The senior IT auditor is likely to consider having a peer review done when an objective evaluation of the internal IT audit capabilities is needed. An internal self-assessment is an effective substitute when the objectivity of a third party is not required. This self-assessment program is divided into three main areas. The first area explains who should conduct the self-assessment, the second describes how, and the third how to analyze the results. The IT auditor performing a self-assessment will not only learn about their own capabilities and those of the IT audit function, but will also gain a better understanding of what auditees experience when they are asked to complete a self-assessment questionnaire.
The self-assessment should be performed by the internal IT audit staff. The audit team should include no more than five people. The ideal self-assessment team would include:
The team should be responsible for conducting the self-assessment and reporting self-assessment results. While the team approach is preferable, the reality of leaner and more focused audit departments has led to many situations where multi-billion dollar international companies have IT audit functions that include three persons or less. In these situations, it is completely reasonable and appropriate to have a single IT auditor conduct the self-assessment.
The internal IT audit manager, or the audit director if there is no IT manager, should appoint the self-assessment team. If the internal IT audit staff lacks the necessary IT skills, an experienced professional from the IT department may be selected to conduct the assessment. A self-assessment or peer review should be done at least once every three years.
The self-assessment exercise should cover three areas, as follows:
These areas should be reviewed in order, because the environment is the foundation for systems development, and because both must be understood before being able to assess the adequacy of available IT audit skills. For example, the more complex or technically specialized the environment is, the more significant the SDLC methodology becomes, and the required IT audit capabilities grow accordingly.
The self-assessment can be performed and documented using the following workpapers:
The person or team performing the self-assessment should complete the questionnaires without outside assistance. There are two reasons for this: first, this is not an audit, and interviewing IT or other internal professionals could create confusion; second, the self-assessment needs to encompass both skills and knowledge, and that knowledge needs to be sufficient to complete the project.
The analysis and reporting of self-assessment results includes three tasks.
Each self-assessment questionnaire contains several areas. For example, in the IT environment, the first area is planning. The number of positive and not applicable responses for the questions should be totaled, and the percentage of those responses versus the total number of questions should be calculated. The percentages should be posted to the analysis workpapers.
Using the analysis worksheets, the self-assessment team should review each of the three areas. At this point, the analysis worksheets should be complete, showing the control and audit capabilities for the various areas. A sample preliminary analysis would be as follows:
% Score | Analysis |
---|---|
0-60 | Either the controls or capabilities appear to be inadequate. More analysis should be done to determine which one is weak. If it is the IT environment or SDLC methodology, then the timing and scope of the next planned review may require re-evaluation. If it is deficient capabilities, then improvements should be made. |
70-80 | The controls and capabilities appear to be adequate. Improvements may be worthwhile and should be considered if there is available time. |
90-100 | The controls and capabilities appear to be more than adequate. No further attention is required. |
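The tally-and-band step described above is small enough to script, and doing so makes the gaps in the sample band table (scores of 61-69 and 81-89 are not classified by it) visible rather than silently rounded into a neighbouring band. The following Python block is an added example, not one of the book's workpapers: the area names and the "Y"/"N"/"NA" answers are constructed sample data, and the band texts are abbreviated from the table above. It produces the same three columns as the analysis summary workpapers (# of Yes and N/A, # of Questions, % of Total) plus the "Response totals" row, and lists which areas need more analysis and which fall outside every band.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample responses for one questionnaire, keyed by questionnaire
# area.  Each answer is "Y", "N" or "NA".  Area names are assumptions used
# for illustration only, not the book's questionnaire items.
SAMPLE_RESPONSES: Dict[str, List[str]] = {
    "1 Planning": ["Y", "Y", "NA", "N", "N"],       # 3 of 5 -> 60.0%
    "2 Organization": ["Y", "Y", "Y", "Y", "N"],     # 4 of 5 -> 80.0%
    "3 Change control": ["Y", "Y", "Y", "Y", "Y"],   # 5 of 5 -> 100.0%
    "4 Access security": ["Y", "N", "N"],            # 1 of 3 -> 33.3%
    "5 Backup and recovery": ["Y", "NA", "N"],       # 2 of 3 -> 66.7% (in a gap)
}

# The sample preliminary-analysis bands (text abbreviated).  Scores between
# the bands are not classified by the table, so band_for() returns None for
# them instead of guessing.
BANDS: List[Tuple[int, int, str]] = [
    (0, 60, "Either the controls or capabilities appear to be inadequate; "
            "more analysis is needed to determine which one is weak."),
    (70, 80, "Controls and capabilities appear to be adequate; improvements "
             "may be worthwhile if time is available."),
    (90, 100, "Controls and capabilities appear to be more than adequate; "
              "no further attention is required."),
]


def tally_area(answers: List[str]) -> Tuple[int, int, float]:
    """Return (# of Yes and N/A, # of questions, % of total) for one area."""
    positive = sum(1 for a in answers if a.strip().upper() in ("Y", "NA"))
    total = len(answers)
    pct = round(100.0 * positive / total, 1) if total else 0.0
    return positive, total, pct


def band_for(pct: float) -> Optional[str]:
    """Map a % score to its analysis text, or None if no band covers it."""
    for low, high, text in BANDS:
        if low <= pct <= high:
            return text
    return None


def analysis_summary(responses: Dict[str, List[str]]) -> Dict[str, Tuple[int, int, float]]:
    """Build the rows of an analysis summary workpaper plus a Response totals row."""
    rows = {area: tally_area(answers) for area, answers in responses.items()}
    positive = sum(r[0] for r in rows.values())
    total = sum(r[1] for r in rows.values())
    pct = round(100.0 * positive / total, 1) if total else 0.0
    rows["Response totals"] = (positive, total, pct)
    return rows


def flagged_areas(responses: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Return (areas scoring 0-60, areas whose score no band covers)."""
    weak: List[str] = []
    unclassified: List[str] = []
    for area, (_, _, pct) in analysis_summary(responses).items():
        if area == "Response totals":
            continue
        if pct <= 60:
            weak.append(area)
        elif band_for(pct) is None:
            unclassified.append(area)
    return weak, unclassified


if __name__ == "__main__":
    for area, (pos, tot, pct) in analysis_summary(SAMPLE_RESPONSES).items():
        verdict = band_for(pct) or "score not covered by the sample band table"
        print(f"{area:<22} {pos:>3} {tot:>3} {pct:>6.1f}%  {verdict}")
    weak, unclassified = flagged_areas(SAMPLE_RESPONSES)
    print("Needs more analysis:", weak)
    print("Outside every band:", unclassified)
```

Run as-is it prints one row per area and the totals row; the totals row for the sample data comes out at 15 of 21 (71.4%), which lands in the 70-80 band even though two individual areas score 60% or below, so the per-area rows, not the total, are what drive the follow-up analysis.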
As was mentioned in the first analysis comment above, each potential problem can have one or more causes. The person or team performing the self-assessment will either have to perform additional analysis to better understand the situation or will have to defer a conclusion on that item until an audit is performed. For example, if an IT audit were being undertaken in the near future, an assessment of the potential weakness could be incorporated into that audit plan.
The self-assessment person or team should develop conclusions and prepare recommendations once the work is at least substantially completed. Where additional analysis indicates that there is a problem in the basic technology environment or the SDLC methodology, that information should be input to the overall risk assessment and audit department planning process. Conversely, where the additional analysis indicates a weakness in the IT audit capabilities, specific recommendations should be made to either correct those weaknesses, or to arrange for third parties to participate when IT audits need to be performed on the areas where capabilities are weak.
Internal IT audit functions using this self-assessment exercise should evaluate the effectiveness of the exercise at its conclusion and supplement or modify the exercise as needed to improve its usefulness.
Workpaper 3-1. Self-Assessment Questionnaire
Assessment Area: IT Environment
Auditor:_____________
Review:______________
Date:________________
Workpaper 3-2. Analysis Summary for Workpaper 3-1
IT Environment | # of Yes and N/A | # of Questions | % of Total |
---|---|---|---|
1 | 3 | 5 | 60% |
2 | 3 | 5 | 60% |
3 | 3 | 5 | 60% |
4 | 3 | 5 | 60% |
5 | 3 | 5 | 60% |
6 | 3 | 5 | 60% |
7 | 3 | 5 | 60% |
8 | 3 | 5 | 60% |
9 | 3 | 5 | 60% |
10 | 3 | 5 | 60% |
11 | 3 | 5 | 60% |
12 | 3 | 5 | 60% |
13 | 3 | 5 | 60% |
14 | 3 | 5 | 60% |
Response totals | 42 | 70 | 60% |
Workpaper 3-3. Self-Assessment Questionnaire
Assessment Area: SDLC Methodology
Auditor:_____________
Review:______________
Date:________________
Workpaper 3-4. Analysis Summary for Workpaper 3-3
SDLC Methodology | # of Yes and N/A | # of Questions | % of Total |
---|---|---|---|
1 | 3 | 5 | 60% |
2 | 3 | 5 | 60% |
3 | 3 | 5 | 60% |
4 | 3 | 5 | 60% |
5 | 3 | 5 | 60% |
6 | 3 | 5 | 60% |
7 | 3 | 5 | 60% |
8 | 3 | 5 | 60% |
9 | 3 | 5 | 60% |
10 | 3 | 5 | 60% |
11 | 3 | 5 | 60% |
12 | 3 | 5 | 60% |
13 | 3 | 5 | 60% |
14 | 3 | 5 | 60% |
Response totals | 42 | 70 | 60% |
Workpaper 3-5. Self-Assessment Questionnaire
Assessment Area: Internal IT Audit Capabilities
Auditor:_____________
Review:______________
Date:________________
Workpaper 3-6. Analysis Summary for Workpaper 3-5
IT Audit Capabilities | # of Yes and N/A | # of Questions | % of Total |
---|---|---|---|
1 | 3 | 5 | 60% |
2 | 3 | 5 | 60% |
3 | 3 | 5 | 60% |
4 | 3 | 5 | 60% |
5 | 3 | 5 | 60% |
6 | 3 | 5 | 60% |
7 | 3 | 5 | 60% |
8 | 3 | 5 | 60% |
9 | 3 | 5 | 60% |
10 | 3 | 5 | 60% |
11 | 3 | 5 | 60% |
12 | 3 | 5 | 60% |
13 | 3 | 5 | 60% |
14 | 3 | 5 | 60% |
Response totals | 42 | 70 | 60% |
Workpaper 3-7. Analysis Summary for Workpapers 3-2, 3-4, and 3-6