The 21st Minute


Working Smarter: Getting the Most from IT Audit Resources and Skills

Jill Wyatt explains how internal auditors can offer more to their businesses and what skills, tools and techniques they need to do so.

An ICT audit is an examination of the management controls within an IT infrastructure. The evaluation of obtained evidence determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the business goals or objectives.

This was the language used in audit all the time, Robert Mackenzie – business technology and consulting partner, Scott-Moncrieff, pointed out to his audience at ACCA’s annual internal audit conference in London earlier this year. So why is it that ICT auditors, like so many other minorities, often feel misunderstood and under-valued, and often become isolated?

The issue, Robert suggested, is communication. ‘Integration of ICT audit into the planning process really shouldn’t be a problem because ICT is fundamental to nearly every business we work in,’ he said. ‘The trouble is that the associated jargon can get in the way of identifying the potential that ICT control weaknesses have to damage the business.

‘This is why my team carry folders with IT fraud stories in them. These highlight the weaknesses in the management of databases, such as who can access them, which is something that most internal auditors will understand. Internal auditors want to know what risks have been identified and what can be done about them.

‘I suspect that sometimes ICT auditors hide behind the jargon of the technology. As a result these two groups of specialists, who should be working as one team, don’t clearly communicate with each other, or recognize where and how they should be interacting. Making this interaction happen is key to the success of the planning process – how that happens depends on the culture of the organization.

‘However, what matters most of all is that all audit activity can be linked back to the strategic business objectives of the organization.’

Resources required
Robert stressed that anyone in internal audit could carry out many of the processes undertaken by ICT auditors, such as information governance, but that some areas required specialist input, which was easy to source as a sub-set of the auditing process. It was also essential to match skill sets to the technology in use.

Delegates at the conference were urged to make the best use of the software available by accessing computer-assisted audit techniques, data analysis, data extraction and data sampling.

‘It’s much easier than you think,’ he said. ‘For 20 years the bane of my life has been going into clients' offices, finding a box of audit software and blowing the dust off it!’

Cloud-based services
Moving on to one of the latest technologies available, cloud-based services, Robert said that auditors need to translate new concepts such as the cloud, like many of the latest buzzwords, into benefits and risks that management can understand.

‘Cloud-based services cannot be ignored,’ he said. ‘The key benefits of these include immediacy, efficiency, resilience and cost containment and these need to be communicated effectively to management.’

Robert concluded by again emphasizing the importance of seeking to integrate IT auditing into the day-to-day audit process. ‘Don’t try and shoe-horn this in at the end of audit planning because if you do the IT auditors will not be able to produce the results you expect of them,’ he said. ‘It is only by working closely together that you will get maximum value out of the process.’

Role of data analytics
The importance of working closely with key personnel in different areas of the business was a point also stressed by Hugo Alhinho – IT auditor, data analytics, CISA, Shell International.

In his organization, Hugo explained, IT supports all upstream (extraction of crude oil, gas, etc.) and downstream (transformation into finished product) processes. ‘Working closely with experts in every area of operation is vital to understanding the risks and controls,’ he said. ‘We have 8,000 applications, so this is a huge and complex area.’

Six years ago, Shell created a small team dedicated to data analytics, recognizing that it was impossible to train all 220 of its auditors in this area. The six-member team’s job was to help reduce the complexity of the IT and create a common layer that allowed auditors to identify which parts of the business were most risky and needed to be looked at more carefully. In 2013 efforts were concentrated on finance.

There were three types of deliverables:

  • Predefined reports, for data profiling, process controls testing or substantive testing
  • Truth tables for transactions that displayed a combination of characteristics that might require follow-up (for example round sum amounts with no description exceeding £10m)
  • OLAP cubes, which consisted of different measures to provide a view of the information needed during an audit.
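
A small sketch of the truth-table deliverable described above, added here as an illustration and not taken from Shell's tooling or from the article. The ledger rows are constructed, and the 100,000 round-sum unit and all function names are assumptions.

```python
from collections import Counter
from decimal import Decimal

THRESHOLD = Decimal("10000000")  # the article's £10m example figure
ROUND_UNIT = Decimal("100000")   # assumption: "round sum" = multiple of 100,000

# Constructed sample ledger lines: (id, amount in GBP, description)
LEDGER = [
    ("T001", "12000000.00", ""),
    ("T002", "12000000.00", "Q3 rig lease settlement"),
    ("T003", "10450317.22", ""),
    ("T004", "500000.00", ""),
    ("T005", "25000000.00", "   "),  # whitespace only counts as no description
    ("T006", "7321.50", "Stationery"),
]

CHARACTERISTICS = ("round_sum", "no_description", "over_threshold")

def characterise(amount, description):
    """Return the tuple of boolean characteristics for one transaction."""
    amt = Decimal(amount)  # Decimal avoids float rounding on money values
    return (
        amt % ROUND_UNIT == 0,
        description.strip() == "",
        amt > THRESHOLD,
    )

def truth_table(ledger):
    """Count transactions for each combination of characteristics."""
    return Counter(characterise(a, d) for _, a, d in ledger)

def follow_up(ledger, pattern=(True, True, True)):
    """IDs of transactions whose characteristics match the follow-up pattern."""
    return [tid for tid, a, d in ledger if characterise(a, d) == pattern]

if __name__ == "__main__":
    print(" | ".join(CHARACTERISTICS), "| count")
    for combo, n in sorted(truth_table(LEDGER).items(), reverse=True):
        print(" | ".join("Y" if c else "N" for c in combo), "|", n)
    print("follow up:", follow_up(LEDGER))
```

The table shows how many transactions fall into each combination, so an auditor can see both the follow-up population and the near misses, such as large undescribed amounts that are not round sums.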

So when should data analytics be used on an audit? Hugo suggested that the process could be used as part of the annual audit plan, to help understand the scope area, to help prioritize the scope areas, to test the effectiveness of controls and to quantify control exceptions.

Available tools suitable for varying levels of data analysis include MS Excel and MS Access, ACL, and customized data analysis tools. The latter are used for complex queries or routines involving the extraction and transformation of significant volumes of data and data that needs to be transformed, linked, translated or analyzed using complex data analysis routines.

Other techniques include decision trees, clustering, neural nets, logistic regression and text mining.

‘Leveraging analytics for risk-based auditing has many benefits,’ Hugo concluded. ‘It increases the performance of the internal audit department, reduces the costs of planning as a lot of this can be done remotely and – most importantly – reduces the risks in the business.’

Jill Wyatt is a business journalist. This article was first published in the Internal Audit eBulletin, a quarterly ezine for members of the Association of Chartered Certified Accountants (ACCA) who work in internal audit. Learn more and view the latest issue here: http://www.accaglobal.com/uk/en/member/uk-publications.html
