The Information Systems (IS) section provides three basic services: data retrieval, IS systems review, and computer forensic analysis.
The data retrieval staff provide information for audit field work. They write computer programs to provide information from the state's centralized accounting system, individual agency service delivery systems, and college and university transaction files. Various statistical sampling techniques, together with stratification and summary reports, provide the auditor a statistical basis on which to evaluate an entity's operations. Data retrieval staff also produce listings and perform comparisons and other procedures to detect errors or irregularities. Working closely with other audit staff, retrieval staff develop new computer-assisted audit techniques.
The IS section develops automated techniques to reduce costs and improve efficiency. The retrieval and review staff work with the financial and compliance auditors to create computer-assisted audit techniques (CAATs) that use computer programs to perform portions of the audits now done manually. To expand its capability to perform CAATs, the division has implemented Audit Command Language (ACL), data analysis and reporting software. ACL enables nontechnical auditors to perform sophisticated queries and analyses of financial transactions. Because ACL's capabilities are audit specific, yet still highly flexible, the software allows auditors to readily organize and evaluate information embedded in complex systems. IS audit staff provide support in the migration of CAATs from the mainframe to the financial auditors' personal computers.
Information Systems Review
The IS review staff are responsible for obtaining and documenting an understanding of the internal control structure in the computerized accounting and management information systems of entities undergoing financial and compliance audits. These entities include state agencies, colleges and universities, and quasi-governmental organizations. The IS staff review the general and application controls within data processing systems when those systems significantly affect the auditee's operations. The results of these reviews are included in the financial and compliance audit reports. The individual computer centers for various state agencies are audited according to generally accepted government auditing standards. The IS section also conducts Data Reliability Reviews on both financial and program administration systems. These reviews are designed to assess the reliability of key elements of the application's computer processed data, assess the implementation and effectiveness of user control procedures (reconciliations and manual checks to ensure that data is complete and accurate), and to assess the manual follow-up procedures (procedures in place for error correction and review). The procedures conducted are based on the GAO's supplement to Government Auditing Standards, Assessing the Reliability of Computer-Processed Data, and the AICPA's Audit Guide, Consideration of Internal Control in a Financial Statement Audit.
Computer Forensic Analysis
The IS section provides services in the area of computer forensic analysis. Evidence of fraud and abuse may be found on subjects' computers, and the IS section works in support of the Investigation section to acquire, identify, and obtain this evidence. The section utilizes specialized software and hardware to recover evidence of official misconduct by state employees and in support of civil or criminal action against persons or entities engaging in illegal activities resulting in damages to the state.
The IS audit staff recognize that as computer-based systems become more commonplace, all auditors will need increased technical skills to perform their jobs. Toward that end, the IS section has been heavily involved with in-house training and for several years has taught classes on computer-assisted audit techniques, specialized audit software, auditing automated financial management systems, and computer forensic investigation techniques. In addition, information is exchanged through contacts with other state audit organizations for ways to improve IS audit support.
In a new initiative, the IS section is developing a computer network laboratory to assist in the development and performance of network vulnerability assessments to help ensure the security of state computer systems and data.