How to Be the Most Wanted IS Auditor

Author: Sanjiv Agarwala, CISA, CISM, CGEIT, BS 25999/ISO 22301 LA, CISSP, ISO 27001:2013 LA, MBCI
Date Published: 1 January 2016

The audit profession is known to businesses of all kinds, especially those that are governed by regulation. While businesses understand the importance of audits, some people perceive audits as a postmortem exercise directed at finding faults and reporting to regulators, management and other interested parties. IS audit is a stream of the broader audit profession. It involves the audit of the business with respect to the usage of IT. While it is true and obvious that the IS auditor has the additional role of understanding the technology and its associated risk, the question persists as to whether the perception of the auditee is any different.

Most organizations have an audit function, whether it be a part-time internal auditor or full-fledged audit teams and independent audit committees. The role of auditors, in most cases, is to independently report on significant risk factors in the current environment. From the viewpoint of the auditee, the same auditor would identify risk in the auditee’s environment. After sharing this risk with management, management may conclude that auditees are not managing their area well, so during the audit, the auditees may be reluctant to share weaknesses with the auditor.

Technology advancements are occurring quickly, businesses are adopting new and dynamic business models, and there is an emerging trend of increasing cybercrimes and fraud. Because of these challenges, it is time that IS auditors play a more significant role. This article provides strategies for how the IS auditor can become the most wanted by auditees, meet expectations of the business, and gain true respect from one and all.

Be Passionate About the Profession

Auditors should be passionate about audits. When auditors are passionate, it creates a positive environment. Even the auditees can feel when the auditor is there in full heart and mind to do the assignment. Auditors with passion send positive signals, and auditees will potentially demonstrate more interest in the audit. Even if auditors are working in a familiar environment, they should look at it with fresh eyes every time they audit. The auditor knows there are changes in the environment, so there are definite areas for improvement. When auditors are passionate, they are able to continuously learn and contribute.

Respect the People and Culture and Use Soft Skills

Auditors need to recognize the fact that they are dealing with people. Auditees are the people who will provide the information and evidence needed to conduct a smooth audit. Auditors need to respect auditees’ time and what they do in their daily organizational activities. In addition, every organization has its own culture and way of doing things.1 Auditors need to understand and respect the company culture, or auditors may not be received with true respect.

Auditors should not create an environment of fear in the enterprise. When auditors better connect with people, properly explain the audit observations to the auditee in terms of risk and value, and obtain acceptance, a level of trust is created between the auditor and auditee. Communication throughout the audit engagement is important. Soft skills such as observation, listening, presenting, communicating, documenting and negotiating are important skills for an IS auditor. Soft skills are difficult to learn and apply in real-life audits2 when compared to technical skills.

Understand the Client’s Business Domain

Auditors need to understand the business processes of the client’s business domain. Though IS auditors are evaluating the IS controls, no IS controls work in isolation from business controls. Technology is important but is primarily an enabler. Without proper understanding of the business process, auditors may not be positioned to understand the real risk to the business process. In addition, the auditee may not share important information with the auditor if the auditor does not talk in terms of business processes.

Stay Up-to-date on Technology Trends and Industry Issues

Auditors need to be up-to-date on current technologies and upcoming technologies, how these technologies can be used for business advantage, the risk inherent in these technologies, and how various industry issues are related to information systems. The IS auditor should subscribe to audit journals, knowledge resources and industry newsletters to stay aware of the latest trends. When IS auditors explain real-time and current issues with examples, auditees may be more open to discussing the issues that may be present in their environment.

Auditors frequently face challenges while auditing the IT department in terms of the complexity of the IT systems they need to audit. When IS auditors are unable to speak the IT language, they may not get the respect they desire. Keeping up to date on technology concepts and asking the right technical questions will help in such scenarios.

Keep the Objectives in Focus and Provide Realistic Value

In the context of COBIT 5,3 any business would expect that if benefits are delivered and risk and resources are optimized, value would be created for stakeholders. While there would be specific audit objectives depending on the audit in question, audits generally tie back to value delivery, risk management and resource optimization.

The COBIT 5 framework is based on a holistic set of seven enablers. The seven enablers are Principles, Policies and Frameworks; Processes; Organizational Structures; Culture, Ethics and Behavior; Information; Services, Infrastructure and Applications; and People, Skills and Competencies. When IS auditors take all of these enablers into consideration, they provide realistic value added to the organization. When auditors are able to explain the larger picture of the audit to the auditees, e.g., what is in it for them and possible improvement actions, auditees are able to relate more. Keeping the audit objectives in focus, considering these important enablers, and recommending a practical and relevant assessment of the audit areas brings forth greater respect for the auditor and greater buy-in from all.

Follow the Agreed-upon Audit Process

The IS audit should be conducted by following the standard and well-known approach that is endorsed by recognized industry leaders. ISACA provides a number of IS audit-related standards and references.4 The Institute of Internal Auditors (IIA) is another useful source for such audit practices. There are auditing guidelines for the popular standard ISO 27001 for information security management systems.5 In some scenarios, auditors and client audit management can agree upon the audit process of their choice.

