National Center for State Courts
Improving Justice through Leadership and Service to the Courts
Please note that these materials are provided for historical purposes only. The information presented is out of date and may be neither accurate nor useful. External hyperlinks may no longer be valid. For current court technology information, please see the new Court Technology Bulletin.


January/February 2000, Volume 12, Number 1

Demonstrating Results
Information Technology Audits Can Help Make the Case For Funding

Henry Townsend

States are beginning to follow the example of the federal government in instituting results-oriented, performance-based budgeting. Information technology (IT) audits can provide the justification that court administrators need when requesting resources to meet the demands for electronic case management systems, e-filing systems, productivity systems, and general management support systems. An IT audit is a review performed by specially trained and certified professionals that either provides administrators with reasonable assurance that the court's information resources management activities are being conducted in an efficient, effective, secure, and accurate manner, or identifies existing weaknesses in those activities and recommends actions to correct them. An IT audit is an independent, risk-based assessment that compares current conditions and practices to established standards and generally accepted management practices.

IT audits are standards-based. Several bodies are responsible for issuing standards that guide the management of information resources.

· The legal requirements enacted by the state legislature are of the greatest significance. These laws are supported and implemented by both administrative codes and case law specific to the administrator's state.

· Some federal legislation exists that must be implemented by the administrative office and the information resource managers, including the Computer Fraud and Abuse Act, the Copyright Act, and the Electronic Communications Privacy Act.

· The National Center for State Courts, in cooperation with the Joint Technology Task Force of COSCA and NACM, is developing functional IT standards and data interchange standards for the courts. These efforts are jointly funded by state and federal grants. The first set of functional standards, for civil cases, is in final draft with approval pending. The Center is prepared to begin work on IT standards for criminal cases, for family and domestic relations cases, and for juvenile cases, and is planning to develop standards for probate cases and traffic cases.

· The Committee of Sponsoring Organizations of the Treadway Commission has published a framework for establishing internal controls within an organization that has been incorporated into the standards of professional organizations, including the American Institute of Certified Public Accountants and the Information Systems Audit and Control Association.

· The most comprehensive set of IT management standards is the Second Edition of the Control Objectives (CobiT 2) of the Information Systems Audit and Control Foundation, a non-profit research and standards arm of the Information Systems Audit and Control Association (ISACA). CobiT 2 is a set of specific management requirements based on generally accepted management practices within the IT community. These requirements are defined in four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring. These domains contain 302 specific detailed control objectives that target 34 different IT processes. CobiT is an open standard and may be downloaded from the ISACA web site at http://www.isaca.org/down.htm.

These standards provide a basis for measuring the performance of the information resource management activities within the administrative office of the courts. 

These standards-based performance evaluations are best performed by a certified, independent professional supported by a trained and competent technical staff. Such professionals are best prepared to target the performance review on those aspects of the IT operations that are at greatest risk of failure, fraud, or abuse. Systematic weaknesses can generally be classified as failures of general controls, failures of specific application controls, failures of access or security controls, or failures of data reliability. Each of these types of audit builds on the others, moving from the more general to the more specific. The auditors use risk analysis to determine the specific types of audits and reviews to be conducted at a particular time.

A general controls audit reviews the information systems in sufficient detail for the auditor to determine whether:

· Input data is correctly recorded, transcribed, and captured by the system;

· All processed transactions are appropriately authorized and captured without material omission or addition;

· All processing computations, accumulations, and comparisons are performed correctly;

· Output from the system is distributed to the proper recipients in a timely manner.

An application controls audit reviews the controls that are designed and implemented in the software and operating procedures that constitute the operating systems and application systems, in sufficient detail to determine whether:

· The application controls in the system design are adequate to provide reasonable assurance that the system will not be subject to denials of service, fraud, or abuse;

· The application controls are appropriately and accurately implemented in the computer software and in the operating instructions and supervisory practices associated with the system;

· Tests of the application controls indicate that the auditor can have reasonable assurance that the controls designed into the system and implemented by the programmers are not being intentionally or unintentionally defeated in normal operations.

General controls audits tend to be "black box" reviews that look at the policies and procedures of the organization and at the results of general functional tests of the system (e.g., checking that totals in system outputs cross-foot, or examining operations logs). Application controls reviews tend to be detailed examinations of source code and applications of unit testing, system testing, regression testing, and stress testing procedures to determine whether the system is "broken". Access and security controls audits review the procedures and programmatic safeguards to allow the auditor to determine whether:

· There is reasonable assurance that authorized individuals can gain access to the system and to the specific information that they have a need to know;

· There is reasonable assurance that unauthorized individuals cannot access the system, and that all individuals are restricted to the information that is essential to the accomplishment of their mission;

· Adequate backup and recovery plans exist to provide reasonable assurance that valuable data will not be lost;

· Adequate protection exists to prevent or limit the loss of resources to fire, water, wind, malicious attacks by employees, or malicious attacks by others outside the organization.

Data reliability audits are reviews that provide the auditor with reasonable assurance that the information contained within the organization's databases is accurate, valid, reliable, and timely, or that allow the auditor to make recommendations to improve data quality.
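Two of the audit tests described above, the cross-footing of totals in a system output (a general controls test) and validity and timeliness checks on stored records (a data reliability test), as an added Python example that is not part of the original article. The disposition report, the case records, the case-number format and the 365-day pending threshold are all constructed assumptions.

```python
"""Automated audit tests on constructed data: a cross-footing check on a summary
report, and validity/completeness/timeliness checks on case records."""
import re
from datetime import date

# Constructed monthly disposition report: one row per case type, each with a reported
# row total, plus a reported grand total. The criminal row is deliberately wrong.
REPORT = {
    "civil":    {"dismissed": 40, "judgment": 55, "settled": 25, "total": 120},
    "criminal": {"dismissed": 30, "judgment": 90, "settled": 0,  "total": 121},
}
REPORTED_GRAND_TOTAL = 240

def cross_foot(report, grand_total):
    """Recompute each row total from its detail cells and the grand total from the
    row totals; return one finding per mismatch (empty list means it cross-foots)."""
    findings = []
    sum_of_rows = 0
    for case_type, row in report.items():
        detail = sum(v for k, v in row.items() if k != "total")
        if detail != row["total"]:
            findings.append(f"{case_type}: details sum to {detail}, reported total {row['total']}")
        sum_of_rows += row["total"]
    if sum_of_rows != grand_total:
        findings.append(f"row totals sum to {sum_of_rows}, reported grand total {grand_total}")
    return findings

# Constructed case records, an assumed case-number format (YYYY-TT-NNNNNN) and an
# assumed audit date. Records 2 and 3 carry deliberate defects.
CASE_NO = re.compile(r"^\d{4}-[A-Z]{2}-\d{6}$")
AS_OF = date(2000, 2, 1)
RECORDS = [
    {"case_no": "2000-CV-000123", "filed": date(2000, 1, 5), "disposed": date(2000, 1, 20), "judge": "J01"},
    {"case_no": "2000-CV-000124", "filed": date(1998, 11, 6), "disposed": None, "judge": ""},
    {"case_no": "CV-99", "filed": date(2000, 1, 7), "disposed": date(1999, 12, 1), "judge": "J02"},
]

def check_reliability(records, as_of, max_pending_days=365):
    """Return (case_no, problem) pairs for records failing validity, completeness,
    internal consistency or timeliness checks; the pending threshold is an assumption."""
    findings = []
    for r in records:
        if not CASE_NO.match(r["case_no"]):
            findings.append((r["case_no"], "invalid case number format"))
        if not r["judge"]:
            findings.append((r["case_no"], "no assigned judge recorded"))
        if r["disposed"] and r["disposed"] < r["filed"]:
            findings.append((r["case_no"], "disposition date precedes filing date"))
        if r["disposed"] is None and (as_of - r["filed"]).days > max_pending_days:
            findings.append((r["case_no"], "still pending beyond threshold"))
    return findings
```

Each finding is a candidate audit exception to be traced back to the source transaction or record; an empty list for both tests is the "reasonable assurance" the auditor is looking for.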

The IT audit can provide strong and convincing evidence of the quality of information resources management.  The audit can reinforce public trust and confidence in the ability of the administrative office of the courts to efficiently and effectively manage those resources and in the reliability of the information used by court administrators and judges in reaching fair and impartial decisions.  The audit may also identify material weaknesses in the management of information resources and provide administrators with recommendations and suggestions for eliminating those weaknesses.  In either case, IT audits can be invaluable in reinforcing public trust and confidence in the judicial institutions and can provide strong evidence to support requests for resources from the legislative and executive branch funding agencies of government.

Henry K. Townsend is the Technology Operations Manager of the NCSC Court Technology Division.  He has over 25 years of experience in government, higher education, management, research and consulting. He can be reached at (757) 259-1567 or email to htownsend@ncsc.dni.us.