CISA Review Manual 2014-190

Chapter 3—Information Systems Acquisition, Development and Implementation
Section Two: Content
CISA Certified Information Systems Auditor



... computer-integrated (or computer-intensive) manufacturing (CIM) and manufacturing accounting and production (MAP).

Original IMSs were based on bill of materials (BOM) and bill of materials processor (BOMP) systems, and were usually supported by a hierarchical DBMS.

Evolution toward further integration with other business functions (e.g., recording of raw materials, work-in-process and finished goods transactions, inventory adjustments, purchases, supplier management, sales, accounts payable, accounts receivable, goods received, inspection, invoices, cost accounting, maintenance, etc.) led to MRP (initially standing for material requirements planning, now for manufacturing resources planning), which is a family of widely used standards and standards-based packages.

MRP is a typical module of most ERP packages such as SAP, PeopleSoft, Oracle Financials or J.D. Edwards, and is usually integrated with modern Customer Relationship Management (CRM) and Supply Chain Management (SCM) systems.

CAD, computer-assisted engineering (CAE) and CAM—the latter including computerized numeric control (CNC)—have led to CIM. CIM is frequently used to run huge lights-out plants, and a significant portion of consumer goods is manufactured in these environments.

The importance for the IS auditor lies in the high number of systems and applications using these technologies. The larger the scale of integration, the more auditor attention is required.

Highly integrated CIM projects require the same attention from the auditor as the ERPs previously mentioned in this chapter. They are major undertakings that should be based on comprehensive feasibility studies and subject to top management approval and close supervision.

Continuity planning is also a primary area that should be reviewed by the IS auditor.

3.6.11 ELECTRONIC FUNDS TRANSFER


As the Internet continues to transform commercial transactions, the method of payment is one troublesome issue that will take on an increasingly significant role in the relationship between seller and buyer. The underlying goal of the automated environment is to wring out the costs inherent in the business processes. EFT is the exchange of money via telecommunications without currency actually changing hands. In other words, EFT is the electronic transfer of funds between a buyer, a seller and their respective financial institutions. EFT refers to any financial transaction that transfers a sum of money from one account to another electronically. EFT allows parties to move money from one account to another, replacing traditional check writing and cash collection procedures. EFT services have been available for two decades. With the increased interest in Internet business, more and more consumers and businesses have begun to utilize EFT services. In the settlement between parties, EFT transactions usually function via an internal bank transfer from one party's account to another or via a clearinghouse network. Usually, transactions originate from a computer at one institution (location) and are transmitted to a computer at another institution (location), with the monetary amount recorded in the respective organization's accounts. Because of the potentially high volume of money being exchanged, these systems may be in an extremely high-risk category. Therefore, access security and authorization of processing are important controls. Regarding EFT transactions, central bank requirements should be reviewed for application in these processes.

Controls in an EFT Environment

Because of the potentially high volume of money being exchanged, these systems may be in an extremely high-risk category, and security in an EFT environment becomes extremely critical.

Security includes the methods used by the customer to gain access to the system, the communications network, and the host or application processing site. Individual consumer access to the EFT system may be controlled by a plastic card and a PIN or by other means that bypass the need for a card. The IS auditor should review the physical security of unissued plastic cards, the procedures used to generate PINs, the procedures used to issue cards and PINs, and the conditions under which the consumer uses the access devices.

Security in an EFT environment ensures that:
• All the equipment and communication linkages are tested to effectively and reliably transmit and receive data
• Each party uses security procedures that are reasonably sufficient for effecting the authorized transmission of data and for protecting business records and data from improper access
• There are guidelines set for the receipt of data and to ensure that the receipt date and time for data transmitted are the date and time the data have actually been received
• On receipt of data, the receiving party will immediately transmit an acknowledgment or notification to communicate to the sender that a successful transmission occurred
• Data encryption standards are set
• Standards for handling unintelligible (garbled) transmissions are set
• Regulatory requirements for enforceability of electronic data transmitted and received are explicitly stated

The IS auditor should ensure that reasonable authentication methods are required for access to EFT systems. The communications network should be designed to provide maximum security. Data encryption is recommended for all transactions; however, the IS auditor should determine any conditions under which the PIN might be accessible in clear mode.

An EFT switch involved in the network is also an audit concern. An EFT switch is the facility that provides the communication linkage for all equipment in the network. The IS auditor should review the contract with the switch and the third-party audit of switch operations. If a third-party audit has not been performed, the IS auditor should consider visiting the switch location.

At the application processing level, the IS auditor should review the interface between the EFT system and the application that processes the accounts from which funds are transferred. Availability of funds or adequacy of credit limits should be verified before funds are transferred. Unfortunately, this is not always the case. Because of the penalties for failure to make
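The following is an added example, not code from the CISA manual or from any EFT product, showing what several of the controls above look like when implemented: per-party authentication of each transfer message (HMAC-SHA256 over a canonical serialization), replay rejection, verification of available funds or credit limit before any posting, an acknowledgment carrying the receiver's own receipt timestamp, and an audit journal. It also shows the weak posting routine that moves funds without those checks, which is the failure mode the text warns about. The shared key, account identifiers, amounts and function names are all constructed for the demonstration. HMAC provides integrity and origin authentication only; the manual's encryption requirement would be met separately (for example by an encrypted transport), which this example does not show.

```python
"""Added example (not from the CISA manual): a minimal EFT-style transfer
exchange implementing several of the controls listed above. Stdlib only;
keys, account numbers and amounts are constructed for the demonstration."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed shared key between originating and receiving institution. In a
# real EFT switch this would live in an HSM; it is a literal only for the demo.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def _canonical(body: dict) -> bytes:
    # Deterministic serialization so both sides compute the tag over the
    # same bytes regardless of dict ordering.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_transfer(key: bytes, msg_id: str, from_acct: str, to_acct: str,
                   amount_cents: int, sent_at: float) -> dict:
    """Originator side: serialize the transfer and attach an HMAC-SHA256 tag so
    the receiver can authenticate the message and detect tampering in transit.
    HMAC gives integrity and origin authentication, not confidentiality."""
    body = {"id": msg_id, "from": from_acct, "to": to_acct,
            "amount_cents": amount_cents, "sent_at": sent_at}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


@dataclass
class Ledger:
    balances: dict                                # account -> balance (cents)
    credit_limits: dict                           # account -> overdraft allowed
    seen_ids: set = field(default_factory=set)    # replay protection
    journal: list = field(default_factory=list)   # audit trail of postings


def unsafe_post(ledger: Ledger, msg: dict) -> None:
    """The weakness the manual warns about: funds move with no authentication
    and no availability check, so a forged or oversized transfer can drive an
    account arbitrarily negative."""
    b = msg["body"]
    ledger.balances[b["from"]] = ledger.balances.get(b["from"], 0) - b["amount_cents"]
    ledger.balances[b["to"]] = ledger.balances.get(b["to"], 0) + b["amount_cents"]


def receive_transfer(key: bytes, ledger: Ledger, msg: dict, received_at: float) -> dict:
    """Receiving side: authenticate, reject replays, verify funds or credit
    before posting, then acknowledge with the time of receipt. Any rejection
    moves no money."""
    body = msg.get("body", {})

    def reject(reason: str) -> dict:
        return {"id": body.get("id"), "status": "REJECTED",
                "reason": reason, "received_at": received_at}

    # Authenticate first: nothing below is trusted until the tag verifies.
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
        return reject("authentication failed")
    if body["id"] in ledger.seen_ids:
        return reject("duplicate message id")
    if not isinstance(body["amount_cents"], int) or body["amount_cents"] <= 0:
        return reject("invalid amount")
    if body["from"] not in ledger.balances:
        return reject("unknown source account")
    # Availability of funds or adequacy of credit limit, checked before posting.
    available = ledger.balances[body["from"]] + ledger.credit_limits.get(body["from"], 0)
    if body["amount_cents"] > available:
        return reject("insufficient funds or credit")

    # All checks passed: post both legs together and journal the posting with
    # the receiver's timestamp, which is the authoritative receipt time.
    ledger.seen_ids.add(body["id"])
    ledger.balances[body["from"]] -= body["amount_cents"]
    ledger.balances[body["to"]] = ledger.balances.get(body["to"], 0) + body["amount_cents"]
    ledger.journal.append({"received_at": received_at, **body})
    return {"id": body["id"], "status": "ACKNOWLEDGED", "received_at": received_at}


if __name__ == "__main__":
    ledger = Ledger(balances={"ACC-A": 10_000, "ACC-B": 0}, credit_limits={"ACC-A": 5_000})
    msg = build_transfer(SHARED_KEY, "tx-0001", "ACC-A", "ACC-B", 12_000, sent_at=1.0)
    print(receive_transfer(SHARED_KEY, ledger, msg, received_at=2.0))   # acknowledged
    print(receive_transfer(SHARED_KEY, ledger, msg, received_at=3.0))   # replay rejected
    print(ledger.balances)
```

The order of checks matters: authentication runs before any field of the body is trusted, the replay check runs before the funds check so a resent message cannot be used to probe balances, and the two ledger legs are posted only after every check passes. An auditor reviewing the interface described in the text would look for exactly these points, plus the journal entry per posting.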

184 CISA Review Manual 2014
ISACA. All Rights Reserved.
