IT audit course: Information System Auditing

March 3, 2008

INFORMATION SYSTEMS AUDITING

Effective management of information and related Information Technology (IT) has become of critical importance to the survival and long-term success of any organization. This has arisen because of the increasing dependence on information and the associated systems that deliver this information, together with the costs and size of future use of IT. As a result, management has a heightened expectation of delivery from IT functions and demands improved quality with a decreased delivery time and improved service levels at reduced costs. In addition, the increasing potential for threats such as information warfare or cyber terrorism has added a new awareness. At the same time, the potential for technology to revolutionize organizations and their business practices creates new business opportunities and offers the potential to massively reduce costs.

IS Audit has traditionally been based upon the paradigms that control = management control, that management control starts with governance, that top management can control everything, and that control is imposed.

Today’s business environment suggests that a more appropriate re-engineered paradigm might be that continuous improvement focuses control with owners of the process.

The role of IS Audit must change to reflect this new reality. That IS Audit is ultimately responsible to the organization will not change; however, the owners of the process are becoming the custodians of internal control and not necessarily traditional management structures.

IS Auditors frequently become experts at describing the best design and implementation of all types of controls. IS Auditors are not, however, expected to equal—let alone exceed—the technical and operational expertise pertaining to the various activities of the organization. Nevertheless, they may help the responsible individuals achieve more effective results by appraising the existing controls and providing a basis for helping to improve those controls.

MANAGEMENT PROCESS

The management process begins with an understanding of the organization’s business. Until this is achieved, any attempt to determine organizational need will be at best misleading and at worst disastrous. Once the overall objectives and environment of the business have been established, establishing the needs becomes a comparatively easy task. The organization’s needs may be determined by identifying and examining the key activities whose effective performance can make or break the organization. These key activities must themselves be monitored and therefore ambitious performance objectives must be established early in the planning process. For every performance objective there will be a range of threats which, if fulfilled, will either reduce the effectiveness or totally negate the objective. These must be assessed in a formal risk assessment to determine the appropriate corporate coping strategy. The coping or control strategies must be determined by management and the appropriate controls themselves selected. The actual controls must be implemented and monitored and there should exist controls to ensure this happens. Controls, once implemented, must be effective in performance and periodically management must evaluate and review performance with this in mind.

UNDERSTANDING THE ORGANIZATION’S BUSINESS

This is a combination of a theoretical approach utilizing literature searches on the organization and its functions in the business press, if possible, combined with a reading of annual reports in order to obtain the whole picture.

This theory will be combined with a more practical approach involving interviewing staff in order to both evaluate their understanding of the business as well as to confirm the auditor’s understanding. Site visits to observe the operation of specific business functions will also assist. Further information and confirmation may be derived by comparing the current understandings to those in effect during previous reviews.

ESTABLISHING THE NEEDS

Once the overall objectives and environment of the business have been established, the overall needs must be determined. A study of the organizational mission statement permits the general performance objectives to be derived. Management should have established strategic plans and objectives in order to ensure these are achieved. By interviewing executive management, employees, and perhaps even customers and suppliers, the business needs for the successful accomplishment of the objectives may be determined.

IDENTIFYING KEY ACTIVITIES

The major products and services provided to meet the business objectives need to be identified. Once again this will involve determining the level of management's understanding of customer needs and sizes, the competition and their probable response patterns, as well as their understanding of which are their own key performance areas (KPAs). The KPAs are those activities that will make or break the organization.

ESTABLISH PERFORMANCE OBJECTIVES

For each KPA, Performance Objectives must be established. This involves seeking core activity targets that are both achievable and stretching. Key Performance Indicators (KPIs) will be required to measure performance appropriately. The risks and threats that could lead to non/under-achievement must be assessed including both external and internal threats.

DECIDE THE CONTROL STRATEGIES

Once the full risk analysis is complete, management is in a position to decide what activities must be ensured, which risks must be managed, and which transferred. This, in turn, will dictate which risks can be cost-effectively prevented, which must be detected, and how a materialized risk can be corrected.

Business risks must be prioritized and trade-offs will be required because control measures are commonly contradictory, so that efficiency may be traded off against effectiveness.

IMPLEMENT AND MONITOR THE CONTROLS

For controls to be effective they must be monitored; wishing them into existence will not make them so. Controls result from the planned and thoughtful intervention of management to achieve a specific end.

Monitoring may take several forms including self-assessment, the use of regular audits, and the introduction of continuous improvement programs. Controls must be frequently reviewed for ongoing relevance as well as for their effectiveness and must be modified and adapted where required.

EXECUTIVE MANAGEMENT’S RESPONSIBILITY AND CORPORATE GOVERNANCE

Corporate Governance may be defined as the relationship among various participants in determining the direction and performance of companies and includes:

  • Shareholders
  • Management
  • Board of Directors
  • Employees

Under this definition, the objectives of a corporation may be further defined as including the attainment of human satisfaction in a social structure. Efficiency and effectiveness, flexibility, and continuity then form a significant part of fulfilling a corporation’s objectives.

