A Comparative Study of Information Systems Auditing in Sri Lankan Insurance Industry

Description
A THESIS
SUBMITTED TO
SRI LANKA INSTITUTE OF INFORMATION TECHNOLOGY
IN PARTIAL FULFILMENT OF THE REQUIREMENTS
FOR THE DEGREE OF
MASTER OF SCIENCE IN INFORMATION TECHNOLOGY

A Comparative Study of Information Systems Auditing in Sri Lankan Insurance Industry

Viraj Kariyawasam PGM-IT08-0411

A THESIS SUBMITTED TO SRI LANKA INSTITUTE OF INFORMATION TECHNOLOGY IN PARTIAL FULFILMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE IN INFORMATION TECHNOLOGY

September 2009


I certify that I have read this thesis and that in my opinion it is fully adequate, in scope and in quality, as a thesis for the degree of Master of Science.

MR. Yashas Mallawarachchi

I certify that I have read this thesis and that in my opinion it is fully adequate, in scope and in quality, as a thesis for the degree of Master of Science.

Prof/Dr/Mr/Mrs Co supervisor’s name and surname (Optional)

Approved for MSc. Research Project:

MSc. Research Project Co-ordinator, SLIIT

Approved for MSc:

MSc. Programme Co-ordinator, SLIIT


Declaration of originality
This is to certify that the work is entirely my own and not of any other person, unless explicitly acknowledged (including citation of published and unpublished sources). The work has not previously been submitted in any form to the Sri Lanka Institute of Information Technology or to any other institution for assessment for any other purpose.

Signed _________________________________________________

Date ___________________________________________________

Abstract


A Comparative Study of Information Systems Auditing in Sri Lankan Insurance Industry
Viraj Kariyawasam
MSc. in Information Technology
Supervisor: Mr. Yashas Mallawaarachchi
September 2009

An information systems audit is an examination of the controls within an Information Technology (IT) infrastructure. An Information Technology audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. The evaluation of the obtained evidence determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. The primary functions of an Information Technology audit are to evaluate the system's efficacy and security protocols, in particular to evaluate the organization's ability to protect its information assets and properly dispense information to authorized parties. As far as the Sri Lankan Insurance industry is concerned, there are opportunities to make use of Information Systems auditing in the insurance business in order to achieve the business goals while providing a better customer service and without any fraud. In view of the number of different perspectives on the nature of the information technology audit, the scenario of a standardized information technology audit methodology can be questioned. Therefore, the question that arises is whether it is possible (and desirable) to develop standardized guidelines for information technology auditing. This research will attempt to find an answer.

Acknowledgements


I would like to acknowledge my gratitude to Mr. Yashas Mallawarachchi, Sri Lanka Institute of Information Technology, for his useful advice, guidance and suggestions, which greatly contributed towards the success of this research. I pay my gratitude to everyone who contributed their time to being interviewed and to sharing their perceptions, attitudes, ideas and sometimes even their most private information. I thank my family members, my colleagues and the management of my office, Ceylinco Insurance Company PLC, for the support they have given me over the time.

Table of Contents
Abstract
Acknowledgements
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Study Background
1.2 Problem Statement (Definition)
1.3 Objectives & Research Questions
Chapter 2 Literature Review
2.2 Limitations of traditional auditors in Sri Lanka
2.3 Fundamentals of Insurance
2.3.1 The position of the insurer
2.3.2 Insurance is to do with risk
2.4 Classification of Risk
2.4.1 Attitude to Risk
2.4.2 Risk and Insurance
2.4.3 The Challenges for Insurers today
Chapter 3 Data and Methods
3.1 Introduction
3.2 Data Used
3.3 Sampling
3.3.1 Target Population
3.3.2 Representativeness
3.3.3 Variability
3.3.4 Selecting Insurance Companies
3.3.5 The selected method for data collection for Insurance Companies in Sri Lanka
3.4 Measurement Techniques
3.4.1 Likert Scale
3.5 Implementation of survey plan (collecting and analyzing data)
3.6 Data Analysis
3.7 Tabulate Information
3.8 Interpreting and reporting of findings
3.9 Methodology to identify internationally recognized benchmark IS Audit procedures
Chapter 4
4.1 Findings related to the evaluation of the existing Information Systems Audit level, identifying barriers to implementing Information Systems Auditing in Insurance Organizations in Sri Lanka and identifying the main important areas to implement and practice Information Systems Auditing in an Insurance Organization in Sri Lanka
4.1.1 General View of the Sri Lankan Insurance Industry
4.1.2 Information System Audit decision making in Insurance Companies
4.1.3 A separate department for handling and managing ISA Operations
4.1.4 No. of staff members in the IS Audit department
4.1.5 What is the capacity of the head of the IS Audit Department
4.1.6 To whom the ISA Department reports in your Organization
4.1.7 Information related to the IS Audit process in your Organization
4.1.8 If you don't have a separate IS Audit department, then who handles ISA operations in your organization
4.1.9 Information related to Business Process Planning and Support by IS Audit
4.1.10 Information related to Operation and Support by ISA
4.1.11 Technical Competence of ISA staff in your organization
4.1.12 ISA Infrastructure and Investment
4.1.13 Annual expenditure on ISA as a percentage of expenditure on IT in the same year
4.1.14 Annual expenditure on ISA as a percentage of the total revenue of the Organization
4.1.15 Frequency of IS Audit Assignments carried out in your Organization
4.1.16 Idea on Information System Auditing
4.1.17 Barriers in implementing a separate IS Audit Department
4.1.18 Practice of Information System Auditing in Sri Lanka
4.2 Findings related to the survey on internationally recognized Benchmark IS Audit procedure / Process
4.2.1 Standards for Information Systems Auditing issued by the Standards Board of the Information Systems Audit and Control Association (ISACA)
4.2.2 The Information Systems Audit Practicing Manual of KPMG Ford Rhodes, Thornton & Company Limited
Chapter 5 Discussion
5.1 General view of the Sri Lanka Insurance Industry
5.2 IS Audit level in insurance organizations in Sri Lanka
5.2.1 Investments in IS Auditing
5.2.2 The existing IS Audit Level in insurance organizations in Sri Lanka
5.3 Identifying barriers to implementing Information Systems Auditing in Insurance Organizations in Sri Lanka
5.4 To identify the main important areas to implement and practice Information Systems Auditing in an Insurance Organization in Sri Lanka
5.4 To identify Benchmarks in IS Audit Procedures and their suitability to Sri Lanka
5.4.1 Evaluation of suitability of identified benchmark IS Audit Standards / Procedures to insurance organizations in Sri Lanka
Chapter 6 Conclusions
6.1 Conclusions
6.2 Recommendations
Bibliography
Appendices
Appendix 1: Design process of the research project
Appendix 2: A questionnaire to evaluate the existing Information Systems Audit Level of Sri Lanka Insurance Organizations in order to identify the relevance of IS auditing to the sector

List of Figures
Figure 3.1 Sample Selection for insurance organizations in Sri Lanka
Figure 4.1 Categorization of Sri Lanka Insurance companies
Figure 4.1.1 Number of years in Business
Figure 4.2 IT Auditing Decision Making
Figure 4.3 Department handling IS Audit
Figure 4.4 No. of Staff Members in the ISA
Figure 4.5 Capacity of the head of the ISA Department
Figure 4.6 Reporting hierarchy in the ISA Audit
Figure 4.7 Information related to the IS audit process
Figure 4.8 Handling Information Systems Audit Functions
Figure 4.9 ISA relates to Business process
Figure 4.10 ISA relates to Operation Support
Figure 4.11 Technical competence of ISA staff
Figure 4.12 ISA infrastructure and Investments
Figure 4.13 Annual expenditure on ISA
Figure 4.14 Annual expenditure on ISA from the total revenue
Figure 4.15 ISA carried out assignments
Figure 4.16 Existing knowledge on ISA
Figure 4.17 Barriers in implementing a separate IS Audit Department
Figure 4.18 ISA carried out IS Audit functions

List of Tables
Table 1.1 Major Insurance Companies in Sri Lanka
Table 2.1 Capabilities of web sites
Table 3.1 Example of Likert Scale
Table 4.1 Capabilities of web sites
Table 5.4.1 Identified benchmark IS Audit standards
Table 5.4.2 Identified benchmark IS Audit procedures

Chapter 1 Introduction
1.1 Study Background


Over the years, conventional manual processes have gradually been replaced by computer systems everywhere, and the insurance industry is no exception. Central Databases, Data Warehousing, Online Fund Transfer and Corporate Websites or Intranets are no longer strange terms in the insurance industry. But the controlling and detecting methods, in other words the internal audit techniques, have not changed accordingly over the years. This is the area where traditional internal auditing lags and IS Auditing gains the lead. But in countries like Sri Lanka, where most CEOs are accountants or other professionals who are not very familiar with Information Technology, management still thinks traditionally: they believe Internal Auditing will do the job for them. Furthermore, in Sri Lanka Internal Auditors are also professional accountants, who are very reluctant to change from manual audit procedures to computerized audit procedures.

Since this study is on "Information Systems Auditing in Insurance Industry in Sri Lanka", it is advisable to identify current trends and future prospects in the Insurance Industry as well as in Information Systems Auditing. Insurance simply means sharing the risk among a large number of people in the society at a price. In the Sri Lankan context, a rapidly growing interest in insurance is visible among people not only in Colombo and its suburbs but also in remote areas. Especially after the tsunami disaster, not only insurance companies but also the general public speak a lot about insurance. Even before that, when the government started privatizing free services such as the Health Service, many people started buying insurance. As a result of this trend, a large number of companies invested heavily in the insurance industry during the last decade. Most of these investments were on computerizing their systems. According to the records of the Board of Insurance of Sri Lanka, the major players in the industry can be listed as follows.
Table 1.1 Major Insurance Companies in Sri Lanka

No.  Company                                   Type of Business
1    Ceylinco Insurance (Life) PLC             Life
2    Sri Lanka Insurance Corporation Ltd.      Life & General Insurance
3    Union Assurance PLC                       Life & General Insurance
4    Janashakthi Insurance Company PLC         Life & General Insurance
5    Eagle Insurance PLC                       Life & General Insurance
6    HNB Assurance PLC                         Life & General Insurance
7    Asian Alliance Insurance PLC              Life & General Insurance
8    Cooperative Insurance Co. Ltd             Life & General Insurance
9    Allianz Insurance Lanka Ltd               General Insurance
10   MBSL Insurance Co. Ltd                    Life & General Insurance
11   Amana Takaful PLC                         Life & General Insurance
12   Ceylinco Insurance (General) PLC          General Insurance

All the above companies are in heavy competition to increase their share of the market. Even though these companies use many tactics to improve awareness about insurance, they have captured less than 10% of the potential market; in other words, less than 10% of the Sri Lankan population owns an insurance policy. (Source: Insurance Board of Sri Lanka)

Then what is Information Systems Auditing? "Information Systems Auditing is the evaluation of Controls within the Information Systems Environment to ensure the integrity, reliability and accuracy of the information presented, often supporting the attestation of an audit and an evaluation of Information Systems Efficiency, Effectiveness and Economy." (Source: www.isaca.org) In other words, the purpose of Information Systems Auditing in the Insurance Industry in Sri Lanka is to evaluate the Controls within the Information Systems Environment to ensure the integrity, reliability and accuracy of the information presented, and to evaluate the efficiency, effectiveness and economy of information systems in the industry. This is particularly important when we consider that almost all Sri Lankan insurance companies invested heavily in computerization during the last decade.

1.2 Problem Statement (Definition)


When you study the Insurance Industry, it is clearly visible that, though investment in IT increased heavily during the last decade, the controlling and detecting methods, in other words the internal audit techniques, have not changed accordingly over the years. So today the conventional audit techniques practised in most of the insurance organizations in Sri Lanka are not able to cater to the industry requirements, which have changed drastically during the last decade. As a result, frauds, errors and mistakes have increased in an industry where a company has to look after customers' money for 20 to 30 years. Not only that, but as mentioned earlier, if the number of frauds, errors and mistakes in the industry tends to increase, customers will lose their faith in insurance and it will hinder the growth of the industry. So Information Systems Auditing in the insurance industry can be recognized as an industry requirement under current circumstances.


Though some insurance companies have already started, and other companies want to start, Information Systems Audit Divisions immediately, their top management is unclear about how to start an Information Systems Audit Division and how to segregate responsibilities among the Internal Audit Division, the Information Systems Audit Division and the External Auditors. As a result, in some insurance organizations the implementation of the Information Systems Audit Division has created an unnecessary cold war between the Internal Auditors and the Information Systems Auditors instead of enhancing the Control Mechanism.



Today not only customer expectations but also management expectations are very demanding. They expect reliable, functional, fast and user-friendly Management Information Services. Companies that provide such services have higher success rates. But with the tendency of errors, mistakes and frauds in Information Systems to increase, most of the IT departments in Insurance Organizations are not able to deliver what management requires. So instead of in-house software development, the senior management of Insurance Organizations turns to outsourcing, which again fails because of the software developers' poor knowledge of insurance and the lack of standard insurance packages at a reasonable price.


1.3 Objectives & Research Questions


• To assess the existing Information Systems Audit level of Insurance Organizations in Sri Lanka
• To identify barriers to implementing Information Systems Auditing in Insurance Organizations in Sri Lanka
• To identify the main important areas to implement and practice Information Systems Auditing in an Insurance Organization in Sri Lanka

The outputs of this research, "To identify the main important area to implement IS Auditing in an Insurance Organization in Sri Lanka" and "To identify the main important area to practice IS Auditing in an Insurance Organization in Sri Lanka", will be helpful in implementing and practicing IS Auditing in local insurance organizations. They will be a framework or guidance for CEOs and Internal Auditors who are not very comfortable and competent in IS Auditing. They will increase the popularity of IS Auditing in insurance organizations and ultimately reduce the IT related business risk in those organizations.


Chapter 2 Literature Review


The literature review of a research project accomplishes several objectives; basically it helps to get an idea about similar types of studies undertaken previously. Further, the readers of the research report can share other research approaches and findings for similar types of studies. According to my findings, there is not enough literature available in the local context regarding Information Systems Auditing in the Insurance sector. I then considered the global context through the Internet and was able to collect considerable background information related to Information Technology and E-commerce in insurance, but again nothing about Information Systems Auditing in Insurance.

The Information Systems Audit and Control Association (ISACA) is the world body of Information Systems Audit Professionals, and more than 90% of the world's IS Audit professionals are members of this organization. ISACA got its start in 1967, when a small group of individuals with similar jobs, auditing controls in the computer systems that were becoming increasingly critical to the operations of their organizations, sat down to discuss the need for a centralized source of information and guidance in the field. In 1969, the group formalized, incorporating as the EDP Auditors Association. In 1976 the association formed an education foundation to undertake large-scale research efforts to expand the knowledge and value of the IT governance and control field.


According to its website, today ISACA's membership, more than 35,000 strong worldwide, is characterized by its diversity. Members live and work in more than 100 countries and cover a variety of professional IT-related positions, to name just a few: IS auditor, consultant, educator, IS security professional, regulator, chief information officer and internal auditor. Some are new to the field, others are at middle management levels and still others are in the most senior ranks. They work in nearly all industry categories, including financial and banking, public accounting, government and the public sector, utilities and manufacturing. This diversity enables members to learn from each other and exchange widely divergent viewpoints on a variety of professional topics. It has long been considered one of ISACA's strengths. In the three decades since its inception, ISACA has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS auditing and IS control standards are followed by practitioners worldwide. Its research pinpoints professional issues challenging its constituents. Its Certified Information Systems Auditor (CISA) certification is recognized globally and has been earned by more than 38,000 professionals. Its new Certified Information Security Manager (CISM) certification uniquely targets the information security management audience. It publishes a leading technical journal in the information control field, the Information Systems Control Journal. It hosts a series of international conferences focusing on both technical and managerial topics pertinent to the IS assurance, control, security and IT governance professions. Together, ISACA and its affiliated IT Governance Institute lead the information technology control community and serve its practitioners by providing the elements needed by IT professionals in an ever-changing worldwide environment.
(Source: www.isaca.org)

According to its website, the Information Systems Audit and Control Association, Inc. (ISACA) has long recognized that the specialized nature of information systems (IS) auditing, and the skills necessary to perform such audits, require standards that apply specifically to IS auditing. However, as the proportion of members from the IS Control Professional community grows, ISACA has perceived a need to produce further ethical guidance and standards for its non-audit membership. The Standards for IS Control Professionals are considered ISACA's first steps in meeting this need.

The purpose of IT audit is to detect IT-related risks in a company, and to evaluate the security, efficiency, and reasonableness of the IT systems. Additionally, IT audit helps management to make sure that the existing IT systems are working, helps them to realize the role of IT systems in their business, and helps them to find new solutions for managing and controlling the existing IT systems. IT management audit assesses whether the company manages its IT systems in accordance with the internationally recognized COBIT practices (Control Objectives for Information and related Technology, published by ISACA annually). Based on the consultancy firm's standards, or the COBIT standards, the audit gives management confidence about the effectiveness of their IT solutions. The purpose of COBIT is to provide management and business process owners with an Information Technology (IT) governance model that helps in understanding and managing the risks associated with Information Technology. COBIT helps bridge the gap between business risks, control needs and technical issues. It is a control model to meet the need for IT governance and to ensure the integrity of information and information systems.

According to a survey done by KPMG Ford Rhodes, Thornton & Company Limited of USA in 2004, more than 90% of the globally recorded IS Audit assignments in 2003 were carried out by four big firms, namely KPMG Ford Rhodes, Thornton & Company Limited, E & Y, PricewaterhouseCoopers and Arthur Andersen. So the benchmark practice for Information Systems Auditing is set by these four big firms worldwide. According to the KPMG Ford Rhodes, Thornton & Company Limited Information Systems Audit practicing manual used in 2004, an IS Auditor has to concentrate on 13 major areas during an IS Audit assignment. They are:
1) Organization and Management Policies of the Organization
2) Segregation of Duties in the Organization
3) Logical Access Controls
4) Physical Access Controls
5) System Development and Program Change Controls
6) Business Continuity
7) Computer Operations
8) User Management
9) Communications
10) System Software
11) Database
12) End User Computing
13) Application Systems

Among related studies, Deloitte & Touche's Insurance Industry group, USA, did a research on 'The Insurance Industry: The E-commerce Imperative'. Though this is not my topic, I am interested in this research because they have done an assessment of the Information Technology level in Insurance Organisations, which is an area similar to assessing the existing Information Systems Audit level in my research. In their research they selected more than 20 insurance companies in the global context and separated them into three categories: property & casualty insurers, life insurers and e-insurers. Each web site was analysed and a summary of the findings, along with descriptions of the main features, was documented. The primary focus of the research was to investigate the underlying values produced by each e-commerce site based upon its transactional capabilities. In order to classify the company website strategies, they created a benchmarking guide. This guide measures the reactive ability of a company's site and its overall effectiveness in reaching the customer, especially as it relates to its insurance products. This classification does not refer to the transactional capabilities of the company sites with respect to their investment products, mutual funds and other product offerings.

Table 2.1 Capabilities of websites

Category  Capability
0         No site
1         General information provided, no e-Commerce capability
2         Agent referrals, lead qualification, information for business partners
3         Ordering, purchaser registration, claims information
4         Personalized customer service, claims submission, online account access
5         Policy sales, real-time claims processing, real-time access for business partners

Their research output can be summarized as follows:
• Invest now in strategy and Information Systems
• Integrate interactive customer service applications – real-time 'live' transactions
• Capitalize on the efficiencies of business-to-business applications
• Develop complementary multiple service and distribution channels
• Exploit brand recognition
• Ensure the security of web sites and the privacy of customer data
• IT and E-commerce is not optional but mandatory

"Auditing Information Systems", Jack J. Champlain, 2003, Second Edition, explains clearly how to audit the controls and security over all types of information systems environments. The concepts and techniques in the book enable auditors, information security professionals, managers, and audit committee members of every knowledge and skill level to truly understand whether or not their computing systems are safe. The book provides a detailed examination of contemporary auditing issues such as:
• Information system audit approach (physical, logical, environmental security)
• Computer forensics
• Information privacy laws and regulations
• New technologies and future risks

2.2 Limitations of the traditional internal auditors in Sri Lanka
In Sri Lanka almost all the internal auditors are professional accountants who are not very competent in IT and IT related auditing. The two basic accounting courses in Sri Lanka, namely the Chartered Accountancy course conducted by the Institute of Chartered Accountants of Sri Lanka and the AAT course conducted by the Association of Accounting Technicians of Sri Lanka, do not give the in-depth knowledge of IT that is required in handling systems based audits. As a result, though almost all the financial organizations automated or computerized their business systems during the last decade, the auditing techniques have not changed much. Our internal auditors still practise traditional vouching and other manual techniques. As a result, the sample they can check during an audit assignment has been limited. But over the years the volume and the complexity of the transactions have increased enormously. Not only that, but as a result of automation the audit trail has been lost. So the time is right to introduce new techniques to auditing, or in other words to automate auditing.


2.3 Fundamentals of insurance
Insurance may be described as a mechanism for transferring risks so that the losses suffered by a few members of a group are borne by the contributions (or premiums) of the many. The first function of insurance is to transfer risk by replacing uncertainty with certainty. The uncertainty as to whether a loss may occur, and if so how much it will cost, is replaced by paying a known fixed amount in advance, that is, the premium. The second function is to establish a common fund from which losses will be paid. The third important function is to have a method of providing a fair contribution (premium) to be paid by all those who are members of the fund (the insured). The members' (the insured's) contribution ought to be fair in relation to the degree of risk and the value of such risk that the member brings into or exposes the fund to.

2.3.1 The position of the insurer
If the above description and functions of insurance are accepted, the insurer may be considered as the custodian of the fund. This however would not be a complete illustration of the insurer, in that the insurer is more than a custodian. He is in fact also the owner of the fund. Further, he assesses the contribution, i.e. the premium payable by each member, and, should the claims on the fund exceed the resources available, he must make good any deficiency from his own assets.

2.3.2 Insurance is to do with risk
As stated earlier, insurance exists to combat the adverse effect of risks. Risk is inseparable from life and nobody is exempt from it. Obviously some people are exposed to greater risks than others. To a greater or lesser extent, the risks to life and property due to natural perils, such as flood, storm and tempest and earthquake, and man-made perils such as theft and those arising from the negligence of others as well as ourselves, are some of the more common ones that are constantly with us. For various reasons, details of which are beyond the scope of this article, insurers cannot and do not insure all the risks to which we may be exposed. A very general principle which an insurer may follow in deciding whether or not a particular risk could be insured will be his ability to calculate the appropriate premium for the risk, taking into account its degree, value and frequency over a period of time.

2.4 Classification of risks
There are different kinds of risks. They may be very broadly categorized as follows.

(a) Pure risks
These are risks which offer no prospect of gain: only a loss if the risk becomes a reality, or preservation of the status quo if it does not. Examples of pure risks are fire, flood, accident and death. These are risks which might normally be the subject of insurance.

(b) Speculative risks
These are risks which offer the possibility of gain or loss. Trade risks fall within this category. The most extreme form of such risk would of course be gambling. Generally, speculative risks may not be insured.

(c) Fundamental or catastrophic risks
These are risks which tend to affect large sections of society, the country or the world, rather than individuals. Thus fundamental risks have within them the element of catastrophe and have a tremendously widespread disaster potential. Examples of such risks would be war, particularly nuclear war, famine, earthquake and pollution. Because of their sheer magnitude and unpredictability in terms of the law of large numbers, insurers may simply not have the resources to cover such risks. In some countries "pools" are established to cover certain catastrophic risks such as earthquake.

2.4.1 Attitude to risk
How we react to the risks to which we are exposed depends largely on our attitude or mental approach to them. Since the total elimination or avoidance of risks is impossible, and in some situations undesirable, we have to accept some risks. This can happen in the following circumstances.
(a) There is no practical means of avoiding the risk
(b) We are unaware of the risk
(c) The likely consequences are not serious
(d) The cost or consequences of avoiding the risk are not acceptable considering the benefits or satisfaction of taking it
(e) The risk is acceptable

2.4.2 Risk and insurance
Our continued well-being in present society depends largely on economic factors. It is in the financial realm that perhaps the most strenuous efforts have been made to reduce or avoid risks. In particular, the individual or firm may seek to avoid risks in the following ways:

(a) Eliminating or reducing risks
This may be achieved by taking precautions. For instance, in a factory or office, fire, burglary and accidents to employees could be avoided by using modern machinery, regular maintenance, good housekeeping, safety measures and well constructed and secure premises. The individual may reduce or eliminate risks by simply not exposing himself to them, such as by not taking part in hazardous pursuits.

(b) Bearing or accepting risks
After evaluating the risk, an individual or organization may decide to bear the risk. This can be achieved in several ways, one of which would be to set up a fund into which contributions are made periodically with the intention of paying any losses out of the fund. Today many large organizations have taken this concept further by setting up their own insurance company, known as a "captive insurer", with which they place all their insurances. The ultimate objective is of course to retain for themselves the difference between the contributions (premiums) paid into the insurance fund and the amounts (losses and expenses) paid out.

(c) Transferring risks - insurance
By this means the risk is transferred from the individual person or organization to the common insurance fund. This fundamentally is what insurance is all about: transferring the risk which is upon the individual to the shoulders of the whole insuring community, "so that the loss lighteth rather easily upon the many, than heavily upon the few."

2.4.3 The Challenges for Insurers today
The steady deregulation of the insurance market, the emergence of new technologies, and increasing competition from existing and new entrants are all resulting in a new economic paradigm centred on the customer. This new paradigm will put many pressures on insurers.


Chapter 3 Data and Methods
3.1 Introduction
The framework of the research comprised the following stages (refer to Appendix 1 for a graphical representation):
1. Assessment of the Information Systems (IS) audit level in the insurance industry in Sri Lanka.
2. Identification of benchmark IS audit procedures.
3. Identification of their suitability to Sri Lanka.
4. Identification of the most important areas in which to implement and practise IS auditing in the local insurance industry.

3.2 Data Used
For this research the primary data collection method, that is, a 'made to measure' field research method, was chosen, because:
• there is no secondary data available on IS audit level assessments of insurance companies; and
• as this research is a purely academic one, an 'off the peg' method was considered inappropriate.
The survey approach was employed to collect the primary data, as the other two methods, experimentation and observation, were felt to be impracticable for data collection here.


3.3 Sampling
Sampling involves taking a portion of a target population so that sample statistics may be used to estimate population parameters within certain limits. There are several reasons for sampling. The most obvious one is cost: a sample is only a small portion of the target population. The second is to shorten the time involved in the research project. The third is that the use of samples is often the only practical way of finding information about large population groups. The main problem is ensuring that the sample represents the target population. Three terms are important in understanding the concept of sampling: target population, representativeness and variability.

3.3.1 Target population
The target population is the whole that the researcher wishes to study through sampling. In this research, the target population is the insurance organizations in Sri Lanka whose existing IS audit level is to be assessed. There are around 16 of them.

3.3.2 Representativeness
If the sample is to provide estimates of target population characteristics or parameters, it must be representative. This means that the sampling frame, or the arrangements for selecting units, must give every eligible unit an opportunity to be selected. In this research the following factors were considered when selecting insurance companies, in order to improve representativeness:
• private sector / government / foreign subsidiary;
• life insurance / general insurance / both / specialized;
• large / medium / small scale;
• number of years in the business.


These factors were applied when selecting the sample used to assess the Information Systems Audit Level.

3.3.3 Variability
Variability describes the limits within which estimates about the target population can be made from the sample. There is a direct relationship between the potential magnitude of the sampling error and the variability of the population. Among insurance companies, a low variability is observed.

3.3.4 Selecting Insurance Companies
The selected sample size is 16 insurance companies, and the quota sampling method is used to select the sample. The target population is all insurance companies operating in the Sri Lankan market. Initially the insurance companies are divided into strata as private sector, government or foreign subsidiary. Within each sector they are subdivided by scale as large, medium or small. Within each scale they are further classified by line of business as life insurance, general insurance or both. Finally, the samples from each stratum are combined into a single sample of the target population. This can be shown graphically as below.

Figure 3.1 Sample selection for insurance organizations in Sri Lanka
[Tree diagram: Insurance companies in Sri Lanka are split by sector (Private sector / Government sector / Foreign subsidiary), each sector by scale (Large / Medium / Small), and each scale by line of business (Life / General / Both).]


3.3.5 The selected method for data collection for insurance companies in Sri Lanka
The fully structured interview method was mainly used in this research to collect information from insurance companies. In most cases the information technology staff of the insurance companies were interviewed in person; all questions were read out by me to the respondent in an unbiased manner, and the responses were noted exactly as given. This method was chosen for the following reasons:
• it ensures that all questions are answered in the correct order;
• it is easy to check that the information technology staff have understood the questions, and they can be encouraged to answer as fully as possible; and
• because a live relationship was easily built, the reliability of the collected data is high.
Where interviewing was not practicable, the postal research questionnaire method was used: the same questionnaire was e-mailed to the required people, and telephone reminders were given to obtain quick responses. In some cases, because of very tight time schedules, information had to be collected from some personnel by telephone.


3.4 Measurement Techniques
Measurement is the process of turning the factors under investigation into quantitative data, and requires an appropriate scale of measurement on which the property's characteristics can be measured. When developing the questionnaire, particular attention was paid to introducing questions whose answers could be quantified. Even the questions asked to elicit emotional qualities such as attitudes and perceptions were framed with questioning techniques such as Likert scales and semantic differential scales, which can easily quantify the data.

3.4.1 Likert Scale
A list of statements reflecting the attitudes of the people interviewed is generated from semi-structured or depth interviews. The list of attitude statements developed is then tested on a sample of respondents, each of whom is required to score each statement on a five-point scale. Many questions in the IS audit level evaluation questionnaire were analysed and valued using a Likert scale.

Table 3.1 Example of a Likert scale

Option            Score
Always true         4
Frequently true     3
Sometimes true      2
Rarely true         1
Never true          0

3.5 Implementation of the survey plan (collecting and analysing data)
This involves processing and analysing the collected data to isolate the important information and findings.

3.6 Data Analysis
Data analysis entails the rearrangement, breaking down, reduction and separation of data into as many parts as needed to determine their nature, relative importance, function and interrelationships. In this research the following steps were carried out in the data analysis process.
• Checking for accuracy and clarity. As a first step, the data collected from the questionnaires were checked for accuracy and clarity.
• Checking for comprehensibility. Sometimes responses are not understandable, as is often the case with open-ended questions, or with scale-type questions where the respondent circles two answers when only one should be circled. This problem arose when dealing with responses received through the postal method.
• Checking for completeness. If a question in the data collection form is left blank, the researcher must decide whether to discard the question, to locate the missing data, or to record it as no response. In this research, questions left blank are recorded as 'no response'.
• Checking for consistency. Inconsistent responses are an inherent element of questionnaires.
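The Likert scoring of Table 3.1 and the checks listed above (blanks recorded as 'no response', two circled answers treated as incomprehensible, out-of-scale values treated as inaccurate, and a consistency check across questions) can be applied mechanically before the data are tabulated. The following Python example is added here for illustration and is not part of the thesis; the column names, the consistency rule (a company reporting no separate ISA department should not report ISA staff) and the sample responses are constructed.

```python
"""Survey data cleaning and Likert scoring for the IS audit level questionnaire.

Added example (not part of the thesis). The column names, the consistency
rule and the sample responses below are constructed for illustration.
"""
from collections import Counter

# Likert options and their scores, as in Table 3.1.
LIKERT = {"Always true": 4, "Frequently true": 3, "Sometimes true": 2,
          "Rarely true": 1, "Never true": 0}

LIKERT_QUESTIONS = ("uses_benchmark", "tech_competence")

# Constructed sample: one dict per respondent. Likert questions hold the
# option text as written or circled on the form; '' is a blank answer.
RESPONSES = [
    {"company": "C01", "has_isa_dept": "Yes", "isa_staff": 6,
     "uses_benchmark": "Always true", "tech_competence": "Frequently true"},
    {"company": "C02", "has_isa_dept": "No", "isa_staff": 0,
     "uses_benchmark": "Rarely true", "tech_competence": ""},
    {"company": "C03", "has_isa_dept": "No", "isa_staff": 3,   # inconsistent pair
     "uses_benchmark": "Sometimes true / Rarely true",        # two options circled
     "tech_competence": "Often true"},                        # not on the scale
]


def score_answer(raw):
    """Return (score, problem); score is None when the answer cannot be scored.

    problem is None, 'no response', 'incomprehensible' or 'inaccurate'.
    """
    if raw is None or str(raw).strip() == "":
        return None, "no response"        # 3.6: blanks are recorded as no response
    parts = [p.strip() for p in str(raw).replace(",", "/").split("/")]
    if len(parts) > 1:
        return None, "incomprehensible"   # two answers where one was expected
    if parts[0] not in LIKERT:
        return None, "inaccurate"         # value outside the five-point scale
    return LIKERT[parts[0]], None


def consistency_problems(row):
    """Assumed rule: a company with no separate ISA department cannot report ISA staff."""
    problems = []
    if row.get("has_isa_dept") == "No" and int(row.get("isa_staff") or 0) > 0:
        problems.append("isa_staff reported without an ISA department")
    return problems


def clean(responses):
    """Return (scored rows, issue log); each issue is (company, field, problem)."""
    scored, issues = [], []
    for row in responses:
        out = {"company": row["company"]}
        for q in LIKERT_QUESTIONS:
            score, problem = score_answer(row.get(q))
            out[q] = score
            if problem:
                issues.append((row["company"], q, problem))
        for p in consistency_problems(row):
            issues.append((row["company"], "consistency", p))
        scored.append(out)
    return scored, issues


def distribution(scored, question):
    """Respondents per Likert score for one question, excluding unscored answers."""
    return Counter(r[question] for r in scored if r[question] is not None)


if __name__ == "__main__":
    rows, issues = clean(RESPONSES)
    for q in LIKERT_QUESTIONS:
        print(q, dict(distribution(rows, q)))
    for issue in issues:
        print("FLAG", *issue)
```

Flagged rows go back to the respondent (or are recorded as no response) before the tables of Section 3.7 are built, so that a double-circled or off-scale answer never silently enters a score distribution.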

3.7 Tabulating the information
After grouping the information according to its relevance and relationships, a number of tables were created in a Microsoft SQL Server 2000 database and in MS Excel spreadsheets. When creating the tables, high priority was given to defining primary keys and maintaining proper relationships among the tables. SQL queries were formulated to obtain the desired outputs from the tables, and the results were converted to graphs and charts using MS Excel 2000.

3.8 Interpreting and reporting of findings
Interpretation, the next-to-last step, builds on the findings from the analysis and gives them meaning for the users. Interpretation can be pictured as moving from the results of the analysis to a synthesized whole, using induction to reach conclusions. Reporting the findings is the last step in the research project, and can be thought of as putting the research results into an understandable and usable format. The importance of effective reporting cannot be overemphasized: regardless of the quality of the research project and the accuracy and usefulness of the resulting data, the data will not be used if they are not effectively communicated to the appropriate decision makers. Chapter 4 is devoted to the research findings.

3.9 Methodology to identify internationally recognised benchmark IS audit procedures
(a) By studying the industry-recognized best practices of the four big firms, KPMG, Ernst & Young (E & Y), PricewaterhouseCoopers and Arthur Andersen. According to a survey done by KPMG Ford Rhodes, Thornton & Company Limited of the USA in 2004, more than 90 percent of the globally recorded IS audit assignments in 2003 were carried out by these four big firms. The benchmark practice for information systems auditing is therefore set by these four firms worldwide. According to the KPMG Ford Rhodes, Thornton & Company Limited information systems audit practising manual used in 2004, an IS auditor has to concentrate on 13 major areas during an IS audit assignment.
(b) By studying the information systems audit standards set by the Information Systems Audit and Control Association (ISACA) of the USA. ISACA is the world body of information systems audit professionals, and more than 90 percent of the world's IS audit professionals are members of this organization.
The internationally recognized benchmark IS audit procedures were thus identified based on the KPMG Ford Rhodes, Thornton & Company Limited information systems audit practising manual used in 2004 and the information systems audit standards set by ISACA (revised in 2004).


Chapter 4
4.1 Findings related to the evaluation of the existing Information Systems Audit Level, the identification of barriers to implementing Information Systems Auditing in insurance organizations in Sri Lanka, and the identification of the main areas in which to implement and practise Information Systems Auditing in an insurance organization in Sri Lanka
4.1.1 General View of the Sri Lankan Insurance Industry
There are two questions in the IS audit level evaluation questionnaire regarding the general nature of the company. In every company, different respondents gave the same answer to the same question.
a) Category-wise classification of Sri Lankan insurance companies
Figure 4.1 Categorization of Sri Lankan insurance companies
[Pie chart: Life & General 72%; Specialized 14%; Life 7%; General 7%]

In this research, all insurance companies in Sri Lanka were categorized by the areas they serve: life insurance, general insurance, a specialized area, or both life and general. According to the chart, 72 percent of insurance companies provide both life and general insurance cover.


b) Number of years in business
Figure 4.1.1 Number of years in business
[Pie chart: Less than 2 years 7%; More than 2 years 21%; More than 5 years 30%; More than 10 years 21%; More than 20 years 21%]

The number of years in the insurance business was asked in this research and the results are classified as in the chart. Only 21 percent of the companies have been in the insurance sector for more than 20 years, and the largest group, 30 percent, lies in the more-than-5-years band. Newcomers to the sector are around 7 percent.

4.1.2 Information Systems Audit decision making in Insurance Companies
Figure 4.2 IS Auditing Decision making
[Pie chart: Internal Audit Committee or ISA Committee 41%; Chief Executive Officer (CEO) 17%; Chief Information Officer (CIO) 17%; CEO & CIO 17%; Any other 8%]

Respondents were asked who takes information systems audit decisions in their company, from a set of options. As the chart shows, an Internal Audit Committee or ISA Committee is the most common decision maker, with the CEO, the CIO, and the CEO and CIO jointly all in second place. In one organization the Internal Audit Manager takes ISA decisions, which is recorded as 'any other'.

4.1.3 A Separate department for handling and managing ISA operations
Figure 4.3 Department handling for IS Audit
[Bar chart, number of companies: Have ISA dept / No ISA dept]

Whether the insurance company has a separate department to handle IS audits was checked during this research. According to the results, only one insurance company has its own ISA department to handle ISA assignments.


4.1.4 No of Staff Members in the IS Audit Department
Figure 4.4 Number of Staff members in the ISA
[Pie chart: Less than 5 83%; More than 5 17%; More than 10 0%]

Of the 12 companies, only one has a separate IS Audit department, but in both of the companies reporting IS audit staff, the number of staff in the IS audit function is between 5 and 10.

4.1.5 What is the capacity of the head of the IS Audit Department
Figure 4.5 Capacity of the head of ISA Department

[Bar chart, number of companies: A Middle Level Manager / No ISA dept]

Of the 12 companies, only one has a separate IS Audit department; in that company, the head of the IS Audit department is a middle-level manager.


4.1.6 To whom the IS Audit Department is reported in your organization
Figure 4.6 Reporting hierarchy in the IS Audit

[Bar chart, number of companies: A Senior Manager / No ISA dept]

Of the 12 companies, only one has a separate IS Audit department; in that company, the IS Audit department reports to a senior manager.

4.1.7 Information related to the IS Audit Process in your organization
Figure 4.7 Information related to the IS audit Process
[Bar chart, number of companies per Likert response (A/F/S/R/N) for each of five statements: Internal Development of ISA S/W; Uses Benchmark ISA Standards; Technical Competence in ISA; Sufficient Linkage; ISA a Separate Entity]
A = Always true, F = Frequently true, S = Sometimes true, R = Rarely true, N = Never true

The statements behind the chart are as follows.
Internal development of ISA S/W: Our ISA / IT department internally develops information systems audit software for company use.
Uses benchmark ISA standards: Our ISA department always uses benchmark ISA standards.
Technical competence in ISA: Our ISA department has adequate technical competence to handle all the company's ISA assignments.
Sufficient linkage: There is sufficient linkage between the ISA department and the other business departments.
ISA a separate entity: Our IS Audit department can always be seen as a separate entity.

To assess the ISA level of Sri Lankan insurance companies, it was necessary to obtain information about ISA competence, professionalism in handling ISA assignments, the independence of the ISA division and its usefulness to the other departments. Responses were rated using the Likert scale and are displayed graphically above.

4.1.8 If you don’t have a separate IS Audit Department then who handles ISA operations in your organization
Figure 4.8 Handling Information system Audit Functions

[Bar chart, number of companies: Internal Audit Dept or Consultants / No one]

Of the 11 companies without a separate IS Audit department, in 6 companies ISA assignments are handled by internal auditors or outside consultants. In the other companies there is no one to handle ISA issues.


4.1.9 Information related to business Process Planning and Support by ISA
Figure 4.9 ISA relates to Business Process
[Bar chart, number of companies per Likert response (A/F/S/R/N) for each of three statements: ISA Streamlines Business Process; ISA Strengthens Strategic Planning; ISA Improves Management Decision Making]
A = Always true, F = Frequently true, S = Sometimes true, R = Rarely true, N = Never true

The statements behind the chart are as follows.
ISA streamlines business process: Our ISA function helps to streamline the company's business process.
ISA strengthens strategic planning: Our ISA department helps strategic planning by assuring the accuracy of MIS reports.
ISA improves management decision making: Our ISA department improves the decision-making ability of management by improving system quality.

In this research it was necessary to obtain information about ISA support for the company's business process, its strategic planning and its management decision making.


4.1.10 Information related to Operations Support by ISA
Figure 4.10 ISA relates to Operations Support
[Bar chart, number of companies per Likert response (A/F/S/R/N) for each of five statements: ISA Enhances Quality of IT Products & Services; ISA Improves Productivity of IT Staff; ISA Enhances Utilisation of H/W, S/W & L/W; ISA Decreases Cost of New IT Products; ISA Enhances Our Reliability in IT]
A = Always true, F = Frequently true, S = Sometimes true, R = Rarely true, N = Never true

The statements behind the chart are as follows.
ISA enhances quality of IT products and services: Our ISA department enhances the quality of the IT products and services produced by our IT department.
ISA improves productivity of IT staff: Our ISA department improves the productivity of our IT staff.
ISA enhances utilization of H/W, S/W & L/W: Our ISA department improves the utilization of our computer resources.
ISA decreases cost of new IT products: Our ISA department decreases the cost of new IT products.
ISA enhances our reliability in IT: Our ISA department enhances our reliability in IT.

In this research it was necessary to obtain information about ISA support in enhancing IT product and service quality and in the utilization of the organization's computer resources, and also about the ISA contribution to reducing the company's IT cost.

4.1.11 Technical Competence of ISA Staff in your organization

Figure 4.11 Technical competence of ISA staff
[Bar chart, number of companies: All are professionally qualified in IT or ISA / Some are professionally qualified in IT or ISA / None are professionally qualified in IT or ISA]

Of the 12 companies considered, in one company all the ISA staff are professionally qualified in IT or ISA, and in another company part of the ISA staff is so qualified. In all the other companies none of the auditors have a qualification in IT or ISA.

4.1.12 ISA Infrastructure and Investment

Figure 4.12 ISA infrastructure and investments
[Bar chart, number of companies per Likert response (A/F/S/R/N) for each of five statements: ISA Always Uses Modern H/W and S/W; ISA Always Migrates to New Technologies; ISA Uses More Sophisticated Tools than Our Competitors; ISA Uses Modern Technology Used by the World's Leading Insurers; ISA Has Specialised S/W & H/W Not Owned by Others]
A = Always true, F = Frequently true, S = Sometimes true, R = Rarely true, N = Never true

The statements behind the chart are as follows.
ISA always uses modern H/W and S/W: Our ISA department enhances the quality of ISA by using modern hardware and software.
ISA always migrates to new technologies: Our ISA department always migrates to new technologies and is always up to date.
ISA uses more sophisticated tools than our competitors.
ISA uses modern technology used by the world's leading insurers.
ISA has specialised S/W and H/W not owned by others.

In this research it was necessary to obtain information about how up to date the company's ISA department is technologically, to make sure that it provides a quality job for the organization.

4.1.13 Annual expenditure on ISA as a percentage of expenditure on IT in the same year
Figure 4.13 Annual expenditure on ISA

[Pie chart: Less than 5% 61%; 5%-10% 23%; 10%-15% 8%; 15%-20% 8%; 20%-25% 0%]

Of the 12 companies considered, only one spends 15 to 20 percent of its annual IT budget on ISA, and another spends 10 to 15 percent. Three companies spend 5 to 10 percent, and all the others spend less than 5 percent of their annual IT budget on ISA.

4.1.14 Annual expenditure on ISA as a percentage of total revenue of the organization
Figure 4.14 Annual expenditure on ISA from total revenue
[Pie chart: Less than 2% 84%; 2%-4% 8%; 4%-6% 8%; 6%-8% 0%; 8%-10% 0%]

Of the 12 companies considered, only one spends 4 to 6 percent of its annual income on ISA, and another spends 2 to 4 percent. All the other companies spend less than 2 percent of their annual income on ISA.

4.1.15 Frequency of IS Audit Assignments carried out in your organization
Figure 4.15 ISA carried out assignments

[Pie chart: Never 42%; Never in Some Branches / Departments 25%; Sometimes by Outside Consultants or Our Internal Auditors 25%; Not so Regularly 8%; Regularly 0%]

Regularly: Since we have a separate department to handle and manage the ISA function, IS audit assignments are carried out regularly (every branch / department is audited at least once a year). No company.
Not so regularly: Though we have a separate department to handle and manage the ISA function, IS audit assignments have not been carried out regularly (not every branch and department is audited at least once a year). One company.
Never in some branches / departments: Though we have a separate department to handle and manage the ISA function, IS audit assignments have never been carried out for some branches / departments (some branches / departments have never been audited since their inception). Three companies.
Sometimes by outside consultants or our internal auditors: Though we do not have a separate department to handle and manage the ISA function, IS audit assignments have been carried out for some branches / departments from time to time by internal auditors or by an outside firm. Three companies.
Never: IS audit assignments have never been carried out in our branches / departments. Five companies.

4.1.16 Idea on Information System Auditing
Figure 4.16 Existing knowledge on ISA
[Bar chart: percentage of companies selecting each of answers A to F]

Legend:
A: The evaluation of controls within the information systems environment to ensure the integrity, reliability and accuracy of the information presented, often supporting the attestation of an audit, and an evaluation of information systems efficiency, effectiveness and economy.
B: Auditing organizational management policies, logical access, physical access, software development and control.
C: Integration of organizational audit culture to audit user interaction with the internal software used.
D: Management of all IT functionalities of the organization.
E: Auditing of computer operations and end-user computing.
F: Auditing of application systems, system software and databases.

According to the chart, out of 12 companies only 4 marked answer 'A' to question 2.2.9, while all companies marked answer 'B'.

4.1.17 Barriers to implementing a separate IS Audit Department
Figure 4.17 Barriers in implementing separate IS Audit Department

Legend:
A: IS audit functionalities must come under the existing Internal Audit Department.
B: Lack of knowledge on IS auditing.
C: Centralization of all IS auditing responsibilities, decision making and security.
D: Holding of the entire IS auditing function by a single person.
E: Lack of ISA professionals in Sri Lanka.
F: Lack of education institutes to train IS auditing.
G: Cost of forming a separate IS Audit department.
H: Lack of knowledge in segregating the functions of Internal Audit and IS Audit.
I: No legal background for IS auditing in Sri Lanka.
J: Positioning of the IS Audit department in the organizational hierarchy.
K: Recruiting additional staff for the IS Audit division.
L: Development of an IS audit policy for the organization.

According to the chart, all 11 companies marked 'Lack of ISA professionals in Sri Lanka', 'Lack of education institutes to train IS auditing' and 'Positioning of IS Audit department in organizational hierarchy' in answer to question 2.2.10. Of the 12 answers offered, 10 were marked by all companies.

4.1.18 Practice Information System Auditing in Sri Lanka
Figure 4.18 ISA carried out IS Audit functions

[Bar chart: percentage of companies interested in implementing each of the 13 IS audit functional areas: Organization and Management Policies; Segregation of Duties in the IT Function; Logical Access Controls to IT Resources; Physical Access Controls to IT Resources; System Development Controls and Change Controls; Business Continuity; Computer Operations; User Management; Communication; System Software; Database; End User Computing; Application Systems]

All 12 companies considered showed more than 70 percent interest in implementing all 13 functional areas.

4.2 Findings related to the survey on internationally recognized benchmark IS Audit Procedures / Practices
As explained in Section 3.9, the benchmark IS audit procedures were identified by studying the practising manuals of the four big firms, KPMG, E & Y, PricewaterhouseCoopers and Arthur Andersen, which covered more than 90 percent of the globally recorded IS audit assignments in 2003. In addition, the information systems audit standards set by ISACA (USA), the world body for IS auditing, were reviewed.

4.2.1 Standards for Information Systems Auditing issued by the Standard Board of the Information Systems Audit and Control Association (ISACA)
• 010 Audit Charter
  010.010 Responsibility, Authority and Accountability: The responsibility, authority and accountability of the information systems audit function are to be appropriately documented in an audit charter or engagement letter.
• 020 Independence
  020.010 Professional Independence: In all matters related to auditing, the information systems auditor is to be independent of the auditee in attitude and appearance.
  020.020 Organisational Relationship: The information systems audit function is to be sufficiently independent of the area being audited to permit objective completion of the audit.
• 030 Professional Ethics and Standards
  030.010 Code of Professional Ethics: The information systems auditor is to adhere to the Code of Professional Ethics of the Information Systems Audit and Control Association.
  030.020 Due Professional Care: Due professional care and observance of applicable professional auditing standards are to be exercised in all aspects of the information systems auditor's work.
• 040 Competence
  040.010 Skills and Knowledge: The information systems auditor is to be technically competent, having the skills and knowledge necessary to perform the auditor's work.
  040.020 Continuing Professional Education: The information systems auditor is to maintain technical competence through appropriate continuing professional education.
• 050 Planning
  050.010 Audit Planning: The information systems auditor is to plan the information systems audit work to address the audit objectives and to comply with applicable professional auditing standards.
• 060 Performance of Audit Work
  060.010 Supervision: Information systems audit staff are to be appropriately supervised to provide assurance that audit objectives are accomplished and applicable professional auditing standards are met.
  060.020 Evidence: During the course of the audit, the information systems auditor is to obtain sufficient, reliable, relevant and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
• 070 Reporting
  070.010 Report Content and Form: The information systems auditor is to provide a report, in an appropriate form, to the intended recipients upon the completion of audit work. The audit report is to state the scope, objectives, period of coverage, and the nature and extent of the audit work performed. The report is to identify the organisation, the intended recipients and any restrictions on circulation. The report is to state the findings, conclusions and recommendations and any reservations or qualifications that the auditor has with respect to the audit.
• 080 Follow-Up Activities
  080.010 Follow-Up: The information systems auditor is to request and evaluate appropriate information on previous relevant findings, conclusions and recommendations to determine whether appropriate actions have been implemented in a timely manner.
Effective date: these standards are effective for all information systems audits with periods of coverage beginning 25 July 1997.

4.2.2 The Information Systems Audit Practicing Manual of KPMG Ford Rhodes, Thornton & Company Limited
According to the KPMG Ford Rhodes, Thornton & Company Limited information systems audit practising manual used in 2004, an IS auditor has to concentrate on 13 major areas during an IS audit assignment. They are:

1) Organization and Management Policies
a) Evaluate the risk that organizational policies and management procedures are not in place to enable the IT function to be properly controlled.
b) Evaluate the risk that management and staff are not aware of their duties and responsibilities, which could result in loss of integrity and confidentiality of the company's systems and data.
• Overall responsibility for the IT function
• Formal organizational structure of the company and the place of IT in it
• IT steering committee
• Attitude of management towards IT
• Formal IT strategy for the next 3 years
• Whether the IT strategy supports the company's business strategy
• Formal IT budget
• Evaluation of IT investment
• Current version of system S/W
• Computer security policy
• Documented standards supporting the computer security policy
• Availability of a security committee or a similar body
• Security administration
• End-user computing policy
• Data ownership
• IT standards and procedures of the company
• Company compliance with regulatory and statutory aspects of IT
• Functions of internal auditors
• Company's IT manpower requirements (recruitment, training and dismissal)

2) Segregation of Duties
a) Evaluate the risk that the segregation of duties for staff, both within the IT department and between IT and user functions, is not adequate to prevent and/or detect errors or irregularities.
• Organizational chart of the IT department
• Job descriptions of IT staff
• Segregation of duties within the IT department
• Whether IT staff only have responsibilities for functions within the IT department
• Programmers segregated from users of the system
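Several of the tests in area 2 above and in area 3 (Logical Access Controls) below can be run mechanically over a user-access extract rather than by inspection: developers kept out of production data, user IDs removed when someone leaves, regular password changes, powerful IDs allocated to a named owner so their use can be monitored, and end users kept away from utilities that amend live data. The following Python example does this; it is an added example written for this page, not part of the thesis or of the KPMG manual. The extract layout, the 90-day password age limit, the audit date and the sample users are constructed assumptions.

```python
"""Audit tests over a user-access extract, covering segregation of duties
and logical access control items from the checklist.

Added example (not part of the thesis or the KPMG manual). The extract
fields, the 90-day password policy, the audit date and the users are constructed.
"""
from datetime import date

AS_OF = date(2009, 9, 1)          # assumed audit date, fixed for repeatability
MAX_PASSWORD_AGE_DAYS = 90        # assumed password-change policy

# Constructed extract: one row per user id, as an IT department might export it.
USERS = [
    {"user": "jperera", "dept": "IT", "role": "developer", "status": "active",
     "left_on": None, "pwd_changed": date(2009, 8, 20), "privileged": False,
     "prod_data": True, "utilities": False, "owner": "jperera"},
    {"user": "sfernando", "dept": "Claims", "role": "user", "status": "active",
     "left_on": date(2009, 6, 30), "pwd_changed": date(2009, 3, 1), "privileged": False,
     "prod_data": True, "utilities": False, "owner": "sfernando"},
    {"user": "admin01", "dept": "IT", "role": "operator", "status": "active",
     "left_on": None, "pwd_changed": date(2009, 8, 1), "privileged": True,
     "prod_data": True, "utilities": True, "owner": None},
    {"user": "rsilva", "dept": "Underwriting", "role": "user", "status": "active",
     "left_on": None, "pwd_changed": date(2009, 8, 15), "privileged": False,
     "prod_data": True, "utilities": True, "owner": "rsilva"},
    {"user": "kdias", "dept": "IT", "role": "operator", "status": "active",
     "left_on": None, "pwd_changed": date(2009, 8, 25), "privileged": False,
     "prod_data": True, "utilities": False, "owner": "kdias"},
]


def run_access_tests(users, as_of=AS_OF, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return findings as (user, control, detail); an empty list means every test passed."""
    findings = []
    for u in users:
        active = u["status"] == "active"
        # Segregation of duties: development staff must not reach production data.
        if u["role"] == "developer" and u["prod_data"]:
            findings.append((u["user"], "segregation", "developer has production data access"))
        # Leavers: the id must be removed once the person has left.
        if active and u["left_on"] and u["left_on"] <= as_of:
            days = (as_of - u["left_on"]).days
            findings.append((u["user"], "leaver", f"active {days} days after leaving"))
        # Regular password changes.
        age = (as_of - u["pwd_changed"]).days
        if active and age > max_age:
            findings.append((u["user"], "password age", f"{age} days since last change"))
        # Powerful ids must be allocated to a named owner so their use can be monitored.
        if u["privileged"] and not u["owner"]:
            findings.append((u["user"], "powerful id", "no named owner"))
        # End users must not hold utilities capable of deleting or amending live data.
        if u["dept"] != "IT" and u["utilities"]:
            findings.append((u["user"], "utilities", "end user holds data-amending utilities"))
    return findings


def summarise(findings):
    """Number of findings per control, for the audit report."""
    counts = {}
    for _, control, _ in findings:
        counts[control] = counts.get(control, 0) + 1
    return counts


if __name__ == "__main__":
    results = run_access_tests(USERS)
    for f in results:
        print("FINDING", *f)
    print(summarise(results))
```

Each finding maps back to one checklist item, so the output can be filed as evidence under the corresponding control rather than as a loose observation; the thresholds (audit date, password age) are parameters so the same tests can be re-run at follow-up.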

3) Logical Access Controls
a) Evaluate the risk that data files, application programs and/or operating systems could be accessed and/or amended without appropriate authority.
• Identification of sensitive data and applications, and the security measures applied to them
• Prevention of development staff from accessing data and S/W in the production environment
• Individual user IDs for each user
• Regular password changes
• Password issue and change control procedures
• Removal of passwords and user IDs from the system when someone leaves
• Access rights changed when employees are relocated
• Encryption of the password file
• Monitoring of the allocation, authorization and use of powerful user IDs and passwords
• Any other access control system in use
• End users prevented from using utility programs capable of deleting and amending data
• Development staff who have access to utility programs prevented from accessing live data
• Authorization and documentation of the use of utility programs on live data

4) Physical Access Controls
a) Evaluate the risk of accidental or malicious damage to, or theft of, computer equipment.
• Site control
  o Perimeter fence for the site
  o Access to the site is controlled and monitored

  o Staff and visitors prevented from parking close to the IT area
• Building control
  o Security of the building
  o Record of all visitors
  o Unattended access points
  o Control over unattended access points
  o Control mechanism to ensure that only staff and authorized visitors enter the premises
  o Authority to remove computer equipment from the premises
• Computer area
  o Restriction of access to computer rooms
  o Access to highly sensitive areas
  o Restriction and monitoring of access to sensitive areas
  o Windows to the computer area are protected
  o Ability to locate the computer area by observation
• Services
  o Access to the main power supply to the computer room
  o Alternative power supply
  o Loss or disruption of communication
  o Access to cable risers, distribution boards, PABX rooms, etc.
  o Service maintenance visits scheduled, authorized and monitored
  o Cleaners and service staff sign in and out of the computer area
• Environmental controls
  o Fire precautions
  o Fire drills held regularly

55

o Fire equipments are serviced regularly o Catering and kitchen facilities are away from computer area o Computer data, media and documentation adequately secured 5) System Development and Change Control a) Evaluate the risk that system developments and program changes are not authorized, tested and or documented and will not operate as designed • Methodology o Methodology for in-house developments o Adherence to the established methodology o Feasibility study on new developments and systems o User involvement in development o System and program documentation procedure o Produce control specifications o Use of automated tools (CASE) • Package Consideration o Dependants maintenance o Stability of the supplier o Documentation provided o Evaluation of Controls o Training and Technical support o Maintenance agreement with supplier o Source code is provided o If the S/W is owned by vendor Escrow agreement o S / W version update o Changes and upgrades checked and tested before installation on external suppliers and application

56

• • • • • • • •

Fourth Generation Languages Project Management Control QA Change control Procedures User involvement in change process Testing Procedures Training Documentation o System documentation o User manuals o Training manuals o Operating manuals

6) Business Continuity
a) Evaluate the risk that the business will not be able to resume effective operations (within a reasonable period of time) in the event that its existing processing facilities are not available.
• Recovery procedures
• Backup procedures (S/W, H/W, L/W and Data)
• Offsite storage tested for reusability of data
• Access to backups is restricted
• Access to backups is available 24 hours a day (who are they)
• H/W and environmental requirements
• H/W maintenance contracts
• Environmental controls
• Alternative power supply
• Personnel requirements
• Disaster recovery planning
• Insurance

7) Computer Operations
a) Evaluate the risk that inappropriate working practices may be adopted and that processing delays or disruption may occur as a result of lack of control over computer operations
• Management review and supervision
• Operation statistics including capacity monitoring
• Job set-up and scheduling
• Operating instructions
• O/P handling and distribution
• Incident handling

8) User Management (e.g. Financial Director, Financial Controller, Chief Accountant)
a) Evaluate the level of management concern that IT systems do not satisfy the business needs
• User satisfaction with critical systems
• User satisfaction with service from the IT function
• System stability

9) Communication
a) Evaluate the risk of inadequate security over data communications (e.g. data confidentiality, integrity and availability)
• Network of the organization
• Data encryption
• Network access controls
• Network resilience
• EDI (Electronic Data Interchange)
• Data security policies and procedures
• Adequate backup, recovery and restart capability in an in-house network failure
• Security of messages sent and received

10) System Software
a) Evaluate the risk that the integrity of the operating system may be compromised (i.e. through unauthorized amendment) or that the system S/W is not adequately secured (i.e. through backup copies)
• System S/W security
• Definition of system S/W security requirements
• Access controls to operating systems
• Identify sensitive system S/W
• System maintenance
• Version upgrades of system S/W
• S/W features
• System S/W backups
• Analysis and monitoring
(Please refer to the System S/W guidance notes in the manual)

11) Database
a) Evaluate the risk that the database is not properly maintained, i.e. data confidentiality, integrity, availability and accuracy
• Database Management System
• Database administration
• Data dictionary
• Data confidentiality
• Data integrity
• Data accuracy
• Data backup
• Database replacement plans

12) End User Computing
a) Evaluate the risk that the security of information could be compromised through end user use of PCs, terminals and/or workstations
• Policy and management
• Acquisition controls
• Security and control
• Procedural control and documentation
• Maintenance
• End user developments

13) Application Systems
a) Evaluate the risk that application systems do not contain appropriate controls to ensure the completeness and accuracy of input, processing and output of data
• Pre-implementation procedures
• Post-implementation procedures
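Several items of the logical access controls checklist above (user IDs removed when someone leaves, access rights changed on relocation, development staff kept out of production, regular password changes, powerful IDs monitored) can be tested mechanically by reconciling an account export against the HR roster. The script below is an added example, not code from the thesis or from the ISACA/KPMG material it draws on; the account records, roster, 90-day password age and monitored-ID list are constructed assumptions.

```python
"""Constructed example: mechanical checks for several of the logical access
control items in the benchmark checklist (not the thesis author's code)."""
from dataclasses import dataclass
from datetime import date

# Assumed policy values; the thesis does not state them.
MAX_PASSWORD_AGE_DAYS = 90
MONITORED_PRIVILEGED_IDS = {"sysadmin"}


@dataclass
class Account:
    user_id: str
    owner: str              # employee number, "" for shared/system IDs
    department: str         # department the access profile was granted for
    environment: str        # "production" or "development"
    privileged: bool
    enabled: bool
    last_password_change: date


@dataclass
class Employee:
    emp_no: str
    department: str
    role: str               # e.g. "developer", "underwriter"
    status: str             # "active" or "left"


def audit_accounts(accounts, roster, monitored_ids, today):
    """Return (user_id, finding) pairs, one per control exception found."""
    staff = {e.emp_no: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                     # disabled accounts are not exposures
        emp = staff.get(acct.owner) if acct.owner else None
        # Removal of passwords and user IDs when someone leaves
        if acct.owner and (emp is None or emp.status == "left"):
            findings.append((acct.user_id, "enabled account owned by a leaver or unknown employee"))
            continue                     # nothing else to check on an orphan
        if emp is not None:
            # Access rights changed when employees are relocated
            if emp.department != acct.department:
                findings.append((acct.user_id, "access profile not updated after relocation"))
            # Development staff prevented from accessing the production environment
            if emp.role == "developer" and acct.environment == "production":
                findings.append((acct.user_id, "developer holds a production account"))
        # Passwords changed regularly
        if (today - acct.last_password_change).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((acct.user_id, "password older than policy maximum"))
        # Allocation and use of powerful user IDs are monitored
        if acct.privileged and acct.user_id not in monitored_ids:
            findings.append((acct.user_id, "privileged ID not on the monitored list"))
    return findings


def run_sample():
    """Run the checks over a constructed account export and HR roster."""
    today = date(2009, 9, 1)
    roster = [
        Employee("E100", "Underwriting", "underwriter", "active"),
        Employee("E200", "IT Development", "developer", "active"),
        Employee("E300", "Claims", "claims_officer", "left"),
        Employee("E400", "Finance", "accountant", "active"),  # moved from Claims
    ]
    accounts = [
        Account("aperera", "E100", "Underwriting", "production", False, True, date(2009, 8, 15)),
        Account("bsilva", "E200", "IT Development", "production", False, True, date(2009, 8, 1)),
        Account("cfernando", "E300", "Claims", "production", False, True, date(2009, 3, 1)),
        Account("djayasinghe", "E400", "Claims", "production", False, True, date(2009, 4, 1)),
        Account("dbadmin", "", "IT Operations", "production", True, True, date(2009, 8, 20)),
        Account("oldtemp", "E999", "Claims", "production", False, False, date(2008, 1, 1)),
    ]
    return audit_accounts(accounts, roster, MONITORED_PRIVILEGED_IDS, today)


if __name__ == "__main__":
    for user_id, finding in run_sample():
        print(f"{user_id}: {finding}")
```

On the constructed data the script reports five exceptions across four accounts; the clean account and the already disabled one produce none.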


Chapter 5 Discussion
As discussed in previous chapters, this research was conducted using a questionnaire on ISA, and the sample was 16 local insurance organizations. However, responses were received from only 12 companies, and these results are listed in the earlier chapter. Benchmark IS Audit procedures were extracted from the standards of ISACA, USA (the world body for IS Audit) and from the 2004 practice manual of KPMG Ford Rhodes & Thornton Co. Ltd. (who carry out IT consultancy and IS Audit worldwide).

5.1 General View of the Sri Lankan Insurance Industry
According to the latest statistics available from the Insurance Board of Sri Lanka (IBSL), there are 16 insurance companies in the local market, and the insurance sector has been expanding competitively during the recent past. Out of the 16 companies, 72 percent provide both life and general insurance plans, while 7 percent provide only life insurance, 7 percent are general insurance providers, and the balance 14 percent are specialized insurers. Here the term ‘specialized’ can be defined as operating in selected areas or niches in the insurance market. Sri Lanka Export Credit Insurance Corporation is a very good example of this, as it provides only export credit insurance.


A few years back, a major share of the insurance market in Sri Lanka was owned by government sector insurance organizations, namely Sri Lanka Insurance Corporation (around 40 percent) and National Insurance Corporation (2 percent). But at present all insurance organizations are from the private sector except Sri Lanka Insurance Corporation, which was recently taken over by the government, and some foreign companies are also operating in the market. One example is Life Insurance Corporation Lanka Limited, which is an Indian-based company. After privatization, competition in the market has become very heavy. According to premium income, number of issued policies, existing life/general fund and other factors defined by the IBSL, insurance companies are categorized as large scale, medium scale and small scale. Under this classification, 21 percent of them belong to large scale, the same percentage to medium scale and 58 percent to small scale.

5.2 IS Audit level in insurance organizations in Sri Lanka
IS Audit decision-making is the key factor in measuring the existing IS Audit level in insurance organizations, since the success of any process depends entirely on right decision-making and the authority to implement those decisions. According to the results, in 17 percent of insurance companies the CEO takes the strategic level ISA decisions. This is 41 percent for the Internal Audit or ISA committee and 17 percent for both CEO and CIO. Another 17 percent is for the CIO alone. The balance 8 percent is for “Any other”, and in that company it refers to none other than the internal audit manager, who is a chartered accountant but not qualified in IT or ISA. As per professional views, the chief information officer is the major character in any organization in relation to IT, and he/she should be involved in major information technology decisions. Theoretically, the IS Auditor then evaluates the effectiveness and efficiency of IT. The independence factor is therefore not maintained where the CIO takes IS Audit decisions, since he is responsible for IT decisions also. So the best person to take IS Audit decisions is the CEO, and that is only 17%. The ISA committee or Internal Audit Committee option is also good if committee members are properly selected; that is 41%. Even then the total is only 58%. So logically, in 42% of Sri Lankan insurance organizations strategic IS Audit decisions are not taken by the proper person. So can one expect the IS Audit function to be performed well and to give its benefits, and value for the money invested in it, to its stakeholders in local insurance organizations? Beyond correct decision-making and the implementation of those decisions, it is also important to have a separate IS Audit department within the organization to handle IS Audits in an efficient and effective manner. According to the results of the research, only two local insurance companies have their own ISA departments. It appears that an information systems audit division is still a new concept for most of the companies. This fact became quite clear in the IT Level assessment research also.

The number of staff engaged in IS Audit is also useful in evaluating the effectiveness of the function. It is less than 5 in 83% of companies. It is quite certain that not all of them are IS Auditors but traditional auditors who handle IS Audit assignments using their experience. It will not be effective in any case. In all companies it is less than 10, and in 17% of companies it is between 5% and 10%. These 7% are represented by the one company that has a separate department for IS Audits. Then, to make suggestions and findings effective and to implement them properly, the capacity of the head of the IS Audit division is also important. In number it is one out of twelve. In this one company also, the head of IS Audit is a middle level manager, or in designation a manager. So it is also not very convincing when we consider the organizational structures of these organizations. In both of these companies the internal audit managers are in AGM grade, which is a senior manager post. So it is quite evident that even in the one company the IS Audit department receives stepmotherly treatment and care. The person to whom the IS Audit function reports is also important in implementing those decisions effectively. Again, this is not relevant to the 93% of companies which do not have a separate department for IS Audit. In the balance 7% of companies it reports to a senior manager, but the professional view is that it should report to the CEO or the IS Audit committee.

Furthermore, in evaluating the IS Audit level it is important to assess the technical expertise and competence of the IS Audit members in the organization. Aiming to do that, the first comment given was ‘Our ISA or IT department internally develops Information Systems Audit software for company usage’; 75% responded “never true” and another 8% “rarely true”. The next comment given was ‘Benchmark IS Audit Standards, Procedures & Practices are followed by our ISA team’; the response of 67% was “never true” and of another 8% “rarely true”. The next comment given was ‘Our technical and management expertise is adequate to satisfy company ISA requirements’; again the response of 67% was “never true” and of another 8% “rarely true”. Overall, all the comments given in this section received the “never true” or “rarely true” options more than 75% of the time.

Then, in six companies out of the eleven which do not have a separate IS Audit department, IS Audit assignments are handled by internal auditors or outside consultants, but not regularly. In the balance six companies there is no one to handle IS Audit assignments. The next questions were about Business Process Planning and Support by the IS Audit function in local insurance organizations. The comments given were ‘ISA streamlines business processes’, ‘ISA strengthens strategic planning’ and ‘ISA improves management decision-making’ respectively. For the first comment the “never true” or “rarely true” option was received 75% of the time. For the second comment it was also 75%, and for the last comment it was 58%. In general, the support of IS Audit to Business Process Planning, Strategic Planning and Management Decision Making in insurance organizations in Sri Lanka is very weak.

The next comments related to Operations support by the IS Audit function in local insurance organizations. The comments given were ‘ISA enhances quality of IT products and services’, ‘ISA improves productivity of IT staff’, ‘ISA enhances utilization of computer resources (H/W, S/W & L/W)’, ‘ISA decreases cost of designing new IT products’ and ‘ISA enhances IT product quality’. For the first comment, 83% of responses were “never true” or “rarely true”; the “never true” option alone was 75%. Likewise, for the other 4 comments the “never true” or “rarely true” option was received more than 75% of the time. Especially for the comment ‘ISA decreases cost of designing new IT product’, 75% of responses were “never true” and another 17% were “rarely true”. Overall, IS Audit has not improved the quality of IT in more than 75% of organizations. That is because the IS Audit function is not available in those organizations, or it is not practiced properly and productively by IS Audit professionals who are competent in the subject. In the next section, the IT or IS Audit technical knowledge of internal auditors was evaluated. Amazingly, in 93% of organizations internal auditors do not possess qualifications in IT or IS Audit.

I don’t think anything more than that is required to assess the IS Audit level in local insurance organizations. This is the problem highlighted at the beginning of the research also. Though the systems and the technology have changed over the years, nothing has changed in the controlling and detecting techniques, or in other words in the internal audit function. Still, our internal auditors in local insurance organizations use the manual methods used by their forefathers.


5.2.1 Investments in IS Auditing
The future IS Audit level of any company largely depends on present investments. To measure the future preparedness of ISA, a few statements were given in the IS Audit level evaluation questionnaire and their answers were analyzed. The first statement is ‘Our insurance company uses modern hardware and software tools for ISA’; 75% of companies rated it as “never true” and another 8% as “rarely true”. For the statement ‘We migrate to new technologies although current applications and tools can cater to our company requirements’, eight insurance companies out of twelve commented “never true” and one “rarely true”. The statement ‘Using more sophisticated ISA systems and tools than our competitive insurance companies’ received the same type of responses: 75% of companies said that it is “never true”. Similarly, the two comments ‘Follow modern technologies used by world leading insurance companies for IS Auditing’ and ‘Possess specialized hardware & software which are not yet available to other organizations for IS Auditing’ also received very low ratings for the “always true” and “frequently true” options. Finally, they were asked whether the insurance company increases ISA investments annually, and responses were high for the “never true” and “rarely true” options. Then the annual expenditure on IS Audit was questioned. The question was ‘According to your knowledge, what is the annual expenditure on ISA as a percentage of expenditure on IT in the same year?’ In 61% of companies it is less than 5%. In 23% of companies it is between 5% and 10%. In the two companies which have a separate department for IS Audits, it is between 10% and 15% in one and between 15% and 20% in the other, of the total expenditure on IT. The industry accepted percentage is 20%. So it is quite clear that the importance of IS Audit has also not been properly recognized in the industry.
So investment in IS Audit is neglected and forgotten, and by doing so most of the local insurance organizations have been exposed to a high risk unknowingly. The next comments were on the frequency of IS Audit assignments carried out in those organizations. The first comment was ‘Since we have a separate department to handle and manage ISA function, IS Audit assignments have been carried out regularly (Every branch / department is audited at least once a year)’. The percentage for this answer was 0 from 12 companies. Then the percentage for the comment ‘Though we have a separate department to handle and manage ISA function, IS Audit assignments have not been carried out regularly (Every branch and department is not audited at least once a year)’ was 8%. For 42% of companies the answer was ‘IS Audit assignments never have been carried out in our branches / departments’, and for another 25% each the answers were ‘Though we don’t have a separate department to handle and manage ISA function, IS Audit assignments have been carried out for some branches / departments from time to time by internal auditors or by an outside firm’ and ‘Though we have a separate department to handle and manage ISA function, IS Audit assignments never have been carried out for some branches / departments (Some branches / departments never have been audited since their inception)’.

5.2.2 The existing IS Audit Level in insurance organizations in Sri Lanka
So the final outcome of the IS Audit level evaluation research in Sri Lankan insurance organizations can be summarized as follows. The existing IS Audit level in insurance organizations in Sri Lanka can be given as Very Low on a scale with five levels, which are Very High, Moderately High, Reasonable, Moderately Low and Very Low, from the best to the worst. Only for the two companies which have a separate department for IS Audit, and which enjoy a market share of 40%, can it be given as Reasonable. For the other companies, which enjoy a market share of 60%, it is Very Low. So overall the IS Audit level in insurance organizations in Sri Lanka can be concluded as Very Low. The gravity of the problem can be understood in this way also: 60 persons out of every 100 who have an insurance policy in Sri Lanka have invested their money in organizations which do not evaluate their system and IT risk, which do not worry about their investment in IT and which do not worry about the efficient and effective utilization of their IT resources. So, dear policyholder, don’t you think that your money is at risk? In addition to my conclusion, at the end of the IS Audit level evaluation questionnaire I also asked the respondent himself to grade the IS Audit level in his organization. There too, more than 90% selected the answers “Moderately Low” or “Very Low”. This may be the reason why I found in my IT level assessment research that the majority of insurance organizations in Sri Lanka prefer vendor developed insurance products rather than in-house developed insurance applications. But again, customization of these products is very expensive and won’t give the expected results either.

5.3 Identifying barriers to implement Information Systems Auditing in Insurance Organizations in Sri Lanka
To identify the knowledge of Information Systems Auditing, a general question was given on the definition of ISA. According to the statistics generated by the analysis, it was found that only 33% answered the question ‘What is your idea about ‘IS Auditing’ in your organization’ correctly, that is, 4 companies out of 11 insurance organizations in Sri Lanka. The above fact shows that most of the insurance organizations do not have sound knowledge of IS Auditing. The other companies had marked combinations of the incomplete answers that were given, which proves that those companies do not have even a fair knowledge of ISA. This important fact shows that there is a huge knowledge barrier on ISA within most insurance companies in Sri Lanka, which thereafter becomes a barrier in the process of implementing Information Systems Auditing in insurance organizations in Sri Lanka.

In the process of identifying the barriers to implementing Information Systems Auditing, I conducted several interviews with all levels of staff of the IS Auditing department of Ceylinco Life PLC, which is the only company which had formed an IS Audit department within a period of one year in the Sri Lankan insurance industry. According to the interviews carried out at Ceylinco Life PLC, I was able to extract the barriers that they faced while forming the new ISA department in their company. To identify the barriers to implementing new ISA in the insurance industry in Sri Lanka, a specific question was given in the questionnaire on the barriers faced during the implementation process of ISA. The list of barriers given as answers to that question was designed using the barriers identified through the interviews and several other general barriers identified during the literature review conducted. The statistical analysis conducted on the question ‘If you are planning to form an IS Auditing Department in your Organization, what would be the barriers that you will face in the implementation process?’ shows that all 11 companies identified the three main barriers listed below, each of which carried a percentage of 100 in the analysis.
• Lack of ISA professionals in Sri Lanka
• Lack of education institutes to train IS Auditing
• Cost of forming separate IS Audit department

Other than the above main barriers, the statistics show that all companies identified 10 of the barriers given as relevant to them when considering a new implementation of ISA in their organization. Only two of the given barriers carry less than 50% in the statistical analysis. The list of barriers is given below, after prioritizing accordingly.
• Lack of knowledge in segregating the functionalities of Internal Audit and IS Audit
• Lack of knowledge on IS Auditing
• Recruiting additional staff for the IS Audit division
• Development of an IS Audit policy for the organization
• IS Audit functionalities must come under the existing Internal Audit Department
• Centralization of all IS Auditing responsibilities, decision making and security
• Cost of forming separate IS Audit department
• Holding of entire IS Auditing by single person
• Positioning of IS Audit department in organizational hierarchy


5.4 To identify the main important areas to implement and practice Information Systems Auditing in an Insurance Organization in Sri Lanka
5.4.1 Evaluation of the suitability of identified benchmark IS Audit standards / procedures to insurance organizations in Sri Lanka
Table 5.4.1 Identified benchmark IS Audit standards

Benchmark IS Audit Standard | Description (Please refer Chapter 4.3.1 for Standards) | Suitability to Local Insurance Industry
--- | --- | ---
Audit charter | Responsibility, Authority and Accountability | Suitable
Independence | Professional Independence | Suitable
Professional Ethics and Standards | Code of Professional Ethics | Suitable
Competence | Skills and Knowledge | Suitable
Planning | Audit Planning | Suitable
Performance of Audit Work | Supervision, Evidence | Suitable
Reporting | Report Content and Form | Suitable
Follow up Activities | Actions on previously reported issues | Suitable

Table 5.4.2 Identified benchmark IS Audit procedures

Benchmark IS Audit Procedure | Description (Please refer Chapter 4.3.2 for Procedures) | Suitability to Local Insurance Industry
--- | --- | ---
Organization and Management Policies | Organizational and Management Policies on IT | Suitable
Segregation of Duties | Segregation of duties within IT function | Suitable
Logical Access Controls | Access to Data & Applications | Suitable
Physical Access Controls | Physical Access to computer resources | Suitable
System Development and Change Control | S/W Development and Changes | Suitable
Business Continuity | Disaster recovery | Suitable
Computer Operations | Inappropriate Working practices | Suitable
User Management | Management satisfaction on Computer Systems | Suitable
Communication | Security on data communication | Will be suitable for the 25% of companies who enjoy online connectivity with their branches; for the others it is not required for the moment
System S/W | Security of Operating Systems | Suitable
Database | Security of the Database | Suitable
End User Computing | Security issues of End users | Suitable
Application Systems | Application System Security | Suitable

When we consider all the IS Audit Standards given by ISACA, every standard is equally important in the local environment also. The first standard speaks about how an IS Audit function should be started and the Responsibility, Authority and Accountability of the IS Auditor. The next one is about the auditor's Independence, which is very crucial in reporting errors and frauds. The next ISACA standard is about Professional Ethics and Standards. The next is about the Competence of the IS Auditor, or in other words his Skills and Knowledge. The next three standards are about Planning, Performing and Reporting of IS Audit assignments. The final standard is on follow up of reported issues. Similarly, all the IS Audit procedures practiced by the big four firms are also very relevant to the Sri Lankan insurance industry. There is only one IS Audit procedure which is not very much required by local insurance companies at this moment, since only 25% of companies are online connected with their branches. This is the security of Data Communication. But it will also be very useful in the near future, because the research found that most companies prefer to be online connected in the near future. But when we consider the cost factor also, for the time being it is not very much required to concentrate on audit procedures in data communication in local insurance organizations, except for the 25% of companies who are connected online with their branches.


The 12 insurance companies which were taken for the above analysis, “Practice IS Audit in an Insurance Organization in Sri Lanka”, proved that over 50% selected all the given IS Auditing functionalities of question no. 7 in the questionnaire.


Chapter 6 Conclusions
6.1 Conclusions
When the industry figures of the last few years are considered, it is quite visible that though investment in IT increased heavily during the last decade, the controlling and detecting methods, or in other words internal audit techniques, have not changed accordingly. So nowadays the conventional audit techniques practiced in most of the insurance organizations in Sri Lanka are not able to cater to industry requirements, which have changed drastically during the last decade. In other words, the IT in insurance organizations is ready for IS Auditing. Not only that, but as mentioned by several intellectuals in the industry, if the conventional audit techniques are not changed accordingly, the tendency will be an increase in the number of frauds, errors and mistakes in the industry. As a result, customers will lose their faith in insurance and it will hinder the growth of the industry in coming years. So Information Systems Auditing in the insurance industry can be recognized as an industry requirement under current circumstances. So “The general guideline to practice Information Systems Auditing in an Insurance Organization in Sri Lanka”, which is given at the end of this chapter, will cater to an industry requirement in the insurance industry in Sri Lanka. Not only that, but in some companies, though IS audit divisions have already been started, the return on investment is very low. The expected results have not been achieved. That is due to implementation weaknesses. For example, in 41% of insurance organizations in Sri Lanka the strategic decisions on IS Audit are not taken by the proper person. And again, even in the one company where we can see a separate department for the IS Audit function, the IS Audit managers are not satisfied with what they have done so far. One of them says “Though we have a separate department to handle and manage ISA function, IS Audit assignments have not been carried out regularly (Every branch and department is not audited at least once a year)” and the other says “Though we have a separate department to handle and manage ISA function, IS Audit assignments never have been carried out for some branches / departments (Some branches / departments never have been audited since their inception)”. All these disappointments may be due to lack of resources, bad planning, weak implementation and poor practice.

That is why many intellectuals and IT professionals in the industry believe that, though some insurance companies have already started, or other companies want to start, Information Systems Audit Divisions immediately, their top management is clueless about how to start an Information Systems Audit Division and how to segregate responsibilities among the Internal Audit Division, the Information Systems Audit Division and the External Auditors. As a result, in some insurance organizations the implementation of the Information Systems Audit Division has created an unnecessary cold war between the Internal Auditors and the Information Systems Auditors instead of enhancing the control mechanism. So the “main important areas to implement and practice Information Systems Auditing in an Insurance Organization in Sri Lanka”, which are given at the end of this chapter, will help to iron out at least a few issues in the insurance industry in Sri Lanka. Most of the IT professionals in the industry believe that the success of IS Audit in the local insurance industry will save the IT departments in these organizations from closing down in the near future and prevent their CEOs from exploring opportunities for outsourcing their insurance applications. Not only that, but it will retain in the industry millions of dollars which would otherwise be absorbed by foreign countries for insurance applications in future.


In such organizations, an investment in a separate IS Audit department will be a waste of resources. But they can assign external consultants / IS Auditors for their IS Audit assignments from time to time. In such an organization the IS Auditor does not have very much work to be done regularly, because outsiders do not have access to the policy database through the web. In such a situation, IS Audit assignments carried out from time to time by external consultants or IS Auditors are adequate. In no organization in the local insurance industry are online Need Analysis or Real Time Quotes provided. In such environments the full time IS Audit requirement is minimal. Then, in most organizations, online policy servicing functions for policyholders, such as Online Policy Application, E-Claim Processing, Online Payments and Online Agent referrals, are not available. In such situations the security threats to the live database are limited. So a huge investment in IS Auditing with a separate department is not very much required in those organizations. All these indicators suggest nothing other than the readiness of IT in the insurance industry in Sri Lanka for IS Auditing. So the IT of the insurance industry, at least in the largest 5 companies, which enjoy a market share of more than 90%, is ready for IS Auditing. So the urgent requirement is nothing other than the proper implementation and proper practice of IS Auditing in the insurance industry.


6.2 Recommendations
So to achieve the objectives of identify the main important area to implementation and proper practice of IS Auditing in the Insurance industry following two guidelines have to be established. 1) The Main important area to implement Information Systems Auditing in an Insurance Organization in Sri Lanka

a) Responsibility, Authority and Accountability of the IS Auditor has to be decided by the CEO or the Audit Committee or both of the insurance organization. b) In all matters related to IS Auditing the IS Auditor has to be independent form the audited from attitude and appearance in insurance organizations c) The IS Audit function has to be sufficiently independent from the area being audited to achieve it’s audit objectives in insurance organizations d) All the IS Auditors in insurance organizations have to adhere to the code of professional ethics published by ISACA (USA) and should give due professional care for all his IS Audit assignments in insurance organizations e) IS Auditor in an insurance organization should be Competent, Skilful and Knowledgeable to handle IS Audit assignments relevant to the insurance organization and should always engage in continuous professional education f) It is the sole responsibility and the duty of the IS Auditor in an insurance organization to audit and report on areas mentioned in the main important area to practice Information Systems Auditing in an Insurance Organization in Sri Lanka” which is given in the following recommendation in addition to assignments handover by the management of the insurance organization in time to time


g) For further reference, see the standards published by the Information Systems Audit and Control Association (ISACA), USA.

2) The main important areas to practice Information Systems Auditing in an Insurance Organization in Sri Lanka

It is the sole responsibility and duty of the IS Auditor to audit and report on the areas listed below, in addition to the assignments handed over by the management of the organization from time to time.

a) Organization and management policies
b) Segregation of duties in the IT function
c) Logical access controls to IT resources
d) Physical access controls to IT resources
e) System development controls and change controls
f) Business continuity
g) Computer operations
h) User management
i) Communication
j) System software
k) Database
l) End user computing
m) Application systems


Bibliography
[1] Information Systems Audit and Control Association (ISACA), "Certified Information Systems Auditor (CISA) Review Manual", USA, 2004.
[2] Uma Sekaran, "Research Methods for Business: A Skill Building Approach", 4th edition, Wiley India.
[3] The COBIT Steering Committee and Information Systems Audit and Control Foundation, "COBIT: Governance, Control and Audit for Information and Related Technology (Executive Summary, Framework, Control Objectives, Audit Guidelines, Implementation Tool Set)", 2nd edition, April 1998.
[4] KPMG Ford Rhodes and Thornton Co. Ltd., "Information Systems Audit Manual", UK, 2004.
[5] Deloitte & Touche, Insurance Industry Group, "The Insurance Industry: The E-commerce Imperative", USA, 2003.
[6] Anna Carlin and Frederick Gallegos, "IT Audit", California State Polytechnic University, Pomona.
[7] Jack J. Champlain, "Auditing Information Systems", 2nd edition, 2003.
[8] Eric Kannangara, "E-Business and Mobile Computing Prospects in Sri Lanka Insurance Industry", Sri Lanka Institute of Information Technology, Sri Lanka.
[9] The web site http://www.isaca.org
[10] The web site http://en.wikipedia.org
[11] Newspaper articles released by the Board of Insurance of Sri Lanka.
[12] Marten Simonsson and Pontus Johnson, "Assessment of IT Governance – A Prioritization of COBIT", KTH Royal Institute of Technology, Sweden.


Appendices
Appendix 1: Design process of the research project

(Figure: design process of the research project. The recovered labels of its stages are listed below.)

Identification of benchmark IS Audit procedures
Identification of their suitability to the local insurance industry
Identification of the main important areas to implement and practice IS Auditing in local insurance organizations
Assessment of the IS Audit level in insurance organizations in Sri Lanka
