The process of audit and control Article Summary Research an article in the University Library related to this week’s objectives. Write a 700- to 1,050-wo

The process of audit and control Article Summary Research an article in the University Library related to this week’s objectives.

Write a 700- to 1,050-word summary of the article.

Apply what you learned to your professional life. How could you use the information on your job?

Format your paper consistent with APA standards.

Click the Assignment Files tab to submit your assignment.

Article attached Policing: An International Journal of Police Strategies & Management
The process of audit and control – a comparison of manual and electronic information
Caroline Allinson,
Downloaded by University Library At 09:36 05 February 2019 (PT)
Article information:
To cite this document:
Caroline Allinson, (2004) “The process of audit and control – a comparison of manual and electronic
information systems”, Policing: An International Journal of Police Strategies & Management, Vol. 27 Issue:
2, pp.183-205,
Permanent link to this document:
Downloaded on: 05 February 2019, At: 09:36 (PT)
References: this document contains references to 21 other documents.
To copy this document:
The fulltext of this document has been downloaded 1698 times since 2006*
Users who downloaded this article also downloaded:
(2005),”E-commerce impact: emerging technology – electronic auditing”, Managerial Auditing
Journal, Vol. 20 Iss 4 pp. 408-421 https://
(2001),”The impact of information technology on the audit process: an assessment of the state of the art
and implications for the future”, Managerial Auditing Journal, Vol. 16 Iss 3 pp. 159-164
Access to this document was granted through an Emerald subscription provided by emerald-srm:485088 []
For Authors
If you would like to write for this, or any other Emerald publication, then please use our Emerald for
Authors service information about how to choose which publication to write for and submission guidelines
are available for all. Please visit for more information.
About Emerald
Emerald is a global publisher linking research and practice to the benefit of society. The company
manages a portfolio of more than 290 journals and over 2,350 books and book series volumes, as well as
providing an extensive range of online products and additional customer resources and services.
Emerald is both COUNTER 4 and TRANSFER compliant. The organization is a partner of the Committee
on Publication Ethics (COPE) and also works with Portico and the LOCKSS initiative for digital archive
*Related content and download information correct at time of download.
The Emerald Research Register for this journal is available at
The current issue and full text archive of this journal is available at
The process of audit and
control – a comparison of
manual and electronic
information systems
The process of
audit and control
Caroline Allinson
Downloaded by University Library At 09:36 05 February 2019 (PT)
Manager Information Security, Queensland Police Service Information and
Security Research Centre (ISRC), Queensland University of Technology,
Brisbane, Queensland, Australia
Keywords Law enforcement, Auditing, Information, Evidence, Electronic media
Abstract A question is posed; have audit and control of information in a high security
environment, such as law enforcement, improved or not in the transition from manual to
electronic processes? This paper attempts to elucidate this question by a thorough examination of
information collection, control of processing and audit in manual processes used by the
Queensland Police Service, Australia, during the period 1940-1980. It assesses those processes
against current electronic systems essentially introduced to policing in the decades of the 1980s
and 1990s. The results of this assessment show that electronic systems provide for faster
communications with centrally controlled and updated information readily available for use by
large number of users connected across significant geographical locations. It is clearly evident that
the price paid for this is a lack of ability and/or reluctance to provide improved audit and control
processes. Thus, the claim can be made that audit and control processes may be considered to have
been downgraded in the electronic world where standard commercial systems are used.
1. Introduction
Organisations require a standard of good practice for internal processes relating to
business activities. Amongst other things, this standard must address policy and
verifiable procedures, roles and responsibilities, accountability, proof of business
processes, laws and regulations, and associated risks. Provision of adequate controls
and evaluation of these controls dictate the inclusion of a combined audit and control
In this context “control” is defined as “the policies, practices and organisational
structures, designed to provide reasonable assurance that business objectives will be
achieved and that undesired events will be prevented or detected and corrected”
(ISACA, 2001). “Audit” is the means by which implemented processes of control are
effectively assessed and evaluated. Audit steps are performed to substantiate that
controls have been properly and consistently applied and adhered to and that records
correctly and completely reflect the transactions to which they relate.
This paper has been edited and reviewed by Professor William Caelli, Head of School of Data
Communications, Queensland University of Technology (QUT), Brisbane, Australia. This paper
has also been reviewed and approved for release by Mr Richard Warry, Deputy Chief Executive
(Resource Management), Queensland Police Service, Brisbane, Australia.
Policing: An International Journal of
Police Strategies & Management
Vol. 27 No. 2, 2004
pp. 183-205
q Emerald Group Publishing Limited
DOI 10.1108/13639510410536814
Downloaded by University Library At 09:36 05 February 2019 (PT)
Historically, audit and control was introduced when records were hand written
and processes were manual. Most manual processes producing hand written or
typed hardcopy form provided a visual and easily verifiable record of information.
Whilst the traditional reasons for audit still exist the techniques and objectives should
have been expanded and enhanced to accommodate changes in industrial,
technological and business processing. In particular, the need for security, audit and
control in the implementation and use of information technology (IT). To keep pace
with the speed with which technology has developed society has blindly, through
either inability of understanding or complacency, trusted those implementing IT
