This article provides an overview of the key components used to monitor audit activities with an emphasis on information technology (IT) audits. Some aspects covered may be familiar, but the article will provide new perspectives on how to approach this key IT audit strategy. The auditee has to answer to executive management; executive management has to answer to the board of directors; and the board has to answer to the regulatory bodies, the shareholders and business owners. The article conveys what IT audit objectives are and why executive management and the board of directors must ensure that proper attention is paid to this fundamental key control objective for good audit governance.
During the course of reviewing and evaluating an IT audit function in a large financial institution, the following question was posed: Who should monitor the audit department’s conduct? In simple terms, who should audit the auditor’s work? To keep innovation alive and kicking, examiners began discussing and offering suggestions.
For example, in the US banking industry, the US Federal Financial Institutions Examination Council (FFIEC) member agencies believe and expect bank examiners to perform their duties by following its guidelines and regulations. Per FFIEC, bank examiners are responsible for evaluating the effectiveness of the IT audit function in meeting regulatory objectives. Examiners should take into account the institution’s size, complexity and overall risk profile when performing this and other evaluations, and consider the following issues:
- Independence of the audit function and its reporting relationship to the board of directors or its audit committee
- Expertise and size of the audit staff relative to the IT environment
- Identification of the IT audit universe, risk assessment, scope and frequency of IT audits
- Processes in place to ensure timely tracking and resolution of reported weaknesses
- Documentation of IT audits, including work papers, audit reports and follow-up
How does an IT examiner deal with these challenging requirements? The audit department is expected to perform at a high level to satisfy the FFIEC’s requirement for adequate audit coverage and work throughout the audit life cycle. The amount of research the examiner team must do seems almost limitless, particularly in reading audit materials, where data sets must be shared with other examiners. When preparing for an examination by regulatory agencies, the IT examiner should review applicable laws and regulations and ensure that the bank has complied with each requirement.
For most financial institutions, the standard for IT examination is the FFIEC IT Examination Handbook. The current Handbook consists of 12 booklets that have the primary purpose of providing guidance to examiners and financial institutions. The booklets are available on the FFIEC web site (www.ffiec.gov) for online viewing or downloading in PDF format.
The Audit Booklet is intended primarily for use by examiners of FFIEC member agencies as a foundation from which they can assess the quality and effectiveness of an institution’s IT audit program. Examination objectives allow the examiner to determine the quality and effectiveness of the audit function related to IT controls. Agency examiners use the procedures in appendix A of the Audit Booklet to assess the adequacy of IT audit programs at both financial institutions and technology service providers. These procedures will disclose the adequacy of audit coverage and to what extent, if any, the examiner may rely upon the procedures performed by the auditors in determining the scope of the IT examination. Tier II objectives and procedures provide additional validation as warranted by risk to verify the effectiveness of the institution’s audit function. Tier II questions correspond to the Uniform Rating System for Information Technology (URSIT) rating areas and can be used to determine where the examiner may rely upon audit work in determining the scope of the IT examination for those areas.
The FFIEC member agencies believe that a strong internal auditing function combined with a well-planned external auditing function substantially increases the probability that an institution will detect potentially serious technology-related problems. Per FFIEC guidelines, an effective IT audit program should:
- Identify areas of greatest IT risk exposure to focus audit resources
- Promote the confidentiality, integrity and availability of information systems
- Determine the effectiveness of management’s planning and oversight of IT activities
- Evaluate the adequacy of operating processes and internal controls
- Determine the adequacy of enterprisewide compliance efforts related to IT policies and internal control procedures
- Require appropriate corrective action to address deficient internal controls and follow up to ensure that management promptly and effectively implements the required actions
If bank examiners are required to attest to IT audit work in the financial world, who is doing similar work in other fields? Is IT audit work being monitored and audited in the private and public business (nonfinancial) worlds? If the answer is yes, who is attesting to that?
Obviously, other private and public industries do not operate under the same regulations as the financial world. Nonfinancial industries take a slightly different approach, relying on a pair of complementary IT audit governance mechanisms: audit committee oversight and the process of due professional care, which includes factors such as peer review.
That sounds straightforward, but there does not appear to be sufficient literature published on the topics of IT peer review audit and the process of professional due care in the nonfinancial world.
The opportunities to commit fraud are rising. Generally, these opportunities are created by the lack of adequate oversight functions within an enterprise. The existence of an oversight function does not guarantee the detection of fraudulent acts; the oversight functions must also respond effectively. The perception of detection, not internal control, is arguably the strongest deterrent to fraud. Accordingly, the role of the IT auditor has grown beyond that of a police officer treating the auditee as a suspect. Effective IT auditors possess a variety of skills that enable them to add value to their organizations and clients. IT audits that are inefficient, inadequate or inappropriate can also severely hamper the fortunes of the business.
