Analysis 3: Timing of the Event
Factual Question:
When was it done?
The IT auditor must determine the time of the event.
Analytical Question:
Why then?
The IT auditor must challenge the timing of the event; that is, whether it was performed in the wrong part of the application.
General Analysis:
Usually, when the IT auditor believes that the finding was caused by timing, the results of the analysis indicate that the process was in a poor or improper sequence.
Analysis 4: Responsibility for the Event
Factual Question:
Who did it?
The IT auditor must be able to determine who or what caused the problem (e.g., a manual process, a person, or a program or part of a program).
Analytical Question:
Why that person?
The IT auditor must judge whether the right person performed this event, program, or process.
General Analysis:
When the event was performed by the wrong program or person, the results of the analysis reveal that the process was fragmented, the individual performing it lacked the proper skill, or the program that performed it should not, in fact, have done so.
Analysis 5: Process that Produced the Event
Factual Question:
How was it done?
The IT auditor must be able to substantiate the process that produced the unfavorable event or finding.
Analytical Question:
Why that way?
The IT auditor must investigate the chosen process to determine whether it could produce the desired results.
General Analysis:
In most cases in which the process appears to be the cause of the problem, the conclusion is that the process was either too complicated or too costly.
Analysis 6: Reason for Performing the Event
Factual Question:
Why was it done?
The IT auditor must determine who authorized or approved the occurrence of the event (either manually or through a computer program).
Analytical Question:
Why was it permitted?
The IT auditor investigates and determines whether the event was or was not performed in accordance with management policies and intent. If it was not, the IT auditor must determine why not and how it was allowed to occur.
General Analysis:
When there is a problem of authority, the conclusion generally finds that the authorization procedures either were not followed or were inherently ineffective.
The analysis will produce a series of conclusions about the finding that should be recorded on a workpaper. These results become the basis for developing the recommendations, supporting both the finding and the audit report. If the steps of the task are followed faithfully, there is little risk that the analysis will be incomplete or that it will result in insufficiently developed conclusions.
After the cause of a problem has been determined, the next question to be addressed must be how to correct it. The task now is to advise management and the auditee how, in the IT auditor's best judgment, the problem can be corrected. Any recommendation made should be both sound and workable. Frequently, however, IT auditors add recommendations as an afterthought. Poorly or hastily constructed recommendations seriously affect the credibility of the audit department. Because the same types of control weaknesses usually occur repeatedly, the same audit recommendations are often made repeatedly.
An IT audit recommendation should make its intent clear; it must be extremely specific rather than general. A recommendation that data validation and controls be improved is too general; the recommendation must state specifically which controls are weak or nonexistent. A good recommendation should demonstrate that it will provide a positive return on investment. (Whenever it is practical to do so, the economics of the recommendation should be included.) The recommendation should be clearly written in managerial terms. At the same time, it should provide sufficient technical information to be accepted (technical data can be appended as appropriate). Any good audit recommendation in the computer field must be logical as well as creative because it must fit into a structured application system. The recommendations should relate directly to the audit findings and should be similarly categorized. It is essential for the IT auditor to understand that some recommendations cannot be cost-justified and that the IT department's resources may be inadequate to implement the recommendation. It is also important that the recommendation be fully thought through; otherwise, its implementation will be impractical.
Findings are factual and, when properly stated, inarguable. Recommendations, on the other hand, because they are opinions and suggestions, must be supported by solid information and then marketed to the auditee and management. The objective of this task is to help the IT auditor structure these recommendations, a difficult task for IT auditors without a strong enough IT background to develop easily implemented, cost-effective recommendations. Effective IT audit recommendations take the following factors into account:
IT auditors with minimal IT experience may find it helpful to consult with the project team, the user, or an independent consultant while developing the recommendations. Their recommendations may be accepted more easily if a highly skilled person in IT can be cited as a co-developer or supporter of the recommendation.
Economics is a major cause for rejecting audit recommendations. IT personnel may agree that the recommendations are good but add that they are unacceptable because of the high cost of implementation. Although some IT auditors consider this a ploy to avoid accepting the recommendations, the position may be valid. Studies have indicated that the cost of implementing a change in an operational system is at least a hundred times more costly than implementing that same change in a system under development. The solution to the cost dilemma is to work out the economic factors, with some concurrence from the IT project team regarding their reasonableness, before making the recommendation. The arguments can then center on the merits of the recommendation, not its cost. In addition to the economic feasibility of the recommendation, the IT auditor should consider the possibility that the IT department will have neither adequate staff nor skills available to implement it. It is important to look for alternatives that could address the finding at lower cost or with greater ease of implementation.