Académique Documents
Professionnel Documents
Culture Documents
Audit Management
THIS CHAPTER LOOKS at audit management and its resource allocation and prioritization in the planning and
execution of assignments. The management of Information Technology (IT) audit quality through techniques such as
peer reviews and best practice identification is explored. The human aspects of management in the forms of career
development and career-path planning, performance assessment, counseling and feedback, as well as professional
development through certifications, professional involvement, and training (both internal and external) are reviewed.
PLANNING
It is important to emphasize that computer auditing is only one part of the total internal or external audit function. The
IT audit groups responsibility is to provide support to the general audit side on computer-related aspects of their work,
by providing adequate audit coverage of the organizations information systems. Audit management must ensure that
general and computer audit work complement each other, dovetailing together to provide adequate audit coverage for
the enterprise.
Planning the IT audit function involves defining the areas of audit involvement. These could be the review of:
Business systems
Systems under development
IT facilities management
Security and recovery controls
Efficiency and effectiveness of IT
AUDIT MISSION
To review, appraise, and report on:
IT AUDIT MISSION
To review, appraise, and report on:
The scope of work undertaken includes installation reviews, systems reviews, audits of systems under development, as
well as audits of the development process. Auditing of the contingency planning arrangements, provision of indepartment expertise, and training of non-IT auditors may also be IT audit responsibilities. The specialist may be
required to assist in computerizing the internal audit function, to review logical security, and to liaise with external IT
audit functions.
Specialist tasks would include reviews of logical security, IT strategic planning, efficiency/effectiveness, communications
systems security, and IT technical support functions.
STAFFING
Depending on the size and complexity, staffing could consist of a mix of:
Skill levels required of the manager of such a department would include specialized skills in both conventional and
computer auditing as well as the managerial skills appropriate to handle a mix of technical specialists. Knowledge of the
corporation would be absolutely essential to ensure adequacy of risk coverage.
Tasks of the IT manager include the planning of the strategic direction of the section, which must take into account
corporate priority setting as well as the liaison internally and externally to ensure effective IT coverage in an efficient
manner. As with any line manager, the review and approval of all IT audit work and the controlling and monitoring of
the workflow are part of the normal managerial function. The staffing of the department, defining of roles, sourcing of
staff and training, motivating, and career planning for acquired staff are part of the normal managerial process.
Once the audit universe has been defined, it will be possible to work out the types of skill required to review the audit
areas that have been identified.
Assuming typical IT audit coverage in a large organization, the following skills or knowledge may be required in an IT
audit department:
In-depth and varied skills are therefore required and are rarely found in one individual. Many computer audit
departments are thus staffed by auditors from a variety of different computing and audit backgrounds. It is
managements job to develop missing skills in the group, and bring the group together as a team. Ongoing training is
essential to keep skills current in an ever-changing data processing environment.
In order to discharge their responsibility of identifying and analyzing risk in computer systems, the computer auditor
must, as is the case with all auditors, be able to write reports in simple, jargon-free language. The auditor must be able
to report on risk in terms that management can understand; insofar as is possible, the effect of the risk must be
described in business terms for business management. While the final report of findings to management, both orally
and in writing, may take only a small percentage of audit time, if it is not done professionally, much of the potential
benefit of the audit will be lost. Good written and oral communications skills are therefore essential.
PLANNING
Planning the computer audit function involves defining the areas of audit involvement. These could be the review of:
Business systems
Systems under development
IT facilities management
Security and recovery controls
Efficiency and effectiveness of IT
In designing the audit procedures, the auditor is testing to obtain evidence. This means that the auditor must know what
he or she is looking for. It must always be understood that not all controls need to be tested and that, to provide costeffective auditing, the auditor should look for common controls, that is, controls that address a variety of control
objectives. As individual controls are identified, the auditor should try to identify control structures or combinations of
controls that serve to mitigate risk areas and should establish the degrees of control effectiveness.
Integrated Auditor
The basic concept is to develop an expanded auditor skill set, basically to train financial/operational auditors to be
partial IT auditors. Armed with a basic understanding of computersand general and application controlsall
auditors would be able to include IT control considerations in each and every audit, as well as use basic CAATs (without
being totally dependent on the IT audit staff). Basic training on information technology and IT audit remains the first
step in developing IT auditors (including integrated auditors) at all skill levels.