Elevating IT audit from a purely spectator role to the governance level is the natural consequence of recognizing that IT audit work monitors all aspects of the business. No doubt the recent changes sparked by mandates in the regulatory environment (e.g., US Sarbanes-Oxley Act of 2002, Basel II in Europe, US Patriot Act of 2001, US Gramm-Leach-Bliley Act of 1999, US Health Insurance Portability and Accountability Act of 1996) shed some light on the need for IT audit governance. These and other similar initiatives in other countries have contributed to the realization that IT audit monitoring must be performed at almost all private industry enterprises or organizations and federally insured financial institutions. On the international level, quite a few supporting mechanisms have been developed to guide the implementation of IT governance, including:
- Control Objectives for Information and related Technology (COBIT®)—An approach to standardize good IT security and control practices, published by the IT Governance Institute. It provides tools to IT auditors to assess and measure the performance of the IT processes of an organization.
- The IT Infrastructure Library (ITIL)—A detailed framework with hands-on information on how to achieve successful governance of IT, developed and maintained by the UK’s Office of Government Commerce, in partnership with the IT Service Management Forum
- ISO/IEC 27001 (ISO 27001)—A set of best practices for organizations to follow to implement and maintain a security program. It started out as British Standard 7799 (BS 7799), which was published in the UK and became a well-known standard in the industry used to provide guidance to organizations in the practice of information security.
- AS8015-2005 Australian Standard for Corporate Governance of Information and Communication Technology
An IT governance framework with compliance in the forefront will provide the IT auditor with mechanisms to:
- Evaluate what is needed to create a strong IT governance framework for the organization
- Analyze best practices from COBIT and ITIL
- Evaluate the steps required to implement IT governance at the organization
- Ensure that compliance and governance are working hand in hand
Building an Audit Committee Governance Process
After the widely reported collapse of Enron in 2000, Parmalat in Europe, and the alleged problems within Arthur Andersen and WorldCom, the duties and responsibilities of the boards of directors and audit committee members of public and privately held corporations were questioned. Following corporate collapses in Australia around the same time, working groups were established to develop standards for corporate governance. In response, and in an attempt to prevent similar problems from happening again, the Sarbanes-Oxley Act was written to stress the importance of business control and auditing. Sarbanes-Oxley and Basel II have been catalysts for the development of the discipline of IT governance since the early 2000s. Additionally, a series of Australian Standards for Corporate Governance was published in 2003:
- Good Governance Principles (AS8000)
- Fraud and Corruption Control (AS8001)
- Organizational Codes of Conduct (AS8002)
- Corporate Social Responsibility (AS8003)
- Whistle Blower Protection Programs (AS8004)
In the US, the Securities and Exchange Commission (SEC) has long recognized the important role of an audit committee. In its Accounting Series Release, the SEC encouraged public companies to establish an audit committee. The final rules published by the SEC to implement section 301 established the following minimum committee requirements:
- Each member of the audit committee must be a member of the board and otherwise be independent.
- The audit committee must be directly responsible for the appointment, compensation, retention and oversight of the work of any registered public accounting firm engaged for the purpose of preparing or issuing an audit report or performing other audit, review or attest services for the company. Each such registered public accounting firm must report directly to the audit committee.
- The audit committee must establish procedures for the receipt, retention and treatment of complaints regarding accounting, internal controls or auditing matters, including procedures for the confidential, anonymous submission by employees of concerns about questionable accounting or auditing matters.
- The audit committee must have the authority to engage independent counsel and other advisors as it determines necessary to carry out its duties, and the company must provide appropriate funding, as determined by the audit committee, for the payment of compensation to auditors and advisors and the payment of expenses incurred by the committee.
Governance controls are those mandated and controlled by either the entire board of directors or a board audit committee in conjunction with the organization’s executive management. Typically, the primary responsibility for internal control resides with the board of directors in its role as keeper of the governance framework. IT audit controls at the governance level involve ensuring that an effective IT audit function, policies and processes are in place, and performance and compliance metrics demonstrate ongoing support for that framework. These controls are linked with the concepts of corporate governance, which are driven both by organizational goals and strategies and by outside bodies such as regulators. It is important to know that the board’s responsibility involves oversight rather than actually performing the monitoring activities. For example, the audit committee of the board does no auditing, but it does oversee both the internal and external auditing of the organization. Consequently, close collaboration among board members and executive managers (IT audit committee) is essential. Senior management must make sure that the IT audit needed to achieve the organization’s established objectives is applied and ensures reliable and continuous processing.
