What do you think of IT audit and what it can achieve for your organisation?
Choose one of the following:
[a] a handicap to business performance? [b] a necessary evil? [c] a valuable service?
Few non-auditors choose '[c] a valuable service'. Yet an IT audit can work for you to help ensure your IT environment, applications and data are adequately secure, controlled and productive to give reasonable return on investment.
At a recent North London Branch event of BCS, presenters from Barclays, Ernst & Young, Gotham Digital Science, ISACA, KPMG and PwC provided insights into IT audit and how organisations can benefit.
Increasingly, organisations need assurance about the reliability, accuracy, consistency and security of their IT-dependent work environments. To provide assurance, auditors need to understand and validate the design and performance of IT-related processes and controls. This is done via IT audits.
There are various types of IT audit. Most are focused on providing assurance about IT-related risk mitigation and compliance with legal / regulatory needs. They apply a systematic approach to the evaluation of the organisation's IT-related risk management, control and governance processes. They may check quality, validity and reliability of information to / from computer systems, to assess the systems' internal controls and the security of the environment around the systems.
Internal audits (e.g. process design or operation reviews) may be performed for an organisation’s management. Internal audits should be independent, objective assurance of internal controls, designed to add value and improve the organisation's operations.
External audits (e.g. IT general controls reviews, IT application controls reviews, SAS70 readiness reviews) may be done for the organisation's shareholders, taxpayers and other stakeholders. External audits provide independent opinion on whether or not financial statements are relevant, accurate, complete, and fairly presented. Regulatory audits may also be require, for example, to check compliance with Sarbanes-Oxley needs.
Many organisations have an audit charter that defines the internal audit function's purpose, responsibility, authority and accountability - effectively a contract between management and stakeholders.
Internal audit departments prepare an 'audit universe' of areas to audit. They prioritise these areas based on risk ranking, to define which ones to do first. Audit plans are then prepared and agreed with stakeholders. Plans to audit should be shared with the management of target departments - no audit should be a surprise.
During an IT audit the auditors need to understand relevant processes, identify key controls in each process, collate evidence to test controls and thereby check that the process is working properly. Results are documented and if the control isn't working it is discussed with auditees and their management, and follow-up actions agreed. The audit report must be easy to understand with agreed statements, and not have any surprises.
Computer software tools and techniques may be used during IT audits. They may be useful, for example, where there are large volumes of data or complex calculations to analyse and report, if there are 'black box' closed systems where data processing is not transparent, when there are new or modified systems, or if interfaces between computer systems are poorly controlled.
Desktop tools used for IT audits include spreadsheets, databases and Microsoft Query. Spreadsheets are widely used and can even handle complex algorithms. Microsoft Query is powerful. These tools are inexpensive and easy-to-use for data analysis. Other software tools which can be bought include IDEA, ACL, OAK and Datanomic.
Software tools enable computer power to be used to improve the efficiency and effectiveness of auditing. They also enable 100 per cent data sampling, and quick identification of required data or unusual data.
However, there are risks associated with use of IT tools. For example, data interrogation tests data, but does not test controls. Tools are powerful but can lead to wrong conclusions, especially when used by inexperienced users. They need to be used by experts who can analyse the results accurately.
A common industry standard for IT auditing is COBIT (Control objectives for information and related technology). This best practice framework for IT management from ISACA (Information Systems Audit and Control Association) focuses on IT-related processes to plan and organise, acquire and implement, deliver and support, monitor and evaluate an organisation's IT.
COBIT scoping helps to relate IT goals to business goals, then to focus on key IT processes and resources and then on key control objectives. This shows how well the IT systems support the business, and can show progress. COBIT enables IT people and auditors to 'speak the same language' and helps organisations to benefit from IT audits. ISACA also sponsors the audit professional qualification CISA (Certified Information Systems Auditor) which is held by many IT auditors.
How can you benefit from IT audit?
To get the most out of your audits and auditors you need to understand them and work with them. Like you, the auditor is a professional who wants to make sure that your organisation is well planned, managed and controlled.
- Remember that an audit is not something that is done to you; but with you. It is effectively a business review done with you to help you.
- Treat auditors as critical friends rather than a hindrance, and consider audits as adding value for your organisation.
Early planning
The more you prepare, the less painful audits will be. Start planning and preparation for audits as early as possible or - even better - on an ongoing basis. Get involved as closely as possible in audit planning - and aim to get benefits to help you do your job better.
- Look at where the risks are in your organisation. Also consider the controls in place to mitigate the risks. Identify high risk areas (e.g. IT-related processes and functions with limited controls or high exposure) and the controls in place to mitigate risk.
- If you've had a similar audit before, refer to the data used, tests done, people involved, and results. Collate this information so it is available for easy reference. Ensure follow-up actions addressed all outstanding issues - and clarify what still needs to be done. Also identify what processes and controls have changed since the last audit. Make plans to address the gaps.
- Where you know there are limited or inadequate controls, discuss them with your management and try to address the issues before they are audited.
Before the audit
Understand who the auditors are, their scope, objectives and deliverables.
- Understand the risks and issues in your own areas, explain them to the auditors and correlate their understanding of key risks with yours.
- If there are areas you consider should be covered, agree them first with your management, then discuss with the auditors.
- Appoint a central point of contact, and confirm logistical arrangements.
- Prepare physical storage and electronic network directories ready to hold this audit’s test data and results.
During the audit
Maintain contact with your auditors. Your central point of contact will have a key role in this communication, coordinating logistics and information flow, arranging regular catch-up meetings and notification of findings, and generally ensuring the audit is on track.
After the audit
Review audit findings at the draft report stage and challenge where necessary to enable your feedback to be taken into account.
- Be positive about the findings - Don't take the outcome as personal criticism
- Prepare a plan to address any issues identified, and make sure the plan is published and implemented.
- Note and publish lessons learnt from this audit.
- Categorise and store the data and results from this audit so they are easy to access for future reference.
- Start to prepare for your next audit.
IT auditing is a fast-growing profession, with IT audits regularly performed at many organisations. IT audit is increasingly being recognised as a valuable service. Are you reaping the rewards of using audit to benefit yet?