QUESTION 3

In evaluating controls over financial systems and processes, auditors assess three main aspects: prevention, detection, and recovery (sometimes referred to as correction). This is a useful way to think about the challenges of ensuring reliable systems and IT-enabled processes.

Prevention-oriented controls aim to reduce the likelihood of human errors or malicious harm (such as from disgruntled employees or hackers intent on harming systems or stealing confidential information), that lead to system failures (such as the network outage that occurred at CareGroup).

Detective controls are needed since it is impossible to guarantee that errors, breaches and system failures will not occur. Rapid detection means that managers will quickly discover that an error, breach or failure has happened or (better yet) is in the process of happening (the sooner you know, the easier it will be to protect your systems, processes and people from further harm).

Recovery/correction refers to steps managers and other employees need to take during an IT-related crisis (such as the CareGroup network outage), in order to minimize harm to employees, business partners, customers, and (by extension) the organizations reputation. Longer-term, the organization that has suffered one of these events needs to fix the underlying problems that contributed to the event -- however, we are not referring to these long-term steps here; we are referring to things managers need to do during the crisis.

Discuss evidence in the CareGroup case pointing to strong or weak prevention, detection, and recovery. Then, as if you were an auditor, reach a conclusion about CareGroups ability to prevent, detect, and recover from future problems due to errors, malicious harm or system failures.

Please write a one-page answer using the next available page. Font size 12, font type Times or Arial, margins, 1 in for all.