As such, the role of the audit committee encompasses oversight of financial issues, internal control assessment, audit risk management and ethics. IT control is a strong element of each of these duties and calls for overseeing the overall assessment of IT controls, assessing the quality of audit work, reviewing the results of audit work and monitoring the resolution of issues raised. Other typical audit committee monitoring includes vetting procedures for new staff members, engagement arrangement, performance measurement, provision of specialist training for IT audit staff members and disciplinary procedures.
Organizations that implement an effective audit committee experience improvements in efficiencies, reliability of services, flexibility of systems and availability of assurance evidence, all of which add value and increase stakeholder and regulator confidence in the organization.
Due Professional Care
ISACA® sets forth the Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certificate holders. Apparent failure to comply with this code may result in an investigation into the member’s or Certified Information Systems Auditor™ (CISA®) holder’s conduct by ISACA or an appropriate ISACA board or committee. ISACA’s IS Auditing Guideline G7, Due Professional Care, directs IT audit professionals to maintain technical competence and to conduct their audits with the professional bearing that an auditee expects of an auditor. Due professional care is to be exercised in all aspects of the information systems auditor’s work, including observance of applicable professional auditing standards. Seven areas form the foundation of due professional care: peer review, auditor conduct, judgment, technical competence, business knowledge, certification and standards. Peer review will be the focus of this article.
Peer Review Today
Firm-on-firm peer review emerged in the 1970s, partly as a result of SEC disciplinary actions against some of the larger firms. There was no real uniformity to the process until 1977, when the American Institute of Certified Public Accountants (AICPA) Governing Council established the Division for CPA Firms to provide a system of self-regulation for its member firms. Two voluntary membership sections within the Division for CPA Firms were created—the SEC Practice Section (SECPS) and the Private Companies Practice Section (PCPS).
Peer review was initially designed as an educational and remedial program to strengthen quality control, prevent recurrences of problems and correct deficiencies in the practice of member firms. It was intended to supplement the enforcement and corrective action rather than to be disciplinary. Since its inception nearly 20 years ago, participating firms have reaped the benefits of having colleagues assess the quality of their work. Now, after almost two decades, the AICPA has taken a look at the program to strengthen the process.
Peer review can be defined several ways. Some describe it as a way of conducting continuous reassessment of audit work quality and assuring the client that the auditor is capable of performing the job duties as required by the guidelines of the audit. Others define it as a system of internal inspection first used regularly in the early 1960s, when a number of large firms used it to monitor their accounting and auditing practices and make certain their different offices maintained consistent standards.
Peer reviews are supported by ISACA, the US General Accounting Office (GAO), AICPA and Institute of Internal Auditors (IIA).
In July 2002, the Sarbanes-Oxley Act established the Public Company Accounting Oversight Board (PCAOB) as a private-sector regulatory entity to replace the accounting profession’s existing self-regulatory structure as it relates to public company audits. One of the PCAOB’s primary activities is the operation of an inspection program that periodically evaluates registered firms’ SEC issuer audit practices. As a result, effective 1 January 2004, the SECPS was restructured and renamed the AICPA Center for Public Company Audit Firms (CPCAF). The CPCAF peer-review program became the successor to the SECPS peer-review program, with the objective of administering a peer-review program that evaluates and reports on the non-SEC issuer accounting and auditing practices of firms that are registered with and inspected by the PCAOB. Since many state boards of accountancy and other governmental agencies require a peer review of a firm’s entire auditing and accounting practice, the CPCAF peer review provides a bridge from the PCAOB inspections to allow member firms to meet their state board of accountancy licensing and other state and federal governmental agency peer-review requirements. Today, with two institute-approved practice-monitoring programs, approximately 900 firms are subject to the CPCAF peer-review program, and about 33,000 firms are subject to the AICPA peer-review program.
AICPA believes that peer review is an outstanding tool, not only for the reviewed firms to improve their practices and users of audit services to make decisions on whom to hire, but also for governmental entities and regulators. Furthermore, the AICPA recognizes that when peer review was created, it was intended to be a remedial and educational process to assist members and improve the quality of their accounting and auditing practices.
The audit profession relies heavily on peer review. Consequently, as regulators and others have come to rely more on peer review, the peer-review process has been enhanced to address the needs of these users as well. In recognition of the current regulatory environment and the needs of the various users of peer review, the AICPA Peer Review Board (PRB) and the CPCAF Peer Review Committee created a task force and revised the peer-review standards, effective 1 January 2005 and early 2004, respectively. The task force recommends that the PRB reevaluate the reporting model and consider changes that will enhance the understandability and usability of the reports. The task force believes that the strong and transparent oversight process helps ensure that reviews are being performed, reported on, and accepted consistently and in accordance with the standards.
