How responsibilities are divided within an organization and within its IT department is an important issue that every organization needs to consider. A clear division of responsibilities helps each function work effectively and provides supervision and control. Especially for important systems such as large financial systems, supervisors need to carry more responsibility than their subordinates. Division of labor is just as important between the IT department and the information-system staff of other departments. The main areas of duty separation are explained below:

1. Transaction authorization. Transaction authorization is the responsibility of the user department. Authorization also implies a degree of accountability on the part of the person who authorizes. Management and information system auditors must regularly check for unauthorized transactions.

2. Reconciliation. Reconciliation is the user's responsibility. In some organizations, the data control group also reconciles applications using control totals and balancing sheets, which gives users more confidence that the application ran correctly.

3. Custody of assets. The company must determine and assign custody of its assets appropriately. When a user is designated as "data owner", the assignment should be put clearly in writing. The data owner is responsible for determining the authorization levels needed to protect the data, and the data security administration team is usually responsible for implementing and enforcing the security system.

4. Access to data. The physical environment must be secure enough to prevent unauthorized persons from reaching the tangible devices that connect to the host. System and application security is a further layer that prevents unauthorized access to data. In addition, access to the company's internal data from outside has become a new issue since the arrival of the Internet. System managers therefore need to take on greater responsibility for protecting information assets.

5. Authorization forms. Managers of user departments must submit a formal authorization form, electronic or printed, that defines each employee's access rights, that is, who may access what. The authorization form must be approved by management. Normally every user should apply in writing to their supervisor for access to a particular system. In large companies or companies with remote units, authorized signatures and the signatures on applications should be kept on file so that authorization requests can be verified as genuine. In addition, procedures should require access rights to be reviewed regularly to confirm that each user's permissions are appropriate and kept up to date.

6. User authorization tables. The IT department uses the data in the authorization forms to establish and maintain user authorization tables. These define which people are authorized to update, modify, delete or browse data. The rights are defined at the system level, the transaction level, and so on. The authorization table itself is protected against unauthorized access by a password or by encryption. A control log should record all user activity in detail and be reviewed by the appropriate supervisor, and all exceptional situations should be investigated.

7. Exception reporting. Exceptions should be reported to management for handling, and there must be evidence that they were handled properly, that is, a signature on the report indicating that the exception has been properly handled. Management should also follow up on the handling of exceptions to ensure that all of them are resolved in a timely manner.

8. Audit trails. The audit trail is the "map" that the information system auditor uses to retrace the flow of a transaction. Auditors follow audit trails to review business transactions and collect audit evidence. In traditional business activities, every step of every transaction has a written record (such as a handwritten signature), and the audit trail is very clear. The auditor can follow a transaction from the original documents through to the statements, and can also trace from the statements back to the original documents, which gives auditing methods such as forward tracing and reverse checking. For information systems, the audit trail is the record of all events that occur from the moment data is entered into the system until it passes to other subsystems. After computerization, the traditional audit trail disappears completely: paper vouchers, books and reports are replaced by accounting information held on electromagnetic media. The information on these magnetic media can no longer be read directly with the naked eye and may be deleted without leaving traces, which greatly increases audit risk. If the system is not designed thoroughly, it may be possible to see only the results of processing without being able to trace them to their source. The audit trail is therefore the tracking and recording of data processing, and it is a required component of system design.

The audit trail gives the IT department and auditors a record for tracing how transactions were processed, which helps information system auditors recreate the actual transaction flow from its original state to the updated files. The audit trail can serve as a compensating control where segregation of duties is absent. Information system auditors should be able to determine who performed a transaction, the time of the transaction, the data entered, the form of input, which fields the transaction contained, and which files were updated.

9. Transaction logs. A transaction log can be manual or automated. A manual log is a record of transactions (grouped or batched) made before the data is submitted for processing. An automated log provides a record of all transactions processed and is produced and retained by the computer system.
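
An added example, not part of the original text: a minimal sketch of items 6 to 8 in which an authorization table gates each action, a control log records every attempt, and denied attempts feed the exception report. The hash chain is a technique added here to address the concern that electronic records can be deleted without leaving traces; the users, system name and timestamps are constructed.

```python
import hashlib
import json
# Constructed authorization table (item 6): (user, system) -> permitted actions.
AUTH_TABLE = {("alice", "ledger"): {"browse", "update"},
              ("bob", "ledger"): {"browse"}}

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class ControlLog:
    """Logs every attempt, permitted or not; each entry chains to the previous hash."""
    def __init__(self):
        self.entries = []

    def record(self, user, system, action, fields, time):
        allowed = action in AUTH_TABLE.get((user, system), set())
        entry = {"user": user, "system": system, "action": action,
                 "fields": fields, "time": time, "allowed": allowed,
                 "prev": self.entries[-1]["hash"] if self.entries else "0" * 64}
        entry["hash"] = _digest(entry)  # hash covers all fields above
        self.entries.append(entry)
        return allowed

    def exceptions(self):
        """Denied attempts, the input to the exception report (item 7)."""
        return [e for e in self.entries if not e["allowed"]]

    def verify(self):
        """Index of the first entry that breaks the chain, or None if intact."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return None

def demo():
    log = ControlLog()  # timestamps below are constructed sample values
    log.record("alice", "ledger", "update", ["amount"], "2024-01-05T09:00:00Z")
    log.record("bob", "ledger", "delete", ["amount"], "2024-01-05T09:05:00Z")
    log.record("bob", "ledger", "browse", [], "2024-01-05T09:06:00Z")
    denied = [(e["user"], e["action"]) for e in log.exceptions()]
    intact = log.verify()
    del log.entries[1]  # simulate silent removal of the denied attempt
    return denied, intact, log.verify()

if __name__ == "__main__":
    print(demo())
```

The chain exposes removal or alteration of entries in the middle of the log; removal of the most recent entries is only detectable if the latest hash is also kept somewhere the log's administrators cannot change.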