The following is a compilation of Information Systems best practices employed throughout industry and government, which have been adopted as minimal standards by the Arkansas Division of Legislative Audit (ADLA). This outline will likely be a work in progress, with changes and additions incorporated as the need arises. The purpose of compiling these best practices and then communicating them to entities throughout the state is to:
– raise awareness of technical areas which present the highest level of risk and are considered most important by ADLA (and throughout government);
– provide general guidance on minimal standards in these technical areas (which may serve as a refresher for counties more dependent on advanced technology while serving as a starting point for counties with smaller operations and less exposure to technical issues);
– provide ADLA with a documented framework to be updated and revised as necessary, based on changing best practices, to reference when recommending an entity change existing processes to comply with best practices.
Standards governing the audit profession published recently prohibit auditors from mandating the implementation of specific operational procedures since this impairs auditor independence. Simply put, management decisions must remain the responsibility of management. However, increased reliance on computer systems in everyday operations introduces significantly more complex control issues. These issues, as well as standard guidelines and acceptable risk, must be factored into management decisions to ensure proper authorization, accuracy and completeness of processed data. As stated previously, our goal is to raise awareness of potential (and real) threats and provide guidelines for management to reference when making decisions.