The process of audit and control – a comparison of manual and electronic information systems

Caroline Allinson
Manager Information Security, Queensland Police Service
Information and Security Research Centre (ISRC), Queensland University of Technology, Brisbane, Queensland, Australia

Keywords: Law enforcement, Auditing, Information, Evidence, Electronic media

Abstract: A question is posed: have audit and control of information in a high security environment, such as law enforcement, improved or not in the transition from manual to electronic processes? This paper attempts to elucidate this question by a thorough examination of information collection, control of processing and audit in manual processes used by the Queensland Police Service, Australia, during the period 1940-1980. It assesses those processes against current electronic systems essentially introduced to policing in the decades of the 1980s and 1990s. The results of this assessment show that electronic systems provide for faster communications with centrally controlled and updated information readily available for use by a large number of users connected across significant geographical locations. It is clearly evident that the price paid for this is a lack of ability and/or reluctance to provide improved audit and control processes. Thus, the claim can be made that audit and control processes may be considered to have been downgraded in the electronic world where standard commercial systems are used.

1. Introduction

Organisations require a standard of good practice for internal processes relating to business activities.
Amongst other things, this standard must address policy and verifiable procedures, roles and responsibilities, accountability, proof of business processes, laws and regulations, and associated risks. Provision of adequate controls and evaluation of these controls dictate the inclusion of a combined audit and control process. In this context “control” is defined as “the policies, practices and organisational structures, designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected” (ISACA, 2001). “Audit” is the means by which implemented processes of control are effectively assessed and evaluated. Audit steps are performed to substantiate that controls have been properly and consistently applied and adhered to and that records correctly and completely reflect the transactions to which they relate.

This paper has been edited and reviewed by Professor William Caelli, Head of School of Data Communications, Queensland University of Technology (QUT), Brisbane, Australia. This paper has also been reviewed and approved for release by Mr Richard Warry, Deputy Chief Executive (Resource Management), Queensland Police Service, Brisbane, Australia.

Policing: An International Journal of Police Strategies & Management, Vol. 27 No. 2, 2004, pp. 183-205. © Emerald Group Publishing Limited, 1363-951X. DOI 10.1108/13639510410536814

Historically, audit and control was introduced when records were hand written and processes were manual. Most manual processes producing hand written or typed hardcopy form provided a visual and easily verifiable record of information. Whilst the traditional reasons for audit still exist, the techniques and objectives should have been expanded and enhanced to accommodate changes in industrial, technological and business processing.
In particular, the need for security, audit and control in the implementation and use of information technology (IT). To keep pace with the speed with which technology has developed, society has blindly, through either inability of understanding or complacency, trusted those implementing IT without really knowing or caring that audit and control processes may be eroded and downgraded.

In general, the introduction of electronic processing and communication through IT has been viewed as introducing new efficiency and services. However, due to a lack of understanding by executives, in this paper, it is contended that audit, security and control in this new environment have been progressively downgraded over the last 20 years. In most organisations, those involved at executive level did not participate in the introduction of IT. Owing to their lack of knowledge and understanding there has been little to no ownership and custodianship of IT by executives who largely consider it as a “cost centre”. This responsibility has been delegated to the IT professionals who themselves at the higher levels of management and directorship have not considered security, audit and control to be of significant importance nor ensured the introduction of electronic processes meets the accountability processes used in manual systems. Auditors and security managers have to fight to be heard. In many instances, the IT professionals have not understood nor cared about audit and security; historically, it has not been considered a high priority or even part of the IT formal education process. Such a statement could not be made in relation to the manually based systems of the past.

The introduction and consequent enhancement of IT that provides for electronic recording, storing, processing and transmission of information, in many cases has reduced the level of audit and control that was present in manual systems.
Manual recording had a chronological flow of the processing that was visually verifiable with hand written signing for proof of integrity and authenticity. Information systems handle the authorisation and signing of records very poorly. Whilst digital signatures are the subject of serious research and discussion, to date, there is no guarantee for validity of the signing of electronic documents to the same level present in manual systems. Review of content and inspection processes and accountability of actions taken in relation to records stored electronically are poor. IT systems have been developed with security as a low priority. Information systems audit trails implemented for the recording of activity performed against electronic systems have been either poorly designed and implemented, non-existent, turned off or overwritten within short time periods because of problems with space and storage. Removal of electronic records can be achieved with ease and without traceability. Where systems have poor to no information systems audit trails implemented, information can be removed without a trace.

The introduction of new technology can also create confusion for managers and users. For example, the introduction of electronic mail (e-mail) has attracted serious debate about the personal privacy of individuals, in particular the auditing and monitoring of e-mail use. Like the introduction of many other IT processes and systems, e-mail was introduced with a single user situation in mind. Organisations, now using it as a business tool, are faced with the dilemma of being able to differentiate personal use from business use and knowing what effect the introduction of auditing and monitoring procedures used in the past will have. There is an urgent need for rules and boundaries to be set in relation to this particular change in business practice.
There has been a very slow merging of the manual and electronic worlds where law enforcement agencies are concerned. They have an interest in the manual processes still in existence and the possible conversion of those manual processes to electronic processes and the effect these changes will have on evidentiary issues in legal proceedings in a court of law. Unfortunately they are driven by the agenda of the IT managers who do not always have a full understanding of the business and are, in many cases, too “technology focused” without due consideration of the impact that lack of security, audit and control will have.

Each change brings the expectation that all things will improve, be more accountable, and embrace and enhance past processes to ensure the new and more innovative methods in a number of areas such as auditability and control, user and management awareness, information dissemination, more and deeper knowledge of process and procedure, can meet any challenge. This paper reports on the analysis and results of testing this expectation by comparing manual and electronic processes and procedures used by the Queensland Police Service (QPS), Australia from 1940 to 2000. The history of audit is reviewed. The history of policy and procedure for QPS is given with critical analysis for additions, modification and deletions to record keeping in manual written form. This is compared with processes implemented or required for electronic record keeping to satisfy rules of evidence in a court of law.

2. The history of audit

The word “Audit” comes from Latin and is translated into English as “he hears”. This originated from the practice in ancient and medieval times where a person, required to account for their handling of public funds, appeared before a responsible official known as the “auditor” to give an oral account. The auditor listened to the account (Anderson, 1977; Lee, 1988).
Throughout history audit has been primarily associated with finance and accounting systems. “Bookkeeping” encompasses the record-keeping aspect of accounting. The first published work on accounting was written in 1494 by Luca Pacioli, a Venetian monk. He referred to the importance of internal controls and recommended that auditing of books takes place for internal checks (Anderson, 1977). History shows that audits of financial reports have been performed to detect fraud since at least the 15th century. However, the most rapid progress in this area has taken place within the 19th and 20th centuries (Carmichael and Willingham, 1987). The industrial revolution created a need for audit techniques that were adequate to handle checks on mechanization, factory-manufacturing operations, and the mass production of goods and the provision of services. The concept of “inspect, analyse and report” is the basis for most audit processes.

By the mid-20th century accounting processes were carried out by machines. Computers broadened the scope of bookkeeping and the term “data processing” or “Automatic Data Processing (ADP)” encompassed bookkeeping in electronic form (Meyer, 1998). Auditors, who were responsible for applying procedures which in their judgement were necessary to meet generally accepted auditing standards and rules of professional conduct, now needed to expand their knowledge base to incorporate computers and associated “unit record” systems.

The concept of audit in current information systems has changed from that of the past to involve a process whereby an electronic record is maintained of a particular series of events in order to provide evidence in the case of a dispute, to ensure compliance with certain rules and regulations, to check on the effectiveness of control systems, and to provide evidence in the case of criminal activity.
These records are commonly known as “audit trails” or “audit logs” and are a means of tracing all activities affecting a piece of information from the time it enters the system to the time it leaves. An audit trail also documents the path from input to output and should provide enough information to reconstruct or verify the entire sequence of events, either manually or through automated tracking procedures. For example, when several people are working on a document or records in a networked environment, an audit trail makes it possible to know which “user-id” was used to make a particular change, and when, or even to see the document before and after changes were made (Meyer, 1998).

Auditors rely heavily on electronically recorded audit trails during an information systems audit. Information systems auditing has thus become a specialised field within the audit profession. In this regard, significant work has been undertaken by the Information Systems Audit and Control Association (ISACA) in the development of guidelines for the process of information systems audit (ISACA, 1996).

3. The QPS procedures, process and controls

Law enforcement has always worked under a defined code of conduct and operational instruction in a written form. This written form was well established for the QPS by 1940 and was known as “The Policeman’s Manual (TPM)”, comprising a loose-leaf binder with inserted pages. Computerisation began in the late 1970s with the first mainframe computer specific to QPS use, installed in 1983.

TPM was introduced for QPS (1905) use by the then Commissioner Cahill in 1905. It was an adaptation of “TPM” developed by Sir Andrew Reed, K.C.B., Inspector-General of the Royal Irish Constabulary. It consisted of numbered “General Instructions”, more affectionately known as the “GIs”. The GIs were issued under rules made in pursuance of legislation governing the Queensland police and any breach of the GIs was deemed an offence against discipline.
There were five significant reprints of the manual by QPS during the 20th century. The most significant reprint involved renaming and restructuring after the Fitzgerald Enquiry [1] in 1989. The manual was renamed as the “Operational Procedures Manual (OPM)” and significantly restructured, removing the instruction numbering and introducing the format of “Policy, Order, Procedure” [2]. The OPM was made available in electronic form in the mid 1990s by way of an Intranet/bulletin board. Procedures for updating the electronic version of the manual are centrally controlled and achieved through a version control process that reflects the date and change made.

Until the manual was electronically produced each QPS police officer was issued with his/her own printed copy of the TPM and was required to be conversant with its contents. The TPM was considered personal property and each officer was instructed to treat it as such.

When amendments and additions to the TPM were necessary they were numbered for reference purposes and distributed to all members. On receipt of an amendment or addition, each officer was required to insert it into the relevant place in the manual and note the details in the “register of amendments”. The register of amendments was a separate page which was usually placed at the front of the TPM and consisted of a list of the number of the amendment or addition, GIs affected, date of insertion, and the officer’s own initials and the initials of the officer in-charge (OIC) (Figure 1) (QPS, 1968). The TPM issued between 1939 and 1953 (QPS, 1939) contained a GI such that if a member required the replacement of any amendment of the TPM earlier issued s/he was required to pay the sum of 1 shilling, now technically equivalent to 10 cents, but a considerable amount in terms of pay rates in that period.
It is considered by many officers that the action of manually updating their TPM assisted in their knowledge base remaining up to date.

A two level inspection process for monitoring of printed copies of TPMs was in place. The OIC of each police establishment would regularly inspect each manual held by members stationed at that establishment to ensure that the manuals were complete and up to date. As part of their inspection process District Officers were also required to examine all manuals for completeness (QPS, 1956, 1968).

The implementation of electronic copies has taken away the enforced reading and noting process of the past. It has also taken away the auditing and inspection to ensure that officers were complying with instructions and updating manuals that in turn provided knowledge of the change. Notification of changes is now communicated to all officers by the QPS mainframe computer based “Message System”. This method of communication requires the message to be printed and a manual verification check is made by each officer signing the print-out to acknowledge the advice. There is no way to verify that officers accessed the electronic instructions to update their knowledge base in the first place.

Procedures in electronic form reduce cost and administration functions and ensure up to date information is made available consistently. However, availability of systems provided electronically is an issue to be considered. If the system is experiencing problems and not operational for periods of time, access to instructions and operational procedures is not available online. Copying to other media, to provide for “standby” copies in case of system failure, is an administrative overhead and difficult to trace and control. Users may be using out of date and incomplete instructions. A problem exists if the procedures are not synchronised with the latest legislative ...
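
Added example, not from the paper or from any QPS system: the paper describes an audit trail as recording which user-id made a change, when, and the record before and after, and observes that entries in a poorly implemented trail can be removed without a trace. The Python sketch below links entries with a hash chain (a technique chosen for this example, not one the paper names) so that removed or altered entries show up on inspection; the field names, the sample data and the separately noted `inspected_head` value are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # value linked to by the first entry


def _digest(body):
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(trail, user_id, when, record, before, after):
    """Append one change, linked by hash to the entry before it."""
    body = {"seq": len(trail) + 1, "user_id": user_id, "when": when,
            "record": record, "before": before, "after": after,
            "prev": trail[-1]["hash"] if trail else GENESIS}
    trail.append(dict(body, hash=_digest(body)))
    return trail[-1]["hash"]


def verify_trail(trail, inspected_head=None):
    """Return findings; an empty list means the trail is intact.

    inspected_head is the last hash noted separately at the previous
    inspection (an assumption of this sketch); it exposes removal of the
    newest entries, which the chain alone cannot show.
    """
    findings, prev = [], GENESIS
    for pos, entry in enumerate(trail, start=1):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != pos:
            findings.append(f"position {pos}: expected seq {pos}, found {entry['seq']}")
        if entry["prev"] != prev:
            findings.append(f"position {pos}: link to previous entry broken")
        if _digest(body) != entry["hash"]:
            findings.append(f"position {pos}: content changed after it was written")
        prev = entry["hash"]
    if inspected_head is not None and inspected_head not in [e["hash"] for e in trail]:
        findings.append("entries noted at the last inspection are missing")
    return findings


def sample_trail():
    # Constructed sample data: user-ids, times and record names are invented.
    trail = []
    append_entry(trail, "u1001", "2004-03-01T09:00", "REC-1", "", "draft")
    append_entry(trail, "u1002", "2004-03-01T09:30", "REC-1", "draft", "approved")
    head = append_entry(trail, "u1001", "2004-03-02T14:10", "REC-2", "", "draft")
    return trail, head
```

The chain only detects tampering if the head value is kept somewhere the person altering the trail cannot also rewrite, which plays the role the OIC's countersigning initials had in the paper register of amendments.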
The article “The process of audit and control – a comparison of manual and electronic
information systems” by Caroline Allinson delves into the 1900s and examines how audit and
control procedures used to be carried out manually in the Queensland Police Service (QPS). A
comparison of those past manual practices with the electronic systems of the modern world of IT
presents clear differences, with each of the two systems having some of its features better than
the other. According to Allinson (2004), organizations require an internal standard of good
practice that must address policy and verifiable procedures, roles and responsibilities,
accountability, proof of business processes, laws and regulations, and associated risks. While the
manual process entailed a high level of audit and control, the introduction and enhancement of IT
that provides for electronic handling of information has reduced that level significantly.
The QPS procedures, process, and controls.
In 1940, QPS used a well-established, written form called ...

