Good IT Auditor: Sit, Stay, Understand?
For many companies, the end of the calendar year signals the beginning of the audit season. A review of an organization's information technology is an integral part of this effort. The goal of the IT audit is to ensure that the IT infrastructure, supporting controls, policies and procedures provide security, maintain data integrity and adequately support the organization's goals and objectives. Ultimately, the audit process provides confidence to stakeholders, including shareholders, banks, and regulatory authorities.
IT audit processes will be familiar to anyone with experience in financial auditing and include planning, a review of controls, evidence collection, and reporting. The IT audit planning phase includes identification of all the elements to be evaluated and the potential material impact of these elements on the organization’s ability to achieve its goals. Control evaluation includes a review of systems security policies, reconciliation processes and methods to ensure data integrity. Evidence collection might include sampling of system data, actual observation of transactions, or systems monitoring.
While the principles behind the IT audit are sound, the execution is often poor. To support the demands of the IT audit process, audit firms employ staff specifically knowledgeable and certified in information systems audit and control best practices. Unfortunately, IT auditors are usually schooled only in general audit practices and principles, and not in particular application technologies or platforms. In short, IT auditors understand best practices, but have little practical knowledge or experience with the specific systems being evaluated, or even with similar ones.
It has been my experience both as an IT systems auditor (I am CISA certified and worked as an IT auditor for one of the Big 4 firms for several years) and as an Operations Manager, that IT audit staff are rarely provided training on industry-specific toolsets. These toolsets are often integral to an organization's ability to conduct business, and thus are of greater materiality, and must be closely scrutinized. The IT audit framework does outline Computer Assisted Auditing Techniques for substantive testing of application and database controls. These tools, however, are also generic, and do not test underlying business assumptions – perhaps the most important component of an application. These tools are useful, but should not be relied upon to test controls of custom applications which are completely unfamiliar to the auditor.
During last year's annual audit, the IT auditor, who is CISA certified, asked that I provide test cases for him to perform control tests on our internal billing system because he did not understand the fundamental principles behind our billing system and had no previous experience with systems and processes specific to our industry. The audit firm provided equally inexperienced staff for the previous year's IT audit. This is obviously unacceptable — to me and to our shareholders, and does not meet the quality standards set by audit best practices.
An IT audit should provide benefit not only to stakeholders, but to the organization as well. Correctly performed, the audit provides an opportunity to identify and correct inefficiencies, improve product and service quality, and better service customers. To this end, it is essential that management and senior technical staff be actively involved in all aspects of the audit.
Consider the following:
- Insist on IT auditors with experience in your industry. Telecommunications billing systems, for example, require an understanding of call flow, rate planning and management, and basic networking. An IT auditor attempting to test whether a call rating engine is charging accurately would need a fundamental understanding of Call Detail Records (CDRs). Without this knowledge, the auditor would have no insight into why some calls are rejected by the switch and others by the call rating engine, and so could not tell a legitimately unbilled call from revenue leakage.
- Document all aspects of the IT audit. This means keep records of all data provided to the auditors, of all communications with the audit team and all systems documentation provided. IT systems generally do not change on an annual basis, but your audit team will! By keeping copies of information provided for previous audits, internal management can expedite the new audit team education process. Keep in mind as well that you are paying for the new audit team to learn about your systems. This type of documentation can help reduce audit costs. Types of documentation might include: network diagrams, application and process flow models, database schema, systems documentation, change logs, reports, records of system errors and evidence of regular maintenance.
- Actively participate in the planning process. Operations Management should review the list of all systems, processes, interconnects, procedures, and policies to be audited. Elements that have changed since previous audits need to be noted and explained to the audit team. As part of the planning and risk assessment process, the auditors should present the controls that will be tested and the methods that will be used to test them. This plan must directly pertain to the organization's IT infrastructure and supporting environment.
- Dedicate knowledgeable internal IT resources for assisting with the audit. These resources should be familiar with all aspects of the IT infrastructure and environment. Their purpose is to expedite the audit process and ensure that all items covered on the IT audit plan are executed and tested as planned.
- Assess the audit. Provide a copy of the IT audit report to operations and functional managers. This enables management to fully understand and redress issues outlined in the report, as well as review accuracy and ensure completeness. Discuss specific technical issues and assumptions with the staff responsible for managing the system or process.
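The call-rating control test mentioned in the first item above is the kind of substantive test an auditor who understands CDRs would actually run: re-rate a sample of switch records independently, compare the result with the invoice, and separate switch rejections from rating-engine rejections. The following is an added example written for this page, not code from the original post or from any real billing product. The CDR layout, the rate plan (longest-prefix match, per-destination billing increment), the sample records and the invoice amounts are all constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from math import ceil


@dataclass(frozen=True)
class CDR:
    """Minimal Call Detail Record as constructed for this example."""
    call_id: str
    callee: str         # dialled number in international format, no '+'
    duration_s: int     # connected seconds as recorded by the switch
    switch_status: str  # "COMPLETED" or the switch's reject code


# Constructed rate plan: longest matching prefix wins.
# value = (price per minute, billing increment in seconds)
RATE_PLAN = {
    "1":  (Decimal("0.02"), 60),  # NANP, billed per whole minute
    "44": (Decimal("0.05"), 6),   # UK, billed in 6-second increments
    "33": (Decimal("0.06"), 1),   # France, billed per second
}
CENT = Decimal("0.01")


def match_prefix(number: str):
    """Return the longest rate-plan prefix matching number, or None."""
    best = None
    for prefix in RATE_PLAN:
        if number.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    return best


def rerate(cdr: CDR):
    """Independently recompute the charge for one CDR.

    Returns (charge, reject_reason). A call the switch rejected never connected
    and carries no charge; a completed call with no matching rate is a
    rating-engine rejection, a different failure that is reported as such.
    """
    if cdr.switch_status != "COMPLETED":
        return Decimal("0.00"), f"SWITCH_REJECT:{cdr.switch_status}"
    prefix = match_prefix(cdr.callee)
    if prefix is None:
        return Decimal("0.00"), "RATING_REJECT:NO_RATE"
    if cdr.duration_s <= 0:
        return Decimal("0.00"), "RATING_REJECT:ZERO_DURATION"
    rate, increment = RATE_PLAN[prefix]
    billable_s = ceil(cdr.duration_s / increment) * increment  # round up to increment
    charge = (rate * billable_s / Decimal(60)).quantize(CENT, rounding=ROUND_HALF_UP)
    return charge, None


def audit(cdrs, billed):
    """Compare re-rated charges against what the billing system invoiced.

    billed: dict call_id -> Decimal amount on the invoice (absent = not billed).
    Returns a sorted list of (call_id, finding); an empty list means no exceptions.
    """
    findings = []
    seen = set()
    for cdr in cdrs:
        seen.add(cdr.call_id)
        expected, reason = rerate(cdr)
        actual = billed.get(cdr.call_id)
        if reason and actual not in (None, Decimal("0.00")):
            findings.append((cdr.call_id, f"BILLED_REJECTED_CALL:{reason}:{actual}"))
        elif reason and reason.startswith("RATING_REJECT"):
            findings.append((cdr.call_id, f"UNRATED:{reason}"))  # possible revenue leakage
        elif reason is None and actual is None:
            findings.append((cdr.call_id, f"COMPLETED_NOT_BILLED:expected={expected}"))
        elif reason is None and actual != expected:
            findings.append((cdr.call_id, f"MISMATCH:expected={expected}:billed={actual}"))
    for call_id in billed:
        if call_id not in seen:
            findings.append((call_id, "BILLED_WITHOUT_CDR"))
    return sorted(findings)


# Constructed sample: records from the switch and the matching invoice lines.
SAMPLE_CDRS = [
    CDR("c1", "12125551234", 95, "COMPLETED"),    # 95 s -> 2 whole min -> 0.04
    CDR("c2", "442071234567", 95, "COMPLETED"),   # 95 s -> 96 s -> 1.6 min -> 0.08
    CDR("c3", "33123456789", 10, "COMPLETED"),    # 10 s -> 0.01
    CDR("c4", "12125550000", 0, "NO_ROUTE"),      # rejected by the switch
    CDR("c5", "4912345678", 120, "COMPLETED"),    # no rate for prefix 49: rating reject
]
SAMPLE_BILLED = {
    "c1": Decimal("0.04"),
    "c2": Decimal("0.10"),  # overcharged: engine rounded to whole minutes
    "c4": Decimal("0.02"),  # a switch-rejected call was billed
    "c9": Decimal("0.50"),  # invoice line with no CDR behind it
}
# c3 is absent from the invoice: completed but never billed.

if __name__ == "__main__":
    for call_id, finding in audit(SAMPLE_CDRS, SAMPLE_BILLED):
        print(call_id, finding)
```

Each finding category maps to a different control: a `MISMATCH` points at the rate table or rounding logic, `BILLED_REJECTED_CALL` and `BILLED_WITHOUT_CDR` at the integrity of the feed from switch to billing, and `UNRATED` or `COMPLETED_NOT_BILLED` at completeness (revenue leakage). An auditor who cannot tell a switch rejection from a rating rejection would lump the last three together and miss the point of the test.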
Finally, at the close of the process, update the IT audit documentation file. Review internal issues associated with the audit. For example, was the audit staff knowledgeable in your industry? What specific systems or controls should have been more closely evaluated, and why? Did staff spend too much time focusing on a particular system or process? What was the result of this effort? By being proactive, the IT audit process can be executed quickly and provide substantial value to the internal departments responsible for the organization's IT.
For additional information on IT Governance, visit the Information Systems Audit and Control Association (ISACA).