Independent Annual Financial Report of Public Companies (Research Paper Sample)

Professor’s name Student’s Name Course Date IS 744 Final Exam- Internal Auditing Question 1 Meaning of “root cause analysis” and how an IT auditor goes about determining the root cause of an IT risk event or weaknesses in controls "Root Cause Analysis," commonly abbreviated as RCA, is a problem-solving approach that is used to critically establish the exact cause of a given event or problem. According to Ammerman, and Max (40) in the book "The root cause analysis handbook,” the root cause is used to refer to the actual cause of a specific problem or sets of problems. When such causes are eliminated, the risks of the problem occurring are minimal or not capable. Usually, the RCA is more of a reactive method because it is only employed when the given problem has already occurred. The reason as to why it assumes the reactive rather than the preventive dimension is because the aim is to prevent the issue or problem from occurring again. As Rosenfeld and Yehiel (140) argue, the RCA is more of a procedural help guide that analyses a problem, helps to discover, and understand the real causes of given problems. In so doing, the RCA provides the basis for the development of a practical solution that will prevent further occurrence of the problem. The root cause The root cause of the problem of MortgageNow Inc. is the absence of recommendations from the previous audit manager and the unqualified managerial system. Despite previous yearly internal audit revealing the presence of a similar problem, no appropriate measures have been adopted to prevent the occurrence of the problem in the future. The immediate indication is negligence among the staff members concerned with the process of updating user IDs of employees belonging to the Company. An absence of the physical, electronic, as well as assigned employee identifier, is the other potential root cause of the problem. According to Ashok Sarkar, Shri, Ranjan Mukhopadhyay, and Kumar (172), confirming employee identity is one crucial activity that should be granted the most accuracy possible. MortgageNow Inc. lacks the capacity to identify its employees using either the physical labels or electronic software. Other possible root causes of the problem should be lack of identification alerts during the process of recruitment of new employees or departure, the absence of modern technology and safety checks at the automated system and monitoring, and presence of a lot of laxity and negligence at the registration table. A recommendation that addresses the root cause of this identity management process Based on the variables discussed concerning the root cause of identity problems, possible solutions are at the disposal of the company to adopt in order to get rid of the recurring problem. First is the need for the company to improve its designs of the physical, assigned employee identifiers, and electronic system in order to prevent misidentification. Confirming employee identity during daily operations is one critical process that assists to ensure employee accuracy (Sarkar and et.al., 173). Physical, electronic, as well as the use of wristbands are particularly important in ID confirmation. Provision of identification alerts should be the second important measure to be adopted by the company. This should be adopted especially during the process of recruitment or departure of an employee. Identification alerts are crucial because they enable the registration system to automatically verify IDs, therefore reducing the issue of inappropriate user IDs and those that belong to employees who no longer work for the company. Finally, there is the need for MortgageNow Inc. to adopt the new technology which employs the automated system level safety checks, and improving on its registration measures (Sarkar and et.al., 174). New technology is effective in improving identity safety checks and monitoring. The use of radiofrequency identification (RFID) is the most efficient method because it decreases the chances of misidentification. It also plays an important role in the real-time monitoring of employees. Consequently, improvement of registration measures helps to protect against identity theft (Sarkar and et.al., 175). Just like in the case of the company, identity theft is vivid, as there are inappropriate user IDs and the presence of IDs that belong to employees who no longer work for the company. The adoption of the discussed measures is ideal in the elimination of the root cause of the problem. Question 2 Development of a high-level business process flow chart for an emergency change control process that takes into consideration the area of system development and change control Change Requester Director Change owner Change manager Start Resolving an incidence Follow Normal change process Approved Build and Deploy Change working Back-out change Executive backup plan. Communicate appropriately 9.Submit change Request 10.Post-implementation review (PIR) 11.Inform CAB 12. Close The area of system development is one very important that should be developed using the most essential steps in order to promote integrity and availability of the company’s information, confidentiality, and the availability of data. If the development and change process is not well adapted, the results may seem unattractive as the company is likely to lose its business opportunity or suffer from legal, and reputational risks. The flow chart represented above is one ideal for an emergency change control process. The steps 1- 12 show the flow of the change process. The emergency change control process starts with starts with an IT staff member whose sole responsibility is to start the change record by entering the change type (Langley and et.al., 4). The member also communicates the status of the change back to the business in order to prevent risks associated with loss of business opportunity while at the same time maintain the reputation of the company. If the emergency change is approved, it gets up to the next step where it is acted upon by the change owner-manager. This is important especially in avoiding compliance and legal risks. The Change Owner manager review and approves the change requests submitted by the IT staff member in a timely manner. In other words, the manager acts as a technical reviewer of the normal-low risk changes. Additionally, the owner-manager makes improvements to the change, in case of any and hands over the change process to the Change manager (Rafferty, Alannah, Nerina, Jimmieson, and Armenakis, 117). The Change Manager is the overall in the approval process as he validates the type of risk, ensures post-implementation reviews, and escalates to the IT manager in case of any unauthorized change. The Change manager may also implement improvements to the change management process, and therefore helping to prevent ineffective testing of changes and improper authorization. Owing to the various sub-steps that an emergency change is prone to follow, compliance risks are likely not to occur (Alannah and et.al. 118). The Documentation to test as an IT auditor in determining if the emergency controls are working effectively The basic function of the IT auditors is assisting in the independent evaluation of the company in order to ascertain whether policies, procedures, practices, and standards are safeguarded from any form of loss, unintended disclosure, service attack or damage. The IT audits reviews the organizational change environment (Haislip, Jacob, Peters, and Richardson, 7). Emergency change control simply stated is an open request to plan, review, specify, and implement changes to a system in an organization. If the controls are properly planned and well implemented, the changes provide the confidence that the unplanned is likely not to happen. Besides the change control process, it is very important that the IT auditors understand that all these changes to a business process should follow a given formal process to avoid certain risks. Once the audit process has effectively been accomplished, it is usually the case that all shortcomings are reported to the management for actions. However, the process of testing important documentation remains vital in the determination of whether the emergency controls are working effectively. Through the process of documentation, the IT specialist is able to document all relevant changes. Different changes not limited to fixes, major revisions or enhancement are invertible. As a result, it is important that the change to the system is first initiated by a documented document. The process of review and approval by the appropriate staff members then follows immediately (Chong and Gin, 17). For the purposes of testing, the documentation process should be able to test the following questions; Who is in the best position to request a change? Who is in a position to develop the proposed changes? Who has the capacity to move the approved change into production? Who can test the changes to ascertain the level of compliance with the set specifications? Besides the approval process, the auditor should be able to determine whether the change impact process and review was completed. This is an important tool to use in the testing process (Chong and Gin, 17). In case of any outstanding issues, it should be addressed using a back-out plan for the specific change. The specific change should also be in apposition to restore to the previous state. Because the back-out plans are essential in enabling the IT departments to restore the system to its previous working condition, it forms part of the overall organizational document and policies which should be tested for efficient working of the emergency control. Since organizations use the automated change management product for purposes of tracking the changes made on the system, the auditor should make it a priority to access the system and det...