From its inception, peer review has identified deficiencies within firms—a process that has led to those deficiencies being corrected. For firms that perform audits and certain other engagements, the peer review is accomplished through procedures that provide the peer reviewer with a reasonable basis for expressing an opinion on whether the reviewed firm’s system of quality control has been designed appropriately, and whether the firm is complying with that system. These procedures include determining whether the firm:
- Has policies and procedures that confirm that the firm is independent and objective in performing attest engagements
- Appropriately manages its attest engagement personnel
- Services only those clients it has the capability of serving
- Performs engagements in accordance with professional standards
- Appropriately monitors each of the above
The peer-review process was quickly recognized as a rigorous process that produced tangible results. In many members’ minds, it showed that the profession could effectively police itself. But the fact that peer-review participation was voluntary led many others, inside and outside the profession, to doubt that the profession could effectively self-regulate. Many members within AICPA believed that it would have to be made mandatory for all firms if the profession was to avoid legal or governmental action.
The peer-review task force has received additional criticism on several fronts, including the following accusations:
- That while the task force faces many challenges when harnessing peer review, there is one challenge that renders all others moot—the challenge of continuing dialog between IT disciplines and the accountancy profession. If various industries and business enterprises are to derive benefit from the work of external auditors on a continuing basis, the accounting profession should discuss current areas of audit service quality with the IT governance bodies as a whole. This can be achieved through periodic discussions at the national and international levels between the IT governance authorities and professional accountancy bodies.
- That proponents of the task force indoctrinate the methodology with financial audit zeal at the expense of IT operational audit
- That many peer-review advocates think peer review is a holistic, all-encompassing framework for accounting professionals to stress the importance of year-end external auditing
Peer review is a necessary component of the audit service and its governance processes. A number of best practices have been successfully used by audit firms’ management, audit committee and senior management to instill peer review and due professional care. Furthermore, the IT auditor’s role in IT governance can be enhanced when it is mapped within the four COBIT domains:
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
Outside of COBIT, other IT service management approaches and frameworks exist, including ITIL, governing general issues of large-scale IT management.
All four domains need to be assessed for compliance with quality and control requirements. Ultimately, peer review serves as a foundation to ensure that the client receives a high-quality review. Certainly, peer-review challenges are essentially the same for all organizations, whether a bank, a consulting service firm or a steel company. The only difference is that banks are more heavily regulated than some other industries and often perform discovery specifically for regulatory requirements.
The process of identifying and assessing the IT audit services necessary to address specific audit risks is aided considerably by the organization’s adoption of a formal control framework. This framework should include peer-review reporting and audit committee oversight initiatives. The framework should apply to, and be used by, the whole organization—not just the board of directors or the audit committee. Although many frameworks exist, no single framework covers every possible audit type or technology implementation. A control framework is a structured way of categorizing controls to ensure that the whole spectrum of control is adequately covered. The framework can be informal or formal. A formal approach will more readily satisfy the various regulatory or statutory requirements faced by many organizations. Each organization should examine existing control frameworks to determine which of them—or which parts—most closely fit its needs.
Several existing frameworks and approaches can assist audit committee members and other managers when determining IT audit monitoring requirements. Peer review can help audit committee members ensure that all relevant issues have been considered when planning and directing internal audit assessments of IT controls. The respective roles and responsibilities of banking supervisors, industry regulators, accountancy professionals and external auditors, and, where appropriate, communication among them, improve the effectiveness of audits and regulatory bodies to the benefit of both disciplines. This article is not intended to challenge or change these roles or responsibilities. Rather, it is intended to provide a better understanding of the nature of the roles of companies’ boards of directors and management, external auditors, IT bodies and accounting professionals. Since misconceptions about such roles could lead to inappropriate reliance by one on the work of another, this article seeks to remove possible misconceptions and suggests how to audit an auditor’s work.
High-quality IT peer reviews should be performed on a regular basis and help reach the desired goals of management and the board of directors. The review should assign criticism and praise where warranted. Auditing the auditor’s work requires conducting peer reviews to directly assure the client that the auditor is capable of performing the job duties as required by the guidelines of IT audit. Consequently, the peer-review process ensures that the IT auditor possesses all the skills needed to perform the job duties and that the client receives a high-quality IT audit.
Omar Y. Sharkasi, CRP, CFE, CBCP
has nearly 14 years of IT governance, risk management and compliance experience in a variety of areas. He can be reached at email@example.com.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.