ANOMALY DETECTION IN IT AUDIT : The possibilities and potential in the domain of IT Audit
De Vries, Tom (2022-06-17)
ANOMALY DETECTION IN IT AUDIT : The possibilities and potential in the domain of IT Audit
De Vries, Tom
(17.06.2022)
Julkaisu on tekijänoikeussäännösten alainen. Teosta voi lukea ja tulostaa henkilökohtaista käyttöä varten. Käyttö kaupallisiin tarkoituksiin on kielletty.
avoin
Julkaisun pysyvä osoite on:
https://urn.fi/URN:NBN:fi-fe2022062850301
https://urn.fi/URN:NBN:fi-fe2022062850301
Tiivistelmä
IT Audit is dealing with a continuous increase in complexity and work. Regulations get stricter, while IT plays an increasingly more important role in companies. New technologies like anomaly detection can play a role in supporting IT Audit decisions. Anomaly detection has recently seen use in many domains, including financial audit, for example in fraud detection. Yet IT Audit does not make use of this technology as of now. This research looks atthe possible roles that anomaly detection can play in this domain.
This research starts by attempting to bring the existing literature on both domains closer together and then creating variables that influence successful anomaly detection implementation in IT Audit. Exploratory interviews led to different approaches to implementation. IT Audit currently works with random samples to offer reasonable assurance on a statistical basis. As anomaly detection requires more data than the samples can provide, the potential benefits and consequences of utilizing the entire data population in an audit are researched.
As controls are unique to each client, IT Audit tasks have been grouped per common IT risk. For each risk, the potential of anomaly detection is determined based on four variables: the impact of erroneous instances going undetected, the time spent on the audit task, the frequency of the task, and the external pressure. Interviews with IT Audit professionals have been used to go through the IT risks with the highest potential, and determine the challenges. For each challenge, solutions have been discussed, as well as their feasibility.
Two use-cases have been formulated based on the interviews. The first use-case aims to use anomaly detection to detect multiple manage change risks, by looking at the full data population of changes at big clients working in standardized systems. The second use-case aims to discover SoD concerns and could be combined with financial audit data to discover fraud. Unsupervised deep learning methods are most likely to succeed. Prior research indicates deep autoencoder neural networks as a suitable method.
The biggest challenges for implementation turned out to be in the current audit methodology, rather than development. The current sample approach is based on the notion that testing the full data population would not be possible while remaining within time and budget norms. New techniques, such as anomaly detection, might mean this notion is outdated, but the methods cannot be created and optimized due to the current restraints.
This research starts by attempting to bring the existing literature on both domains closer together and then creating variables that influence successful anomaly detection implementation in IT Audit. Exploratory interviews led to different approaches to implementation. IT Audit currently works with random samples to offer reasonable assurance on a statistical basis. As anomaly detection requires more data than the samples can provide, the potential benefits and consequences of utilizing the entire data population in an audit are researched.
As controls are unique to each client, IT Audit tasks have been grouped per common IT risk. For each risk, the potential of anomaly detection is determined based on four variables: the impact of erroneous instances going undetected, the time spent on the audit task, the frequency of the task, and the external pressure. Interviews with IT Audit professionals have been used to go through the IT risks with the highest potential, and determine the challenges. For each challenge, solutions have been discussed, as well as their feasibility.
Two use-cases have been formulated based on the interviews. The first use-case aims to use anomaly detection to detect multiple manage change risks, by looking at the full data population of changes at big clients working in standardized systems. The second use-case aims to discover SoD concerns and could be combined with financial audit data to discover fraud. Unsupervised deep learning methods are most likely to succeed. Prior research indicates deep autoencoder neural networks as a suitable method.
The biggest challenges for implementation turned out to be in the current audit methodology, rather than development. The current sample approach is based on the notion that testing the full data population would not be possible while remaining within time and budget norms. New techniques, such as anomaly detection, might mean this notion is outdated, but the methods cannot be created and optimized due to the current restraints.