The second activity that must be performed is to interview the audit team members to assess problems perceived by them. Although this can be done either individually by the quality assurance manager or as a team activity, it is recommended that it be done as a team activity by the entire staff that participated in the audit if the individuals can be assembled for this purpose. It is recommended that this procedure be followed for team reviews:
The major impediment to documenting audit problems is that people do not like to recognize that problems occur. In addition, many individuals feel that documenting problems is indicative of poor performance. It is important for audit management to emphasize the fact that the problems occur most frequently because of the process, not the individual. Until the audit staff accepts the concept that the process causes the problems, IT auditors will be reluctant to spend much effort documenting problems.
This step is the responsibility of the quality assurance group in auditing. If there is no quality assurance group, audit management can perform this task or it could be delegated to the users of the process. The objective of the task is to improve the process for auditing computer applications. This task involves two activities. The first is to identify the cause of each audit problem, and the second is to develop and implement a process improvement. These two activities occur for each identified problem with the audit process. The task begins with a list of identified problems. In determining the cause of the problem, IT auditors should consider the following procedures.
Cluster Similar Audit Problems. All of the audit problems that appear to address the same area should be clustered into a single group. If the number of audit problems identified is small, this can be done mentally. As the number of audit problems increases, however, it may be more efficient to write each problem on a 3 × 5 card and then sort the cards into clusters. When this has been done, the similar audit problems should be recorded in the appropriate workpaper. It is not unrealistic to include the same audit problem in more than one cluster.
Determine How the Problem Was Identified. In looking for the cause of the problem, it is important to know how the IT auditors realized that a problem existed. Did they have problems following a procedure? Was there a column missing on the workpaper? Were they unable to find needed information from another workpaper? This section should be referenced to the workpaper in which the problem was identified or noted.
Indicate Which Audit Process and Workpapers Are Involved. This procedure involves determining what process the IT auditor was performing when the problem occurred and what workpapers were being used. These may be the same items that were used to identify the problem or different ones. For example, the problem may have occurred in completing the workpaper, but it was identified during the supervisory review. All of the information about the process and workpapers should be recorded in the appropriate workpaper.
Identify the Skills Necessary to Perform the Identified Process and the Skill Level of the IT Auditors Involved in the Problem. This information can be obtained from the IT auditor-in-charge or departmental documents. It must be determined which skills the IT auditor must possess to properly perform an audit and to complete appropriate workpapers. The skills actually possessed by the IT auditors who performed the procedure in question or completed the workpaper in question should also be documented.
Identify the Cause of the Problem. The most likely causes are improper process instructions, improper or improperly sequenced process, incomplete or confusing workpapers, or IT auditors' lack of skills. The quality assurance manager should study the information about the problem and then attempt to determine what part of the process broke down, including training and staffing of IT auditors for the assignment.
The next activity is to identify the improvement to the process that will eliminate the cause of the problem. The quality assurance manager should attempt to identify as many potential solutions as is reasonable to improve the process. The solutions identified should be realistic on the basis of the size and skill level of the audit staff. For each identified potential solution, the advantages as well as the disadvantages of implementing that solution should be determined. It may be advantageous to discuss the potential solutions with the audit staff and get their input on which solution they prefer. Having the audit staff accept the solution is helpful in having it implemented.
The implementation plan should include what needs to be changed in the audit process, including the documentation of the workpapers, when the change will occur, and how the audit staff will be notified and trained to properly execute the changed procedures.