ISACA, in one of its IS audit guidelines, states:

020.010 Professional Independence—In all matters related to auditing, the information systems auditor is to be independent of the auditee in attitude and appearance.

020.020 Organizational Relationship—The information systems audit function is to be sufficiently independent of the area being audited to permit objective completion of the audit.
Organizational Relationship and Independence
The purpose of the 020 Independence guideline is to expand on the meaning of "independence" as used in IS Auditing Standards 020.010 and 020.020, and to address the IS auditor's attitude and independence in information systems auditing.
This guideline provides guidance in applying IS auditing standards. The IS auditor should consider it in determining how to achieve implementation of the above standards, use professional judgment in its application and be prepared to justify any departure.
Never have the words above applied so pointedly and meaningfully as they do to today's world of business. The world of financial auditing has changed dramatically over the last decade and will continue to change rapidly as more and more companies rely on information technology to achieve their business objectives.
It is no longer acceptable for auditors to audit around the computer, as was once the case. With the increase in fraud and the ceaseless corporate scandals of the past two years, it is more imperative than ever that auditors have a full understanding of both manual and automated internal control processes. It is also critical that the auditor be "independent" when rendering an opinion or providing recommendations on the status of the processes and controls under review. The assessment of both the manual and automated internal controls of any system provides the assurance on which auditors can base their professional judgment regarding the quality of the information derived from the system. This judgment is a key element of the risk analysis that the auditor must perform during the planning stage of any audit. It must be free of any bias and of any internal or external pressure to bypass the operating procedures in place, so that auditors can develop and communicate their opinion and recommendations on the status of controls.
External financial auditors are relying more on the process approach today rather than the traditional transaction approach. The results of an evaluation of an organization's manual and automated internal controls can either increase or reduce the amount of transaction testing needed to render an opinion on financial statements.
For internal auditors, internal controls are equally important. One of the main functions of internal auditors is to provide assurance to management that the internal controls it approved are in place and working effectively and efficiently, and that where problems do exist, they are being addressed and corrected.
It is important for both the manual and automated internal controls to be operational and effective since management will base its business decisions on the financial results generated from the information system.
It is also important to external auditors that manual and automated internal controls are operational and effective since this will provide assurance to external auditors that information generated from the system is valid, accurate and complete. Based on this assurance from the system, auditors can then place the appropriate level of reliance on the internal controls of the information system.
If the necessary controls are not in place, or if they are in place but not being applied effectively and as management intended, then the integrity of the data and information generated from the system should be called into question by both external and internal auditors. They should have the freedom and independence to make such an evaluation and report it.
Even though it is essential that manual controls be in place and working effectively and efficiently to produce accurate data output, that subject is too broad to cover here; the focus of what follows is the auditor's reliance on the automated internal controls of the system and the effect of this reliance on his/her independent judgment.
Good General Controls
Good general internal controls help ensure efficient and effective operations that accomplish the goals of management. Good general internal controls usually consist of:
- Independent management reviews of the organization to provide assurance that the approved policies and procedures are working as intended
- A review of the organizational structure to ensure that there is proper segregation of duties and responsibilities
- Control points built into the system development life cycle process to ensure that users' needs are met; that the system is developed in strict adherence to the design, or, if not, that the appropriate approval for changes is enforced; and that there is adequate documentation
Again, the word "independent" is used. It means free of bias and of any internal or external pressure that would compromise or taint the opinions of those responsible for performing the review.
Auditors Must Have Independence
Audit independence is a critical component if a business wishes to have an audit function that can add value to the organization. The audit report and opinion must be free of any bias or influence if the integrity of the audit process is to be valued and recognized for its contribution to the organization's goals and objectives. Several professional organizations (such as American Institute of Certified Public Accountants (AICPA), Institute of Internal Auditors (IIA), ISACA and others) have addressed this point in clear context and language. Governmental organizations such as the US General Accounting Office and the International Organization of Supreme Audit Institutions have also addressed this area in depth.
The Sarbanes-Oxley Act of 2002 in the US will be a vivid reminder of the importance of due professional care. The Act prohibits all registered public accounting firms from providing audit clients, contemporaneously with the audit, certain nonaudit services, including internal audit outsourcing, financial information system design and implementation services, and expert services. These scope-of-service restrictions go beyond the existing independence regulations of the US Securities and Exchange Commission (SEC). All other services, including tax services, are permissible only if preapproved by the issuer's audit committee, and all such preapprovals must be disclosed in the issuer's periodic reports to the SEC.
The Act requires auditor (not audit firm) rotation. Therefore, the lead audit partner and/or the concurring review partner must rotate off the engagement if he/she has performed audit services for the issuer in each of the five previous fiscal years. The Act makes no distinction regarding the capacity in which the audit or concurring partner provided such audit services; any services provided as a manager or in some other capacity appear to count toward the five-year period. The provision applies as soon as the firm is registered, so, absent guidance to the contrary, the audit and concurring partners must count back five years from the date on which registration with the Public Company Accounting Oversight Board occurs. This provision has a definite impact on small accounting firms. The SEC is currently considering whether or not to accommodate small firms in this area; currently, there is no small-firm exemption from this provision.
The Act is a major reform package mandating the most far-reaching changes the US Congress has imposed on the business world since the Foreign Corrupt Practices Act of 1977 and the Securities Exchange Act of 1934. Sarbanes-Oxley seeks to thwart future scandals and restore investor confidence by, among other things, creating a public company accounting oversight board, revising auditor independence rules, revising corporate governance standards and significantly increasing the criminal penalties for violations of securities laws.
Independence is a very important, if not critical, term in today's IT audit world. Auditors should revisit the ISACA standards from time to time to assess whether they are in compliance, and as a self-check on whether they have independence in their assignment. Be careful of nonindependent situations, especially in nonaudit roles, where they may taint future work or assignments. ISACA's standards, and those of other organizations, provide guidance for such situations should they occur.