What is an Audit?
An audit is an “independent examination of information of any entity, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon”. Audits can be financial or non-financial (for example, IT audits), but the concept remains the same: an examination conducted with a view to expressing an opinion on what was examined.
Audits can be done externally or internally. External audits are commonly performed by certified firms while internal audits serve as a managerial tool to make improvements to processes and internal controls.
Types of Audits
External audits, performed by outside parties, can be extremely helpful in removing any bias in reviewing the state of a company’s financials. Financial audits seek to identify whether there are any material misstatements in the financial statements. External auditors follow a set of standards different from that of the company or organization hiring them to do the work.
Internal auditors are employed by the company or organization for whom they are performing an audit, and the resulting audit report is given directly to management and the board of directors. Consultant auditors, while not employed internally, use the standards of the company they are auditing as opposed to a separate set of standards. These types of auditors are used when an organization doesn’t have the in-house resources to audit certain parts of their own operations.
Objectives of an IT audit
Most often, IT audit objectives concentrate on substantiating that the internal controls exist and are functioning as expected to minimize business risk. These audit objectives include assuring compliance with legal and regulatory requirements, as well as the confidentiality, integrity, and availability (CIA – no, not the federal agency, but the information security triad) of information systems and data.
IT audit strategies
There are two areas to talk about here. The first is whether to do compliance or substantive testing, and the second is “How do I go about getting the evidence to allow me to audit the application and make my report to management?”

So what is the difference between compliance and substantive testing? Compliance testing is gathering evidence to test whether an organization is following its control procedures. Substantive testing, on the other hand, is gathering evidence to evaluate the integrity of individual data and other information.

Compliance testing of controls can be illustrated with the following example. An organization has a control procedure which states that all application changes must go through change control. As an IT auditor you might take the current running configuration of a router as well as a copy of the previous (-1) generation of the configuration file for the same router, run a file compare to see what the differences are, and then take those differences and look for supporting change control documentation. Don’t be surprised to find that network admins, when they are simply re-sequencing rules, forget to put the change through change control.

For substantive testing, let’s say that an organization has a policy/procedure concerning backup tapes at the offsite storage location which requires 3 generations (grandfather, father, son). An IT auditor would do a physical inventory of the tapes at the offsite storage location, compare that inventory to the organization’s inventory, and check that all 3 generations are present.
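The two tests described above, written out as a small script. This is an added example, not code from the original article: the router configurations, the change ticket CHG-1042, the tape IDs and the function names are all constructed for illustration. The compliance test diffs the two config generations and looks for an approved ticket covering each changed line; the substantive test reconciles the physical tape count against the organization’s inventory and checks that all three generations are actually on the shelf.

```python
import difflib
from itertools import islice

# Constructed sample data (not from any real device or organisation): the
# router's current running config and the previous (-1 generation) saved copy.
PREVIOUS_CONFIG = """\
hostname edge-rtr-01
ip access-list extended OUTSIDE-IN
 10 permit tcp any host 192.0.2.10 eq 443
 20 permit tcp any host 192.0.2.10 eq 80
 30 deny ip any any log
line vty 0 4
 transport input ssh
"""

CURRENT_CONFIG = """\
hostname edge-rtr-01
ip access-list extended OUTSIDE-IN
 10 permit tcp any host 192.0.2.10 eq 443
 20 permit tcp any host 192.0.2.10 eq 80
 25 permit tcp any host 192.0.2.20 eq 22
 30 deny ip any any log
line vty 0 4
 transport input ssh telnet
"""

# Constructed change-control records. Each approved ticket records the exact
# diff lines it authorised ("+" added, "-" removed), which is what lets an
# auditor tie a configuration difference back to its supporting documentation.
CHANGE_TICKETS = {
    "CHG-1042": {"approved": True,
                 "changes": ["+ 25 permit tcp any host 192.0.2.20 eq 22"]},
}


def config_diff(previous, current):
    """Return the changed lines between two config generations as '+line' / '-line'."""
    diff = difflib.unified_diff(previous.splitlines(), current.splitlines(),
                                lineterm="", n=0)
    # Drop the two file headers, then keep only the +/- lines (skip '@@' hunk headers).
    return [line for line in islice(diff, 2, None) if not line.startswith("@@")]


def compliance_test(previous, current, tickets):
    """Compliance test: every config change must be covered by an approved ticket."""
    approved = {change for t in tickets.values() if t["approved"]
                for change in t["changes"]}
    observed = config_diff(previous, current)
    findings = [f"Change with no approved ticket: {line}"
                for line in observed if line not in approved]
    # An approved change that never reached the device is also worth reporting.
    findings += [f"Approved change not found in running config: {line}"
                 for line in sorted(approved - set(observed))]
    return findings


# Constructed offsite-storage records: the organisation's inventory of which
# tapes (and which generation) should be offsite, versus the tape IDs the
# auditor physically counted on the shelves.
ORG_INVENTORY = {"T001": "son", "T002": "father", "T003": "grandfather", "T004": "son"}
PHYSICAL_COUNT = {"T001", "T002", "T004", "T009"}
REQUIRED_GENERATIONS = ("grandfather", "father", "son")


def substantive_test(inventory, physical):
    """Substantive test: reconcile the physical count against the inventory and
    confirm that all three backup generations are actually present offsite."""
    findings = [f"Tape {tape} ({inventory[tape]}) listed in inventory but not found offsite"
                for tape in sorted(set(inventory) - physical)]
    findings += [f"Tape {tape} found offsite but not in inventory"
                 for tape in sorted(physical - set(inventory))]
    present = {inventory[tape] for tape in inventory if tape in physical}
    findings += [f"No {gen} generation tape present offsite"
                 for gen in REQUIRED_GENERATIONS if gen not in present]
    return findings


if __name__ == "__main__":
    for finding in compliance_test(PREVIOUS_CONFIG, CURRENT_CONFIG, CHANGE_TICKETS):
        print("COMPLIANCE:", finding)
    for finding in substantive_test(ORG_INVENTORY, PHYSICAL_COUNT):
        print("SUBSTANTIVE:", finding)
```

On the sample data the compliance test flags the vty change (telnet was enabled with no ticket) while the ACL rule covered by CHG-1042 passes, and the substantive test reports the grandfather tape that the inventory claims is offsite but the count did not find, plus an unlisted tape on the shelf. Each finding string is the sort of line that goes straight into the cross-reference of evidence to audit step.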
The second area deals with “How do I go about getting the evidence to allow me to audit the application and make my report to management?” It should come as no surprise that you need to:
- Review IT organizational structure
- Review IT policies and procedures
- Review IT standards
- Review IT documentation
- Review the organization’s BIA
- Interview the appropriate personnel
- Observe the processes and employee performance
- Examine the controls, which necessarily involves testing them, so the results of those tests form part of the evidence
As an additional comment on gathering evidence, observing what an individual actually does versus what they are supposed to do can provide the IT auditor with valuable evidence about how a control has been implemented and how well the user understands it. Performing a walk-through can also give valuable insight into how a particular function is being performed.
The audit deliverable
So what’s included in the audit documentation, and what does the IT auditor need to do once their audit is finished? Here’s the laundry list of what should be included in your audit documentation:
- Planning and preparation of the audit scope and objectives
- Description and/or walkthroughs on the scoped audit area
- Audit program
- Audit steps performed and audit evidence gathered
- Whether services of other auditors and experts were used and their contributions
- Audit findings, conclusions and recommendations
- The relationship between the audit documentation and the underlying documents, with document identification and dates (your cross-reference of evidence to audit step)
- A copy of the report issued as a result of the audit work
- Evidence of audit supervisory review
When you communicate the audit results to the organization it will typically be done at an exit interview, where you will have the opportunity to discuss any findings and recommendations with management. You need to be absolutely certain that:
- The facts presented in the report are correct
- The recommendations are realistic and cost-effective, or alternatives have been negotiated with the organization’s management
- The recommended implementation dates will be agreed to for the recommendations you have in your report.
Your presentation at this exit interview will include a high-level executive summary (as Sgt. Friday used to say, just the facts please, just the facts). And for whatever reason, a picture is worth a thousand words, so include some PowerPoint slides or graphics in your report.
Your audit report should be structured so that it includes:
- An introduction (executive summary)
- The findings in a separate section, grouped by the intended recipient
- Your overall conclusion and opinion on the adequacy of controls examined and any identified potential risks
- Any reservations or qualifications with respect to the audit
- Detailed findings and recommendations
Finally, there are a few other considerations which you need to be cognizant of when preparing and presenting your final report. Who is the audience? If the report is going to the audit committee, they may not need to see the minutiae that go into the local business unit report. You will need to identify the organizational, professional and governmental criteria applied, such as the GAO Yellow Book, CobiT or NIST SP 800-53. Your report should be timely so as to encourage prompt corrective action.
And as a final, final parting comment, if during the course of an IT audit, you come across a materially significant finding, it should be communicated to management immediately, not at the end of the audit.