Introduction and a Background to the Case
In early 2011 it was reported that hackers operating through Chinese servers had breached the systems of several of the world's leading energy companies and stolen sensitive corporate information (Riley, 2011). ExxonMobil was one of the companies identified as a victim of these intrusions.
Although the company asserted that the breach was not serious and therefore did not need to be reported to its shareholders, a breach of this kind is a risk to an entity's overall knowledge management, since sensitive and confidential information may be exposed and end up in the wrong hands.
ExxonMobil had put in place a knowledge management system aimed at enhancing its operational efficiency within the energy industry through the identification and transfer of best practices to its personnel (Cohen and Levinthal 2010).
In the course of its operations, ExxonMobil uses several systems to ensure that information is stored, retrieved, and used effectively and efficiently.
These systems are the repository of the firm's knowledge, and their compromise by hackers is therefore highly detrimental to the operation and sustainability of the firm.
Information System Risks at ExxonMobil
In the course of its information technology operations, a business entity constantly faces a number of risks. The breach of ExxonMobil's systems by Chinese hackers, for instance, posed a security risk to the firm's knowledge management systems.
Such a breach, however, poses several further risks to an entity. In this case, the breach posed an operational risk to the firm. Fischhoff et al (2014) define operational risk as an expected loss arising from failed procedures, systems, or policies.
Hackers usually tamper with the systems they gain access to, affecting their normal operation. If the hackers' activities are not identified in good time, outcomes that are fatal to the entity may arise (Mischen and Jackson 2008).
Given that the hackers had had access to ExxonMobil's systems since 2008, there is a high likelihood that their activities resulted in operational failures within the entity.
The period during which ExxonMobil's systems were exposed by the breach also exposed the firm to financial risk.
According to Liesch et al (2006), financial risk arises where shareholders stand to lose their investment because an entity's cash flow is inadequate to meet its financial obligations.
The access that the hackers had to ExxonMobil's financial systems increased the likelihood of inefficiencies in the normal operations of the firm. Such inefficiencies make it difficult for a firm to achieve its set goals and objectives within its recurrent financial constraints (Seidl 2007).
This in turn increases the firm's chances of falling into debt and hence into a financial crisis. Such a crisis would not only leave ExxonMobil unable to meet its recurrent financial obligations but would also expose its shareholders to the loss of their investment.
In addition, ExxonMobil stood a high chance of being exposed to compliance risk as a result of the hacking activity it had experienced.
Compliance risk arises from a firm's failure to act within the applicable laws and regulations, its internal policies, or the agreed practices of its industry, and exposes it to statutory penalties or material loss (Neef 2005).
One of the main ways through which the firm would have been exposed to compliance risks is through the exposure of confidential information by the hackers.
This includes the details of its shareholders, information with regards to the agreements that the firm has with third party companies such as suppliers and partners (this might include patents and copyrights), and so on.
Exposure of such sensitive information may be unlawful or unethical, and the firm could consequently face a number of legal suits requiring it to pay fines or damages, or to nullify contracts (Marshall et al 2011).
Such outcomes are usually detrimental to the overall operation of a given entity and might affect its profitability and sustainability in the short run and in the long run.
Audit Plans and Objectives
Given the probable outcomes of the security breach of ExxonMobil's information systems, it is critical to conduct an information systems audit that reviews the firm's information system architecture, determines whether the established controls are implemented and effective, and reports on the risks the firm's information systems may be facing.
To realise this aim, this audit report takes a two-stage approach. The first stage involves rigorous planning, analysis of the necessary documents, and interviews with specific personnel to gather the information needed for the entire process.
The second stage involves a critical analysis of the internal control systems and structures. For these stages to be effective and efficient, the auditor must identify the control environment and procedures, assess control risk and detection risk, and from these estimate the overall audit risk (in the standard audit risk model, the product of inherent, control, and detection risk) (Fischhoff et al 2014).
As Hall (2010) asserts, the main role of an IS auditor is to substantiate that the established internal controls exist and function effectively to minimise the associated business risks. As such, the current audit objectives are to:
- Ensure that the firm's operations are effective and efficient
- Ensure that the firm's operations comply with the applicable statutory requirements and regulations
- Ensure that the firm maintains the confidentiality and integrity of its stakeholders' information
Specifically, this audit focuses on three main areas: the operational controls, the financial controls, and the overall corporate compliance of the firm. The main objectives of auditing the operational control systems are to:
- Determine whether daily operations are consistent with the set goals and objectives
- Determine whether the company's performance meets the set standards
- Determine the overall efficiency of the firm's operational systems
The main objectives of auditing the financial control systems are to:
- Gain a clear understanding of the major financial processes
- Determine the key financial policies and goals of the organization
- Determine which financial processes have high levels of risks to the company’s operations
Finally, specific personnel within ExxonMobil will be interviewed to determine the overall level of risk and the firm's compliance with its operational procedures, regulations, and laws. To enhance the effectiveness and efficiency of this process, specific documents within the firm will also be critically scrutinised.
Interview Questions and Documents
The study by Douglas (2006) on information systems audit focused its interviews on the personnel responsible for running and maintaining the various control systems within the entity.
