilani El. Elshareif and Omer Ishag Eldai Mohamed. This open access article is distributed under a Creative Commons Attribution (CC-BY) 3.0 license.

Journal of Computer Science
Original Research Paper

Designing a Generic Information Systems Audit Framework to Improve the Quality of Audit in Higher Education

1 Elfadil A. Mohamed, 2 Elgilani El. Elshareif and 3 Omer Ishag Eldai Mohamed

1 Department of Information Technology, College of Engineering and Information Technology, Ajman University, Ajman, UAE
2 Faculty of Management, Canadian University, Dubai, UAE
3 College of Computer Science and Engineering, University of Hafr Al-batin, Hafr Al-batin KSA

Article history
Received: 01-09-2018
Revised: 07-04-2019
Accepted: 09-05-2019

Corresponding Author: Elfadil A. Mohamed, Department of Information Technology, College of Engineering and Information Technology, Ajman University, Ajman, UAE
Email: fadil_ali@yahoo.com

Abstract: There are some similarities between Financial Statement Audit (FSA) and Information Systems Audit (ISA). FSA is an examination of the reliability and integrity of financial statement records, whereas ISA is a review and evaluation of the controls, risks and system development within an information systems infrastructure to ensure that the safeguards protect against abuse, protect assets, maintain data integrity and operate effectively to achieve the organization's objectives. Decision makers need to ensure a reliable collection and evaluation of the evidence of an organization's information systems, practices and operations. Data manipulation can be caused by an external or internal threat. The internal manipulation threat is the most dangerous because it is committed by authorized personnel, which makes it very difficult to detect. In particular, the framework introduces an anomaly detection technique, a data mining method, to determine if the suspected transactions arose from internal or external threats. Once the suspected transactions are identified, procedures and monitoring controls will be in place to minimize each threat. The proposed framework is expected to help university and ministry of higher education managers at all levels to make vital decisions based on reliable and accurate information.

Keywords: ISA Framework, Data Mining, Outlier Technique, Higher Education

Introduction

Most organizations and firms worldwide have replaced their manual systems with computerized ones in the form of information systems. These changes require close monitoring and auditing of the data generated by such systems. Currently, higher education institutions such as universities and colleges are facing numerous challenges; for example, their information systems transactions have grown in volume and complexity. These institutions exist in a highly regulated environment. Therefore, there is a compelling need for controlling and monitoring mechanisms to evaluate and validate these transactions.

The data stored in information systems in higher education institutions is of paramount importance for both the institutions as well as the body represented by the ministry of higher education. Higher education institutions have to ensure the integrity of the data, which means the data must not be tampered with by either external or internal sources.

Auditing in financial accounting is concerned with the systematic verification of a company’s or government unit’s books of account transactions and it is conducted by external auditors. By contrast, Information Systems Auditing (ISA) must ensure that the data generated and stored by the information systems is safeguarded to protect against abuse, protect assets, maintain data integrity and allow the firms to continue successfully. ISA is more complex than financial auditing because the threats can come from either internal or external sources.
Elfadil A. Mohamed et al. / Journal of Computer Science 2019, ■■ (■): ■■■.■■■ DOI: 10.3844/jcssp.2019.■■■.■■■

Authorities in the ministry of higher education have a greater role in monitoring and overseeing the activities of universities. They have to ensure that the data generated by information systems that relate to student marks, records and other personal information are accurate and secure. Based on these requirements, there is a strong need for ISA to guarantee the accuracy of the data provided by universities to the ministry of higher education.

A substantial body of research has already defined ISA. For example, Abdul Rahman et al. (2015) defined ISA as the assessment of various controls, risks and system developments within IS infrastructures. The auditing process was originally manual but is now computer-based. Recently, the notion of Continuous Auditing (CA) was introduced as part of ISA, defined as a comprehensive electronic audit process that enables auditors to provide some degree of assurance on continuous information simultaneously with, or shortly after, the disclosure of that information (Rezaee et al., 2002).

Researchers have long pointed out the importance of Continuous Monitoring (CM) and auditing of information systems. To emphasize the importance of CA of organizational transactions, Marquesa et al. (2012) proposed a solution under a new vision for organizational auditing and monitoring. There is also increasing research on the applications of artificial intelligence in auditing. Kamil (2012) reviewed the main research efforts and current debates on auditors’ uses of artificially-intelligent systems, with a view toward predicting future directions of research and software development in the area. The authors believe that data mining, specifically outlier analysis, could be a viable approach to facilitate auditing in information systems by highlighting suspicious transactions.
In the present study, we intend to address two questions: (1) what are the most appropriate techniques to detect fraudulent transactions in university information registration systems? (2) More specifically, what are the main components that reflect a generic approach to ISA used by universities and the ministry of higher education?

The main purpose of this paper is to introduce a framework for auditing information systems in higher education. The framework aims to provide the ministry of higher education with a system to evaluate, monitor and validate university registration system transactions in a non-disturbing way. The proposed model is expected to help both university management and the ministry of higher education to conduct a systematic verification of the validity of stored information that pertains to students.

Literature Review

Non-traditional auditing tools have long been used in the audit of information systems. For instance, the use of expert systems to facilitate the ISA process is documented in Comyn-Wattiau and Akoka (1996). It is understandable that most professional auditors lack expertise in Information Technology (IT) that would allow them to implement generalized audit software. To bridge the gap between information systems and professional auditors, Li et al. (2007) proposed a systematic analysis approach that provides a framework for auditors to understand business processes and the data flow/structures of information systems effectively. Axelsen et al. (2017) developed an explanation theory that addresses the role of the information systems auditor in the public sector in supporting the financial audit and outlines key determinants that affect that role.

With the vast proliferation of data stored in an electronic form, there is a compelling need to ensure its validity and reliability. ISA is a necessity for most organizations seeking to compete in the market.
In recent years, extensive research in the realm of ISA has explored suitable means to ensure the reliability of stored data. For example, Kim et al. (2015) proposed a model to bridge the gap between contemporary auditing practices and ISA. The authors included the auditor’s expertise and role clarity as antecedent variables that affect audit responsiveness and audit reliability, which, in turn, affect audit satisfaction.

For higher education institutions, the presence or absence of CA/CM is an important characteristic that likely improves the reliability of the stored data and hence the credibility of the institution. Moreover, such auditing complies with the external regulations set up by the ministry of higher education. Marques et al. (2015) present a similar work, related to continuous assurance services in information systems that aim to improve the reliability of the business. The authors developed a prototype and consequent results analysis using real data, demonstrating the feasibility and effective use of the proposal.

CA and CM in information systems remain a hot research topic. For instance, Hardy and Laslett (2015) described a case study about the interpretation and implementation of CA and CM in a wholesale distribution and marketing company in Australia. They obtained interesting results from over 100 automated tests that were performed daily, a fully-integrated exception management system, advancement from data to predictive analytics and the use of visualization technologies to enhance reporting.

In many ways, ISA is similar to process auditing, a mechanism frequently used by many organizations to ensure the quality of their processes. To improve the quality of audit recommendations, Kurniati et al. (2015) suggested the use of process mining in auditing business processes based on data from event logs stored in information systems.
CM of information systems data from external and internal threats is of paramount importance for top management. Many methods have been proposed to prevent external intruders from accessing—and hence, tampering with—the data. Tao et al. (2018) present excellent work to detect external intruders; they proposed an alarm intrusion detection algorithm with Feature selection, Weight and Parameter optimization of Support Vector Machine (FWP-SVM-GA) based on the Genetic Algorithm (GA) and Support Vector Machine (SVM) algorithm for use in a human-centered smart IDS. Alles et al. (2018) emphasized that the use of computer algorithms derived from statistics, data mining and machine learning can help the auditing profession to remain relevant in these increasingly volatile times. Material transactions that deviate from the auditor’s expectations are considered anomalous and require the auditor’s attention.

Internal threats can cause huge damage for an organization because insiders have legitimate data access. Liu et al. (2018) identified several possible reasons for enormous loss: (1) the existing solutions do not pay enough attention to the early indications of an arising malicious insider, most of which do not raise alerts until damaging behaviors have occurred; (2) most of the solutions rely only on an individual audit data source, diminishing insights into the threats; and (3) conventional data analytics rely too heavily on domain knowledge to extract features and establish rules, resulting in a limited capability against evolving threats.

Some universities might opt for storing their data using a cloud storage system, but this approach requires more rigorous auditing to ensure the integrity of the data. Different schemes have been proposed to address such a problem. For example, Wang et al. (2017) proposed an Identity-Based Data Outsourcing (IBDO) scheme equipped with desirable features that are favorable to existing proposals for securing outsourced data.

Information Systems in Higher Education Institutions

Information and Communication Technology (ICT) infrastructure investment in emerging countries still lags behind. Kunda et al. (2019) gathered evidence from both public and private higher education institutions in Zambia to investigate factors that impact Zambian lecturers’ attitudes about incorporating ICTs in research and teaching activities. They found a positive correlation between the important factors that influence lecturers to assimilate ICTs in an academic environment. Other researchers have highlighted the importance of integrating IT governance in higher education institutions (Khouja et al., 2018).

In the United Arab Emirates, there are currently 68 accredited universities and colleges and the majority are private institutions (www.mohesr.gov.ae). All these institutions use information systems to handle a variety of things, including student academic information. The reliability of the generated data is a crucial part of the management of these institutions, which have to deal with both internal and external threats. Management requires close monitoring and thorough auditing of the information systems to ensure the trustworthiness of academic data.

Higher education institutions, especially private ones, exist in a very tough, competitive and regulated environment that necessitates maintaining their reputation in the academic field. The ministry of higher education requires all accredited universities and colleges to adhere to a strict set of rules and regulations. The ministry of higher education desperately needs mechanisms to monitor, audit and ensure the integrity of the academic data generated by these systems.
Information systems in higher education institutions have peculiar characteristics compared with other types of information systems. For example, the pattern of transactions is unique; transactions are particularly heavy in certain time periods, such as during student registration, student admission and mark entries. The proposed model attempts to close the research gap by providing an easy method to detect and highlight suspected fraudulent transactions and facilitate the decision process.

Methods

Information systems are composed of hardware, software, users and data. Auditing in information systems is entirely different from other types of auditing. In this study, the auditing process will be confined to data and information. Ioan (2015) identified seven characteristics of information:

• Availability—the information must be available at any time during the decision process
• Integrity—the content and accuracy of the data must be in accordance with the rules and expectations of the organization
• Compliance—the logical structure of information and its concrete values must reflect the actual level of processes it characterizes
• Reliability—the information must relate to the specific decision-making process that it serves
• Efficiency—the information must be provided with the lowest consumption of resources
• Effectiveness—the information must be relevant, accurate and provided in a timely manner for decision making
• Confidentiality—the information must be provided only to the intended users

Figure 1 shows the proposed framework processes, which use data mining techniques to audit and detect suspected fraudulent transactions for referral to the management of the higher education institution and the ministry of higher education.

Fig. 1: The proposed framework processes
[Figure labels: Data Sources; Data extraction; Extracted data; Update or retrieve extracted data; Pre-processing; Detection process; Update suspicious transactions; Update or retrieve suspicious transactions; Suspicious transactions]

The proposed framework indicates five phases:

Data Extraction Phase

This phase uses the log file from information systems to extract data and to prepare and extract features that are valuable for detecting suspected fraudulent transactions.

Data Pre-Processing Phase

The step may include data cleaning, normalization, transformation and feature selection to prepare the data for analysis.

Detection Process Phase

As shown in Figure 1, this phase includes two processes:

• Mining: This phase uses a suitable outlier analysis algorithm to detect suspected fraudulent transactions
• Post-processing: This phase intends to evaluate the generated patterns after the mining process

Generating Suspected Fraudulent Transactions Phase

This phase uses the tested pattern to generate suspected fraudulent transactions. This phase is the actual experimental work. The result will be delivered to the institution’s management for further investigations. These steps or phases will be detailed further when the actual data is prepared and the model is tested.

Conceptual Design of the Proposed Framework

Figure 2 shows the conceptual design of the proposed framework. The proposed design consists of the following services/components:

• User Interface Service: This service helps the users to navigate the different services, as detailed in the rest of this section
• Naming and Location Service: This service stores information about the names and locations of the registered services. This service can be implemented as a centralized or distributed service
• Detection Service: This service can be implemented as an extensible class that can be extended by the developer to add a new detection service, such as for the academic institution or for the regulatory institution
• Reporting Service: This service stores suspicious transactions in a special database that can be accessed and investigated by different users through the user interface service
• Data Sources: These encompass the databases and files that include information about the academic regulations, registration information, policies, processes/procedures, student information, regulatory rules and any other data that is relevant to the purpose of audit
• Suspicious Transactions Database: This database stores only the suspicious transactions detected by the detection service. This database can be implemented as a centralized or distributed database as required

Framework Model Formulation

The proposed framework will be based on outlier analysis, a data mining technique that can detect suspected fraudulent transactions. An outlier is generally defined as an object that deviates from the rest of the objects in the dataset. As explained in Han et al. (2012), there are many outlier detection methods in practice, such as supervised, semi-supervised and unsupervised methods. In this research, we intend to use a supervised method for detecting the suspected fraudulent transaction. The supervised method needs to model data normality and abnormality. It requires a domain expert to label the sample data.
In this research, we have designed an algorithm to act as a domain expert for labeling the transactions (Transactions Labeling Algorithm). Two classes can be labeled: legitimate transaction and suspected fraudulent transaction. Figure 3 shows the algorithm steps.

After the data is extracted and pre-processed, a model should be designed to predict the suspected fraudulent transactions. The model can be formulated by utilizing Support Vector Machine (SVM), a prominent classification technique for predicting illegal transactions. SVM (Vapnik and Vapnik, 1998) is a non-probabilistic binary linear classifier that constructs a hyperplane or set of hyperplanes in a high or infinite dimensional space. It can be used for classification, regression, or other tasks. The main idea underlying SVM for transactions classification is to find a hyperplane that divides the transactions into fraudulent or legitimate. In order to discriminate between “fraudulent” and “legitimate” transactions, the SVM learns a classification function from a set of positive examples (fraudulent) $\chi^{+}$ and set of negative examples (legitimate) $\chi^{-}$. Following (Ismail et al., 2018; Zaki et al., 2004; 2006), the classification function takes the form shown in Equation (1):

$$f(x) = \sum_{i:\, x_i \in \chi^{+}} \lambda_i K(x, x_i) - \sum_{i:\, x_i \in \chi^{-}} \lambda_i K(x, x_i) \qquad (1)$$

where, the non-negative weights $\lambda_i$ are computed during training by maximizing a quadratic objective function and the kernel function $K(x, x_i)$. In this case, Gaussian Radial Basis Function kernel (RBF kernel) can be used.

Fig. 2: The proposed framework components
[Figure labels: User interface service component; User requests; Systems responses; Naming service; Detection service/component; Regulator/s rules verification component; Organization rules verification component; Reporting service component; Update database of suspicious transactions; Report suspicious transaction; Suspicious transactions; Update data sources; Extract data; Data source 1; Data source 2; Data source n]
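The following is an added example, not code from the paper: it carries the pre-processing phase (min-max normalization) into Equation (1), training a bias-free RBF-kernel SVM by coordinate ascent on the box-constrained dual so that the weights stay non-negative. The three features, the hand-labelled rows, `gamma`, `c` and all function names are constructed assumptions; the paper's Transactions Labeling Algorithm is not reproduced here.

```python
import math

# Constructed, hand-labelled sample (assumption: the paper lists no features).
# Row: (hour of day, days since mark-entry deadline, marks changed), label
# Label +1 = suspected fraudulent (chi+), -1 = legitimate (chi-).
TRAIN = [
    ((10, 0, 1), -1), ((11, 1, 2), -1), ((14, 0, 1), -1),
    ((9, 2, 1), -1), ((15, 1, 3), -1), ((13, 0, 2), -1),
    ((2, 40, 12), +1), ((23, 35, 9), +1), ((3, 50, 15), +1), ((1, 45, 10), +1),
]

def fit_minmax(rows):
    """Pre-processing phase: learn per-feature (min, max) bounds."""
    return [(min(col), max(col)) for col in zip(*rows)]

def scale(row, bounds):
    """Map each feature to [0, 1] relative to the training bounds."""
    return tuple((v - lo) / (hi - lo) if hi > lo else 0.0
                 for v, (lo, hi) in zip(row, bounds))

def rbf(a, b, gamma=2.0):
    """Gaussian RBF kernel K(a, b) = exp(-gamma * ||a - b||^2)."""
    return math.exp(-gamma * sum((p - q) ** 2 for p, q in zip(a, b)))

def train(xs, ys, c=10.0, sweeps=200):
    """Maximize sum(l_i) - 1/2 sum_ij l_i l_j y_i y_j K_ij with 0 <= l_i <= c.

    There is no bias term (Equation (1) has none), so the dual has no
    equality constraint and exact per-coordinate updates with clipping work.
    """
    n = len(xs)
    k = [[rbf(xs[i], xs[j]) for j in range(n)] for i in range(n)]
    lam = [0.0] * n
    for _ in range(sweeps):
        for i in range(n):
            margin = ys[i] * sum(lam[j] * ys[j] * k[i][j] for j in range(n))
            lam[i] = min(c, max(0.0, lam[i] + (1.0 - margin) / k[i][i]))
    return lam

def decision(x, xs, ys, lam):
    """Equation (1): weighted kernel sum over chi+ minus the sum over chi-."""
    pos = sum(l * rbf(x, xi) for xi, y, l in zip(xs, ys, lam) if y > 0)
    neg = sum(l * rbf(x, xi) for xi, y, l in zip(xs, ys, lam) if y < 0)
    return pos - neg

def build_detector(train_rows):
    """Return (score function on raw rows, learned weights)."""
    raw = [row for row, _ in train_rows]
    ys = [y for _, y in train_rows]
    bounds = fit_minmax(raw)
    xs = [scale(row, bounds) for row in raw]
    lam = train(xs, ys)
    return (lambda row: decision(scale(row, bounds), xs, ys, lam)), lam

def flag_suspicious(transactions, score):
    """Transactions with f(x) > 0 go to the suspicious-transactions store."""
    return [t for t in transactions if score(t) > 0]

if __name__ == "__main__":
    score, _ = build_detector(TRAIN)
    for t in [(10, 1, 1), (2, 42, 11), (12, 0, 2)]:  # constructed batch
        print(t, round(score(t), 3))
```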