without really knowing or caring that audit and control processes may be eroded and
down graded.
In general, the introduction of electronic processing and communication through IT
has been viewed as introducing new efficiency and services. However, due to a lack of
understanding by executives, in this paper, it is contended that audit, security and
control in this new environment have been progressively down graded over the last
20 years. In most organisations, those involved at executive level did not participate in
the introduction of IT. Owing to their lack of knowledge and understanding there has
been little to no ownership and custodianship of IT by executives who largely consider
it as a “cost centre”. This responsibility has been delegated to the IT professionals who
themselves at the higher levels of management and directorship have not considered
security, audit and control to be of significant importance nor ensured the introduction
of electronic processes meet the accountability processes used in manual systems.
Auditors and security managers have to fight to be heard. In many instances, the IT
professionals have not understood nor cared about audit and security; historically, it
has not been considered a high priority or even part of the IT formal education process.
Such a statement could not be made in relation to the manually based systems of
the past.
The introduction and consequent enhancement of IT that provides for electronic
recording, storing, processing and transmission of information, in many cases has
reduced the level of audit and control that was present in manual systems. Manual
recording had a chronological flow of the processing that was visually verifiable with
hand written signing for proof of integrity and authenticity. Information systems handle
the authorisation and signing of records very poorly. Whilst digital signatures are the
subject of serious research and discussion, to date, there is no guarantee for validity of
the signing of electronic documents to the same level present in manual systems.
Review of content and inspection processes and accountability of actions taken in
relation to records stored electronically are poor. IT systems have been developed with
security as a low priority. Information systems audit trails implemented for the
recording of activity performed against electronic systems have been either poorly
designed and implemented, non-existent, turned off or overwritten within short time
periods because of problems with space and storage. Removal of electronic records can
be achieved with ease and without traceability. Where systems have poor to no
information systems audit trails implemented, information can be removed without
a trace.
The introduction of new technology can also create confusion for managers and
users. For example, the introduction of electronic mail (e-mail) has attracted serious
debate about the personal privacy of individuals, in particular the auditing and
Downloaded by University Library At 09:36 05 February 2019 (PT)
monitoring of e-mail use. Like the introduction of many other IT processes and systems,
e-mail was introduced with a single user situation in mind. Organisations, now using it
as a business tool, are faced with the dilemma of being able to differentiate personal
use from business use and knowing what the introduction of auditing and monitoring
procedures used in the past will have. There is an urgent need for rules and boundaries
to be set in relation to this particular change in business practice.
There has been a very slow merging of the manual and electronic worlds where law
enforcement agencies are concerned. They have an interest in the manual processes
still in existence and the possible conversion of those manual processes to electronic
processes and the effect these changes will have on evidentiary issues in legal
proceedings in a court of law. Unfortunately they are driven by the agenda of the IT
managers who do not always have a full understanding of the business and are, in
many cases, too “technology focused” without due consideration of the impact that lack
of security, audit and control will have.
Each change brings the expectation that all things will improve, be more
accountable, and embrace and enhance past processes to ensure the new and more
innovative methods in a number of areas such as auditability and control, user and
management awareness, information dissemination, more and deeper knowledge of
process and procedure, can meet any challenge. This paper reports on the analysis and
results of testing this expectation by comparing manual and electronic processes and
procedures used by the Queensland Police Service (QPS), Australia from 1940 to 2000.
The history of audit is reviewed. The history of policy and procedure for QPS is given
with critical analysis for additions, modification and deletions to record keeping in
manual written form. This is compared with processes implemented or required for
electronic record keeping to satisfy rules of evidence in a court of law.
2. The history of audit
The word “Audit” comes from Latin and is translated into English as “he hears”.
This originated from the practise in ancient and medieval times where a person,
required to account for their handling of public funds, appeared before a responsible
official known as the “auditor” to give an oral account. The auditor listened to the
account (Anderson, 1977; Lee, 1988).
Throughout history audit has been primarily associated with finance and
accounting systems. “Bookkeeping” encompasses the record-keeping aspect of
accounting. The first published work on accounting was written in 1494 by Luca
Pacioli, a Venetian monk. He referred to the importance of internal controls and
recommended that auditing of books takes place for internal checks (Anderson, 1977).
History shows that audits of financial reports have been performed to detect fraud
since at least the 15th century. However, the most rapid progress in this area has
taken place within the 19th and 20th centuries (Carmichael and Willingham, 1987).
The industrial revolution created a need for audit techniques that were adequate to
handle checks on mechanization, factory-manufacturing operations, and the mass
production of goods and the provision of services. The concept of “inspect, analyse and
report” is the basis for most audit processes.
By the mid-20th century accounting processes where carried out by machines.
Computers broadened the scope of bookkeeping and the term “data processing” or
“Automatic Data Processing (ADP)” encompassed bookkeeping in electronic form
The process of
audit and control
