ISACA Journal, Volume 3, 2009
IT Audit Basics:
What Every IT Auditor Should Know About Controls: The CDLC

By Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA
Volume 3, 2009

There has been a clear increase in the attention given to controls in the audit profession and business community. It could be argued that the new wave began with the financial scandals at the turn of the century, culminating in the passage of the Sarbanes-Oxley Act of 2002, or the scandals of the early 1980s, culminating in the Committee of Sponsoring Organizations (COSO) model of internal controls and the concomitant Statement on Auditing Standards (SAS) No. 70, “Consideration of Internal Controls in a Financial Statement Audit.” Add to these events the requirements of Sarbanes-Oxley section 404, the “Risk Suite” (SAS No. 104-111, especially 109), and the evolution of SAS 70 audits to IT audits of controls to get to the emphasis placed on controls today. Controls are clearly a key part of IT audits of the present as well as the foreseeable future.

But evaluating controls is not simply a matter of identifying a control that management has in place. Controls, like systems, have a life cycle. Much like the systems development life cycle (SDLC), there is a controls development life cycle (CDLC). IT auditors can benefit from understanding the phases of the cycle and how they can be applied to IT audits of all types.

This article will present a model of CDLC for the purpose of describing the full cycle of controls development and presenting ways to apply these various phases in IT audits.

Controls Development Life Cycle

The controls life cycle consists of a sequential set of four processes:
  1. Design
  2. Implementation
  3. Operational effectiveness
  4. Monitoring

Design
The design phase involves the technical design of a potential control. In some manner, management, intentionally or unintentionally, provides for the design of all controls that are implemented or intended to be implemented.

Controls should be based on a risk assessment and/or management’s policies and procedures. But most of all, controls should be designed with the input of a controls expert. For example, the following should be asked:

  • What controls should be in place to detect or prevent material misstatements to financial reporting? The same should be asked regarding relevant assertions. (Note: Replace “material misstatement” with any other adverse effect.)
  • How does management ensure that expert input/feedback is consistently applied to the internal control system, beginning with design?
  • What does management do in a formal manner that ensures that changes or additions of business processes include the effective design of necessary controls?
  • Has management developed an adequate risk assessment? If so, have controls been designed to mitigate each of those risks (above some threshold)?

Occasionally, management, for a variety of reasons, does not have a formal approach to design. Controls are then designed by happenstance or only to the degree that IT professionals and business unit managers are capable. The IT auditor should make an assessment to determine whether an appropriately qualified person or group is providing this function at the front end of the CDLC. It could be that a member of the systems steering committee is an accountant or auditor (without compromising independence), which could satisfy this need. If no one appears to provide this expertise and no formal structure exists to ensure it, the assurance that all necessary controls have been designed is impaired, and there is reduced assurance that the design of the controls is effective.

The IT auditor should examine the design of controls, individually (key, relevant controls) and collectively (e.g., are some key controls missing?), to assess the effectiveness of the design in its ability to meet the goal (e.g., mitigate a risk, detect an anomaly).

Implementation
Did management and/or employees actually implement the control that was designed in the first phase?

In complying with SAS No. 109 in a financial audit, the standard states:

The auditor should evaluate the design of the entity’s controls, including relevant control activities, over such risks and determine whether they are adequate and have been implemented.

This phrase is repeated multiple times in SAS No. 109. The auditor has a responsibility to assess both the design of related controls and whether they have indeed been implemented. That responsibility is generally carried out with observation and/or inspection via a walk-through.

The IT auditor needs to make some determination on the proper implementation of all controls designed.

Operational Effectiveness
As long as auditors have been examining controls, they have been concerned with the actual operational effectiveness—that is, the control’s effectiveness in daily operations and its ability to perform its goal (e.g., prevent or detect a material misstatement).

Generally, controls are manual, automated or some hybrid of the two. To the degree that a control is manual, or partly manual (i.e., hybrid), the control is subject to human atrophy or neglect. An automated control should not be subject to these maladies, but it may not function as designed because of faulty implementation. Therefore, there is a lot that can go awry between design and operational effectiveness. IT auditors have some obligation to assess whether controls operate effectively as a separate question from whether they were designed and implemented properly.

While a walk-through can provide some assurance of operational effectiveness, tests of controls are the ultimate procedure to make this assessment. Obviously, tests of controls in a financial audit are performed only when the auditor intends to rely upon the controls. Realistically, there are usually at least a few controls in a financial audit upon which an auditor will rely. In an internal audit of IT, those tests of controls are critical.

Monitoring
The last phase is monitoring of controls. Change is inevitable in business. Business processes, circumstances, risks and people change (e.g., turnover). The probability that a control will not need any change for several years is minimal. Over a period of one year, the environment will change enough that some controls within the control system will need to be changed, deleted or added.

So the question becomes: What formal structure should be in place to perform this function? Examples that should provide some assurance that monitoring exists include:

  • A cross-functional team that includes at least one control expert, where the group meets regularly to provide guidance and input into any changes in systems and technologies involving business processes and controls embedded therein (e.g., a major IT projects steering committee)
  • A consistent review of the existing internal control system (the review required by Sarbanes-Oxley section 404 is an example)
  • A consultant or group of experts that evaluates the internal control system regularly
  • Continuous auditing/monitoring systems (a superior solution, when implemented and managed effectively)

Inspection of policies and procedures can provide some information as to whether monitoring exists. The IT auditor needs to make inquiries of management and/or key employees to determine whether this piece of the CDLC is in place.

Obviously, once this function determines a need for a change in the internal control system, the process returns to the design phase, and the cycle repeats itself. Monitoring is intended to determine when a control needs to be changed or deleted, or when a new control is necessary, and it thus leads to design/redesign of the control.

Conclusion

Controls are a key focus of all types of IT audits. The model presented here, CDLC, provides one approach that can be applied in IT audits to evaluate controls. IT auditors can use the CDLC model to enhance their ability to gain assurance about the reliability of the internal control system and the individual relevant controls.

Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA
is an associate professor of information systems (IS) at the University of Alabama at Birmingham (USA), a Marshall IS Scholar and a director of the Forensic Accounting Program. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting IS using microcomputers. Singleton is also a scholar-in-residence for IT audit and forensic accounting at Carr Riggs Ingram, a large regional public accounting firm in the southeastern US. In 1999, the Alabama Society of CPAs awarded Singleton the 1998-1999 Innovative User of Technology Award. Singleton is the ISACA academic advocate at the University of Alabama at Birmingham. His publications on fraud, IT/IS, IT auditing and IT governance have appeared in numerous publications, including the ISACA Journal.


ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
