Information technology (IT) auditors within internal audit departments are in a position to add great value to their organizations. Many IT auditors have found that continuous auditing (CA) and continuous monitoring (CM) provide effective control assessments at very low marginal cost. Managers have also quickly recognized the value added by CA and CM. However, a common unrecognized ethical dilemma exists when an IT auditor provides both CA and CM: the potential for losing long-term auditor independence and objectivity because of the different purposes each service has within an organization.
This article describes an occurrence of this dilemma that IT auditors at Amedisys Home Health Services, a publicly traded company with agencies located across the US, faced. The importance of maintaining independence and objectivity, both in fact and appearance, is discussed to show why a potential problem existed at Amedisys. An approach to analyzing the dilemma is presented, as well as the solution implemented by Amedisys, which allowed CA and CM to flourish while maintaining independence and objectivity.
This article reiterates the importance of independence and objectivity and reminds IT auditors that appropriately resolving ethical dilemmas helps reinforce their value to their organizations.
Implementing a Continuous Audit Initiative
While all had gone well up to this point, the internal audit department of Amedisys had a concern with its CA initiative. Internal audit, including the IT auditors, had been involved with helping meet the section 404 requirements of the US Sarbanes-Oxley Act, i.e., evaluating the system of internal control over financial reporting within their organization. As a result of this process, internal audit recognized that more repetitive and timely IT audit testing of certain key controls, such as CA, would provide more effective and efficient evidence of compliance. As a result, the IT auditors began to identify how CA could be performed in a cost-effective manner.
After careful consideration, Audit Command Language (ACL) was chosen to make CA a reality; automated testing using ACL scripts appeared to provide the ability to efficiently test certain key controls on a recurring basis. The IT auditors sought to identify potential CA opportunities based on risks/benefits, including:
- Identifying terminated users with continued system access
- Identifying dormant accounts of nonterminated users
- Closely monitoring security of critical data
- Identifying duplicate payments to vendors
Prior to considering the use of ACL, Amedisys had met its section 404 compliance needs by establishing a compliance department at the corporate level, assigning a Sarbanes-Oxley manager in the accounting department and assigning Sarbanes-Oxley compliance for IT-related matters to the compliance manager in the IT department. Specific scripts were designed, developed, maintained and used on a recurring basis by the IT auditors, which further assisted with meeting Sarbanes-Oxley compliance.
The ACL scripts were recognized as being so useful for testing key controls that management became interested in using the same or similar scripts for performing CM. The IT department, in particular, took an immediate interest in ACL. The department recognized the benefits of using scripts for its own testing of automated controls and reducing reliance on manual controls. As a result, the IT department made suggestions to improve existing scripts and generated ideas for potential new scripts. The IT auditors used the suggestions to improve the scripts they were maintaining and to create new scripts that they would also maintain, for their own use for CA and for auditee use for CM.
Multiple departments within Amedisys obtained value from the development and maintenance of ACL scripts within internal audit. Internal audit used several scripts for CA and also developed and maintained scripts for CM to help management meet its compliance responsibilities.
So, what was the concern identified by internal audit?
Many business persons, including the IT auditors, saw the scenario described as a win-win situation for all involved. No laws had been broken and persons inside and outside of the organization were better off. However, a serious concern was identified by internal audit at Amedisys; that is, was proper professional judgment being exercised in the application of ethical principles, so that problems down the road may be prevented and the auditors can maximize their long-term value to the organization?
The main point of all accountancy and auditor-related codes of ethics is that key ethical principles must be considered carefully when seeking to make sound professional judgments. The fact that no laws are broken and no promulgated rules are violated does not mean that the most ethically correct behavior is being exhibited. The professional responsibility of an auditor is to consider the ethical principles—the spirit of the rules—that require long-term consideration of the organization and the audit profession, as well as the immediate stakeholders.
All of the professional organizations that provide guidance for auditors and accountants place emphasis on independence and objectivity. A number of these organizations are listed in figure 1, along with a respective list of principles or standards. The intent of each list is for professional members of each respective organization to use broad ethical principles to determine the best response to an ethical dilemma.
Note the similarity among the lists of principles; in particular, all five organizations clearly list or imply independence and objectivity as principles that must be adopted and internalized. This emphasis is not just a passing wink at an ethical nicety, but rather the clear recognition that independence and objectivity are core principles and standards that determine the value of a professional's work, especially that of auditors.
