other business process part 2 (Customer Relationship Management (CRM…
Artificial Intelligence and Expert Systems
IS Auditor’s Role in Expert Systems
An IS auditor needs to be concerned with the controls relevant to these systems when used as an integral part of an organization’s business process or mission-critical functions, and the level of experience or intelligence used as a basis for developing the software.
Other accounting- and auditing-related applications for expert systems include audit planning, internal control analysis, account attribute analysis, quality review, accounting decisions, tax planning and user training.
Well-designed questionnaires or software that integrates and reports on system parameters and data sets are available to assist IS auditors in reviewing these systems.
Specifically, an IS auditor should perform the following activities:
• Understand the purpose and functionality of the system.
• Assess the system’s
to the organization and related business processes as well as the associated potential risk.
• Review the adherence of the system to corporate policies and procedures.
• Review the decision logic built into the system to ensure that the expert knowledge or intelligence in the system is sound and accurate. An IS auditor should ensure that the proper level of expertise was used in developing the basic assumptions and formulas.
• Review the procedures for updating information in the KB.
• Review the security access over the system, specifically the KB.
• Review procedures to ensure that qualified resources are available for maintenance and upgrading.
interfaces with a database in obtaining data to analyze a particular problem in deriving an expert conclusion.
Key to the system is the knowledge base (KB), which contains specific information or fact patterns associated with particular subject matter and the rules for interpreting these facts.
The information in the KB can be expressed in several ways:
– Use of questionnaires to lead the user through a series of choices, until a conclusion is reached. Flexibility is compromised because the user must answer the questions in an exact sequence.
– Expression of declarative knowledge through the use of if-then relationships. For example, if a patient’s body temperature is over 39°C (102.2°F) and their pulse is under 60, then the patient might be suffering from a certain disease.
– Use of a graph in which the nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes. Such graphs resemble a data flow diagram and make use of an inheritance mechanism to prevent duplication of data.
The inference engine shown is a program that uses the KB and determines the most appropriate outcome based on the information supplied by the user.
In addition, an expert system includes the following components:
– Data interface—Collection of data from nonhuman sources through an expert system, such as measurement instruments in a power plant
– Knowledge interface—Inclusion of knowledge from an expert into the system without the traditional mediation of a software engineer
The use of expert systems has many potential benefits within an organization, including:
• Operating in environments where a human expert is not available (e.g., medical assistance on board a ship, satellites)
• Sharing knowledge and experience
• Automating highly (statistically) repetitive tasks (help desk, score credits, etc.)
• Enhancing personnel productivity and performance
• Capturing the knowledge and experience of individuals
How it works
An expert system allows the user to specify certain basic assumptions or formulas and then uses these assumptions or formulas to analyze arbitrary events.
Based on the information used as input to the system, a conclusion is produced.
Expert systems are an area of AI and perform a specific function or are prevalent in certain industries.
AI fields include, among others:
• Machine translation of foreign languages
• Problem solving
• Voice recognition
• Pattern recognition
• Abstract reasoning
• Theorem proving
• Intelligent text management
• Neural networks
• Natural and artificial (such as programming) languages
• Expert systems
Artificial intelligence (AI) is the study and application of the principles by which:
• Languages are developed.
• Concepts are formed.
• Collaboration is achieved.
• Information is communicated.
• Goals are generated and achieved.
• Knowledge is acquired and used.
Customer Relationship Management
Among uses of analytical CRM are increasing customer product holdings or “share of customer wallet,” moving customers into higher margin products, moving customers to lower-cost service channels, increasing marketing success rates, and making pricing decisions.
Analytical CRM seeks to
information captured by the organization about its customers and their interactions with the organization into information that allows greater value to be obtained from the customer base.
Operational CRM is concerned with maximizing the utility of the customer’s service experience while also capturing useful data about the customer interaction.
Customer-centered applications focus on CRM processes
Other business partners can share information, communicate and collaborate with the organization with the seamless integration of web-enabled applications and without changing their local network and other configurations.
This includes integration of telephony, and inter-enterprise integration capabilities.
Optimum combination of strategy, skill sets and technology.
The customer-driven business trend is to be focused on the wants and needs of the customers.
This emphasizes the importance of focusing on information relating to transaction data, demographic information and service trends of customers, rather than on products.
Industrial Control Systems (see image 13)
Industrial control system (ICS) is a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as programmable logic controllers (PLC), often found in the industrial sectors and critical infrastructures.
• Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation
• Unauthorized changes to commands or alarm thresholds, which could damage, disable or shut down equipment, create environmental impacts, and/or endanger human life
• Inaccurate information sent to system operators, either to disguise unauthorized changes or to cause the operators to initiate inappropriate actions, which could have various negative effects
• ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects
• Interference with the operation of safety systems, which could endanger human life
Restricting logical access to the ICS network and network activity. This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
Restricting physical access to the ICS network and devices. Unauthorized physical access to components could cause serious disruption of the ICS’s functionality. A combination of physical access controls should be used, such as locks, card readers and/or guards.
Protecting individual ICS components from exploitation. This includes deploying security patches in as expeditious a manner as possible, after testing them under field conditions; disabling all unused ports and services; restricting ICS user privileges to only those that are required for each person’s role; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect and mitigate malware.
Maintaining functionality during adverse conditions. This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks, or does not cause another problem elsewhere, such as a cascading event.
Restoring the system after an incident. Incidents are inevitable, and an incident response plan is essential. A major characteristic of a good security program is how quickly a system can be recovered after an incident has occurred.