Ten years ago, the internal auditor encountered an automated application system in almost every internal control review performed. Today's IT auditors and financial auditors expect to find automation, and are often concerned when they do not. This book is intended to meet the needs of both the technical and general auditor. The auditing models include basic and advanced technical subjects, along with generic and tailored approaches for evaluating IT security and control issues. This volume speaks to the IT auditor, while recognizing that many general auditors are also conducting technical reviews.
IT auditors face several challenges when auditing automated applications. First, the IT auditor must understand the environment in which the applications are developed and operated. Stronger environmental controls reduce the potential risk for every application operating within that environment (see Part I). Second, the increasing complexity of automated applications demands that the IT auditor employ an equally effective approach. An ineffective audit process is almost certain to leave vulnerabilities unidentified.
IT auditors often work with a self-assessment questionnaire to help evaluate the problems faced when auditing automated applications. The self-assessment questionnaire often brings two major benefits. First, it can help to change the environment. The IT manager completes the self-assessment questionnaire, normally identifying potential control risks before the audit even begins. The more capable IT managers can then begin to take corrective action immediately, having performed their own audit. The IT auditor may choose to reward this response by refraining from proposing an unnecessary recommendation whose only purpose is to overstate the auditor's success.
Second, the IT auditor can leverage the IT staff's experience and local knowledge by having them complete a self-assessment questionnaire. The time that would otherwise be spent interviewing the staff to obtain and document environmental information is freed up for substantive procedures that confirm the reported control structure weaknesses exist and evaluate them; the auditor should also look for compensating controls. If there are no compensating controls, the IT auditor may need to expand the audit scope to compensate for those control weaknesses. The IT auditor can also use the self-assessment questionnaire data to determine the staffing requirements for the detailed portion of the review.
The environmental controls that support automated computer applications are collectively referred to as general controls. If the general controls are inadequate, the IT auditor normally cannot rely on application controls, regardless of how effective they may appear to be. This section explains how an IT department should operate and identifies the critical general control factors that form the basis of the self-assessment presented.
The auditor should review two key elements to determine the effectiveness of management control: the organizational structure of the department and IT's position within the overall corporate structure. The IT department should maintain an appropriate level of management independence from the departments or customers that it services, and a level of internal segregation of duties sufficient for effective internal controls.
The IT department should also maintain open lines of communication with its customers. The IT manager should ensure that a written organization plan exists that specifically defines the lines of authority and the responsibilities for each position. This plan should facilitate communication, promote operational efficiency, and support the segregation of duties.
IT Organization
The IT department must be an integral part of the overall company structure. IT managers should report to the highest possible level in the company. Ideally, the information technology department should be an independent unit to ensure the proper mix of authority and communication between IT and its customers. A steering committee is normally formed to facilitate that communication (see discussion of IT steering committee later in this chapter).
The board of directors sets policies, and should be familiar with strategic IT department activities; however, board members do not need to be technically proficient in IT concepts. Senior management ensures that the board's policies are followed and that the IT department is meeting the needs of the organization. IT management supervises the department's daily activities, which requires a high level of technical proficiency.
Organization Charts
The IT auditor can determine the relationship of the IT department to other departments by reviewing an organization chart. Effective organization charts graphically describe position titles and illustrate the interrelationships and reporting requirements among the various functions. This chart should be distributed to employees to enhance their knowledge of the organization and the lines of communication within it. Responsibility overlaps may become apparent while reviewing the organization charts. Any exceptions, such as programmers who are also security officers, should be questioned.
Furthermore, small, medium-sized, and large IT departments have inherently different characteristics and their organization charts should reflect these differences. The IT auditor should normally find IT departments that are sized in proportion to the company, but cannot assume this to be the case.
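The chapter's organization-chart review can be turned into a repeatable check. The script below is an added example, not the book's own material: it takes a constructed roster (name, roles held, and who each person reports to), flags anyone holding a conflicting pair of roles (the programmer/security officer overlap is the chapter's example; the programmer/operator and security officer/operator pairs are conventional IT-audit conflicts added here as assumptions), and reports how many hops separate the IT manager from the top of the chart, since the chapter says that manager should report as high as possible. The roster, the names and the rule set are all constructed for illustration.

```python
"""Segregation-of-duties and reporting-line checks over an org-chart roster.

Added example, not from the book. The roster and the conflict rules are
constructed for illustration; the programmer/security officer pair is the
chapter's own example, the other pairs are assumed conventional conflicts.
"""
from itertools import combinations

# Constructed roster: each entry is a person, the roles they hold, and the
# person they report to (None marks the top of the chart).
ROSTER = [
    {"name": "A. Chen",  "roles": ["ceo"],                            "reports_to": None},
    {"name": "B. Osei",  "roles": ["it manager"],                     "reports_to": "A. Chen"},
    {"name": "C. Ruiz",  "roles": ["programmer", "security officer"], "reports_to": "B. Osei"},
    {"name": "D. Patel", "roles": ["computer operator"],              "reports_to": "B. Osei"},
    {"name": "E. Novak", "roles": ["programmer"],                     "reports_to": "B. Osei"},
]

# Role pairs that one person should not hold at the same time.
CONFLICT_RULES = {
    frozenset({"programmer", "security officer"}),   # the chapter's example
    frozenset({"programmer", "computer operator"}),  # assumed conventional conflict
    frozenset({"security officer", "computer operator"}),  # assumed conventional conflict
}


def find_sod_conflicts(roster, rules=CONFLICT_RULES):
    """Return (name, role_a, role_b) for every conflicting role pair a person holds."""
    findings = []
    for person in roster:
        roles = sorted({r.lower() for r in person["roles"]})
        for a, b in combinations(roles, 2):
            if frozenset({a, b}) in rules:
                findings.append((person["name"], a, b))
    return findings


def reporting_depth(roster, name):
    """Number of reporting hops from `name` up to the top of the chart.

    A depth of 1 means the person reports directly to the top. A reporting
    cycle raises ValueError and an unknown manager raises KeyError, so a
    broken chart is not silently accepted as a clean one.
    """
    by_name = {p["name"]: p for p in roster}
    depth, seen, current = 0, set(), name
    while by_name[current]["reports_to"] is not None:
        if current in seen:
            raise ValueError(f"reporting cycle at {current}")
        seen.add(current)
        current = by_name[current]["reports_to"]
        depth += 1
    return depth


def role_holders(roster, role):
    """Names of everyone holding `role`; an empty list shows a missing function."""
    role = role.lower()
    return [p["name"] for p in roster if role in {r.lower() for r in p["roles"]}]


if __name__ == "__main__":
    for name, a, b in find_sod_conflicts(ROSTER):
        print(f"SoD conflict: {name} holds both '{a}' and '{b}'")
    print("IT manager reporting depth:", reporting_depth(ROSTER, "B. Osei"))
    print("Security officers:", role_holders(ROSTER, "security officer"))
    print("Database administrators:", role_holders(ROSTER, "database administrator"))
```

Run against the constructed roster, the script flags C. Ruiz for holding both programmer and security officer roles and shows the IT manager one hop below the top of the chart. An empty list from `role_holders` is itself a finding, matching the chapter's note that a small department may have no internal programming or IT management function at all.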
The Small IT Department. Exhibit 1-1 represents the IT department in a small company with an in-house computer. The IT department provides a variety of IT services to other departments in the company, but programming activities are limited. Occasionally, the software vendor provides program updates and corrections. Other possible characteristics include no internal programming function, no IT management function, no formal periodic communication, and no segregation of duties.
The Medium-Sized IT Department. Exhibit 1-2 represents the IT department in a larger organization. In this type of organization, communication is usually more formal due to the increased customer base and the additional coordination required to convey information to senior management and the board of directors. Systems development and programming may be an in-house function, or it may be outsourced. The medium-sized IT department normally has an increased segregation of duties, although not sufficiently segregated to warrant reliance.
Exhibit 1-1. Organization Chart: Small IT Department
Exhibit 1-2. Organization Chart: Medium IT Department
The Large IT Department. Exhibit 1-3 represents IT departments that range from large to the very largest. This department should have detailed organization charts and position descriptions. It also should have specific committees and regularly scheduled management meetings to enhance communication and monitor activities. The segregation of duties should be adequate for the IT auditor to conclude that reliance may be warranted. One interesting feature of large departments is that they often have effective controls in place. If they did not, they would have almost constant problems due to the lack of coordination and structure.