Internal audit leaders looking for a way to improve staff skills and increase audit efficiencies would do well to consider integrated auditing, an approach that can help them on both counts.
The concept of integrated auditing, which first emerged during the 1970s to address the growing gap between business and technology auditors, has many definitions. A good one characterizes it as a synchronized effort between business audit and technical audit in order to provide application audit coverage of key business risks.
Integrated auditing’s objectives include providing full coverage of an organization’s or business unit’s risks and supplying management with a complete opinion on the control environment and how it affects risk and audit coverage. That opinion covers all aspects of the audit, both automated and manual procedures.
The initial focus of an integrated audit risk assessment is to identify critical information, business assets and the application systems based on business objectives, information assets and regulatory compliance. Beyond that, it involves understanding the underlying infrastructure (e.g., hardware, operating systems, database management systems, networks and information processing facilities).
In a typical audit environment, management receives two separate audit reports. One may paint a positive picture while the other may not be as rosy – yet both are right. The problem is that separately, they do not deliver as complete a picture as would a combined report. That is where integrated auditing’s efficiency comes into play: a single audit looks at both business risk and IT risk and presents management with a comprehensive look at all key risks.
To illustrate how risk management works in integrated auditing, consider the following accounts payable example. Procurement relies on a three-way match concept to recognize a valid financial obligation. Before payment to a vendor is authorized, an automated check of the invoice is made on a company’s supporting procurement accounts payable system that compares the purchase order to the received items, the quantity and agreed-upon price. All must be in agreement. So, is that a business risk or an IT risk? It is both, because it is a business control and it is done within the business system.
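The three-way match described above, as an added illustration (not code from the original article): the check refuses payment unless the invoice agrees with the purchase order and with the goods actually received, and it reports every disagreement so an auditor can trace why a payment was held. Record layouts, field names and the price tolerance are assumptions made for this example.

```python
# Three-way match control for accounts payable, as an added illustration of
# the check described above (not code from the original article). Record
# layouts, field names and the tolerance are assumptions made for the example.
from dataclasses import dataclass

@dataclass
class PurchaseOrder:
    po_number: str
    vendor: str
    quantity: int
    unit_price: float

@dataclass
class GoodsReceipt:
    po_number: str
    quantity_received: int

@dataclass
class Invoice:
    po_number: str
    vendor: str
    quantity: int
    unit_price: float

def three_way_match(invoice, orders, receipts, price_tolerance=0.0):
    """Return (approved, exceptions). Payment is authorized only when the
    invoice agrees with the purchase order and the goods actually received."""
    po = orders.get(invoice.po_number)
    if po is None:
        return False, ["no purchase order on file for this invoice"]
    exceptions = []
    if po.vendor != invoice.vendor:
        exceptions.append("vendor on invoice differs from purchase order")
    # Goods may arrive in several partial deliveries; sum them per order.
    received = sum(r.quantity_received for r in receipts
                   if r.po_number == invoice.po_number)
    if received == 0:
        exceptions.append("no goods receipt recorded")
    elif invoice.quantity > received:
        exceptions.append(f"invoiced {invoice.quantity}, received {received}")
    if invoice.quantity > po.quantity:
        exceptions.append(f"invoiced {invoice.quantity}, ordered {po.quantity}")
    # Agreed price check; tolerance is a fraction of the agreed unit price.
    if abs(invoice.unit_price - po.unit_price) > price_tolerance * po.unit_price:
        exceptions.append(f"unit price {invoice.unit_price} vs agreed {po.unit_price}")
    return not exceptions, exceptions

# Constructed sample data: one order, delivered in two partial receipts.
ORDERS = {"PO-1001": PurchaseOrder("PO-1001", "Acme Supply", 100, 25.00)}
RECEIPTS = [GoodsReceipt("PO-1001", 60), GoodsReceipt("PO-1001", 40)]
```

An invoice for more than was received or ordered, a price that differs from the purchase order, or an invoice with no order or no receipt behind it is rejected with the specific exception recorded.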
When I look at business and IT risks, I see them as one and the same because business controls and business risks are handled within the business application system. We have to get somewhat technical to address the IT aspects of those risks. Exactly how technical becomes a scoping issue that will determine the skills and number of auditors required to do the job and how long it will take.
A company just beginning to implement the integrated auditor concept will consider input, process and output controls, which get down to the basics of the reliability and integrity of its applications. To an IT auditor, system software, physical security, environmental controls and network controls, plus logical security, change management and business continuity/disaster recovery, cover the infrastructure; all seven are considered IT general controls.
Logical security, change management and business continuity/disaster recovery, in particular, should be strongly considered within the scope of an integrated audit. The first refers to those who have access to the systems based on their profile (i.e., access should only be for what employees need to do their job). This is critical because allowing too much access can open the door to fraud.
Change management is also critical to how we provide assurance. Consider the process IT goes through to change the application processing within the system. If changes are not made in a controlled manner, external auditors will not rely on the output coming from the system.
Business continuity and disaster recovery speak for themselves. Are adequate back-up processes in place in the event of a crisis that threatens the loss of critical data?
COSO Spells it Out
It became a requirement under Sarbanes-Oxley to follow an internal control framework like COSO (the Committee of Sponsoring Organizations of the Treadway Commission). And even though COSO does not mention integrated auditing specifically, it is an underlying theme within the framework. COSO stipulates that auditors must look at the underlying general controls and application controls and “need both levels to ensure completeness, accuracy and validity of information in the system.”
COSO’s framework highlights five application control areas:
- Ensuring the accuracy, completeness and validity of information in the system
- Preventing errors from entering the system
- Detecting and correcting errors on a timely basis
- Editing checks: format, existence, reasonableness
- Controlling interfaces
Application controls include computerized steps within the application software and related manual procedures to control the processing of transactions.
A primary objective of integrated audits is enterprise risk coverage, but many companies are struggling with how to plan the audit, line up the right audit skills and coordinate between IT and business auditors. The problems in implementing an integrated audit methodology are not technical, but rather require audit management to make a cultural change to consider both IT and business risks in the same audit.
Sometimes metrics need to be rethought, especially when audit management is evaluated by the number of audits performed. Integrated audits, by their nature, result in fewer audits. In addition, there is an intimidation factor. Business auditors, comfortable with an accustomed work flow, could be disinclined to embrace IT risk audits, while IT auditors themselves may want to shy away from the less familiar business audit side.
In January 2009, The Institute of Internal Auditors issued a Practice Advisory recommending that all auditors have a basic knowledge of IT risks and controls.
So what is a proper level of training to make the average auditor proficient at applying integrated auditing? The objective is not to turn business auditors into IT auditors, but rather to have them more comfortable with addressing some basic IT risks and to know when to get the IT auditor involved. It is important to put both IT and non-IT auditors on the same audit. Then, both can become more comfortable addressing things outside their comfort zone.
The single most critical factor for achieving success with integrated auditing is having the support of the chief audit executive who leads the charge and expects employees to follow. Other good practices include:
- Smooth communications between IT and business auditors
- Financial and IT auditors plan well in advance of the audit to make sure the appropriate IT audit and business skills (really, all needed skills) are available on the same audit
- Train everyone on IT risks and controls; IT auditors also have to become more comfortable assessing business risks
- Always consider IT risks on every audit
- Get the right IT and business auditors on the integrated audit team
Integrated auditing is a very logical approach, one that makes good business sense. Companies that have done it have met with great success.
The transition to integrated auditing never happens overnight; rather, it is a multi-year undertaking. First, the decision needs to be made. Then, start people moving in that direction by getting them trained and the audit process in place.
One reason more companies have yet to adopt integrated auditing is that auditors think they are doing a good job and cling to the perception “If it’s not broken, don’t fix it. We are doing our standard audits and everything is fine.” The downside is an opportunity lost. Bottom line: companies could be missing key risks they should be addressing.
To realize the benefits, companies also must plan on making a short-term investment for a long-term strategic direction – sometimes a difficult hurdle to surmount.
How do you quantify doing a better audit? I do not have an answer for that. You cannot put a dollar amount on it, but from experience with clients I know one can count on higher efficiency and better audits.