This audit takes a similar approach and interviews the key personnel in charge of running and managing the financial and operational systems.
Three open-ended questions will be posed to these personnel to gather a wide range of information about the operation and effectiveness of their systems:
- What is the process for?
- Which other parties are involved in the process?
- How can the process be improved?
Since this process is exploratory in nature, open-ended questions are effective in widening the scope of information received from interviewees (Eisenhardt 2009).
For instance, while auditing the financial control systems, this audit might focus on the payroll system, in which case it will be necessary to interview the payroll processing clerk.
Asking the clerk what the system is for will elicit an explanation of the entire payroll process, giving the audit a clear understanding of the incoming and outgoing dependencies of this specific system (Sherif 2006).
Repeating the same question to the personnel in charge of other systems yields a clear picture of the overall operation of the firm's systems, making it easier to identify possible risks and to propose mechanisms that enhance operational efficiency.
Inquiring about the other parties that are involved in a given process provides an auditor with a clear picture of the operating environment (Grant 2009). In this audit process, this question will be useful in providing a clear understanding of the interdependencies between sub-systems and entire systems.
As such, it will be easy to determine the start point, intermediaries, and the end point of a given process. In the process, it will be easy to determine any irregularities that might be present and hence propose corrective measures to ensure effective and efficient operation.
The main aim of an audit process is to detect any flaws and irregularities in the operations of a given entity and hence suggest means through which operations can be improved.
It is evident, moreover, that the individuals best placed to devise corrective mechanisms for specific systems are those who operate them on a regular basis (Liesch et al 2006).
For this reason, this audit will specifically ask the personnel it interviews how the systems they operate could be improved.
This increases the chances of arriving at long-term solutions to the systems problems the firm may be facing, especially after the hacking incident.
In the course of this process, the documents of interest include financial statements, accounting entries, and system maintenance records. These documents will provide the evidence used in this audit.
Conclusion and Recommendations
Based on the business and computerised environment of ExxonMobil as well as the risks that have been identified, this audit report recommends the following:
- The firm needs to develop and coordinate effective and efficient mechanisms for sharing information about threats to its financial and operational control systems.
- Research and collaborate with communities of best practice to develop technological measures (hardware and software) against individual and organised cybercrime that might affect the firm's financial position and operational efficiency.
- The firm needs to develop a strong internal information systems audit function that frequently monitors all information systems to detect fraud or irregularities before they lead to serious operational and financial outcomes.
- Partner with external firms to develop strong control mechanisms and to improve the existing ones.
- Critically monitor the operational and financial systems and operations to ensure that the firm complies with the set policies, procedures, regulations, and laws.
These recommendations suit ExxonMobil because they will make the firm's operations effective and efficient by reducing the risk of attack by hackers.
At the same time, the firm's heightened information systems awareness will also help prevent other risks to which it may be exposed in its normal operations.
These recommendations will thus ensure that the firm realises its set operational goals and objectives and hence remains profitable and sustainable in the short run and in the long run.
References
Cohen, W and Levinthal, D, 2010, ‘Absorptive capacity: a new perspective on learning and innovation’, Administrative Science Quarterly, Vol. 35 No. 1, pp. 128-52.
Douglas, D, 2006, ‘Intransitivities of managerial decisions: a grounded theory case’, Management Decision, Vol. 44 No. 2, pp. 259-75.
Eisenhardt, K, 2009, ‘Building theories from case study research’, Academy of Management Review, Vol. 14 No. 4, pp. 532-50.
Fischhoff, B., Watson, S. and Hope, C, 2014, ‘Defining risk’, Policy Sciences, Vol. 17, pp. 123-39.
Grant, R, 2009, ‘Toward a knowledge-based theory of the firm’, Strategic Management Journal, Vol. 17, pp. 109-22.
Hall, J, 2010, Information technology audit and Assurance, Cengage Learning, New York.
Liesch, P., Steen, J., Knight, G. and Czinkota, M, 2006, ‘Problematizing the internationalization decision: terrorism-induced risk’, Management Decision, Vol. 44 No. 6, pp. 809-26.
Marshall, C., Prusak, L. and Shpilberg, D, 2011, ‘Financial risk and the need for superior knowledge management’, California Management Review, Vol. 38 No. 3, pp. 77-102.
Mischen, P and Jackson, S, 2008, ‘Connecting the dots: applying complexity theory, knowledge management and social network analysis to policy implementation’, Public Administration Quarterly, Vol. 32 No. 3, pp. 314-39.
Neef, D, 2005, ‘Managing corporate risk through better knowledge management’, The Learning Organization, Vol. 12 No. 2, pp. 112-24.
Riley, M, 2011, ‘Exxon, Shell Said to Have Been Hacked Via Chinese Servers’, BloombergBusiness. Web.
Seidl, D, 2007, ‘The dark side of knowledge’, Emergence: Complexity and Organization, Vol. 9 No. 3, pp. 16-29.
Sherif, K, 2006, ‘An adaptive strategy for managing knowledge in organizations’, Journal of Knowledge Management, Vol. 10 No. 4, pp. 72-80.