Year 15 – 2002 – Part 2 – IT Audit

Second part of article on making IT Audits more effective and value-added ….

The next area that will need to be address by CAEs is ensuring that risk-based audit plans are relevant and that selected audits provide maximum value to senior management.  Today’s business environment changes rapidly to adjust to market conditions, evolving legislation and economic forces; and the risk-based audit plan must keep pace with this rapid change if it is to properly identify and assess emerging risks that can impact the achievement of business objectives.

ISACA standards state that appropriate risk assessments approach should be used when developing the overall IS audit plan.  Risk should also guide IT auditors in determining priorities for the allocation of resources to provide assurance regarding the state of the IT control processes.  This means that risk should drive the IT audit plan and the focus of IT audit resources.  IT audit should use a top-down approach that starts with the identification of the business objectives.  The next step should be the identification of the key controls required, in both the application system and the business process, to provide assurance for the business objectives.  Finally, IT audit should identify the applications where the IT controls need to be tested in order to focus IT audit effort where it is needed most.

IT audit plans also need to lay the groundwork for integrating IT audit expertise within non-IT auditor to ensure that the risks associated with the IT systems are considered when assessing the overall risk in a business process.  Conversely, you should also be looking at the risks in the business processes and determining the IT controls that are mitigating these risks.

Continue reading Year 15 – 2002 – Part 2 – IT Audit

Year 15 – 2002 – Part 1 – IT Audit

Many audit shops rely on IT auditors to support their use of data analytics; however, the IT audits typically focus on general and application controls.  Around this time I wrote an article for the EDPACS magazine which encouraged IT auditors to look beyond the black box – to look at how IT supports, drives, and impact business processes.  I have included below.

IT Auditors need to come out of the black box

Are you an IT auditor who takes comfort in your specialized knowledge and feels secure in assessing general and application controls – but does no more?  Then you need to wake-up to today’s business environment and step out of your comfort zone.  You also will probably need to pull the general auditor away from the safety of pure compliance audits.  The notion of the integrated auditor was usually applied to the need for the general auditor to increase his/her knowledge of IT.  Alternatively, general audit teams were encouraged to include an IT auditor to assess the IT controls.  It was a one-way street that added IT expertise to the operational audit program.

Today, we are going through yet another time of economic and organizational upheaval.  IT auditors need to look at how they are contributing to the organization’s flexibility and sustainability.  They need to ensure that information systems supporting business processes are not obstructing the very improvements in operations that they are supposed to achieve.  IT auditors need to better understand the operations of the organization and how IT contributes to their effectiveness and efficiency.

As IT becomes more and more integrated with business operations, the role of IT audit is changing, moving beyond the black box, to a role that is tied directly to the achievement of business objectives.   Business processes rely on automated systems for controls and to support efficient and effective processes.  As a result, IT risks are a part of, not separate from, business risks.  In the current market conditions, marked by rapidly changing risks and tough economic conditions, testing of IT controls by IT auditors and compliance testing by general auditors cannot separately address risks and opportunities resulting from the integration of complex technology into multiple business processes.

Continue reading Year 15 – 2002 – Part 1 – IT Audit

Year 14 – 2001 – Fraud Analytics – part 2

The “Big one that got Away” – involved hundreds of millions of dollars in contracts for hardware and software maintenance over ten years.  I ran a couple of tests to highlight red flags related to fraud risks and identified the fraudster a couple of times – but didn’t pursue the issue enough to uncover the fraud.

The first red flag was identified when I performed an audit to determine if we had employees who were also contractors.  This test identified a contracting officer (Paul).  When his manager was asked whether Paul (the employee) had declared that he was also serving as a contractor we were told that our test was inaccurate because Paul was not an employee.  We pointed out that for ten years Paul was: on the organization chart; had employees reporting to him; had an office and phone; had contracting authority and was responsible for a budget.  If he was not an employee then this was an employer-employee relationship which was against policy and a serious risk.  The manager said “not to worry, we will hire him” and did so.  I was told to close the file on the issue.  Strike One.

Later that year, I was purchasing 20 laptops for the audit department.  The contract went to Paul for approval and he called me.  He was combining a bunch of purchase and trying to get a bulk purchase discount and wanted to know if I was willing to include my laptops in the package.  I agreed as long as I got the same quality for the price.  When the laptops arrived they were lower CPU speeds and cost more than what it would have cost me for the better laptops.  I called Paul and complained, but he rationalized the purchase by saying that we did really well on the desktop computers and had to give a bit on the laptops.  I wrote an email to his manager and received an answer that was identical to the verbal response from Paul (obviously Paul had told his manager how to respond – maybe even wrote it for him).  I checked to see if the contractor who supplied the laptops was the same one Paul used to work for – it wasn’t.  (Later I learned that I had not dug deep enough – the firm who delivered on the bulk purchase was a subsidiary of the firm Paul had worked for.)  I was told to drop the issue since apparently our company had done well on the bulk purchase overall.  We never actually verified that we had saved on the bulk purchase.  Swing and a miss – strike two.

Continue reading Year 14 – 2001 – Fraud Analytics – part 2

Year 14 – 2001 – Fraud Analytics – part 1

After my year of consulting in numerous private sector companies I felt that my experience not only with ACL, but also with risk assessment and fraud risk assessment in particular had grown.  While ACL’s basic command set was powerful, there were a number of techniques that I had used specifically for fraud that were not (at this time) included in the basic ACL command set.  They required the use of ACL scripts and since the ACL programming language and was beyond most basic users of ACL, I thought that a book which contained not only case studies and the scripts, but an explanation of how each script worked would be useful to the ACL user community.  While not originally designed as such, it was used by many people as a self study course on ACL scripting.  Once again the book was well received – with many expert users praising it for helping them to improve their own ACL skills when they were beginners.

I would like to think that the toolkit, originally published by ACL in 2001, encouraged them to expand the command set available in ACL.  The scripts included a number of functionalities that would later be added to ACL’s basic command set such as Crosstab (added 2010), Benford analysis (added 2010), Frequency of numeric value (added 2015), and Min/Max ratio (added 2015).  (Note: some of the dates may be incorrect – hard to remember exact versions when ACL commands were added, but it was years after the toolkit was developed.)  So, much to my surprise, I was a thought leader in the analytics space.

The toolkit, now called “Fraud Analysis Techniques using ACL” is still being published and used.  In the latest addition published by John Wiley and Sons, I added a self-study course on ACL scripting – complete with data, exercises and solutions as well as some generic scripts that perform useful function such as “unbucket” and “flatten” a data file.  The notion of providing standard useful scripts has also been adopted by ACL in their Script Hub (in 2012) – so again I was ahead of the curve in providing functionality to users.

Continue reading Year 14 – 2001 – Fraud Analytics – part 1