In response to requests from Journal readers, columnists Fred Gallegos and S. Anantha Sayana will explore the basics of the IT audit field in each issue of the Journal in 2002.
As mentioned in the column on due professional care in Volume 2, 2002, of the Journal, the audit report is the key deliverable of the audit. It reflects the quality of the audit work performed and the judgment and integrity of the role of audit in the organization. There is no lack of guidance on what an audit report should include. The guidance in the recent draft of the US General Accounting Office's Government Auditing Standards, also called the "Yellow Book," is comprehensive in reporting on financial audits and performance audits. (Its latest draft is available at www.gao.gov.)
An audit organization's efficiency, effectiveness and accountability in audit reporting must start with the establishment of metrics. The starting point is the establishment of criteria for assessing the audit. The next step is the development and establishment of criteria for assessing auditors and their performance. Both are critical ingredients to supporting the audit process within any organization. These two steps are the basics that anyone entering the audit profession must understand.
Assessing the Audit
The audit methodology, supervisory review and working papers are critical to the audit process. Working with evidence that is in transparent form (e.g., CDs, magnetic tapes, magnetic disks and optical disks) requires complete, pertinent and accurate reports. The audit and working papers should be evaluated on the basis of the following criteria:
- Completeness--An audit must cover every element of the audit subject. For example, the IS auditor should ensure that all applications currently in use by end users are examined during the audit.
- Pertinence--The audit should be free of extraneous or unnecessary elements. For example, the IS auditor should examine only key fields and records that directly relate to the audit objective.
- Accuracy--All elements of the audit must be precise and error-free. The auditor must verify that all procedures and computerized processes produce correct results and that the measures used to evaluate these processes are error-free. When developing computer-assisted audit routines, for example, the auditor must test and validate all program code and algorithms before the routine is used.
- Appropriate Conclusions, Findings and Recommendations--The audit must present appropriate conclusions and findings that lead to recommendations reflecting cost-conscious, workable, and timely solutions to audit objectives.
- Follow-up to Findings and Recommendations--The value of the audit must be assessed to assure that the findings and recommendations, reflecting cost-conscious, workable and timely solutions, have been achieved to some quantifiable degree and provide value to the organization.
Assessing the Auditor
To objectively assess the performance of an IS auditor, the manager must develop the criteria that are important to the organization and environment and applicable to existing professional standards and government regulation, if required. This must reflect due professional care to the organization and the practice of professional ethics. From this, the auditor can identify key performance areas and evaluation criteria. When such an evaluation is performed, it can help the auditor identify areas for improvement or further training. The following criteria might be used in the auditor assessment process:
- Timeliness--The auditor is punctual and finishes work within time objectives.
- Inquisitive--The auditor questions, tests and investigates to gain relevant facts. The auditor demonstrates a need to understand all aspects of the system under investigation.
- Decisive--The auditor is willing and able to make timely decisions.
- Initiative--The auditor is self-reliant and works well with minimal supervision.
- Resourceful--The auditor seeks alternative paths when initial plans are precluded or impeded.
- Communication Skills--The auditor writes, speaks and relates to others clearly and effectively.
- Judgment--The auditor chooses proper and timely courses of action and makes sound decisions based on the best data available.
- Tact--The auditor is helpful and respectful toward others and encourages their help and cooperation in the successful completion of audit tasks.
- Auditing Knowledge--The auditor understands and conducts the audit according to generally accepted audit techniques and procedures.
With the above as a basis, the major deliverable and the additional tasks that provide feedback to the audit director, management and the audit board should be reviewed to determine the audit's effectiveness.
Conclusions, Findings and Recommendations
The audit must present appropriate conclusions and findings that lead to recommendations reflecting cost-conscious, workable and timely solutions to audit objectives. The content of this final report and its results should not be a surprise but a result of interim reports provided to the auditee and management throughout the audit engagement. Whether through midpoint briefings or preliminary findings, auditees should be given the opportunity to provide the basis for their actions or provide their response to interim findings before they become final. Such reports can be given as an oral or written presentation and labeled as "preliminary findings." As mentioned previously, communication skills play a critical role in the dissemination of such information. Also, auditors must be resourceful in using the institutional knowledge of their audit director, manager, supervisor and coworkers in the development and delivery of such interim reports. This is where judgment, tact and auditing knowledge play a key role.
The final report must present a current and objective picture of the situation, allowing management to take the action deemed necessary. Management uses the audit report as a basis of accurate, reliable and useful information from which an informed decision can be made. Management also realizes that its effectiveness is measured by external reviewers who may use the audit report as a gauge for investment or regulatory decisions, if the report is made public or required by law to be made public.
The report must be supported in what it says and linked, or cross-referenced, back to the supporting working papers. This is where today's IT auditor can excel in the use of technology and support tools to link the actual report to the audit work performed. Thus, in closing dialogue with managers over audit findings, the actual examples or analysis can be brought in full view with references, pictures, documents, etc., that support the audit step. Today's technology is a powerful tool in supporting the audit process, development of the final report and communication of the results. It also can be an excellent support tool for follow-up, as cited in the next section.
Follow-up to Findings and Recommendations
The value of the audit must be assessed to assure that the findings and recommendations, reflecting cost-conscious, workable and timely solutions, have been achieved to some quantifiable degree and provide value to the organization. Unfortunately, this does not happen as often as it should in practice. More organizations would not outsource their audit function if they gained a thorough understanding of the savings and improvement to operations and processes the audit can bring.
The bottom line is: how does audit enhance an organization's value? Follow-up is the answer, if an organization is to understand what value audit can have in improving operational integrity, efficiency and effectiveness. By looking at the recommendations of earlier audit work, auditors are able to assess whether the agency, company or corporation has taken any action on the report recommendations. If it has, a process is in place to try to assess what impact those recommendations had and to formally report the assessment and findings. Often, auditors will receive direct feedback from managers, supervisors or staff that their actions were the result of an earlier audit report. In some instances, they may even provide direct information and cost figures on how much is being saved as the result of new controls in place or improvements to the existing processes.
Audit support systems can make follow-up an integral part of the audit process; an example is the GAO's Status of Open Recommendation Support System shown in figure 1.
This example shows how an organization can follow up on earlier recommendations made by prior reports. The specific recommendations made to the organization and their status, the responsible GAO official contact and the report and date of report are shown.
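The two mechanisms the column has just described, a final report whose findings are cross-referenced back to supporting working papers, and a status-of-open-recommendations tracker like the GAO system in figure 1, can be modelled in a few lines of code. The following Python is an added illustration written for this page; it is not the column's own material and not GAO's system. Every identifier, field name, status value and record below is a constructed assumption chosen only to show the checks an audit support tool would run: findings with no evidence or with dangling working-paper references, and open recommendations that have aged past a follow-up threshold.

```python
"""Illustrative audit follow-up tracker (constructed example, not a real schema).

Check 1: every finding in the report must cite working papers that exist.
Check 2: prior recommendations must be followed up: which remain open,
         how old they are, and who is responsible for them.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class WorkingPaper:
    wp_id: str
    description: str


@dataclass(frozen=True)
class Finding:
    finding_id: str
    summary: str
    working_papers: Tuple[str, ...]   # wp_id values this finding rests on


@dataclass(frozen=True)
class Recommendation:
    rec_id: str
    finding_id: str
    report_ref: str                   # report number the recommendation came from
    report_date: date
    responsible_contact: str
    status: str                       # "open" | "implemented" | "closed-not-implemented"


# Constructed sample data (assumed identifiers, not from any real audit)
WORKING_PAPERS = [
    WorkingPaper("WP-01", "Application inventory reconciled to asset register"),
    WorkingPaper("WP-02", "Sample of 25 user access records"),
    WorkingPaper("WP-03", "Test log for computer-assisted audit routine"),
]
FINDINGS = [
    Finding("F-1", "Three production applications missing from inventory", ("WP-01",)),
    Finding("F-2", "Terminated users retain access", ("WP-02", "WP-09")),  # WP-09 does not exist
    Finding("F-3", "Audit routine not validated before use", ()),            # no evidence cited
]
RECOMMENDATIONS = [
    Recommendation("R-1", "F-1", "AR-2001-04", date(2001, 3, 15), "J. Doe", "open"),
    Recommendation("R-2", "F-2", "AR-2001-04", date(2001, 3, 15), "J. Doe", "implemented"),
    Recommendation("R-3", "F-3", "AR-2002-01", date(2002, 1, 10), "A. Roe", "open"),
]


def unsupported_findings(findings, working_papers) -> Dict[str, List[str]]:
    """Return {finding_id: problems} for findings not fully linked to working papers."""
    known = {wp.wp_id for wp in working_papers}
    problems: Dict[str, List[str]] = {}
    for f in findings:
        issues = []
        if not f.working_papers:
            issues.append("no working paper cited")
        issues.extend(f"dangling reference {ref}"
                      for ref in f.working_papers if ref not in known)
        if issues:
            problems[f.finding_id] = issues
    return problems


def overdue_recommendations(recs, as_of: Union[str, date],
                            max_age_days: int) -> List[Tuple[str, int, str]]:
    """Open recommendations older than max_age_days as (rec_id, age_days, contact), oldest first."""
    cutoff_date = date.fromisoformat(as_of) if isinstance(as_of, str) else as_of
    out = []
    for r in recs:
        if r.status != "open":
            continue
        age = (cutoff_date - r.report_date).days
        if age > max_age_days:
            out.append((r.rec_id, age, r.responsible_contact))
    return sorted(out, key=lambda t: -t[1])


def status_summary(recs) -> Dict[str, int]:
    """Count recommendations by status, the totals a follow-up report would show."""
    counts: Dict[str, int] = {}
    for r in recs:
        counts[r.status] = counts.get(r.status, 0) + 1
    return counts


if __name__ == "__main__":
    print("Findings lacking evidence links:", unsupported_findings(FINDINGS, WORKING_PAPERS))
    print("Overdue open recommendations:", overdue_recommendations(RECOMMENDATIONS, "2002-06-01", 180))
    print("Status summary:", status_summary(RECOMMENDATIONS))
```

Run as a script it reports F-2 (reference to a working paper that does not exist) and F-3 (no evidence cited) as unsupported, and R-1 as the one open recommendation older than 180 days at the assumed reporting date, with the responsible contact attached, which is the information the status-of-open-recommendations view in figure 1 presents.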
The audit process is an old one. Assessment of an auditor's performance, and of the audit work and report, undergoes a continuous process of self-improvement by the auditor and his/her organization. Yet the audit report and follow-up are critical if the message is to be heard and acted upon by responsible managers. For the report and its recommendations to have effect, management must understand, support and value the role of audit in its organization and the value it can bring to enhancing control effectiveness and making the organization more effective, efficient and economic in competitive times. Audit follow-up easily can justify the value of audit to the organization. It also can tell outsiders how audit is recognized and valued by the organization and tell investors whether managers are acting responsibly and in the best interest of the organization and investors.
Finally, the audit report must be in the language of the business, so management can read, understand, assess, evaluate and take the action it deems appropriate based on the report, recommendations and supporting audit evidence. For example, the Standards for Information Systems Control Professionals state:
570.010 Periodic Reporting
The information systems control professional is to report periodically to an appropriate level of management on the extent to which control objectives have been achieved.
580. Follow-Up Activities
The information systems control professional is to monitor the performance of control procedures and review feedback on the efficiency and effectiveness of control activities and is to ensure appropriate corrective action is taken where necessary.
Frederick Gallegos, CISA, CGFM, CDE
is an adjunct professor and MSBA-information systems audit advisor for the Computer Information Systems Department, College of Business Administration, California State Polytechnic University, Pomona, California, USA. He has more than 30 years' experience in the information systems audit, control and security field. He has taught undergraduate and graduate courses in the IS audit, security and control field and is published widely.