A Quantitative Approach to Information Systems Audit in Small and Medium Enterprises

An Information Systems (IS) Auditor performs several audit-related functions in a Small and Medium Enterprise (SME): preparing a written IS audit procedure, comparing the actual IS configuration with documented configuration standards, assessing whether IS assets are secure, checking the access rights of users and system services, checking for the presence of IS security procedures and, finally, analysing transactions in an information system. The current work focuses on a quantitative approach to measuring the effectiveness of the IS audit functions in selected small and medium enterprises. The variations in KPI scores between sectors and regions are analysed for the sample SMEs. Finally, operational best practices for IS Auditors working in SMEs are suggested.


Introduction
An enterprise is mainly involved in economic activities. It can be categorized as Large, Medium or Small depending on the limits for investment, number of employees, balance sheet and total turnover. SMEs contribute to economic development across the world. Information Systems Audit plays an important role in SMEs that run computer-based application systems. Information Systems Audit ensures the protection of IS assets and maintains data integrity. It also helps in achieving organizational goals and facilitates the efficient usage of resources [1]. SMEs in the modern environment make extensive use of information system resources. This ensures a smooth flow of information between the various subsystems and improves the business processes as well. An Information Systems (IS) Auditor performs several audit-related functions in a Small and Medium Enterprise (SME): preparing a written IS audit procedure, comparing the actual IS configuration with documented configuration standards, assessing whether IS assets are secure, checking the access rights of users and system services, checking for the presence of IS security procedures and, finally, analysing transactions in an information system.

Objectives
The objectives of the present work can be stated as follows:
1) To assess the existence of IS Audit expertise in SMEs with reference to the KPI Maturity Level Index.
2) To study the variations in the KPI scores between the sectors and regions.
3) To suggest operational best practices for IS Auditors with respect to Information Systems Audit in SMEs.

Related Work
The article by Tommie W. Singleton [2] analyses four phases, beginning with the design phase. The operational effectiveness phase is concerned with the ability of the controls to achieve their goals (e.g. preventing a material misstatement). The monitoring phase involves continuous auditing of the controls and proper review of the change management procedures. The monograph by Khabib [3] gives an overview of controls for applications, data centre operations and access security. It also gives an overview of computer-based audit techniques for independently testing computer data. Jim Kaplan proposed [4] a simplified representation of the enterprise information environment. He gave an overview of the IS audit process, the accuracy, consistency and reliability of data, and the controls for the core processes and application systems. The fourth annual Information Systems Audit Benchmarking Survey, conducted by the Information Systems Audit and Control Association (ISACA) and Protiviti in 2014 [5], highlights the challenges and concerns relating to computer and internet security, IS staffing and resources, IS risk assessment and the IS audit reporting structure.

Present Scenario of Information Systems Deployment in SMEs
SMEs in the modern context make extensive use of IS infrastructure in their normal operations. However, IS Audit is yet to evolve significantly in many SMEs. Internet-based applications in SMEs face many problems related to information security. Fraudulent websites create problems for SMEs by stealing personal and confidential data such as passwords, credit card numbers and so on. The Federal Trade Commission has stated that the number of phishing attacks has increased to a large extent during the last five years [6]. Phishing sites target individuals, banks, SMEs, e-commerce websites and government organizations. Once the recipient has keyed in his/her personal details, the cybercriminals gain access to the recipient's confidential details and cause problems relating to the recipient's money, credit or account. SMEs also face threats from external as well as internal sources. For example, computer data are stolen using malware such as Trojans and viruses. Computer crime, as defined by the Association of Information Technology Professionals (AITP), includes unauthorized actions involving the usage, access, modification and destruction of hardware, software, data or network resources; the release of information; the copying of software tools; causing denial of service to genuine users; and using computer and network resources to illegally obtain information [7]. SMEs face external threats to their IS infrastructure from Trojans, spyware, viruses and worms. These threats penetrate web browsers, desktop computers and e-mail servers. The common assumption that small businesses are too small to be targeted by computer threats does not hold in the present scenario [8]. This is the background against which the current work investigates the objectives listed earlier. Equal sample selection from each stratum has been adopted: although the strata sizes differ, equal allocation is required in order to compare the differences among the strata [9]. The sample size has been chosen using a standard table for a given set of criteria [10].

Framework of Analysis
The statistical measures used include the following: measurement scale, mean and Two-way ANOVA. The KPI (Key Performance Indicator) considered for the stakeholder / IS Auditor is the Maturity Level Index.
The null hypothesis states that there is no interaction between the two factors, sector and region; the alternative hypothesis states that such an interaction exists. The hypothesis is tested with the primary data pertaining to the KPI Maturity Level Index, which measures compliance with IS practices. The current work is aimed at studying the maturity level of IS Audit in the sample SMEs. The observed values for the KPI Maturity Level Index are represented on a scale of 10. The sectoral and regional variations in both countries are analysed using Two-way ANOVA. Finally, the hypothesis is tested and appropriate inferences are drawn for the KPI Maturity Level Index. The results of the hypothesis testing with the primary data for India and the UAE are shown in Tables 1.A and 1.B.
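As an added illustration of the Two-way ANOVA procedure described above (this is example code written for this edit, not the paper's own analysis or data), the following Python block computes the sector, region and interaction F ratios for a balanced design of 3 sectors x 4 regions x 4 SMEs per cell, the same layout as one country in this study, and applies the decision rule used in the Findings: the null hypothesis is rejected when the calculated F exceeds the critical value at the 5 percent level. The 48 Maturity Level Index scores are constructed with a seeded random generator and are not the primary data. The critical values 3.25945 (sectors, 2 and 36 degrees of freedom) and 2.86627 (regions, 3 and 36 degrees of freedom) are the ones reported in the paper; no critical value is reported for the interaction term, so that F ratio is only computed, not judged.

```python
from itertools import product
import random

# Critical values at the 5 percent level as reported in the paper's findings:
# sector factor (2, 36 degrees of freedom) and region factor (3, 36 degrees of
# freedom).  The paper reports no critical value for the interaction term.
F_CRIT_SECTOR = 3.25945
F_CRIT_REGION = 2.86627

SECTORS = ["Manufacturing", "Services", "Trading"]
REGIONS = ["North", "South", "East", "West"]


def two_way_anova(cells):
    """Balanced two-way ANOVA with replication, computed from scratch (no scipy).

    cells maps (factor_a_level, factor_b_level) -> list of replicate scores,
    every cell holding the same number of replicates (here: SMEs per cell).
    Returns sums of squares, degrees of freedom, mean squares and F ratios
    for factor A, factor B, the A x B interaction and the error term.
    """
    a_levels = sorted({a for a, _ in cells})
    b_levels = sorted({b for _, b in cells})
    n = len(next(iter(cells.values())))
    if n < 2 or any(len(v) != n for v in cells.values()):
        raise ValueError("balanced design with at least 2 replicates per cell required")
    if len(cells) != len(a_levels) * len(b_levels):
        raise ValueError("every (A, B) combination needs a cell")
    a, b = len(a_levels), len(b_levels)
    scores = [x for v in cells.values() for x in v]
    grand = sum(scores) / len(scores)

    cell_mean = {k: sum(v) / n for k, v in cells.items()}
    a_mean = {ai: sum(cell_mean[(ai, bj)] for bj in b_levels) / b for ai in a_levels}
    b_mean = {bj: sum(cell_mean[(ai, bj)] for ai in a_levels) / a for bj in b_levels}

    ss = {
        "a": b * n * sum((a_mean[ai] - grand) ** 2 for ai in a_levels),
        "b": a * n * sum((b_mean[bj] - grand) ** 2 for bj in b_levels),
        "ab": n * sum((cell_mean[(ai, bj)] - a_mean[ai] - b_mean[bj] + grand) ** 2
                      for ai, bj in product(a_levels, b_levels)),
        "error": sum((x - cell_mean[k]) ** 2 for k, v in cells.items() for x in v),
    }
    df = {"a": a - 1, "b": b - 1, "ab": (a - 1) * (b - 1), "error": a * b * (n - 1)}
    ms = {k: ss[k] / df[k] for k in ss}
    f = {k: (ms[k] / ms["error"]) if ms["error"] > 0 else float("inf")
         for k in ("a", "b", "ab")}
    ss_total = sum((x - grand) ** 2 for x in scores)
    return {"ss": ss, "df": df, "ms": ms, "F": f, "ss_total": ss_total}


def decide(f_calc, f_crit):
    """Decision rule used in the paper: reject H0 when calculated F > critical F."""
    return "null hypothesis rejected" if f_calc > f_crit else "null hypothesis accepted"


def constructed_scores(seed=2011, per_cell=4):
    """Constructed Maturity Level Index scores (scale of 10) for every
    sector x region cell.  NOT the paper's primary data."""
    rng = random.Random(seed)
    return {(s, r): [round(rng.uniform(2.5, 6.5), 1) for _ in range(per_cell)]
            for s, r in product(SECTORS, REGIONS)}


def analyse(cells):
    res = two_way_anova(cells)
    return {
        "sectors": (res["F"]["a"], decide(res["F"]["a"], F_CRIT_SECTOR)),
        "regions": (res["F"]["b"], decide(res["F"]["b"], F_CRIT_REGION)),
        "interaction_F": res["F"]["ab"],
        "df": res["df"],
    }


if __name__ == "__main__":
    out = analyse(constructed_scores())
    print(f"Between sectors: F = {out['sectors'][0]:.4f} -> {out['sectors'][1]}")
    print(f"Between regions: F = {out['regions'][0]:.4f} -> {out['regions'][1]}")
    print(f"Interaction:     F = {out['interaction_F']:.4f} "
          f"(df {out['df']['ab']}, {out['df']['error']})")
```

The function is deliberately general (any number of levels per factor, any balanced replicate count), so it can be checked on a tiny 2 x 2 x 2 table worked by hand before being pointed at a full 3 x 4 x 4 table; the degrees of freedom it reports for that layout (2, 3, 6 and 36) are exactly those behind the critical values quoted in the Findings.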

Observation
In the case of India and the UAE, the average values of the Maturity Level Index observed for each pair of sector and region are shown in Tables 1.A and 1.B. Their values vary between 2.778 and 5.8333.

Findings
In the case of India, the sectoral and regional variations are summarized as follows.
Between Sectors: The calculated value of F (0.55686) is less than the table value F crit (3.25945) at the 5 percent level of significance. Hence, the null hypothesis is accepted.
Between Regions: The calculated value of F (0.4569) is less than the table value F crit (2.86627) at the 5 percent level of significance. Hence, the null hypothesis is accepted.
In the case of the UAE, the sectoral and regional variations are summarized as follows.
Between Sectors: The calculated value of F (5.57561) is greater than the table value F crit (3.25945) at the 5 percent level of significance. Hence, the null hypothesis is rejected.
Between Regions: The calculated value of F (2.16098) is less than the table value F crit (2.86627) at the 5 percent level of significance. Hence, the null hypothesis is accepted.

Inference
There are no significant variations in the Maturity Level Index scores between the three sectors in India. There are significant variations in the Maturity Level Index scores between the three sectors in the UAE. There are no significant variations in the Maturity Level Index scores between the four regions in either country. There is no significant interaction between the two factors, sector and region, in the determination of Maturity Level Index scores in either country.

The release of such systems should be audited on a regular basis so that they contain no security loopholes that might lead to an operating system (OS) level attack. In-house and external applications such as ERP, HR and Payroll should also be audited for their functionality. There should be proper controls for information systems purchased from third-party vendors. An IS auditor should examine the security of information systems in an SME, as described below:
Logical access
1. Passwords must be set according to the standards set by the IS Security department.
2. None of the last 5 passwords set should be the same.
3. There should be a certain time interval (say 30 to 90 days) within which passwords must be changed.
Physical access
1. No outsider should be able to enter the company's premises unless the entry procedure is followed. Each and every outsider should deposit proof of identity.
2. Laptops must be locked to the workstations when the laptop's owner has gone outside.
3. Access to the server room should always be recorded, and only authorized personnel should have access.
4. The server room should be protected from natural disasters.
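The logical access items 2 and 3 above (no reuse among the last 5 passwords, rotation within a 30 to 90 day window) are the kind of checks an IS auditor can run mechanically over a password-change audit trail. The Python block below is an added example for this edit, not code from the paper: the user names, dates and the change log are constructed, the 90-day limit takes the upper end of the window stated in the text, and in a real audit the records would be exported from the directory service or the application's own audit log (only hashes, never cleartext passwords).

```python
from datetime import date
import hashlib

HISTORY_DEPTH = 5   # item 2: the last 5 passwords must all differ
MAX_AGE_DAYS = 90   # item 3: upper end of the 30 to 90 day rotation window


def fingerprint(password):
    """Audit trails store a hash, never the cleartext.  A fixed salt is used
    here only so that equal passwords in the constructed log compare equal."""
    return hashlib.sha256(b"audit-example-salt:" + password.encode()).hexdigest()


def audit_user(changes, today, history_depth=HISTORY_DEPTH, max_age_days=MAX_AGE_DAYS):
    """changes: list of (date_changed, fingerprint) tuples, oldest first.
    Returns a list of findings; an empty list means the account complies."""
    findings = []
    if not changes:
        return ["no password change on record"]
    # item 2: every fingerprint among the most recent `history_depth` must be unique
    recent = [fp for _, fp in changes[-history_depth:]]
    if len(set(recent)) != len(recent):
        findings.append(f"password reused within last {history_depth} changes")
    # item 3: the current password must not be older than the rotation limit
    age_days = (today - changes[-1][0]).days
    if age_days > max_age_days:
        findings.append(f"password age {age_days} days exceeds {max_age_days}-day limit")
    return findings


def audit_all(change_log, today):
    """Run the checks for every account and return {user: [finding, ...]}."""
    return {user: audit_user(changes, today) for user, changes in change_log.items()}


# Constructed change log (hypothetical users and dates), not data from the paper.
AUDIT_DATE = date(2011, 3, 31)
CHANGE_LOG = {
    "alice": [(date(2010, 10, 1), fingerprint("a-first")),
              (date(2010, 12, 15), fingerprint("a-second")),
              (date(2011, 2, 20), fingerprint("a-third"))],
    "bob":   [(date(2010, 7, 1), fingerprint("b-one")),
              (date(2010, 9, 1), fingerprint("b-two")),
              (date(2010, 11, 1), fingerprint("b-three")),
              (date(2011, 1, 5), fingerprint("b-one")),      # reuse of an earlier password
              (date(2011, 3, 1), fingerprint("b-four"))],
    "carol": [(date(2010, 11, 15), fingerprint("c-only"))],  # never rotated since
}

if __name__ == "__main__":
    for user, findings in audit_all(CHANGE_LOG, AUDIT_DATE).items():
        print(user, "compliant" if not findings else "; ".join(findings))
```

Both thresholds are parameters so the same routine can be run at the 30-day end of the window, and the findings are returned as data rather than printed, which lets them be attached to the audit working papers or counted per user.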

Backup Policy
An IS auditor should examine the backup policy in an SME, as described below:
1. Frequent backups (on a daily, weekly and monthly basis) of the data within the systems / applications should be taken and kept in a secure place on the premises of the SME.
2. For critical data, the backup can additionally be stored at a secure remote site/location.
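The two backup-policy items above can likewise be tested against evidence rather than by interview alone: a backup catalogue (what was backed up, on which cycle, when, and where the copy is kept) is checked for a fresh on-site daily, weekly and monthly copy of every data set and for an off-site copy of each critical data set. The Python block below is an added example for this edit, not code from the paper; the data set names, dates and catalogue records are constructed, and the maximum ages per cycle (1, 7 and 31 days) are assumed thresholds, since the text names the cycles but not a tolerance.

```python
from datetime import date

# Maximum acceptable age, in days, of the newest on-site backup in each cycle
# (assumed thresholds for the daily / weekly / monthly cycles of item 1).
MAX_AGE = {"daily": 1, "weekly": 7, "monthly": 31}


def audit_backups(catalogue, today, critical):
    """catalogue: list of backup records, each a dict with keys
    dataset, cycle ('daily' | 'weekly' | 'monthly'), taken (date) and
    location ('onsite' or 'offsite').
    critical: set of data sets that item 2 requires to have an off-site copy.
    Returns {dataset: [finding, ...]}; an empty list means compliant."""
    findings = {}
    # include critical data sets that have no record at all, so they are not missed
    datasets = {r["dataset"] for r in catalogue} | set(critical)
    for ds in sorted(datasets):
        recs = [r for r in catalogue if r["dataset"] == ds]
        issues = []
        for cycle, limit in MAX_AGE.items():
            onsite = [r["taken"] for r in recs
                      if r["cycle"] == cycle and r["location"] == "onsite"]
            if not onsite:
                issues.append(f"no on-site {cycle} backup recorded")
            else:
                age = (today - max(onsite)).days
                if age > limit:
                    issues.append(f"newest on-site {cycle} backup is {age} days old (limit {limit})")
        if ds in critical and not any(r["location"] == "offsite" for r in recs):
            issues.append("critical data set has no off-site copy")
        findings[ds] = issues
    return findings


def rec(dataset, cycle, taken, location="onsite"):
    return {"dataset": dataset, "cycle": cycle, "taken": taken, "location": location}


# Constructed backup catalogue (hypothetical data sets and dates), not from the paper.
AUDIT_DATE = date(2011, 3, 31)
CATALOGUE = [
    rec("erp", "daily", date(2011, 3, 30)), rec("erp", "weekly", date(2011, 3, 27)),
    rec("erp", "monthly", date(2011, 3, 1)), rec("erp", "monthly", date(2011, 3, 1), "offsite"),
    rec("payroll", "daily", date(2011, 3, 25)), rec("payroll", "weekly", date(2011, 3, 25)),
    rec("hr", "daily", date(2011, 3, 31)), rec("hr", "weekly", date(2011, 3, 28)),
    rec("hr", "monthly", date(2011, 3, 5)),
]
CRITICAL = {"erp", "payroll"}

if __name__ == "__main__":
    for ds, issues in audit_backups(CATALOGUE, AUDIT_DATE, CRITICAL).items():
        print(ds, "compliant" if not issues else "; ".join(issues))
```

Note that the check reads the catalogue, not the backup media: a record proves that a job ran, not that the copy restores, which is why the DRP/BCP drill results in the next section are evidence in their own right.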

Disaster Recovery Plan (DRP) / Business Continuity Plan (BCP)
An IS auditor should examine the DRP/BCP in an SME, as described below:
1. Availability of a DRP/BCP plan.
2. Frequency of DRP/BCP drills.
3. Results of the drills must be maintained for future reference.

Research Methodology
This section deals with data collection, sources of data, the period of the study, the geographical area of the study and the sampling frame.
Data Collection: The primary data were collected from sample respondents chosen from among the Stakeholders / IS Auditors in select SMEs in India and the UAE. A questionnaire was prepared and administered to them to collect first-hand information from the sample population. The strategies for evidence collection and evaluation include the following: discussion, observation, a web-based survey using Google Documents and telephonic interviews.
Sources of Data: The data about SMEs have been taken from the Annual Reports of the Ministry of MSME, Govt. of India, Annexure-XII, and from the Mohammed Bin Rashid Establishment for SME Development, Dubai, UAE, for the period 2009-2010.
Period of the study: The period of the study, chosen to allow a worthwhile analysis, is 2010-2011.
Geographical area of the study: The geographical area of the study covers two countries, namely India and the UAE, chosen in view of feasibility and accessibility. The four regions considered in India are North, South, East and West. The four regions considered in the UAE are Abu Dhabi, Dubai, Sharjah and Other Emirates.
Sampling Frame: The stratified sampling method has been deployed in the current work. The strata considered for the study comprise three sectors: Manufacturing, Services and Trading. The set of criteria considered in the present work is: confidence level = 95% and level of precision = 5%. The number of sample SMEs chosen in each sector has been 4. The total number of Stakeholders / Information Systems Auditors selected from both countries (India and the UAE) has been 96 (i.e. 2 countries * 4 regions * 3 sectors * 4 SMEs/sector * 1 Stakeholder/IS Auditor per SME = 96).

DOI: 10.12948/issn14531305/19.3.2015.08