Year 15 – 2002 – Part 2 – IT Audit

Second part of an article on making IT audits more effective and value-added ….

The next area that will need to be addressed by CAEs is ensuring that risk-based audit plans are relevant and that selected audits provide maximum value to senior management.  Today’s business environment changes rapidly to adjust to market conditions, evolving legislation and economic forces, and the risk-based audit plan must keep pace with this rapid change if it is to properly identify and assess emerging risks that can impact the achievement of business objectives.

ISACA standards state that an appropriate risk assessment approach should be used when developing the overall IS audit plan.  Risk should also guide IT auditors in determining priorities for the allocation of resources to provide assurance regarding the state of the IT control processes.  This means that risk should drive the IT audit plan and the focus of IT audit resources.  IT audit should use a top-down approach that starts with the identification of the business objectives.  The next step should be the identification of the key controls required, in both the application system and the business process, to provide assurance for the business objectives.  Finally, IT audit should identify the applications where the IT controls need to be tested in order to focus IT audit effort where it is needed most.

IT audit plans also need to lay the groundwork for integrating IT audit expertise with non-IT auditors to ensure that the risks associated with the IT systems are considered when assessing the overall risk in a business process.  Conversely, you should also be looking at the risks in the business processes and determining the IT controls that are mitigating these risks.

Aside from being guided by risk considerations in planning its own activities, internal audit plays a role in the organization’s risk management process.  During times of constraint and fundamental changes in the economic landscape, management should question the effectiveness of even the most mature risk management frameworks and call upon internal audit to play a larger role in organization-wide risk management efforts.

For example, in areas where there are new programs or activities, IT audit should be involved in the initial stages to help management establish a strong system of internal controls.  Audit could also help ensure projects are on the right track by evaluating project management structures, governance procedures, project risk assessments and issue resolution processes; and by assessing processes for tracking and reporting key project data and performing tests for data integrity.  IT audit must also continue to conduct systems-under-development audits.  Pre- and post-implementation work in this area can include ensuring the manual and automated controls adequately support the planned business processes; assessing modifications to current business processes and the control environment; evaluating the project risk and the project management capabilities; evaluating the system security, backup and recovery, and segregation of duties plans; and examining the plans for data conversion, system tests, and data integrity.

Two areas where IT audit must step up to the plate are: internal IT controls over financial reporting and the efficiency and effectiveness of business operations.

IT control is hardly a new concept. What is new is the unprecedented scrutiny around financial management including the heightened demand for accountability, especially during times of constraint.  Financial scandals and frauds of recent years have created a public wariness and have been the catalyst for changes in the financial control environment.   Financial information produced by industry and government is relied upon by many different stakeholders.  Given the technological advances of recent years, that information is available sooner, in more detail, and to a bigger audience than could have possibly been imagined even a decade ago.  Information must be reliable, or the credibility of the organization is forever damaged. The internet has a very long memory.

However, there is a price tag attached to every control, and that price has to be considered relative to the benefit that can be realized from implementing the control.  When looking at internal control over financial reporting, there are often a variety of systems, such as the pay, inventory, HR, and special purpose systems, interfacing with the financial system.  The question that arises is: to what extent do the IT controls in these other systems need to be assessed when examining the internal control over financial reporting?  The first part of the answer lies in the identification of the significant financial accounts and the IT applications supporting these accounts.  The second part is the assessment of the IT general control process risks which affect the critical IT functionality of these applications and the data which will feed the financial system.  IT auditors need to keep these principles in mind when considering the testing of internal controls that support reliable financial reporting.

In times of economic constraint, you should also include steps in your audit programs to not only test compliance and the adequacy and effectiveness of the controls, but also to determine if the IT systems are reliable and if improvements in the systems could bring benefits to the business process.  For example, the IT controls in the Procurement-to-Payment process not only help to ensure compliance with contracting and payment regulations and the safeguarding of assets, but they also support the Procurement-to-Payment process itself.  Control weaknesses in the application system could result in increased costs, fraud, and general inefficiencies in the business process; and improvements in the application controls, such as an automated 3-way matching of orders, receipts, and payments, can support a more efficient and effective procurement-to-payment process.
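To make the 3-way matching control concrete, here is an added example (not code from the article) of the logic an application control of that kind implements: each vendor invoice is released for payment only when it references a purchase order from the same vendor, the quantity billed does not exceed the quantity received and not yet invoiced against that order, and the unit price agrees with the order within a tolerance. Duplicate invoice numbers are held as well. The record layouts, field names, tolerance and sample documents are all constructed for illustration; the weaknesses the article describes (over-billing, duplicate payment, payment without an order) show up as the held invoices.

```python
"""Automated three-way match: purchase order vs. goods receipt vs. vendor invoice.

Added example, not from the article.  Record layouts and sample data are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor: str
    qty: int
    unit_price: float


@dataclass(frozen=True)
class GoodsReceipt:
    receipt_id: str
    po_id: str
    qty: int


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po_id: str
    vendor: str
    qty: int
    unit_price: float


def three_way_match(orders, receipts, invoices, price_tolerance=0.01):
    """Return [(invoice_id, [exception, ...]), ...] in invoice order.

    An invoice with an empty exception list passed the match and is releasable
    for payment; any other invoice is held for review.  Quantities that pass are
    consumed against the order so a second invoice cannot bill the same receipt.
    """
    po_by_id = {po.po_id: po for po in orders}
    received = defaultdict(int)           # quantity received per purchase order
    for r in receipts:
        received[r.po_id] += r.qty

    matched_qty = defaultdict(int)        # quantity already released per order
    seen_invoice_ids = set()
    results = []

    for inv in invoices:
        problems = []
        if inv.invoice_id in seen_invoice_ids:
            problems.append("duplicate invoice number")
        seen_invoice_ids.add(inv.invoice_id)

        po = po_by_id.get(inv.po_id)
        if po is None:
            problems.append("no purchase order on file")
        else:
            if po.vendor != inv.vendor:
                problems.append("vendor differs from purchase order")
            available = received[inv.po_id] - matched_qty[inv.po_id]
            if inv.qty > available:
                problems.append(f"quantity billed {inv.qty} exceeds unmatched receipts {available}")
            if abs(inv.unit_price - po.unit_price) > price_tolerance:
                problems.append(f"unit price {inv.unit_price} differs from PO price {po.unit_price}")

        if not problems:
            matched_qty[inv.po_id] += inv.qty
        results.append((inv.invoice_id, problems))
    return results


def releasable(results):
    """Invoice numbers that passed the match and may be paid."""
    return [inv_id for inv_id, problems in results if not problems]


# Constructed sample documents (not real data).
SAMPLE_ORDERS = [
    PurchaseOrder("PO-1001", "ACME", qty=100, unit_price=5.00),
    PurchaseOrder("PO-1002", "ACME", qty=10, unit_price=250.00),
]
SAMPLE_RECEIPTS = [
    GoodsReceipt("GR-1", "PO-1001", qty=60),
    GoodsReceipt("GR-2", "PO-1001", qty=40),
    GoodsReceipt("GR-3", "PO-1002", qty=10),
]
SAMPLE_INVOICES = [
    Invoice("INV-A", "PO-1001", "ACME", qty=60, unit_price=5.00),   # clean
    Invoice("INV-B", "PO-1001", "ACME", qty=50, unit_price=5.00),   # only 40 left to bill
    Invoice("INV-C", "PO-1002", "ACME", qty=10, unit_price=275.00), # price above order
    Invoice("INV-A", "PO-1001", "ACME", qty=60, unit_price=5.00),   # submitted twice
    Invoice("INV-D", "PO-9999", "ACME", qty=1, unit_price=9.99),    # no order exists
]

if __name__ == "__main__":
    for inv_id, problems in three_way_match(SAMPLE_ORDERS, SAMPLE_RECEIPTS, SAMPLE_INVOICES):
        print(inv_id, "RELEASE" if not problems else "HOLD: " + "; ".join(problems))
```

The same routine serves an auditor as a substantive test: run over a period's actual invoices, orders and receipts, the held list is the population of payments the application control should have stopped, and any of them that were in fact paid are the control exceptions to report.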

I would like to stress that it is important to consider not only control weaknesses, but also opportunities to streamline business processes, to maximize the department’s use of technology, and to focus senior management on the areas of highest risk.

Thus, rather than simply confirming that physical inventory levels match what is recorded in the system, inventory audits should also examine the efficiency of the inventory management system and the adequacy of the IT controls.  This will require IT auditors to work closely with the general auditors.

For example, one such inventory audit identified a failure to configure automatic re-order functionality that resulted in inventory clerks having to manually process reorder requests.  It also identified obsolete inventory that was taking up valuable warehouse space and causing delays in getting parts to equipment that needed critical repairs.  Finally, it identified economic reorder quantities that had not been updated to reflect current usage and purchase requirements.  Recommendations included the enhancement of the system’s reporting capabilities to support the identification and removal of obsolete inventory, and the proper configuration of economic re-order quantities and automatic reordering functionality.  These resulted in significant improvements to the inventory management system.  So, rather than simply counting and confirming the number of items in inventory, the inclusion of IT audit objectives resulted in recommendations that reduced storage requirements and inventory management costs; that improved the management of information to support decision-making; and that contributed to increased efficiencies in the inventory systems.  The audit saved the organization hundreds of millions of dollars and was much more valuable than if all it had done was to tell management that 14 widgets were missing.
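The three findings above are all configuration and data conditions that can be tested directly from an extract of the item master, which is the kind of reporting capability the audit recommended. The following is an added example (not code from the article or from any particular inventory system) that flags items sitting below their reorder point with automatic reordering switched off, items with no issues for a long period as candidate obsolete stock, and configured order quantities that have drifted from the economic order quantity implied by current usage. The item layout, the ordering and holding cost figures, the obsolescence window and the drift tolerance are all constructed assumptions; the EOQ is the standard sqrt(2DS/H) formula.

```python
"""Inventory control-configuration checks of the kind the inventory audit describes.

Added example, not from the article.  Item records, usage figures, ordering
cost and holding cost are all constructed for illustration.
"""
import math
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Item:
    sku: str
    on_hand: int
    reorder_point: int
    reorder_qty: int        # order quantity configured in the system
    auto_reorder: bool      # does the system raise the requisition itself?
    annual_demand: int      # units issued over the last 12 months
    last_issue: date        # date of the most recent issue from stock


def economic_order_quantity(annual_demand, order_cost, holding_cost_per_unit):
    """Classic EOQ: sqrt(2 * D * S / H), rounded to whole units."""
    if annual_demand <= 0 or holding_cost_per_unit <= 0:
        return 0
    return round(math.sqrt(2 * annual_demand * order_cost / holding_cost_per_unit))


def review_inventory(items, as_of, order_cost, holding_cost_per_unit,
                     obsolete_after_days=365, eoq_tolerance=0.25):
    """Return {sku: [finding, ...]} for items with at least one finding."""
    findings = {}
    for it in items:
        notes = []
        # Finding 1: stock needs reordering but the system will not do it itself.
        if it.on_hand <= it.reorder_point and not it.auto_reorder:
            notes.append("below reorder point but automatic reorder disabled")
        # Finding 2: stock on hand that nobody has drawn for a long time.
        idle_days = (as_of - it.last_issue).days
        if it.on_hand > 0 and idle_days > obsolete_after_days:
            notes.append(f"no issues for {idle_days} days: candidate obsolete stock")
        # Finding 3: configured order quantity no longer reflects current usage.
        eoq = economic_order_quantity(it.annual_demand, order_cost, holding_cost_per_unit)
        if eoq and abs(it.reorder_qty - eoq) > eoq_tolerance * eoq:
            notes.append(f"configured order qty {it.reorder_qty} vs. EOQ {eoq} from current usage")
        if notes:
            findings[it.sku] = notes
    return findings


# Constructed sample extract (not real data).
AS_OF = date(2002, 6, 30)
ORDER_COST = 50.0            # assumed cost of placing one order
HOLDING_COST = 2.0           # assumed annual holding cost per unit
SAMPLE_ITEMS = [
    Item("BRG-100", on_hand=5, reorder_point=20, reorder_qty=100, auto_reorder=False,
         annual_demand=1000, last_issue=date(2002, 5, 30)),
    Item("GSK-200", on_hand=400, reorder_point=10, reorder_qty=50, auto_reorder=True,
         annual_demand=0, last_issue=date(2000, 1, 15)),
    Item("FLT-300", on_hand=60, reorder_point=30, reorder_qty=220, auto_reorder=True,
         annual_demand=1000, last_issue=date(2002, 6, 20)),
]

if __name__ == "__main__":
    for sku, notes in review_inventory(SAMPLE_ITEMS, AS_OF, ORDER_COST, HOLDING_COST).items():
        print(sku)
        for note in notes:
            print("   -", note)
```

Run against the full item master, the output is a worklist rather than a count: each line points at a configuration to correct or a stock line to dispose of, which is the difference the article draws between counting widgets and improving the system.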

Lesson Learned:  Internal audit cannot ignore the changing economic and business environment.  In particular, this means that we must keep a close watch on the IT environment and associated risks.  In the mid-1990s the notion of the “integrated auditor” was promoted.  These were meant to be auditors that could do everything: finance, HR, operations and IT.  Given the complexity of auditing in general, this was an unrealistic expectation.  Instead we have arrived at the idea of the “integrated audit team”, where the combination of the skills and experience of the team members is sufficient to cover all the audit requirements.  However, this can mean that the individual team members’ skills are widely divergent and that, without proper team management, they may work in silos.  Team leaders need to ensure that IT auditors work closely with non-IT auditors.

In addition, chief audit executives must ensure that IT audit objectives are considered when the risk-based audit plan is developed, and that the IT functionality and controls support the business processes and objectives of the department.  This is critical, not only for the reliability of information for financial reporting but also for the information that supports decision-making.  Therefore, I encourage you to take a broad view of IT audit, one that examines the risks to the business process, the IT controls that will mitigate these risks, and opportunities to improve business processes.  Then we will have truly integrated teams that bring a unique set of skills to bear on all audits.