Once the process is decided upon, it is best to follow it, as doing so helps in the smooth conduct of the IS audit. Typically, drawing up the audit schedule, conducting the audit and drafting the final audit report are essential components of any audit assignment. A risk-based audit approach is a popular IS audit approach in the banking and financial industry; auditors need to follow the approach best suited to the audit engagement. Auditor knowledge of all of these audit standards and best practices increases the confidence of the auditee and client audit management.

Be Innovative When Stuck With Challenges

It is not uncommon that during the course of audits, auditors will face various challenges, such as the auditee not being available due to emergencies in the operational environment, the auditee not understanding the question being asked, the auditee being defensive about providing more details and other similar situations.

Sometimes the audit schedule agreed upon previously may be difficult to implement, and auditors are tasked with the challenge of doing proper audits and producing a report. While the audit schedule is important, there are moments when the auditor needs to be dynamic to make changes in the schedule to accommodate unforeseen challenges in the business environment. Auditors need to come up with innovative approaches to gather audit-related information, restrategize on how to audit an area in limited time, collect relevant evidence and reach an opinion.

Create a Proper IS Audit Report

The IS audit report is an important component of the IS audit process. When possible, IS auditors should explain the audit findings to the auditee in terms of risk, value and benefits to the organization. Doing so during the audit and obtaining an agreement with the auditee ensures that the audit observations will be taken seriously and the auditee will not be caught by surprise.

When the findings are properly communicated, it creates a good impression and corrective actions can be initiated. Audit reports should be drafted with proper recognition of the accomplishments in each of the audit areas; otherwise, the report looks like a fault-finding mission and gives a bad reputation to the IS auditor.

Considering the importance of the IS audit report, auditors should spend 40-50 percent of their time on the audit report preparation and finalization. IS audit reports can be sent to many interested parties, including some that the auditor may not have even met during the engagement, so the report has to properly communicate the results of the audit.

Embed the Lessons Learned Into the Audit Process

Audit management may be tasked with the important job of independently identifying risk factors and areas of concern that need improvement. Auditors verify whether process owners have a lessons learned process to improve on the issues reported, but there is a high likelihood that auditors themselves do not properly apply a lessons learned process to the IS audit process. Auditors may not achieve the intended objectives for various reasons, or there can be formal and informal feedback from auditees and the audit client.

Post-audit, it is good practice for an auditor to perform a root-cause exploration of any feedback obtained and also to perform a self-assessment of how the overall audit process went and where it can improve, e.g., the need for better planning, improving soft skills or training in upcoming technologies. Doing this will help auditors improve their audit skills.

Acquire Popular Audit Certifications

Many organizations have a minimum requirement for IS auditor qualifications. Popular IS audit certifications test the candidate on recognized audit practices, and acquiring certifications demonstrates the minimum level of understanding of IS audit practices. Acquiring a popular, industry-recognized IS audit certification, such as the Certified Information Systems Auditor (CISA),6 Certified Internal Auditor (CIA),7 GIAC Systems and Network Auditor (GSNA)8 and other similar certifications, boosts auditee confidence and increases recognition. When the IS auditor systematically applies lessons learned from obtaining these certifications in real-life audits, it helps the auditor to gain more respect.

Conclusion

Organizations are increasingly adopting technology to fuel their business growth engine. Data security threats, fraud and advanced attacks are on the rise. Boards of directors are increasingly concerned with whether the system on which the business is dependent is secure enough, optimized and contributes value to the entire enterprise.

Auditors play a critical role by being an independent entity and being the eyes and ears for the organization. It is time that IS auditors understand the expectations of various stakeholders. Auditors need to effectively fight the negative perceptions that are in the minds of many auditees to become the most wanted IS auditor.

Endnotes

1 White, S.; “How Internal Audit Can Assess and Support Culture,” CGMA Magazine, 12 August 2015, www.cgma.org/Magazine/News/Pages/how-internal-audit-can-assess-and-support-culture-201512818.aspx
2 Chambers, R.; “Five Things Internal Auditing Has Taught Me About Human Nature,” Internal Auditor Online, 11 February 2013, http://iaonline.theiia.org/five-things-internal-auditing-has-taught-me-about-human-nature
3 ISACA, COBIT 5, USA, 2012
4 ISACA, ITAF, 4crt.rf518.com/itaf
5 ISO/IEC 27007:2011, Information technology—Security techniques—Guidelines for information security management systems auditing, www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42506
6 ISACA, Certified Information Systems Auditor (CISA)
7 The Institute of Internal Auditors, Certified Internal Auditor (CIA), http://na.theiia.org/certification/CIA-Certification/Pages/CIA-Certification.aspx
8 Global Information Assurance Certification, GIAC Systems and Network Auditor (GSNA), www.giac.org/certifications/audit

Sanjiv Agarwala, CISA, CISM, CGEIT, BS 25999/ISO 22301 LA, CISSP, ISO 27001:2013 LA, MBCI, is currently director and principal consultant at Oxygen Consulting Services Pvt. Ltd. Agarwala has more than 17 years of experience across multiple industry domains in various information security roles and has expertise in areas such as information security management systems, risk management, cybersecurity, systems audit, IT governance and business continuity management.