Management then becomes the link between the providers of capital (owners and shareholders) and the users of capital (operational or functional management). Reviewing and approving financial and operating objectives is normally carried out by executive management. They will also offer advice to general management, recommend board candidates, and review the adequacy of internal controls.

AUDIT ROLE

Auditing may take the form of IS, internal, external, and public sector auditing. Internal auditing examines the adequacy and effectiveness of the management system of internal control. The role of the external auditor is primarily one of ensuring the fairness of representation of the financial accounts of the entity audited. Within the public sector, much auditing is aimed at ensuring the effectiveness and efficiency of management processes in order to ensure service delivery. IS Auditing may be used in any of the other areas.

The auditing process is also designed to determine where to audit as well as what to audit, and may use any and all of:

  • Control Strategy Assessment
  • Control Adequacy and Effectiveness
  • Performance Quality Assessment
  • Unit Performance Reporting
  • Following Up

Overall the standards of audit performance must be up to a professional level. For IS Audit, this typically means to a level laid down in the ISACA standards.

CONCEPTUAL FOUNDATION

The Conceptual Foundation is provided by implementing a structured Risk Analysis. This involves the assessment of the risk of expressing an incorrect audit opinion that comprises both the risk of audit misstatement as well as the risk of failure to discover. In addition, this includes the evaluation of business risk that comprises risks to both the auditee as well as to third parties.

PROFESSIONALISM WITHIN THE IS AUDITING FUNCTION

IS Auditing responsibilities include the development and implementation of a risk-based IS Audit strategy and objectives in compliance with generally accepted audit standards (GAAS) in order to provide a statement of assurance that the organization’s information technology and business processes are controlled, monitored, and assessed adequately, and are aligned with the organization’s business objectives. This would also facilitate the monitoring of the implementation of risk management and control practices within the organization.

In addition, IS Auditing involves the planning of specific audits to ensure that the IS Audit strategy and objectives are achieved and that information is obtained that is sufficient, reliable, relevant, and useful in order to achieve the audit objectives. This will typically involve the analysis of information gathered in order to identify reportable conditions and reach appropriate conclusions. IS management will be required to review the work performed in order to provide reasonable assurance that objectives have been achieved. A critical function within IS Auditing is the communication of audit results to key managers and stakeholders.


RELATIONSHIP OF INTERNAL IS AUDIT TO THE EXTERNAL AUDITOR

The external auditor is primarily responsible to the organization and all of its stakeholders. While the external auditor has a statutory responsibility to report on financial matters, IS Auditing plays a key role in achieving that statutory responsibility. As such, while IS Auditing is an integral part of an internal audit function, it must also be seen as an integrated function within the execution of the work of the independent external auditor.

RELATIONSHIP OF IS AUDIT TO OTHER COMPANY AUDIT ACTIVITIES

An understanding of the relationship between IS Auditing and other company audit activities is required in order to fully understand the nature of IS Auditing. The IS Auditor may be seen as an integral part of the IS Audit function, playing an external consultant's role, or playing an internal role that is independent of the IS Audit function.

Overall, the roles and responsibilities of the audit function typically are found within the audit charter.

AUDIT CHARTER

Charters tend to be common in approach, although individual charters are tailored to meet the unique needs of the organization for which they are designed. Because its role is to define the relationship and responsibilities that should exist between the Chief Executive, the head of IS Audit, and the line managers, it is normally seen as highly desirable that the Chief Executive takes a close interest in the drafting of the charter. In practice, many audit functions draw up their own charter and seek ratification from the Chief Executive and audit committee. In most organizations, it is commonly perceived to be the defining terms of reference for the head of the audit function and provides top management with a measure of the level of assurance regarding the reliability and quality of internal control within the organization. It also acts as a point of reference when the audit function's structure, plans, or reports are being reviewed.

To the operational managers of an organization, the charter indicates the level of authority to act that is delegated to the audit function in reviewing each of their systems of internal control over the computer and manual systems. They may expect to see constraints within the body of the document that preserve their own rights as decision makers.

CHARTER CONTENT

The form, content, and wording of the charter will normally be selected by the audit function itself. These will typically be influenced by IS Audit standards and should encourage best professional practice as defined by the appropriate professional bodies. The IS Audit charter may be an independent publication or, in the case of a formally constituted IS Audit function, be part of the IS Audit charter. The document is normally signed off by both the Chief Executive and the Chairman of the Audit Committee. The document itself would typically consist of:

  • A formal definition of IS Audit within the organization and its key objectives.
  • The authority under which the head of IS Audit acts, including the line of reporting as well as rights of access to people, properties, assets, and records.
  • Terms of reference describing, at a detailed level, the role and working objectives of the head of IS Audit.
