The paper discusses the approach adopted by the author in designing and subsequently evaluating a graduate Information Systems (IS) auditing course at the Australian National University. The unit provides education to a specialist group of professionals whose knowledge and skills are currently in high demand. The main reason for the scarcity of expertise in Information Systems auditing is that it appears to be a hybrid of two well established disciplines, namely Information Technology (IT) and Auditing, and as such has not yet reached a mature stage of development.
The paper proceeds by identifying the requirements of the external professional and the internal university environments in which the course operated, the resources available to it and the objectives to be achieved. Particular recognition is given to the pervasive effects of diverse and complex Information Technology on auditing. Next, the teaching components consisting of topics, instructions and grading are outlined. General Systems Theory provided the hallmarks for identifying the range of topics for the course.
As part of course evaluation, the course was compared with advanced IS auditing courses taught at other universities, both in Australia and Northern America. A number of differences are identified and discussed. To broaden access to information and to compare itself to developments elsewhere it is recommended that information systems auditing courses make increasing use of the electronic audit resources available on the fast growing Internet.
The knowledge and skills of this specialist group of professionals are in high demand and well rewarded because of a current shortage. The main reason for the scarcity of expertise in IS auditing is that it appears to be a hybrid of two well established disciplines, namely Information Technology and Auditing, and as such has not yet reached a mature stage of development. The challenge for educationalists is to devise education and training programmes that equip the novice IS auditors with the necessary knowledge and skills in this new profession in the most effective manner.
The auditing environment in Australia is influenced most strongly by The Institute of Chartered Accountants (ICA) and the IS Audit and Control Association (ISACA). Among the former are those who carry out statutory corporate audits. The strongest interest in IS auditing, however, comes from the latter because it is the only internationally recognised specialist IS audit body. It is estimated that in Australia there are about twelve thousand members of the ICA and one thousand practising IS auditors.
Within the auditing profession diverse approaches exist to auditing IT. For example, transaction-based auditing is suitable for centrally managed computers (eg. mainframe) whilst systems-based auditing focuses on applications and procedures (eg. general and application controls). The profession recognises that to carry out audits of IT the auditor needs to possess the necessary knowledge and skills. Furthermore, he or she cannot delegate the responsibility of forming an audit opinion to someone else when expertise and/or experience are lacking.
Figure 1: Overview of the design and conduct of an IS Auditing unit
| Objectives: |
|
The most difficult task of an IS audit course is to determine the range of topics (ie. which topics to include) and the coverage of these topics (ie. how much class time to spend on them). General Systems Theory (GST) provides hallmarks which were used to identify the range of topics for the course. These hallmarks have previously been used to develop a training course for computer security professionals (see Yngstrom, 1992). The postulates were listed and, by deduction, the implications for IS auditing were derived (Table 1).
| Postulates | Implications for IS Auditing |
|---|---|
| There exists an interrelationship and interdependence of objects and their attributes. | Focus on all components of IS - information technology, people, procedures, etc. |
| All systems have a gestalt - a wholeness. | Understand the environment in which IS operates. |
| All systems are goal seeking. | Security goals need to align with organisational goals, strategies and objectives. |
| All systems are open. | System inflows and outflows need to be controlled. |
| All systems transform inputs into output. | Processes that transform inputs into outputs need to be controlled. |
| Systems have a degree of structural order or disorder (entropy). | Disorder needs to be resisted or neutralised. |
| All systems need to be managed to reach their goals. | There is a requirement for security planning, management and control. |
| There exists a natural hierarchy within systems - systems contain subsystems. | Consider the degree of structure (complexity) within IS. |
| In complex systems specialised units perform specialised functions. | Focus on security requirements of specialised (technologically advanced) components of IS. |
| Open systems can reach their goals in many different ways (equifinality). | Have concern for more than just simple cause-and-effect of natural systems. |
The IS auditing implications were interpreted to become topics in the course. This was done in two ways. First, topics were derived directly from Table 1 and second, consideration was given to the requirements and influences of the external environment, namely IT and auditing. See Table 2 for the range of topics covered.