Audit programs may then be modified to include IT control considerations, as well as to identify opportunities for
CAATs.
If extensive IT audit education is provided for the integrated auditor, standard off the shelf IT audit programs might
be used without modification. If the education provided is less extensive, audit programs may require significant
modification to ensure the auditor fully understands both the question and possible answers, and knows what to do next
based on the answer given.
The complete integrated auditor fully understands and will use CAATs in all audits. Undertrained integrated auditors
rely on others to do CAATs for them.
In todays world, all auditors must have some level of IT expertise. All organizations base audit staffing and training
requirements on the audit mission and audit requirements, and are becoming increasingly sophisticated in
accomplishing that process. Thus, in reality, all auditors have become integrated IT auditorssome just have greater
knowledge and skills than others. Effective integration is therefore dependent on:
Integrated Audit
The alternate solution chosen by some organizations is to focus their resources more directly by providing an integrated
audit product rather than developing an integrated auditor. Rather than attempt to expand the knowledge base of an
individual, they seek to apply the knowledge base that currently exists within their organization by assembling an audit
team including IT audit-trained as well as financial/operationally trained auditors working together. This approach is
obviously preferred by those organizations that already use cross-functional teams extensively. Though it is not always a
viable alternative for smaller audit staffs, including a technical expert in an audit can have major internal assurance and
risk management advantages.
The key to successful team auditing is the building of team participation skills to assure functional groups. Not all
auditors are used to working as members of cohesive groups, and some have had no training or experience whatsoever
of working in a group setting. This means that effective team building will involve expanding the group process
knowledge base of both staff and management. Realistic audit team assignments based on knowledge and skill level are
a prerequisite as IT audit management involvement and participation.
The biggest barriers to achieving effective auditing in an IT environment include the assumption that IT Audit is a
separate and unique and special audit discipline, while the fundamental internal auditor skill set is accounting and
general business oriented, with limited IT knowledge required.
Many organizations are redefining internal audit as the business processes are re-engineered throughout the rest of the
organization. The internal audit discipline is also undergoing a massive re-engineering and reorganization as new
philosophies, methodologies, and techniques such as control self-assessment are tested and implemented. What better
time to restructure based on an IT philosophy?
IT is pervasive within the organization. Structures that seek to make IT distinct and special are obsolete and
counterproductive. As auditors we have created the artificial functional designations of financial audit, operational
audit, and IT audit because that suited our purposes at the time. In todays business environment we must use
functional specialization to our advantage, not be ruled by it. We must eliminate over-specialization and correctly
reclassify IT as a pervasive and critical organization resource rather than a special organization function that can only be
audited by function specialists.
ADVANCED SYSTEMS
The audit of advanced systems such as paperless systems (e.g., electronic data interchange [EDI]) or decision support
systems (e.g., Executive Information Systems) involves a risk-multiplier factor. The risk is limited only by the corporate
dependency on the system. This is normally unevaluated and normally understated because risks in these areas could
threaten the ongoing existence of the organization. The use of cloud computing and enterprise resource management
(ERM) systems to drive the fundamental business of the organization means the risks within these areas must be clearly
understood by the IT auditor and that the IT audit program must be tailored to meet these advanced risks.
Advanced systems are an enormous corporate investment designed to maintain the corporate competitive edge. In some
cases they may lead to a complete re-engineering of the organization with major impacts on efficacy, efficiency, and
economy.
SPECIALIST AUDITOR
Many organizations make use of specialists within their IT audit function to carry out tasks classed as being beyond the
scope of the conventional IT auditor. These include such audit areas as performance auditing of computerized systems,
auditing logical computer security, auditing telecommunications, auditing that technical specialists area, and auditing
IT strategic planning. In all of these areas a higher level of technical competence is normally required and for many
organizations it is neither cost effective nor desirable to retain such skill levels in-house. In these circumstances, the
organization would rather outsource to a technical specialist or use consultancy skills as required. Where the specialist
IT audit capability is in-sourced, career progression can be a problem because such high levels of technical skills are
normally only required within IT audit, IT security, or IT itself.