Year 15 – 2002 – Part 1 – IT Audit

Many audit shops rely on IT auditors to support their use of data analytics; however, the IT audits typically focus on general and application controls.  Around this time I wrote an article for the EDPACS magazine which encouraged IT auditors to look beyond the black box – to look at how IT supports, drives, and impact business processes.  I have included below.

IT Auditors need to come out of the black box

Are you an IT auditor who takes comfort in your specialized knowledge and feels secure in assessing general and application controls – but does no more?  Then you need to wake-up to today’s business environment and step out of your comfort zone.  You also will probably need to pull the general auditor away from the safety of pure compliance audits.  The notion of the integrated auditor was usually applied to the need for the general auditor to increase his/her knowledge of IT.  Alternatively, general audit teams were encouraged to include an IT auditor to assess the IT controls.  It was a one-way street that added IT expertise to the operational audit program.

Today, we are going through yet another time of economic and organizational upheaval.  IT auditors need to look at how they are contributing to the organization’s flexibility and sustainability.  They need to ensure that information systems supporting business processes are not obstructing the very improvements in operations that they are supposed to achieve.  IT auditors need to better understand the operations of the organization and how IT contributes to their effectiveness and efficiency.

As IT becomes more and more integrated with business operations, the role of IT audit is changing, moving beyond the black box, to a role that is tied directly to the achievement of business objectives.   Business processes rely on automated systems for controls and to support efficient and effective processes.  As a result, IT risks are a part of, not separate from, business risks.  In the current market conditions, marked by rapidly changing risks and tough economic conditions, testing of IT controls by IT auditors and compliance testing by general auditors cannot separately address risks and opportunities resulting from the integration of complex technology into multiple business processes.

To add value to their organizations, IT and general auditors will need to not only identify and assess emerging risks, review the adequacy of key controls, and examine compliance with applicable laws and regulations, but also provide recommendations that improve the efficiency and effectiveness of business operations, processes and systems.   This will require IT auditors to understand the goals and objectives of the organization and the risks to the achievement of those objectives.  More specifically, IT auditors will have to determine the role IT applications play in this equation.

This is not to detract from the traditional areas of IT audit as the evaluation of general and application controls will always remain a staple of IT audit.  Traditional areas like security, data integrity, systems implementation, and business continuity will continue to be critical areas for IT audit.  Most IT auditors do not need to be reminded about the importance of protecting systems from unauthorized access – just look at the recent problems at Target, Home Depot, Sony, Lockheed Martin, Goggle’s Gmail, Sega and Le Devoir.

To be credible, IT audit must ensure it is efficient and effective itself. The first place to start is human resources.  Chief audit executives (CAEs) need to develop a talent management strategy for the internal audit function to ensure that it is capable of addressing senior management’s expectations.   To be effective the HR strategy must look at how the audit function is organized and determine if the required competencies are available to deliver value to the organization.  This means that CAEs will need to manage their talent pool; and will entail, among other tactics: optimizing the structure of the internal audit function, recruiting personnel from a wide array of backgrounds, rotating top talent into and out of internal auditing, and improving the internal-audit-career value proposition.  From an IT audit perspective, it will mean ensuring that IT auditors have competencies in operational areas, risk management, and governance, and that they have learning plans that will ensure that their knowledge and skills are kept current and extend beyond pure IT domains.

As technology continues to evolve, new opportunities and risks emerge. IT auditors, perhaps more than any other type of auditor, need to keep up with technology and its potential impact on business.  Wikipedia, social media, e-mobility, and cloud computing are but a few examples of how IT is changing and allowing organizations to interact with their employees, suppliers, and even competitors.  All of these offer opportunities but also represent heightened risks around data leakage, security and privacy; and are significant challenges for IT audit.  For instance, Cloud computing, poised to be the most transformative, technology-drive development since the emergence of the Internet, also introduces new risks such as liabilities and legal issues across multiple jurisdictions.  IT auditors cannot focus only on the technology risks and should be thinking about the complete process in order to provide advice to senior management on the risks and opportunities they present.

Chief audit executives will also need to improve the overall efficiency of both the functioning of the internal audit organization, and the performance of individual audits.  There will be pressures to demonstrate that audit is not only doing the right thing, but also doing it efficiently and in a manner that is as unobtrusive as possible and that does not detract management from their operational duties.

One approach to being more efficient and less obtrusive in today’s highly automated business environment is to use data analysis and technology-enabled audit techniques that will allow full testing of controls while having a minimum impact on operations and personnel.  Auditors themselves will also need to audit smarter – with audit organizations making more efficient and effective use of technology.  Studies have shown that data analytic procedures are a much more cost-effective way to collect and analyze audit evidence.  For the same standard of audit evidence, a recent study (Audit Director Round Table) has shown that analytic procedures cost $0.01 compared to $4.00, when performed manually. Data analysis can also be more effective. For example, using detailed analytics to remotely plan offsite audits can not only shorten audit durations but also increase audit coverage.

IT auditors can play an important role in helping the internal audit function embrace data analysis tools and techniques as general auditors often lack the skill set necessary to make effective use of technology enabled tools and techniques and  break down the numerous barriers to the use of data analytics, including problems accessing the data; a lack of extraction and analysis tools; a lack of skills and knowledge; a lack of methodology or approach; and a failure to integrate analysis techniques in all phases of the audit.  Even audit functions that are employing data analysis techniques are often at the most basic level – only performing queries or analysis to support individual or specific audits.  At this level the use of analytics is often adhoc and limited to a few individuals.  IT auditors can help the organization mature in its use of analytics to where data analysis supports every phase of all audits and is used to continuous identify and assess risks and key controls.

Continued next week.

Leave a comment