| Topic (US/Canada) | ANU | Australia (n=7) | US/Can (n=36) |
|---|---|---|---|
| IT/IS and Auditing (Audit Objectives) | 9.2 | 9.1 (7) 3.8-16.6 | 11.6 (9) |
| Computer Assisted Audit Techniques (Computer Audit Techniques) | 9.2 | 10.0 (7) 3.5-14.2 | 9.3 (13) |
| The Use of ACL (Generalised Audit Software) | 15.3 | 15.3 (5) 3.5-35.7 | 14.0 (12) |
| Issues in IS Security (Managing the EDP Function) | 7.7 | 8.7 (6) 7.1-14.2 | 9.1 (7) |
| (Computer Audit Process) | | | 30.0 (17) |
| Auditing Computer Programs and Data | 6.2 | 6.4 (4) 3.5-7.6 | |
| Internal Controls: general, applications, physical (General and Application Controls) | 6.2 | 15.0 (7) 7.1-21.4 | 30.7 (18) |
| Information Systems Development (Systems Analysis and Design) | 9.2 | 8.0 (7) 3.5-14.2 | 9.8 (10) |
| Internal Controls: Advanced IT | 6.2 | 12.9 (7) 7.1-16.6 | |
| Computer Crime and Abuse | 7.7 | 6.0 (3) 3.8-7.1 | |
| Professional Standards and Privacy | 7.7 | 5.9 (3) 3.5-7.1 | |
| Research Opportunities | 6.2 | 5.6 (2) 3.5-7.6 | |
| The Impact of IT Developments | 9.2 | 6.1 (5) 3.5-8.3 | |
| (Other) | | 11.8 (7) 7.1-16.7 | 18.4 (10) |
| Objectives: |
|
Based on Foster's (1987) finding that the knowledge gap between staff and students hindered teaching, outside speakers were used to complement and to supplement my own efforts. First, a debate took place between an audit and an IS faculty member in front of the class on how they viewed the integration of audit with IT/IS. A number of views were expressed and reflect the current pros and cons for the integration of IS, general auditing and IS auditing (see Kneer et al., 1994) and cross-training (see Owen, 1994). The other visitors were from academe and the computer industry.
The teaching material took the form of texts, readings and a computer laboratory. Extensive use of readings was made since it was found that IS auditing texts either were technologically out of date or lacked sufficient depth for an advanced graduate course. A computer laboratory provided the Audit Command Language (ACL) software which was used to carry out a computer audit case study. Students were also required to conduct an industry project. This had been arranged for them and consisted of a review of the IS security in a real life organisation and the submission of a report. The importance of a cooperative effort between academics and industry in IS auditing education was stressed by Bailey (referenced in Singleton and Flesher, 1994).
| Objectives: |
|
In devising a grading scheme it was endeavoured to satisfy the student's intrinsic, competitive and vocational motivation, rather than instilling a fear of failure (Entwistle and Tait, 1990). Emphasis was therefore placed on continuous assessment in the form of the audit case study and the industry project. The approach also satisfied the good teaching principle of providing freedom of learning and orientation to personal meaning (Ramsden and Entwistle, 1981) and the practical requirements of the two professional bodies. The internal university environment required the completion of a final examination. This consisted of solving problems and answering questions requiring some degree of reproducing knowledge gained.