Downloaded by University Library At 09:36 05 February 2019 (PT)
(Meyer, 1998). Auditors, who were responsible for applying procedures which in their
judgement were necessary to meet generally accepted auditing standards and rules of
professional conduct, now needed to expand their knowledge base to incorporate
computers and associated “unit record” systems.
The concept of audit in current information systems has changed from that of the
past till date to involve a process whereby an electronic record is maintained of a
particular series of events in order to provide evidence in the case of a dispute, to
ensure compliance with certain rules and regulations, to check on the effectiveness of
control systems, and to provide evidence in the case of criminal activity. These records
are commonly known as “audit trails” or “audit logs” and are a means of tracing all
activities affecting a piece of information from the time it enters the system to the time
it leaves. It also documents the path from input to output and should provide enough
information to reconstruct or verify the entire sequence of events, either manually or
through automated tracking procedures. For example, when several people are
working on a document or records in a networked environment, an audit trail makes it
possible to know which “user-id” was used to make a particular change, and when, or
even to see the document before and after changes were made (Meyer, 1998). Auditors
rely heavily on electronically recorded audit trails during an information systems
audit. Information systems auditing has thus become a specialised field within
the audit profession. In this regard, significant work has been undertaken by the
Information Systems Audit and Control Association (ISACA) in the development of
guidelines for the process of information systems audit (ISACA, 1996).
3. The QPS procedures, process and controls
Law enforcement has always worked under a defined code of conduct and operational
instruction in a written form This written form was well established for the QPS by
1940 and was known as “The Policeman’s Manual (TPM)”, comprising a loose-leaf
binder with inserted pages. Computerisation began in the late 1970s with the first
mainframe computer specific to QPS use, installed in 1983.
TPM was introduced for QPS (1905) use by the then Commissioner Cahill in 1905.
It was an adaptation of “TPM” developed by Sir Andrew Reed, K.C.B.,
Inspector-General of the Royal Irish Constabulary. It consisted of numbered
“General Instructions”, more affectionately known as the “GIs”. The GIs were issued
under rules made in pursuance of legislation governing the Queensland police and any
breach of the GIs was deemed an offence against discipline.
There were five significant reprints of the manual by QPS during the 20th century.
The most significant reprint involved renaming and restructuring after the Fitzgerald
Enquiry [1] in 1989. The manual was renamed as the “Operational Procedures Manual
(OPM)” and significantly restructured, removing the instruction numbering and
introducing the format of “Policy, Order, Procedure” [2]. The OPM was made available
in the electronic form at in the mid 1990s by way of an Intranet/bulletin board.
Procedures for updating the electronic version of the manual are centrally controlled
and achieved through a version control process that reflects the date and change made.
Until the manual was electronically produced each QPS police officer was issued
with his/her own printed copy of the TPM and was required to be conversant with its
contents. The TPM was considered personal property and each officer was instructed
to treat it as such.
Downloaded by University Library At 09:36 05 February 2019 (PT)
When amendments and additions to the TPM were necessary they were numbered
for reference purposes and distributed to all members. On receipt of an amendment or
addition, each officer was required to insert it into the relevant place in the manual and
note the details in the “register of amendments”. The register of amendments was a
separate page which was usually placed at the front of the TPM and consisted of a list
of the number of the amendments or addition, GIs affected, date of insertion, and the
officer’s own initials and the initials of the officer in-charge (OIC) (Figure 1) (QPS, 1968).
The TPM issued between 1939 and 1953 (QPS, 1939) contained a GI such that if a
member required the replacement of any amendment of the TPM earlier issued s/he
was required to pay the sum of 1 shilling, now technically equivalent to 10 cents, but a
considerable amount in terms of pay rates in that period. It is considered by many
officers that the action of manually updating their TPM assisted in their knowledge
base remaining up to date.
A two level inspection process for monitoring of printed copies of TPMs was in
place. The OIC of each police establishment would regularly inspect each manual held
by members stationed at that establishment to ensure that the manuals were complete
and up to date. As part of their inspection process District Officers were also required
to examine all manuals for completeness (QPS, 1956, 1968).
The implementation of electronic copies has taken away the enforced reading and
noting process of the past. It has also taken away the auditing and inspection to ensure
that officers were complying with instructions and updating manuals that in turn
provided knowledge of the change. Notification of changes is now communicated to all
officers by the QPS mainframe computer based “Message System”. This method of
communication requires the message to be printed and a manual verification check is
made by each officer signing the print-out to acknowledge the advice. There is no way
to verify that officers accessed the electronic instructions to update their knowledge
base in the first place.
Procedures in electronic form reduce cost and administration functions and ensure
up to date information is made available consistently. However, availability of systems
provided electronically is an issue to be considered. If the system is experiencing
problems and not operational for periods of time, access to instructions and operational
procedures is not available online. Copying to other media, to provide for “standby”
copies in case of system failure, is an administrative overhead and difficult to trace
and control. Users may be using out of date and incomplete instructions. A problem
exists if the procedures are not synchronised with the latest legislative…
Purchase answer to see full

"Order a similar paper and get 100% plagiarism free, professional written paper now!"

Order Now