IT Audit Course: Managing IS Auditing

March 3, 2008


ORGANIZATION OF THE FUNCTION

The dividing line between what is a computer audit function and what is a general audit function can vary significantly between audit groups. Some groups include what in other audit departments would be a computer audit function in the general audit responsibilities. There are three different views on computer audit as a discrete discipline.

The first view, and one often held by computer auditors themselves, is that any review of computer controls should be carried out by a specialist computer auditor. Therefore, as computer systems are continuing to spread and increase in complexity, the number of staff working as professional, full-time computer auditors must increase correspondingly.

The contrary view is that computer auditors and general auditors must integrate fully. Because most business systems are computer based, all auditors must be computer auditors. Extreme proponents of this view see no future for separate computer audit specialists, even for the most technical work.

Between these views is a third view, which has much to commend it. There is some benefit in some areas of audit work involving the review of computer systems being carried out by computer-literate general auditors. This includes the review of PC systems, which tend to be highly integrated into the workings of user departments, and many aspects of the review of both developing and live systems, which again benefit from a detailed knowledge of the business environment. Some straightforward file interrogations can now easily be carried out by general auditors. However, there is still a continuing and major role for specialist computer audit staff, particularly in the more technical areas of developing or live application reviews, and for mainframe computer installation and systems software reviews.

Such an organization will typically report independently to a level sufficiently high to ensure adequate authority for access. Normally it is seen as a part of internal audit and reports within that structure. The structure of IS Audit itself is largely a function of size, which determines the need for specialists as opposed to generalists; the complexity and uniqueness of the systems, as well as the extent to which packaged systems are used, will also play a part in deciding the structure.

STAFFING

Depending on the size and complexity, staffing could consist of a mix of:

  • Computer audit manager
  • Application auditors
  • Trainee auditors
  • Audit application development staff
  • Technical support

Skill levels required of the manager of such a department would include specialized skills in both conventional and computer auditing as well as the managerial skills appropriate to handle a mix of technical specialists. Knowledge of the corporation would be absolutely essential to ensure adequacy of risk coverage.

Tasks of the IS manager include the planning of the strategic direction of the section, which must take into account corporate priority setting as well as the liaison internally and externally to ensure effective IS coverage in an efficient manner. As with any line manager, the review and approval of all IS Audit work and the controlling and monitoring of the workflow are part of the normal managerial function. The staffing of the department, defining of roles, sourcing of staff and training, motivating and career planning for acquired staff are part of the normal managerial process.

Once the audit universe has been defined, it will be possible to work out the types of skill required to review the audit areas that have been identified.

Assuming a typical IS Audit coverage in a large organization, the following skills or knowledge may be required in an IS Audit department:

  • IS security and control principles.
  • Audit principles. Auditors need to understand how to plan and undertake audits, and how to document their work.
  • Good interpersonal and communications skills, both oral and written, because very complex technical information often has to be communicated in a jargon-free way.
  • Good sense of judgment, because they need to analyze complex technical and business issues, and to conclude on the security and control implications.
  • Business-specific skills; for example, a bank will benefit in application reviews if some staff have banking training.
  • Systems analysis skills, to assist in understanding computer systems, and reviewing the development process.
  • Data analysis skills, to assist the auditor in understanding the design and development process, as data analysis techniques are in widespread use.
  • Some programming skill, to assist in preparing computer assisted audit techniques (CAATs) and reviewing systems under development.
  • Computer operations experience, to help the auditor to review computer installations.
  • Networks, for the review of data communications.
  • Systems software, to assist in the review of the systems software infrastructure of the organization.
  • PCs and minicomputers. This has now become a very significant area in many organizations.

In-depth and varied skills are therefore required, and are rarely found in one individual. Many computer audit departments are thus staffed by auditors from a variety of different computing and audit backgrounds. It is management’s job to develop missing skills in the group, and bring the group together as a team. Ongoing training is essential to keep skills current in an ever-changing data processing environment.

In order to discharge their responsibility of identifying and analyzing risk in computer systems, the computer auditor must, as is the case with all auditors, be able to write reports in simple, jargon-free language. The auditor must be able to report on risk in terms that management can understand; insofar as is possible, the effect of the risk must be described in business terms for business management. While the final report of findings to management, both orally and in writing, may take only a small percentage of audit time, if it is not done professionally much of the potential benefit of the audit will be lost. Good written and oral communications skills are therefore essential.

PLANNING

Planning the computer audit function involves defining the areas of audit involvement. These could be the review of:

  • Business systems
  • Systems under development
  • IS facilities management
  • Security and recovery controls
  • Efficiency and effectiveness of IS

Of these we will focus primarily on the review of business information systems.

BUSINESS INFORMATION SYSTEMS

Reviews of business systems include audits of application systems, fraud audits, compliance audits, financial audits, operational audits, recovery audits, and systems development audits.

Auditing computer systems of any kind is a systematic process commenced by obtaining a business understanding of the system under review. From this understanding, the auditor can define the business objectives of the system and verify them with user management. The next stage would be the definition of the specific control objectives and from there the auditor may proceed to identify and evaluate critical controls/processes/apparent exposures and design the audit procedures to test the critical facets. Evaluation of the results, reporting, and follow-up complete the process.

In designing the audit procedures, the auditor is testing to obtain evidence. This means that the auditor must know what he or she is looking for. It must always be understood that not all controls need to be tested and that, to provide cost-effective auditing, the auditor should look for common controls; that is, controls that address a variety of control objectives. As individual controls are identified, the auditor should try to identify control structures or combinations of controls that serve to mitigate risk areas and should establish the degrees of control effectiveness.
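The selection of "common controls" described above, worked through as an added example (not part of the original course notes): a constructed control-to-objective coverage matrix for an order-processing review, a greedy selection of the fewest controls whose combined coverage addresses every agreed objective, and, going one step beyond the text, reporting of objectives that no candidate control addresses and of objectives resting on a single control.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample coverage matrix for an order-processing application review:
# each candidate control maps to the control objectives it addresses.
CONTROLS: Dict[str, Set[str]] = {
    "segregation of duties in order entry": {"authorization", "accuracy"},
    "input validation on order screens": {"accuracy", "completeness"},
    "daily batch totals reconciliation": {"completeness", "accuracy", "timeliness"},
    "role-based access to pricing tables": {"authorization", "confidentiality"},
    "audit trail of price overrides": {"authorization", "accountability"},
    "nightly backup of order database": {"recoverability"},
}

# Control objectives agreed with user management (constructed); "non-repudiation"
# is deliberately addressed by no control so that the gap is reported.
OBJECTIVES: List[str] = [
    "authorization", "accuracy", "completeness", "timeliness",
    "confidentiality", "accountability", "recoverability", "non-repudiation",
]


def select_common_controls(controls: Dict[str, Set[str]],
                           objectives: List[str]) -> Tuple[List[str], List[str]]:
    """Greedy set cover: repeatedly choose the control that addresses the most
    still-unaddressed objectives. Returns (controls to test, objectives that no
    candidate control addresses). Ties are broken by control name for determinism."""
    uncovered = set(objectives)
    chosen: List[str] = []
    while uncovered:
        candidates = [c for c in controls if c not in chosen]
        if not candidates:
            break
        best = min(candidates, key=lambda c: (-len(controls[c] & uncovered), c))
        if not controls[best] & uncovered:
            break  # nothing left addresses the remaining objectives: a control gap
        chosen.append(best)
        uncovered -= controls[best]
    return chosen, sorted(uncovered)


def single_control_objectives(controls: Dict[str, Set[str]]) -> List[str]:
    """Objectives that rest on exactly one control: a weakness in that control
    leaves the objective unmitigated, so it must be tested regardless of cost."""
    counts: Dict[str, int] = {}
    for addressed in controls.values():
        for objective in addressed:
            counts[objective] = counts.get(objective, 0) + 1
    return sorted(o for o, n in counts.items() if n == 1)


if __name__ == "__main__":
    print(select_common_controls(CONTROLS, OBJECTIVES))
    print(single_control_objectives(CONTROLS))
```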

INTEGRATED IS AUDITOR VS INTEGRATED IS AUDIT

For many years confusion has arisen as to the difference between integrated audit and the integrated auditor. Contrary to what some believe, there are some simple and realistic answers to this question.

There are two readily identifiable approaches to integrated audit that have been tried with varying degrees of success: integrated auditor and integrated audit.

Integrated Auditor

The basic concept is to develop an expanded auditor skill set, basically to train financial/operational auditors to be “partial” IS Auditors. Armed with a basic understanding of computers—and general and application controls—all auditors would be able to include IS control considerations in each and every audit, as well as use basic CAATs (without being totally dependent on the IS Audit staff). Basic training on information technology and IS Audit remains the first step in developing IS Auditors (including integrated auditors) at all skill levels.

Audit programs may then be modified to include IS control considerations, as well as to identify opportunities for CAATs.

If extensive IT audit education is provided for the integrated auditor, standard “off the shelf” IS Audit programs might be used without modification. If the education provided is less extensive, audit programs may require significant modification to ensure the auditor fully understands both the question and possible answers, and knows what to do next based on the answer given.

The complete integrated auditor fully understands and will use CAATs in all audits. Undertrained integrated auditors rely on others to do CAATs for them.

In today’s world, all auditors must have some level of information technology (IT) expertise. All organizations base audit staffing and training requirements on the audit mission and audit requirements, and are becoming increasingly sophisticated in accomplishing that process. Thus, in reality, all auditors have become integrated IS Auditors—some just have greater knowledge and skills than others. Effective integration is therefore dependent on:

  • Expanding the IT knowledge base of each and every auditor
  • Realistic audit assignments based on knowledge and skill level
  • Extensive IS Audit tools and support
  • Effective technical supervision

Integrated Audit

The alternate solution chosen by some organizations is to focus their resources more directly by providing an integrated audit product rather than developing an integrated auditor. Rather than attempt to expand the knowledge base of an individual, they seek to apply the knowledge base that currently exists within their organization by assembling an audit team including IS Audit-trained as well as financial/operationally trained auditors working together. This approach is obviously preferred by those organizations that already use cross-functional teams extensively. Though it is not always a viable alternative for smaller audit staffs, including a technical expert in an audit can have major internal assurance and risk management advantages.

The key to successful team auditing is the building of team participation skills so that functional groups actually work as teams. Not all auditors are used to working as members of cohesive groups, and some have had no training or experience whatsoever of working in a group setting. This means that effective team building will involve expanding the group process knowledge base of both staff and management. Realistic audit team assignments based on knowledge and skill level are a prerequisite, as is IS Audit management involvement and participation.

The biggest barriers to achieving effective auditing in an IS environment include the assumption that IS Audit is a separate, unique and special audit discipline, while the fundamental internal auditor skill set is accounting and general business oriented, with only limited IS knowledge required.

Many organizations are redefining internal audit as the business processes are re-engineered throughout the rest of the organization. The internal audit discipline is also undergoing a massive re-engineering and reorganization as new philosophies, methodologies, and techniques such as control self-assessment are tested and implemented. What better time to restructure based on an IT philosophy?

IT is pervasive within the organization. Structures that seek to make IS distinct and special are obsolete and counterproductive. As auditors we have created the artificial functional designations of financial audit, operational audit, and IS Audit because that suited our purposes at the time. In today’s business environment we must use functional specialization to our advantage, not be ruled by it. We must eliminate over-specialization and correctly reclassify IT as a pervasive and critical organization resource rather than a special organization function that can only be audited by function specialists.

AUDITEES AS PART OF THE AUDIT TEAM

Effective internal control can only be achieved when everyone wants to have effective internal control and work together to achieve that goal. Team-based auditing has long been a preferred integrated audit approach. As in any team effort, success is dependent on shared objectives and full participation. In today’s world, however, the team audit approach needs to be taken to the next level, including management and staff of the area undergoing evaluation.

True team audits can provide team access to the broader specialized knowledge content of its individual members, and also identify those areas where critical specialized knowledge is absent.

APPLICATION AUDIT TOOLS

The tools available for computer auditors include not only CAATs but also the standard tools such as interviews, system questionnaires, control questionnaires, and documentation. Control evaluation tools such as CAATs, test data generators, and flowcharting packages may be combined with specialized audit software, generalized audit software, utility programs, and non-audit-specific software such as reporting programs and general query languages.

Risk analyzers, audit planning software, and automated working papers may also prove useful tools in this environment.

ADVANCED SYSTEMS

The audit of advanced systems such as paperless systems (e.g., electronic data interchange [EDI]) or decision support systems (e.g., Executive Information Systems) involves a risk multiplier factor. The risk is limited only by the corporate dependency on the system. This is normally unevaluated and normally understated because risks in these areas could threaten the ongoing existence of the organization.

Advanced systems are an enormous corporate investment designed to maintain the corporate competitive edge. In some cases they may lead to a complete re-engineering of the organization with major impacts on effectiveness, efficiency, and economy.

SPECIALIST AUDITOR

Many organizations make use of specialists within their IS Audit function to carry out tasks classed as being beyond the scope of the conventional IS Auditor. These include such audit areas as performance auditing of computerized systems, auditing logical computer security, auditing telecommunications, auditing that technical specialist’s area, and auditing IS strategic planning. In all of these areas a higher level of technical competence is normally required and for many organizations it is neither cost effective nor desirable to retain such skill levels in-house. In these circumstances, the organization will rather outsource to a technical specialist or use consultancy skills as required. Where the specialist IS Audit capability is in-sourced, career progression can be a problem because such high levels of technical skills are normally only required within IS Audit, IS security, or IS itself.

IS AUDIT QUALITY ASSURANCE

As with any other audit area, quality assurance remains the responsibility of the audit manager. In practice, this will normally involve review of audit work by other IS Auditors as well as audit management. It is critical, to maintain the confidence of the auditee and the IS department in the IS Audit function, that IS Audit work be seen to be technically competent in all of the areas addressed. Once more, where such assurance cannot be given in-house, outside sources may be used as external quality assurance (QA) reviewers. Such external resources can come from a variety of sources including specialist consultancy firms and independent external auditors.
