The Volkswagen Group AG - Information Systems Auditing - Case Study Example

INFORMATION SYSTEMS (IS) AUDITING Student’s name Course code + name Professor’s name University name City, State Date of submission Executive Summary The failure of the emissions software to perform according to the expectations has landed the Volkswagen Group into an economic downturn following the decision of regulatory authorities to order the company to recall some of its vehicles over the issue. Even though the performance lapse exhibited by the software has declined the company’s growth process, Volkswagen remains focused to its objective of becoming an automobile manufacturer that presents the best performance both economically and environmentally. As a counter strategy to the adverse turn out of the software solution, the company has recalled the affected vehicles to rectify the issue. Volkswagen has found it necessary to conduct an IS risk audit to enhance its preparedness and response towards future IS risks that span the various departments of the company: internally, externally and inside the vehicles. The firm believes that the audit will enable it to achieve the seamless flow of information between the departments of the company and between the company and its partners without the threat of succumbing to cyber insecurity and the failure of fragmented information systems such as the emissions software. Background to the Case The Volkswagen Group AG has transitioned from a single automobile company in the 1930s to integrate other automobile brands such as Audi, Bugatti, Bentley, Lamborghini, Porsche, MAN, Scania, Skoda, SEAT and Ducati as well as the Volkswagen brands. The company also sells motorcycles and passenger and commercial vehicles and hopes to be increase its market share (Pratt 2015). In accordance with this goal, the Group intends that by 2018, the company targets to become the global environmental and economic leader among all the automobile manufacturers. The recent Volkswagen crisis about its “cheating” emissions software on certain brands has done a great deal towards tainting the image of the company and its efforts towards becoming the global environmental leader by the target year. However, the company has already implemented the necessary measures that will restore the confidence and trust of its customers thereby regaining its competitive advantage in the automobile industry. Towards attaining the objective, the company understands that the effective functioning of its computerised environment will be pivotal to its success. As a matter of fact, the recent emissions scandal resulted from a failure in the emission software that the company had installed on the vehicles in question. As a strategy of averting such pitfalls in the future, the company has devoted its efforts towards revolutionising its computerised environment. In the quest to become a world leader in quality and customer satisfaction, Volkswagen intends to deploy intelligent technologies and innovations. Apparently, revolutionising the computerised environment depends on the ability of the company to implement the necessary technological innovations in automobile safety, performance, emissions, and alternative fuel systems so as to realise customer satisfaction and compliance with government regulations particularly on emissions (Blackwelder et al. 2016). IS Risks It is evident that the proper implementation of information systems and technologies in automobiles contributes significantly towards the success and profitability of the automobile company. For instance, information systems play a pivotal role in guiding the design of vehicles and the management of inventory that results in a proper supply chain. However, there are several risks associated with the use of information systems in the automotive industry. One of the areas that present the greatest risk in the implementation of the information technologies and systems in automobiles is the fragmentation of systems. It is apparent that the segregation of systems decreases the efficiency of the entire system as opposed to scenarios involving the implementation of the entire system. Heterogeneous systems found in automobiles exhibit software and data incompatibility (Alvin et al. 2011). As a result, segregated systems such as the emissions software systems may fail to perform as expected under certain circumstances. The fact can provide an explanation for the failure of the emissions software installed in the vehicles involved in the scandal even though the software had performed tremendously during the initial tests conducted on the automobiles. As a result, the installation of fragmented systems decreases the flexibility and efficiency of the value chain. Therefore, the Volkswagen Group should understand that the decreased efficiency and flexibility of the system occurs in the vehicle, between the departments and also externally. The case of the decreased efficiency of the emissions software is a case that presents decreased efficiency within the vehicle itself. The proper management of the risk necessitates the use of standardised information systems both within and outside the organisation and vehicles. The standardised systems guarantee a seamless flow of information between the vehicle components and the systems user interface thereby providing a true reflection of what is happening within the vehicle. The internal challenges associated with the implementation of a standardised system emanate mainly from the resistance of departments. It is also important to manage the risk of data redundancy in the implementation of the standardised IS. The management of the data redundancy risk ensures the availability of information as and when required as well as the hiding of particular information whose availability may impact adversely on the performance of the organisation. A good example describing the seamless flow of information that eliminates data redundancy is a case where the design department avails product design information to the engineering, procurement and marketing departments in a manner that permits the concurrent configuration of production facilities, the drawing of marketing plans and the procurement of materials (Alvin et al. 2011). On the other hand, instances of annoyance and decreased productivity emanate from the availability of information where its availability is unnecessary. Attaining user acceptance of a product and eliminating data redundancy depend on the effective design of the IS. Volkswagen should understand that even though an effective IS design is pivotal to its success; it is difficult and quite involving to develop such a system. Poor partnerships with distributors and suppliers rather than adversarial relationships turn out to be the other IS risk in the automobile sector. As a result, an effective