| Instruction | ANU | Australia (n=7) | US/Can (n=20) |
|---|---|---|---|
| Cases and Problems | 12.4 | 32.6 (5) 20-50 | 19.6 (13) |
| Outside Speakers | 10.8 | 10.0 (1) | 15.7 (5) |
| Readings | 52.3 | 38.3 (3) 15-70 | 28.9 (11) |
| Text | 15.3 | 41.2 (5) 22-50 | 49.6 (14) |
| Computer Laboratory | 9.2 | 26.5 (4) 20-33 | |

| Grading (US/Canada) | ANU | Australia (n=7) | US/Can (n=109) |
|---|---|---|---|
| Computer Audit Case Study | 25 | 30 (5) 20-50 | |
| Industry Project | 25 | 22.5 (2) 15-30 | |
| (Cases and Problems) | | 16.6 (3) 15-20 | 36.7 (50) |
| Examination (Test and Quizzes) | 50 | 48.3 (6) 30-70 | 48.0 (57) |
| (Attendance and Participation) | | 13.7 (4) 5-30 | 15.4 (36) |
| (Homework) | | 5 (1) | 13.4 (8) |
| (Other Written Assignments) | | | 16.2 (14) |
| (Term Papers) | | 26.2 (4) 20-40 | 24.3 (42) |
Second, the organisations receiving the students' industry project reports reviewing their IS stated that the reports provided valuable assessments of the security of their information systems. Third, the students' evaluations of the course provided very strong endorsement of the design and conduct of the course. Students particularly valued the practical work they completed in the form of the audit case study and industry project. One student volunteered that it was the best course she had attended at the university.
Comparisons with other Australian universities indicate that more time could be spent on cases and problems in tutorials and in computer laboratories. ANU students, however, undertook two major practical assignments, namely the audit case study and the industry project, which they completed largely in their own time rather than in tutorials. Similarly, only a limited amount of formal instruction was provided on how to use the computer and the ACL audit software. Not much use of texts was made because those that were considered were judged to be inadequate. Instead a larger amount of time than other universities was spent on readings. Some adjustment in time between the use of texts and readings seems appropriate provided a suitable text can be found.
Comparisons with the US/Canada revealed the following major differences. First, in the US/Canada 30% of the topics are devoted to the computer audit process whilst this is not separately identified in Australia. Australian universities generally cover this topic at the undergraduate level. Table 3 shows that Australian universities spent a much higher average of class time on cases and problems than the ANU or US/Canada universities. This is due to the tutorial system practised at Australian universities where tutorials follow the lecture and are used to discuss and solve problems and cases. Both countries allocate about 50% to examinable parts of the course, which is high for a graduate course.
To broaden access to audit information and to compare itself to audit developments elsewhere it is recommended that the course makes increasing use of the electronic audit resources available on the fast growing Internet. This enables audit academics and their students to participate in discussion groups and mailing lists. These offer information on a variety of subjects such as innovative audit procedures, the sharing of CAATs, experiences gained from audits performed in a certain area, audit-related legislation, and so on.
Foster, G. (1987), "The Learner in Tertiary Education: A Forgotten Experience", Research and Development in Higher Education, 9, p.286.
Groomer, S. M., and Heintz, J. A. (1994), "A Survey of Advanced Auditing Courses in the United States and Canada", Issues in Accounting Education, 9(1), 96-108.
Kneer, D., Vyskoc, J., Manson, D., and Gallegos, F. (1994), "Information Systems Audit Education", IS Audit and Control Journal, IV, pp. 13-20.
Owen, L. (1994), "Looking Ahead: The Future of the IS Audit and Control Profession", IS Audit and Control Journal, IV, pp. 62-67.
Ramsden, P., and Entwistle, N. J. (1981), "Effects of Academic Departments on Students' Approaches to Studying", British Journal of Educational Psychology, 5, pp. 368-383.
Singleton, T., and Flesher, D. L. (1994), "The Developments of EDP Auditing Education, Research and Literature in North America: 1977 to 1994", IS Audit and Control Journal, IV, pp. 51-60.
Yngstrom, L. (1992), "General Systems Theory can Bridge the Gaps of Knowledge between IT-Security Specialists", In Managing Information Technology's Organisational Impact, ed. R. Clarke, and J. Cameron, Elsevier Publishers B.V., pp. 299-312.
Author: Dieter Fink, School of Management Information Systems, Edith Cowan University. Email: D.Fink@cowan.edu.au Fax: + 61 8 9387 7095
Please cite as: Fink, D. (1996). Educating across two disciplines: Challenges, course development and lessons learned. Different Approaches: Theory and Practice in Higher Education. Proceedings HERDSA Conference 1996. Perth, Western Australia, 8-12 July. http://www.herdsa.org.au/confs/1996/fink.html