This open access book discusses the most modern approach to auditing complex digital systems and technologies. It combines proven auditing approaches, advanced programming techniques and complex application areas, and covers the latest findings on theory and practice in this rapidly developing field. Especially for those who want to learn more about novel approaches to testing complex information systems and related technologies, such as blockchain and self-learning systems, the book will be a valuable resource. It is aimed at students and practitioners who are interested in contemporary technology and managerial implications.
Author(s): Egon Berghout, Rob Fijneman, Lennard Hendriks, Mona de Boer, Bert-Jan Butijn
Series: Progress in IS
Publisher: Springer
Year: 2022
Language: English
Pages: 264
City: Cham
Preface
Contents
Editors and Contributors
Abbreviations
Auditing Advanced Information Systems and Technologies in a Modern Digital World
1 Introduction
2 Assurance Continuum
3 Technology Developments
4 Management Responsibilities
5 Outline of This Book
References
Auditing Complexity
1 Introduction
2 Object of Auditing
3 Auditing Criteria and Methodology
4 Clients
5 Auditors
6 Conclusions
Reference
Introduction to Advanced Information Technology
1 Introduction
2 Blockchain Technology
2.1 Basic Notions of Blockchain Technology
2.2 Smart Contracts
2.3 An Overview of Blockchain Architectures
3 Artificial Intelligence
3.1 How Machines Learn
3.2 Deep Learning and Neural Networks
3.3 Measuring the Accuracy of Machine Learning Algorithms
3.4 Using AI in Practice
3.4.1 Natural Language Processing
3.4.2 Speech Recognition
3.4.3 Image Recognition
3.4.4 Process Mining
3.4.5 Robotics
4 Cloud Computing
4.1 Cloud Computing Architecture
4.2 Cloud Computing Ecosystem
5 Conclusions
References
The Intercompany Settlement Blockchain: Benefits, Risks, and Internal IT-Controls
