Jill Wyatt explains how internal auditors can offer more to their businesses and what skills, tools and techniques they need to do so.
An ICT audit is an examination of the management controls within an IT infrastructure. The evaluation of obtained evidence determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the business goals or objectives.
This was the language used in audit all the time, Robert Mackenzie, business technology and consulting partner at Scott-Moncrieff, pointed out to his audience at ACCA’s annual internal audit conference in London earlier this year. So why is it that ICT auditors, like so many other minorities, often feel misunderstood and under-valued, and often become isolated?
The issue, Robert suggested, is communication. ‘Integration of ICT audit into the planning process really shouldn’t be a problem because ICT is fundamental to nearly every business we work in,’ he said. ‘The trouble is that the associated jargon can get in the way of identifying the potential that ICT control weaknesses have to damage the business.
‘This is why my team carry folders with IT fraud stories in them. These highlight the weaknesses in the management of databases, such as who can access them, which is something that most internal auditors will understand. Internal auditors want to know what risks have been identified and what can be done about them.
‘I suspect that sometimes ICT auditors hide behind the jargon of the technology. As a result these two groups of specialists, who should be working as one team, don’t clearly communicate with each other, or recognize where and how they should be interacting. Making this interaction happen is key to the success of the planning process – how that happens depends on the culture of the organization.
‘However, what matters most of all is that all audit activity can be linked back to the strategic business objectives of the organization.’
Robert stressed that anyone in internal audit could carry out many of the processes undertaken by ICT auditors, such as information governance, but that there were areas that required specialist input, which was easy to source as a sub-set of the auditing process. It was also essential to match skill sets to the technology in use.
Delegates at the conference were urged to make the best use of the software available by accessing computer-assisted audit techniques, data analysis, data extraction and data sampling.
‘It’s much easier than you think,’ he said. ‘For 20 years the bane of my life has been going into clients' offices, finding a box of audit software and blowing the dust off it!’
Moving on to one of the latest technologies available, cloud-based services, Robert said that, as with many of the latest buzzwords, auditors need to translate new concepts such as the cloud into benefits and risks that management can understand.
‘Cloud-based services cannot be ignored,’ he said. ‘The key benefits of these include immediacy, efficiency, resilience and cost containment and these need to be communicated effectively to management.’
Robert concluded by again emphasizing the importance of seeking to integrate IT auditing into the day-to-day audit process. ‘Don’t try and shoe-horn this in at the end of audit planning because if you do the IT auditors will not be able to produce the results you expect of them,’ he said. ‘It is only by working closely together that you will get maximum value out of the process.’
Role of data analytics
The importance of working closely with key personnel in different areas of the business was a point also stressed by Hugo Alhinho – IT auditor, data analytics, CISA, Shell International.
In his organization, Hugo explained, IT supports all upstream (extraction of crude oil, gas, etc.) and downstream (transformation into finished product) processes. ‘Working closely with experts in every area of operation is vital to understanding the risks and controls,’ he said. ‘We have 8,000 applications, so this is a huge and complex area.’
Six years ago, Shell created a small team dedicated to data analytics, recognizing that it was impossible to train all 220 of its auditors in this area. The six-member team’s job was to help reduce the complexity of the IT and create a common layer that allowed auditors to identify which parts of the business were most risky and needed to be looked at more carefully. In 2013 efforts were concentrated on finance.
There were three types of deliverables:
So when should data analytics be used on an audit? Hugo suggested that the process could be used as part of the annual audit plan, to help understand the scope area, to help prioritize the scope areas, to test the effectiveness of controls and to quantify control exceptions.
Available tools suitable for varying levels of data analysis include MS Excel and MS Access, ACL, and customized data analysis tools. The latter are used for complex queries or routines involving the extraction and transformation of significant volumes of data, and for data that needs to be transformed, linked, translated or analyzed using complex data analysis routines.
Other techniques include decision trees, clustering, neural nets, logistic regression and text mining.
‘Leveraging analytics for risk-based auditing has many benefits,’ Hugo concluded. ‘It increases the performance of the internal audit department, reduces the costs of planning as a lot of this can be done remotely and – most importantly – reduces the risks in the business.’
Jill Wyatt is a business journalist. This article was first published in the Internal Audit eBulletin, a quarterly ezine for members of the Association of Chartered Certified Accountants (ACCA) who work in internal audit. Learn more and view the latest issue here: http://www.accaglobal.com/uk/en/member/uk-publications.html