Integrated auditing is like a disco ball, where each auditor’s expertise represents a mirrored facet casting a color on the business entity’s dance floor. Just like the disco ball lights up the stage, an integrated audit can add depth to the business and present a full stage of risk.
For those that do integrated audits, the concept is a no-brainer. Integrated audits are an efficient, holistic approach to the business. But, if the idea of integrated auditing is untapped, then it’s a brave new world to check out. Below are some points to get the conversation started in your company.
Know the types of integrated audits
Often, people associate integrated auditing with including IT auditors into finance audits. But an integrated audit can be more than just combining finance and IT disciplines.
Other potential definitions of integrated auditing include one, or a combination of the following:
- Competency/resource-driven audits that combine different skillsets to meet the objectives of an audit.
- Outcome-driven audits that integrate various business or internal control objectives to optimize the defined scope of an audit.
- Specific risk-driven audits that narrow the audit scope to cover defined risks across contributing processes, activities, or functions across an entity
- Financial/operational-driven audits may either include IT staff or increase the responsibility for non-IT auditors to cover basic IT risks or processes.
Not all audits need to be integrated either.
Brad Ames has more than 30 years experience in the audit industry. He suggests being rational and planning it out.
“Rather than driving every audit to be integrated, it’s more important to drive an integrated audit strategy to determine what audit and advisory engagements would deliver the most value to the company during the next two quarters.”
Decide what your team offers
Auditors have a universe of specific disciplines that include forensics, SOX control attestation, financial, account analysis, data analytics, automated application controls, and IT general controls (to name a few).
There is a definite skill to merging these audit disciplines into a single audit. The truth is, the first audit will probably not look perfect, and that’s okay.
Historically, each discipline, or group, has done its own thing. Finance audits finance and IT audits IT. But just because disciplines have always been separate doesn’t mean they should continue to be separate. Breaking down the barriers can be efficient for the auditor and the audit client.
Jump over the hurdles
The first barrier is change. Integrated auditing is a new way of auditing where you must leave the comfort of compliance (or other audit comforts) and delve into other deeper risks. The good news is, auditors can ask questions and learn from one another and even the business.
Another barrier is simply bandwidth. There might not be enough IT auditors (or other specific disciplines) to go around and support the audit workload. Going back to Ames’ statement, be realistic and determine where in the year an engagement would benefit from an IT auditor and schedule it out.
Focus on the benefits of integrated auditing
Integrated auditing benefits the company, the audit client, and the auditor. Hernan Murdock outlines some of these benefits below.
The audit client. Rather than doing one type of audit (e.g., financial), then coming back later to do another type of audit (e.g., compliance), and yet again to do another type of audit (e.g., IT), the audit team can do one audit and address these diverse topics. This is less time-consuming for the audit client and also helpful. The audit client may be just as eager to look at the full picture. A single report that corroborates all the specific risks across disciplines alleviates the guesswork for the client.
The company. Covering IT processes within other audits could help identify issues with reports, calculations, data feeds, access controls, data integrity, system processing speed, and some information security that impact operations, compliance, and financial outcomes.
The auditor. Figuring out the big picture is a valuable skill. Working on integrated audits is an opportunity to learn across disciplines in audit and synthesize the risks found in IT and other disciplines to gain a complete view of risk in the company.
Integrated audits are an opportunity to get out of the comfort zone and learn. Today is a good day to take advantage of the satisfaction that comes from learning something new.
Learn the fundamentals of IT audit (all auditors)
An effective audit team is cross-trained to understand different aspects of the business. A financial auditor can always learn more about information security or fraud. Get educated and talk to the business – they know their business minutely and can be a great resource. Take advantage of the many classes that MISTI offers on integrated auditing, security, fraud, risk, and more.
Because businesses are so dependent on technology, a component of audit is to look at the technical aspects of the business. To get better, companies need to train all of their auditors on the fundamentals of IT audit. Even then, not everyone is interested in the IT aspect of an operational audit, so it's critical to have the right audit team with the right set of capabilities.
Learn the business (IT auditors)
IT auditors aren’t off the hook. It’s important to understand exactly how the business uses the systems that are audited. When the correlation between IT systems and business processes is better understood, then auditors can make meaningful recommendations on improving the control environment. As information security takes on greater importance in business, being the person who connects the dots can make you a major player in helping the company.
Integrating auditing isn’t just checking the boxes. Staying up-to-date on IT technology can be challenging, maybe even intimidating. However, auditors are capable humans! Learning how IT works for the company is an opportunity to see the company from a different facet of the disco ball.
Sure, barriers exist to changing the audit culture and including integrated audits, but shaking it up a little could reap solid satisfaction. Does your company perform integrated audits? What takeaways can you pass on to the rest of us?