1 Introduction
2 Internal Control over Financial Reporting (ICFR): "IT-Controls"
2.1 IT-Controls
2.2 Benefits of Blockchain for Accounting
3 Case Study: "Intercompany Settlement Blockchain"
3.1 AS-IS: "Intercompany Settlement (ICS)"
3.2 TO-BE: "Intercompany Settlement Blockchain"
3.3 IT-Controls: "AS-IS Control Environment"
3.4 Objective and Risks: "Top-Down"
3.5 Objective and Risks: "ICS Blockchain"
3.6 Entity Level Controls: "Corporate Level"
3.7 Blockchain and ELC: "IT-Control Environment"
3.8 Transaction Level Controls: "IT-Dependent Controls"
3.9 Blockchain and Transaction Level Controls: "IT-Dependent Controls"
3.10 IT General Controls: "IT in Control"
3.11 Blockchain and IT General Controls: "IT-Controls"
4 Analysis: "IT-Control Change"
4.1 Process Level Controls
4.2 IT Level Controls
4.3 Process Level: "Application Level"
4.4 IT Level: "Corporate Level"
4.5 The External Auditor: "Controls"
5 Conclusions
Appendix: Framework TO-BE Corporate Blockchain
References
Understanding Algorithms
1 Introduction
2 Basic Notions of Algorithms
2.1 The Use of Algorithms in Practice
2.1.1 Automating Administrative Activities and Implementing Simple Legislation
2.1.2 Improving and Facilitating Operational Management
2.1.3 Targeted Deployment of Resources Based on Risk Predictions
2.2 Opportunities and Threats of Algorithms
3 An Audit Framework for Algorithms
3.1 Ethics
3.2 Governance and Accountability
3.3 Model and Data
3.4 Privacy
3.5 IT General Controls (ITGCs)
4 Case Studies
4.1 Selection of Algorithms
5 Analysis and Main Observations
5.1 Governance and Accountability
5.2 Model and Data
5.3 Privacy
5.4 IT General Controls (ITGCs)
5.5 Ethics
5.5.1 Respect for Human Autonomy
5.5.2 The Prevention of Damage
5.5.3 Fairness
5.5.4 Explainability and Transparency
6 Discussion
6.1 An Algorithm Does Not Have to Be a Black Box
6.2 No Insight Information: Need for Specific Tools
6.3 Predictive and Prescriptive Algorithms Still Under Development: Limited Impact on Private Citizens to Date
6.4 Insufficient Account Taken of Private Citizens
6.5 Improvements for the Responsible Use and Refinement of Algorithms
6.5.1 Governance and Accountability
6.5.2 Model and Data
6.5.3 Privacy
6.5.4 IT General Controls (ITGCs)
6.5.5 Ethics
7 Conclusions
Appendix: Methodology of the Audit
Analysis of Existing Algorithms
Brainstorming Session in September 2020
Constructing the Audit Framework
Practical Assessment of Three Algorithms
References
Keeping Control on Deep Learning Image Recognition Algorithms
1 Introduction
2 Machine Learning and Image Recognition
3 Related Frameworks
3.1 Steering and Accountability
3.2 Data and Model
3.3 Privacy
3.4 ITGC
3.5 Ethics
4 Case Study
4.1 Motivation for the Project
4.2 Image Recognition Greenhouse Damage
4.3 Process
4.4 IT Department
4.5 Project Output
4.5.1 Training and Testing the Model
4.5.2 Finetuning the Model
4.6 Organizational Aspects of the Project
4.6.1 Involvement of the Business Unit
4.6.2 Involvement of Other Departments
4.6.3 Compliance
4.6.4 Security
4.7 Benefits of the Project
5 Analysis of Case Study
6 A Framework for ML Algorithms
6.1 Fostering Trust in ML Algorithms
6.2 Control Areas of the Algorithm
6.2.1 Control
6.2.2 Process
6.2.3 Contents
6.2.4 Preconditions Aspects of IT General Controls (ITGCs)
6.3 Governance
6.4 Human Aspect
7 Role Auditor
7.1 What Requirements Must an Algorithm Meet?
7.2 Systems-Oriented Versus Data-Oriented Auditing
7.3 Conclusion Role of the Auditor
8 Conclusions
References
Algorithm Assurance: Auditing Applications of Artificial Intelligence
1 Introduction
2 Background
2.1 Common Risk Factors
2.2 Algorithm Task Environments
3 Running Example for This Chapter
4 Scoping an Algorithm Assurance Engagement
4.1 The Importance of Understanding an Algorithm's Context
4.2 Assurance Criteria
4.3 What Do the Trust Services Criteria Apply to?
4.3.1 An AI Model's Technical Architecture
4.4 Stakeholders in the Audit and Accountability
4.4.1 Accountability of Cloud Providers
5 Risk Assessment
5.1 Drivers for Likelihood and Impact
5.2 A Standard Set of Likelihood and Impact Drivers
5.3 Who to Involve in the Risk Assessment?
6 The Audit Plan
6.1 Audit Approaches
6.1.1 Approach 1: Evaluation of Algorithm Entity Level Controls
6.1.2 Approach 2: Testing the Model
6.1.3 Approach 3: Testing Monitoring Controls
6.1.4 Approach 4: Substantive Testing
6.2 Tools and Techniques
7 AI Skills and Expertise in the Audit
7.1 Realistic Problem Specification
7.2 Data Lineage
7.3 Reliability of Trained Models
7.4 Exploratory Data Analysis and the Use of Explainable AI (XAI) Techniques
7.5 Measuring Fairness
8 Discussion
8.1 Transparency and Standardization
8.2 Skills and Expertise
8.3 Auditing AI with AI
9 Conclusions
References
Demystifying Public Cloud Auditing for IT Auditors
1 Introduction
2 Cloud Computing
3 Audit Programs for Public Cloud Audits
3.1 Shared Responsibility Model
3.2 Frameworks
3.3 Audit Programs
3.4 Suitability of the Available Frameworks and Work Programs
4 Case Description: The ABN AMRO IT/Cloud Transformation
4.1 ABN AMRO Bank
4.2 IT Within ABN AMRO Bank
5 Internal Audit Activities on Public Cloud
5.1 Bringing the IT Auditors Up to Speed
5.2 Audits Performed
6 Conceptual Framework
6.1 Cloud Service Provider
6.2 Infrastructure Managed Services
6.2.1 Identity Management
6.2.2 Policy Management
6.2.3 Product Development
6.2.4 Subscription Management/Secure Landing Zones
6.2.5 Network Management
6.2.6 Security Event Monitoring
6.2.7 Summary of Key Risks and Controls for Infrastructure Managed Services
6.3 Services and Workloads
6.3.1 Network Configuration & Management
6.3.2 Identity & Access Management
6.3.3 Resource Security
6.3.4 Logging and Monitoring
6.3.5 Security Incident Response
6.3.6 Data Encryption
6.3.7 Business Continuity and Disaster Recovery (BCDR)
6.3.8 Summary of Key Risks and Controls for Services and Workloads
6.4 Processes
6.5 Policies and Standards
6.6 Governance
7 Discussion
7.1 Manual Versus Automated Controls and the Impact on Audit Procedures and Costs
7.2 Control over Public Cloud Environments Versus On-Premises IT
7.3 Public Cloud and DevOps
7.4 Relevance of the Distinction Between IaaS and PaaS
7.5 Managing Costs
8 Conclusions
References
Process Mining for Detailed Process Analysis
1 Introduction
2 Process Modelling and Analysis
2.1 Model-Based Process Analysis: Business Process Management
2.2 Process Modelling Languages: Procedural vs. Declarative
2.3 Data-Driven Process Analysis: Process Mining
2.4 Six Phases Within a Process Mining Analysis
3 Requirements and Core Principles of Process Mining
3.1 The Event Log
3.2 Process Discovery
3.2.1 The Mechanism Behind Process Discovery
3.2.2 Levels of Abstraction
3.2.3 Output
3.3 Conformance Checking
4 Process Mining in the Audit
4.1 Process Mining and the Internal Audit
4.2 Process Mining Interaction Internal and External Audit
4.3 Practical Applications and Available Software Tools
5 Conclusion
References