During the course of an audit, the information systems auditor examines many records, studies different kinds of information, looks at screens and reports of many systems, observes work procedures and interviews operating personnel. All these activities provide valuable evidence relating to the system and function that is reviewed by the IS auditor. This evidence eventually is collected and evaluated to enable the IS auditor to form an opinion on the adequacy and effectiveness of internal controls, efficiency and other factors of the system under audit and to offer suggestions for improvements and corrective action.
Often the volume of evidence is significant. Another feature of IS audits is that all required information rarely reaches the IS auditor at once. Rather, audits more often are like jigsaw puzzles--the final picture is seen only after the last pieces are put into place. In such a situation, it becomes important that IS auditors record the work and observations properly as the audit progresses. Proper audit documentation can make the difference between a value-added audit with valid conclusions and useful suggestions and an audit that remains just a report.
Audit documentation also is referred to as audit working papers.
There are many reasons why audit work needs to be properly documented. Standards and the textbooks provide a long list of reasons and guidelines for audit documentation, but the most important reason is that it enables good performance of audit. The primary person who benefits from good documentation is the IS auditor. Good documentation enables audit work to be thorough and well substantiated and facilitates the timely completion and cohesive reporting of results.
What Is Audit Documentation?
As per the IS auditing guideline, Audit Documentation, issued by the Standards Board of ISACA®, information systems audit documentation is the record of the audit work performed and the audit evidence supporting the IS auditor's findings and conclusions. Everything seen, heard, observed and tested pertaining to the subject under review during the course of the audit is audit evidence and needs to be documented.
For audit documentation to be useful, it needs to satisfy certain broad criteria. These criteria include:
- All documentation should relate to the appropriate subject and audit objective.
- Documentation may be a record of points discussed in an interview clearly stating the topic of discussion, person interviewed, position and designation, time and place.
- Documentation may be a record of observations as the auditor watched the performance of work. The observations may include the place and time, the reason for observation and the people involved.
- Documentation may be reports and data obtained from the system directly by the auditor or provided by the audited staff. The IS auditor should ensure that these reports carry the source of the report, the date and time and the conditions covered.
- Very often IS auditors work with blank/template audit work programs and fill them in as the audit progresses. To improve this documentation beyond merely filling in the blanks in the work program, the IS auditor also should fill in the other details as mentioned in the previous points and cross-references.
- At various points in the documentation the auditor may add his comments and clarifications on the concerns, doubts and need for additional information in a different color ink/font. The auditor should come back to these comments later and add remarks and references on how and where these were resolved.
- Where the audit work is reviewed by a peer or a superior, the remarks arising out of the review also should be recorded in the documentation.
- The draft and final reports of the audit should form part of the audit documentation.
It is not easy to complete good documentation. On the other hand, finding reasons for not doing the documentation always has been easy. All audits are done under tight schedules, the operating staff may find it difficult to spend much time with the auditors and information always comes in late. It is tempting to scribble small notes on a piece of paper and call these working papers.
Notwithstanding these real-life truths, the fact remains that good documentation helps better performance of the audit. Good documentation also can help facilitate third-party reviews, evaluate the IS auditing function's quality assurance program and support in circumstances such as insurance claims, fraud cases and lawsuits.
The solution is to use simple tools and processes to make documentation a way of life.
Working Tips on Documentation
These days most work and documentation is done not on paper but on a computer. The first step in any audit is to create a separate folder for the audit with a suitable name. Within this folder, create subfolders for the different areas of audit or the different audit objectives. As a preparatory step to the audit, copy into this folder all the standard audit programs planned to be used during the audit.
For example, say the IS audit is of a payroll system running at a factory, the system is developed in Oracle and runs on a UNIX server, the IS auditor is using the audit software ACL for the substantive tests and there are some standard audit work programs available. The way these are organized in the folders in the computer would be as follows:
Word processor and spreadsheet software allows one to make good use of colors and fonts to mark statements, highlight doubts and questions and ensure answers are found at later stages of the audit. It also is a good idea to make liberal use of hyperlinks and build cross-referencing relationships between different parts of the audit documentation. Hard copy evidences also may be scanned and stored as image files so the documentation can be complete and self-contained in the media files.
At the end of the audit, the IS auditor can copy the entire folder with all its subfolders and files onto one or two CDs for storage and retrieval. The files then can be deleted from the auditor's PC, making space for the next audit. The CDs can be stored as the archive documentation for the audit. With one or two CDs per audit, the storage requirements are also drastically reduced and retrieval becomes simple.
Audit Documentation—The Next Steps
The obvious question that occurs to any experienced IS auditor who has battled with documentation issues is: "Why not automate the whole thing into a neat application package?" Currently there are a number of ready-made software packages that offer a combination of features related to audit planning, risk management and audit documentation and report writing features. It would be worthwhile to evaluate some of these packages to find which best suits the auditor's needs These packages include, but are not limited to, AutoAudit from Paisley Consulting, AuditAdvisor from Methodware, Audit Leverage by IAD Solutions and TeamMate 2000 from PricewaterhouseCoopers.
The process of putting these packages to work is not without the usual implementation issues. All require a certain amount of first-time master and document creations and alignment with the process flows. This is a good opportunity for IS auditors to go through a software/business process change implementation journey.
Another benefit of such packages is the creation of a knowledge management database. In any IS audit department with a number of auditors, there is a need for a common database where the observations, findings and recommendations of one auditor can provide valuable lessons for other auditors. Auditors would benefit from looking at previous experiences of similar applications and technology platforms. As such, tertiary benefits from documentation start flowing through innovative use of information technology, and the motivation for better documentation would increase among the IS auditors.
A Word of Caution
Of late there have been tendencies in some organizations to eliminate managerial reviews from the audit process, as has been done in other business process reengineering exercises, focusing on training and increasing the competencies of line auditors. While such changes have their pros and cons, it should be remembered that this change only enhances the need for better documentation. Documentation is used for review, but that is not its primary purpose. The most important purpose of documentation is to enable better performance of audit work and help the IS auditor.
IS Audit Guidelines, ISACA®
Sawyer, Lawrence G., Internal Auditing, 1996