IS design that addresses the issue necessitates the establishment of effective communication channels to all pertinent stakeholders as well as the development of value proposition. An information system that attains the objective is capable of encouraging long-term collaboration and partnership between parties. This is contrary to the case of adversarial relationships. In such relationships, cost suffices to be the primary determinant of decisions associated with procurement (Alvin et al. 2011). In the event that the partnerships of the organisation are secure, it is apparent that the firm will realise the significance and value of the standardised system that aligns with its objectives. Audit Plan, Objectives and Procedures The audit plan intends to cover the organisational areas that present a high IS risk such as Volkswagen’s centralised ERP application, the standard IT service and the associated delivery processes and the global infrastructure support areas. The IT audit also involves the manufacturing facilities and their underlying infrastructure (Rehage et al. 2008). The audit plan will also ensure the alignment of the audit with the individual business process audits of each facility. Table 1 below shows the business unit and the audit subjects. Business Unit Audit Subject Corporate Remote Connectivity Corporate Network security and administration Corporate UNIX security and administration Corporate Windows Server security and administration Corporate Corporate privacy compliance Corporate ERP application and general controls Corporate IT governance practices Corporate Database security and administration Corporate Application programme change control Corporate ITIL deployment practices Business Segment 1-3 Major capital investment projects such as the corporate compliance and information protection Facility 1-10 Human resource and payroll application Facility 1-10 IT infrastructure Facility 1-10 Process Control Systems Figure 1: The IT Audit Universe The objective of the audit will be to determine the impact and probability of occurrence of the IT risk in each of the audit elements in the audit universe. Basically, the plan will entail the administration of questionnaires to the employees of each of the target departments and facilities in the organisation. The three-point impact and likelihood scale will enable the assessment of the probability of occurrence and impact of the risk during the audit. Table 2 below shows the three-point likelihood scale. Likelihood Scale H 3 High probability of risk occurrence M 2 Medium probability of risk occurrence L 1 Low probability of risk occurrence Table 2: Three-point likelihood scale Table 3 below shows the three-point impact scale that the audit intends to use Impact Scale (Financial) H 3 There is a potential for material impact on the company’s earnings, stakeholders, reputation or assets M 2 The potential of the impact is significant to the business unit but has a moderate impact to the entire organisation L 1 The potential impact is limited in scope and minor in size Table 3: Three-point Impact Scale Audit Questions and Documents During the audit exercise, the audit targets to ask three main questions about all the elements contained in the audit universe. For instance, most of the questions under the corporate section revolve on the security and administration. Some of the questions in the audit questionnaire include: Has there been an incident of network breach in your organisation over the last five years? If yes, what is the approximate number of times that the organisation has had to deal with the issue? Has your company faced a scandal involving a faulty information system over the last five years? If yes, what is the issue and how has the company dealt with the concern? Has the company suffered any losses from the occurrence of an IS-related risk? If yes, what is the extent of the loss? The interviewers will adjust the above questions to receive the responses on each of the audit subjects in the audit universe. Prior to the commencement of the audit exercise, the audit team will avail audit programmes to the company’s management and the target departments so as to enable the smooth running of the activities of the audit. The team will also avail the letters of representation and confirmation as a justification of the audit exercise. The team will also prepare a checklist that covers all the audit subjects to ensure the comprehensive coverage of the target areas. Moreover, the auditors will also avail the audit analyses, issues memoranda, and summaries of important matters noted during the audit. Finally, the team will also avail the necessary correspondence including emails about the significant matters faced by the company. Control Recommendations The IS risk management profile summarises the control recommendations that the organisation can use to shield itself from the adverse effects of the IS risks. The categorisation of the information systems is the first stage. It details all the IS categories used in the organisation by defining the sensitivity of the systems with regard to the potential adverse impact to the business under the worst case scenario. The second phase entails the selection of the baseline security controls geared towards enhancing cyber security and eliminating data redundancy to ensure the seamless flow and availability of information to the right parties only. The third step entails the implementation of the security controls with the help of a well-known information security expert organisation such as Intel. It is also imperative for the company to assess the security controls on a regular basis to ascertain their conformance to performance expectations. Next, the company should authorise the information system and monitor the security state to guarantee the effective performance of the system (McCarcthy & Harnett 2014). Following the strict adherence to the recommendations, the company will benefit from the seamless flow of information and the protection of all its information systems against all forms of cyber insecurity. Reference List Alvin, T C H, Bing, G S, Mei, Y & Shunpeng, Z 2011, ‘Impact of Information Systems on the Automobile Industry’. Blackwelder, B, Coleman, K, Colunga-Santoyo, S, Harrison, J S & Wozniak, D 2016, ‘The Volkswagen Scandal’, Case Study. University of Richmond: Robins School of Business. McCarthy, C & Harnett, K 2014, ‘National Institute of Standards and Technology cybersecurity risk management framework applied to modern vehicles. Washington DC: National Highway Traffic Safety Administration. Pratt, B 2015, ‘Case Analysis: Volkswagen Group’. Available from: http://people.ucsc.edu/~brpratt/Courses/ECON136Su15/VWAG_Example.pdf Rehage, K, Hunt, S & Nikitin, F D 2008, ‘Developing the IT Audit Plan’, Institute of Internal Auditors. Read More