Previous | Table of Contents | Next |
An automated application review will include some combination of auditors, the application, methods, tools, technical personnel, end users, etc. Audit management is responsible for ensuring that these are in place and effective. This chapter identifies eight areas that should be addressed during the audit process:
The audit director should ensure that there are policies or procedures that are likely to select the auditors best suited to perform a particular review. The audit director retains ultimate responsibility for all work done by the department, and should therefore periodically review and/or approve the following:
The IT and financial audit personnel must have sufficient IT expertise to perform the audits, whether IT audit coverage is provided by an internal audit staff, external auditors, or a combination of both. The IT expertise should be commensurate with the degree and sophistication of the IT function. The audit director should utilize internal and external third parties when it is not possible or practical to acquire or develop the internal IT expertise required for a particular assignment.
The internal IT audit function should provide independent appraisals of applications, systems, etc., as needed. IT auditors evaluate the effectiveness of controls to ascertain whether processing is done in compliance with the applicable internally or externally created standards.
IT auditors should produce reports with analyses, appraisals, recommendations, and other pertinent comments concerning the activities reviewed. These comments should help the auditors meet their responsibilities more effectively. The IT auditor is properly concerned with all phases of business activity and must look beyond simple technical or financial issues to obtain a full understanding of the operations under review. The IT auditor's full range of activities should include one or more of the following in each review.
Competence
The overall skills required for IT audit tasks depend on the size and complexity of the IT operation. In some instances, the internal IT audit is performed by an individual or group that is only responsible for IT auditing. In other cases, the responsibility for the audit may be placed with a generalist auditor who plans and performs the audits personally or directs staff borrowed from other departments. Whatever the situation, an auditor must possess IT expertise commensurate with the sophistication of the system under audit. The following basic skills are required of any internal auditors with IT audit responsibilities:
Audit management should be committed to providing a program of continuing education to maintain or improve competence levels, because the automated environment changes with the introduction of new technologies. Available sources of technical audit training include:
The IT auditor's competence will ultimately be evidenced by the quality of the work performed, the ability to communicate the results of that work, and the ability to have deficiencies corrected.
Independence
The audit department's real or perceived independence is likely to have a significant impact on its ability to meet departmental objectives. One quick, although not always accurate, indication of its independence is to determine where the audit director reports within the organization. Internal audit departments should report to the board of directors or to the audit committee. The board should ensure that the audit department does not participate in functions that compromise its independence. These include such activities as preparing records, developing procedures, or engaging in other duties the department would normally review.
Audit department or individual auditor independence can be evaluated by reviewing the appropriate organization charts, evaluating the findings and recommendations actually being presented, and performing other procedures as needed. To be effective, the IT auditor should be given authority to obtain all records necessary to conduct the audit and to require management to respond formally to audit findings. Internal IT and financial auditors have traditionally been considered responsible for ensuring that financial and operating management takes corrective action on each recommendation presented. This has more recently been seen as inappropriate because it does not permit the affected management to have the final say in the areas for which they are responsible. The auditor's power comes instead from the ability to escalate an issue all the way to the Board of Directors if the affected managers do not appear to respond appropriately to a particular issue or group of issues.
The audit director should oversee the development of a manual that will increase the likelihood that audits performed will be successful and consistent. This manual should be built on an Internal Audit Charter that defines the role of the audit department in the organization, describes the philosophies of the Audit Committee, and establishes the authority the department needs to meet its objectives.
The manual and the charter should include sections that similarly define and empower the IT auditing function within the department. These sections should establish appropriate guidelines for auditing data centers, automated applications, and other related controls.
The Board of Directors must approve the Audit Charter for the latter to be meaningful. The Board is less likely to be involved in the audit manual, although it may choose to review and approve it as well. The Board may ask the external auditors to determine whether the standards and procedures it contains meet the requirements to perform an effective audit. Once the manual has been approved, it should provide the audit department with uniform standards and serve as a valuable training aid. In addition, it gives the Board a basis for evaluating the audit department.
The audit manual should contain the following policies, standards, and procedures: