
Auditor’s Guide to IT Auditing, Second Edition

By Richard E. Cascarino
Copyright © 2012 by Richard E. Cascarino

CHAPTER EIGHT

Audit Management

THIS CHAPTER LOOKS at audit management and its resource allocation and prioritization in the planning and execution of assignments. The management of Information Technology (IT) audit quality through techniques such as peer reviews and best practice identification is explored. The human aspects of management in the forms of career development and career-path planning, performance assessment, counseling and feedback, as well as professional development through certifications, professional involvement, and training (both internal and external) are reviewed.

PLANNING

It is important to emphasize that computer auditing is only one part of the total internal or external audit function. The IT audit group’s responsibility is to provide support to the general audit side on computer-related aspects of their work, by providing adequate audit coverage of the organization’s information systems. Audit management must ensure that general and computer audit work complement each other, dovetailing together to provide adequate audit coverage for the enterprise.

Planning the IT audit function involves defining the areas of audit involvement. These could be the review of:

c08.indd 93 1/31/2012 8:33:23 AM


94 ◾ IT Audit Process

▪ Business systems
▪ Systems under development
▪ IT facilities management
▪ Security and recovery controls
▪ Efficiency and effectiveness of IT

AUDIT MISSION

To review, appraise, and report on:

▪ Soundness, adequacy, and application of controls
▪ Compliance with established policies, plans, and procedures
▪ Accounting for and safeguarding corporate assets
▪ Application of proper authority levels
▪ Reliability of accounting and other data
▪ Quality of performance of assigned duties
▪ Extent of coordinated effort between departments
▪ Safeguarding of corporate interests in general

IT AUDIT MISSION

To review, appraise, and report on:

▪ Soundness, adequacy, and application of IT operational standards
▪ Soundness, adequacy, and application of systems-development standards
▪ The extent of compliance with corporate standards
▪ Security of the corporate IT investment
▪ Adequacy of contingency arrangements
▪ Completeness and accuracy of computer-processed information
▪ Whether optimum use is being made of all computing resources
▪ Soundness of application systems developed

The scope of work undertaken includes installation reviews, systems reviews, audits of systems under development, as well as audits of the development process. Auditing of the contingency planning arrangements, provision of in-department expertise, and training of non-IT auditors may also be IT audit responsibilities. The specialist may be required to assist in computerizing the internal audit function, to review logical security, and to liaise with external IT audit functions.

Specialist tasks would include reviews of logical security, IT strategic planning, efficiency/effectiveness, communications systems security, and IT technical support functions.


ORGANIZATION OF THE FUNCTION

The dividing line between what is a computer audit function and what is a general audit function can vary significantly between audit groups. Some groups include what in other audit departments would be a computer audit function in the general audit responsibilities. There are three different views on computer audit as a discrete discipline.

The first view, and one often held by computer auditors themselves, is that any review of computer controls should be carried out by a specialist computer auditor. Therefore, as computer systems are continuing to spread and increase in complexity, the number of staff working as professional, full-time computer auditors must increase correspondingly.

The contrary view is that computer auditors and general auditors must integrate fully. Because most business systems are computer based, all auditors must be computer auditors. Extreme proponents of this view see no future for separate computer audit specialists, even for the most technical work.

Between these views is a third view, which has much to commend it. There is some benefit in some areas of audit work involving the review of computer systems being carried out by computer-literate general auditors. This includes the review of personal computer (PC) systems, which tend to be highly integrated into the workings of user departments, and many aspects of the review of both developing and live systems, which again benefit from a detailed knowledge of the business environment. Some straightforward file interrogations can now easily be carried out by general auditors. However, there is still a continuing and major role for specialist computer audit staff, particularly in the more technical areas of developing or live application reviews, and for mainframe computer installation and systems software reviews.

Such an organization will typically report independently to a level sufficiently high to ensure adequate authority for access. Normally it is seen as a part of internal audit and reports within that structure. The structure of IT audit itself is a factor of size, which will determine the need for specialists as opposed to generalists, the complexity of systems and the uniqueness of systems, and the extent of use of packaged systems.

STAFFING

Depending on the size and complexity, staffing could consist of a mix of:

▪ Computer audit manager
▪ Application auditors
▪ Trainee auditors
▪ Audit application development staff
▪ Technical support

Skill levels required of the manager of such a department would include specialized skills in both conventional and computer auditing as well as the managerial skills appropriate to handle a mix of technical specialists. Knowledge of the corporation would be absolutely essential to ensure adequacy of risk coverage.
Tasks of the IT manager include the planning of the strategic direction of the section, which must take into account corporate priority setting as well as the liaison internally and externally to ensure effective IT coverage in an efficient manner. As with any line manager, the review and approval of all IT audit work and the controlling and monitoring of the workflow are part of the normal managerial function. The staffing of the department, defining of roles, sourcing of staff and training, motivating, and career planning for acquired staff are part of the normal managerial process.

Once the audit universe has been defined, it will be possible to work out the types of skill required to review the audit areas that have been identified.

Assuming typical IT audit coverage in a large organization, the following skills or knowledge may be required in an IT audit department:

▪ IT security and control principles.
▪ Audit principles. Auditors need to understand how to plan and undertake audits, and how to document their work.
▪ Good interpersonal and communications skills, both oral and written, because very complex technical information often has to be communicated in a jargon-free way.
▪ Good sense of judgment because they need to analyze complex technical and business issues, and to conclude on the security and control implications.
▪ Business-specific skills, for example, a bank will benefit in application reviews if some staff have banking training.
▪ Systems-analysis skills to assist in understanding computer systems and reviewing the development process.
▪ Data-analysis skills to assist the auditor in understanding the design and development process, as data-analysis techniques are in widespread use.
▪ Some programming skill to assist in preparing computer-assisted audit techniques (CAATs) and reviewing systems under development.
▪ Computer operations experience to help the auditor to review computer installations.
▪ Networks for the review of data communications.
▪ Systems software to assist in the review of the systems software infrastructure of the organization.
▪ PCs and minicomputers. This has now become a very significant area in many organizations.
▪ Interfacing with the Internet. The extension of the Internet into all aspects of business computing requires a knowledge of both the technology and the risks faced.
▪ Cloud computing. The variations within cloud computing are rapidly becoming the technology of choice for many organizations. Knowledge of the expanding risk that comes with such technology is of paramount importance to the modern IT auditor.


In-depth and varied skills are therefore required and are rarely found in one individual. Many computer audit departments are thus staffed by auditors from a variety of different computing and audit backgrounds. It is management’s job to develop missing skills in the group, and bring the group together as a team. Ongoing training is essential to keep skills current in an ever-changing data processing environment.

In order to discharge their responsibility of identifying and analyzing risk in computer systems, the computer auditor must, as is the case with all auditors, be able to write reports in simple, jargon-free language. The auditor must be able to report on risk in terms that management can understand; insofar as is possible, the effect of the risk must be described in business terms for business management. While the final report of findings to management, both orally and in writing, may take only a small percentage of audit time, if it is not done professionally, much of the potential benefit of the audit will be lost. Good written and oral communications skills are therefore essential.

IT AUDIT AS A SUPPORT FUNCTION

IT audit may also be viewed as a support function to the rest of the internal audit function and may be involved in the development of CAATs, the provision of assistance to non-IT auditors, and even the internal training of non-IT auditors. They may also assist in the development of control procedures for internal computer usage while ensuring the appropriate research in advanced IT and IT audit techniques is conducted.

Organizational structures may be centralized or decentralized. Centralized has the advantages of independence from local management and the maintenance of close ties with corporate management. Availability is flexible, but the centralized auditor may be seen as an outsider by local management, and this could offset all the aforementioned advantages.

Decentralized IT audit, with each division having its own IT auditors, permits close ties at the local level with an enhanced perception of benefits. The auditors may have a better understanding of the local business functions, but there is a possible loss of objectivity and of a standard audit approach. It is also a costly approach.

The hybrid approach uses generalist groups in the field with technical support at the head office. Rotation of staff through the specialist section may give the best of both worlds, but it may fragment audit efforts and result in a loss of cohesion.

PLANNING

Planning the computer audit function involves defining the areas of audit involvement. These could be the review of:

▪ Business systems
▪ Systems under development
▪ IT facilities management
▪ Security and recovery controls
▪ Efficiency and effectiveness of IT

Of these we will focus primarily on the review of business information systems.

BUSINESS INFORMATION SYSTEMS

Reviews of business systems include audits of application systems, fraud audits, compliance audits, financial audits, operational audits, recovery audits, and systems-development audits.

Auditing computer systems of any kind is a systematic process commenced by obtaining a business understanding of the system under review. From this understanding, the auditor can define the business objectives of the system and verify them with user management. The next stage would be the definition of the specific control objectives and from there the auditor may proceed to identify and evaluate critical controls/processes/apparent exposures and design the audit procedures to test the critical facets. Evaluation of the results, reporting, and follow-up complete the process.

In designing the audit procedures, the auditor is testing to obtain evidence. This means that the auditor must know what he or she is looking for. It must always be understood that not all controls need to be tested and that, to provide cost-effective auditing, the auditor should look for common controls, that is, controls that address a variety of control objectives. As individual controls are identified, the auditor should try to identify control structures or combinations of controls that serve to mitigate risk areas and should establish the degrees of control effectiveness.
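As an added illustration of the common-controls idea in this section (example code written for this page, not the author's), the following Python worksheet maps controls to control objectives, greedily selects the controls that each address the most still-uncovered objectives, and reports the apparent exposures (objectives no control addresses) and the objectives whose strongest control is rated weak. All control names, objectives and effectiveness ratings are constructed sample data for a hypothetical payroll application.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data for a hypothetical payroll application (not from the chapter).
OBJECTIVES: Dict[str, str] = {
    "CO1": "Only authorised users can change payroll master data",
    "CO2": "All payroll transactions are completely processed",
    "CO3": "Payroll transactions are accurately processed",
    "CO4": "Processing can be recovered after a failure",
    "CO5": "Application changes are approved before release",
    "CO6": "An audit trail of master-data changes is retained",
}

# control -> (control objectives it addresses, assessed effectiveness 0.0 .. 1.0)
CONTROLS: Dict[str, Tuple[Set[str], float]] = {
    "Role-based access to master data": ({"CO1"}, 0.9),
    "Batch control totals reconciled daily": ({"CO2", "CO3"}, 0.8),
    "Input validation on pay-rate fields": ({"CO3"}, 0.7),
    "Nightly backup with periodic restore test": ({"CO4"}, 0.6),
    "Change-approval workflow with segregated release": ({"CO5", "CO1"}, 0.85),
}


def select_common_controls(controls, objectives):
    """Greedy selection: each round take the control that covers the most
    still-uncovered objectives (ties broken by effectiveness).  Returns the
    selected controls in order and the objectives that no control addresses,
    i.e. the apparent exposures the auditor must still deal with."""
    uncovered = set(objectives)
    selected: List[str] = []
    while uncovered:
        name, (covers, _) = max(
            controls.items(),
            key=lambda item: (len(item[1][0] & uncovered), item[1][1]),
        )
        gained = covers & uncovered
        if not gained:
            break  # nothing left covers the remaining objectives
        selected.append(name)
        uncovered -= gained
    return selected, uncovered


def weak_objectives(controls, objectives, threshold=0.75):
    """Objectives whose strongest control is rated below the threshold (or that
    have no control at all): candidates for additional testing."""
    best = {obj: 0.0 for obj in objectives}
    for covers, effectiveness in controls.values():
        for obj in covers:
            best[obj] = max(best[obj], effectiveness)
    return sorted(obj for obj, rating in best.items() if rating < threshold)


if __name__ == "__main__":
    chosen, gaps = select_common_controls(CONTROLS, OBJECTIVES)
    print("Controls to test first:")
    for name in chosen:
        print("  -", name)
    print("Apparent exposures:", ", ".join(sorted(gaps)) or "none")
    print("Weakly controlled objectives:", ", ".join(weak_objectives(CONTROLS, OBJECTIVES)))
```

With the sample data, two controls are not selected for coverage because the objectives they address are already met by the chosen common controls, while CO6 surfaces as an exposure with no control at all.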

INTEGRATED IT AUDITOR VERSUS INTEGRATED IT AUDIT

For many years confusion has arisen as to the difference between integrated audit and the integrated auditor. Contrary to what some believe, there are some simple and realistic answers to this question.

There are two readily identifiable approaches to integrated audit that have been tried with varying degrees of success: integrated auditor and integrated audit.

Integrated Auditor

The basic concept is to develop an expanded auditor skill set, basically to train financial/operational auditors to be “partial” IT auditors. Armed with a basic understanding of computers—and general and application controls—all auditors would be able to include IT control considerations in each and every audit, as well as use basic CAATs (without being totally dependent on the IT audit staff). Basic training on information technology and IT audit remains the first step in developing IT auditors (including integrated auditors) at all skill levels.


Audit programs may then be modified to include IT control considerations, as well as to identify opportunities for CAATs.

If extensive IT audit education is provided for the integrated auditor, standard “off the shelf” IT audit programs might be used without modification. If the education provided is less extensive, audit programs may require significant modification to ensure the auditor fully understands both the question and possible answers, and knows what to do next based on the answer given.

The complete integrated auditor fully understands and will use CAATs in all audits. Undertrained integrated auditors rely on others to do CAATs for them.

In today’s world, all auditors must have some level of IT expertise. All organizations base audit staffing and training requirements on the audit mission and audit requirements, and are becoming increasingly sophisticated in accomplishing that process. Thus, in reality, all auditors have become integrated IT auditors—some just have greater knowledge and skills than others. Effective integration is therefore dependent on:

▪ Expanding the IT knowledge base of each and every auditor
▪ Realistic audit assignments based on knowledge and skill level
▪ Extensive IT audit tools and support
▪ Effective technical supervision

Integrated Audit
The alternate solution chosen by some organizations is to focus their resources more directly by providing an integrated audit product rather than developing an integrated auditor. Rather than attempt to expand the knowledge base of an individual, they seek to apply the knowledge base that currently exists within their organization by assembling an audit team including IT audit-trained as well as financial/operationally trained auditors working together. This approach is obviously preferred by those organizations that already use cross-functional teams extensively. Though it is not always a viable alternative for smaller audit staffs, including a technical expert in an audit can have major internal assurance and risk management advantages.

The key to successful team auditing is the building of team participation skills to assure functional groups. Not all auditors are used to working as members of cohesive groups, and some have had no training or experience whatsoever of working in a group setting. This means that effective team building will involve expanding the group process knowledge base of both staff and management. Realistic audit team assignments based on knowledge and skill level are a prerequisite, as are IT audit management involvement and participation.
The biggest barriers to achieving effective auditing in an IT environment include
the assumption that IT Audit is a separate and unique and special audit discipline, while
the fundamental internal auditor skill set is accounting and general business oriented,
with limited IT knowledge required.
Many organizations are redefining internal audit as the business processes are re-engineered throughout the rest of the organization. The internal audit discipline is also undergoing a massive re-engineering and reorganization as new philosophies, methodologies, and techniques such as control self-assessment are tested and implemented. What better time to restructure based on an IT philosophy?

IT is pervasive within the organization. Structures that seek to make IT distinct and special are obsolete and counterproductive. As auditors we have created the artificial functional designations of financial audit, operational audit, and IT audit because that suited our purposes at the time. In today’s business environment we must use functional specialization to our advantage, not be ruled by it. We must eliminate over-specialization and correctly reclassify IT as a pervasive and critical organization resource rather than a special organization function that can only be audited by function specialists.

AUDITEES AS PART OF THE AUDIT TEAM

Effective internal control can only be achieved when everyone wants to have effective internal control and work together to achieve that goal. Team-based auditing has long been a preferred integrated audit approach. As in any team effort, success is dependent on shared objectives and full participation. In today’s world, however, the team audit approach needs to be taken to the next level, including management and staff of the area undergoing evaluation.

True team audits can provide team access to the broader specialized knowledge content of its individual members, and also identify those areas where critical specialized knowledge is absent.

APPLICATION AUDIT TOOLS

The tools available for computer auditors include not only CAATs but also the standard tools such as interviews, system questionnaires, control questionnaires, and documentation. Control evaluation tools such as CAATs, test data generators, and flowcharting packages may be combined with specialized audit software, generalized audit software, utility programs, and non-audit-specific software such as reporting programs and general query languages.

Risk analyzers, audit planning software, and automated working papers may also prove useful tools in this environment.

ADVANCED SYSTEMS

The audit of advanced systems such as paperless systems (e.g., electronic data interchange [EDI]) or decision support systems (e.g., Executive Information Systems) involves a risk-multiplier factor. The risk is limited only by the corporate dependency on the system. This is normally unevaluated and normally understated because risks in these areas could threaten the ongoing existence of the organization. The use of cloud computing and enterprise resource management (ERM) systems to drive the fundamental business of the organization means the risks within these areas must be clearly understood by the IT auditor and that the IT audit program must be tailored to meet these advanced risks.

Advanced systems are an enormous corporate investment designed to maintain the corporate competitive edge. In some cases they may lead to a complete re-engineering of the organization with major impacts on efficacy, efficiency, and economy.

SPECIALIST AUDITOR

Many organizations make use of specialists within their IT audit function to carry out tasks classed as being beyond the scope of the conventional IT auditor. These include such audit areas as performance auditing of computerized systems, auditing logical computer security, auditing telecommunications, auditing that technical specialist’s area, and auditing IT strategic planning. In all of these areas a higher level of technical competence is normally required and for many organizations it is neither cost effective nor desirable to retain such skill levels in-house. In these circumstances, the organization would rather outsource to a technical specialist or use consultancy skills as required. Where the specialist IT audit capability is in-sourced, career progression can be a problem because such high levels of technical skills are normally only required within IT audit, IT security, or IT itself.

IT AUDIT QUALITY ASSURANCE

As with any other audit area, quality assurance remains the responsibility of the audit manager. In practice, this will normally involve review of audit work by other IT auditors as well as audit management. It is critical, to maintain the confidence of the auditee and the IT department in the IT audit function, that IT audit work be seen to be technically competent in all of the areas addressed. Once more, where such assurance cannot be given in-house, outside sources may be used as external quality assurance (QA) reviewers. Such external resources can come from a variety of sources including specialist consultancy firms and independent external auditors.