Independence and objectivity are emphasized so strongly because when these principles are impaired, so too is the value of an audit. If the user of an audit report does not believe that the auditor is independent and objective, the reliability of information in the audit report is questioned. Therefore, all professional auditors need to be independent in both fact and appearance. ISACA, the Institute of Internal Auditors (IIA) and International Ethics Standards Board for Accountants (IESBA) codes extend the concept further by requiring organizational independence for the internal audit department as well as that of each auditor.
Reflecting back on the scenario at Amedisys, the concern identified by internal audit is warranted. That is, if ACL scripts are developed and maintained by IT auditors for both their use and the use of management, the IT auditors are being put in the position of auditing their own work. This would result in a clear impairment of both the fact and appearance of the auditor's independence and objectivity, thereby reducing the auditor's value.
Continuous Auditing Does Not Equal Continuous Monitoring
Despite the previous discussion, some readers still may believe that there is no impairment of auditor independence and objectivity when providing both CA and CM. This false belief may exist because of a misunderstanding of the roles of CA and CM. A difference does exist and it speaks directly to addressing whether auditor independence and objectivity are impaired.
This difference has been identified and emphasized by the ISACA Standards Board.6 CA and CM may be defined as:
- CA—A methodology used by auditors, typically assisted by technology, to perform audit procedures and issue assurance on a continuous basis (e.g., weekly, monthly)
- CM—A process put in place by management, usually automated, to determine on a recurring and repetitive basis (e.g., weekly, monthly) if activities are in compliance with policies and procedures implemented by management
Part of what it means for an auditor to be independent and objective is that the auditor cannot audit his/her own work. Associated with this is that an internal auditor cannot audit the work of others for which the internal auditor has ongoing ownership or maintenance responsibilities. CM is a management control function and "the use of continuous monitoring systems by IS auditors may create situations where the IS auditor's independence is impaired."7
So, what is the solution to the ethical dilemma facing the IT auditors at Amedisys?
The solution is not to find a loophole in an ethics rule that allows the work to be done within the internal audit department.
Rather, the question to be answered is this: How can the IT auditors help management with CM, but also strictly adhere to the principle of maintaining both the fact and appearance of independence and objectivity so that the auditors' work is highly valued?
While there may be no "right" answers that allow a perfect win-win solution for all involved, there are methods that can be used to better understand the consequences of how to react to dilemmas such as those involving CA and CM. First, auditors need to increase their sensitivity to problems that involve ethical principles. Multiple internal auditors with whom the CA vs. CM situation has been discussed had not previously seen a difference between CA and CM. However, upon further discussion and consideration, auditors have recognized that a clear difference does exist between CA and CM, and along with it, a definite threat of impairment to independence and objectivity.
Once the problem is identified, the auditor must find the best available solution. A six-step model for helping address ethical dilemmas can be used to identify the best available solution. This model has been widely endorsed by a number of accounting, consulting, journalism, legal, medical and religious organizations, and some variation of the model can be found in many accounting, auditing, management and psychology textbooks:
- Obtain as many relevant facts as are available about the given dilemma.
- Identify and verbalize the ethical issues included in the facts.
- Identify and list all known stakeholders (both internal and external).
- Identify and list the ethical principles involved.
- Brainstorm alternatives available as reactions to the dilemma, including the likely consequences of each alternative.
- Exercise judgment to determine the best course of action among the alternatives.
These steps have been used to help identify the best solution to the dilemma at Amedisys.
The Best Course of Action
Following the six-step model, there are three relevant facts in the CA vs. CM dilemma:
- IT auditors create ACL scripts to conduct CA.
- Management personnel (auditees) recognize the value of the scripts and want to use scripts for CM of their own activities.
- The expertise of writing and maintaining the scripts resides with the IT auditors.
The ethical issue is that the IT auditors want to add to total corporate value by assisting management with their CM efforts, but also need to maintain independence and objectivity when providing CA.
The primary stakeholders in the dilemma are the internal audit department and management. Other stakeholders include company employees, stockholders, other third parties, and other members of the IT governance and internal audit professions. The primary ethical principles at issue here are independence and objectivity. Three alternative actions have been identified, along with their associated consequences:
- IT auditors continue to create and maintain scripts to be used by themselves and management. This will result in the loss of auditor independence and objectivity.
- IT auditors stop sharing their scripts. Doing so forces management either to learn how to create and maintain its own scripts or hire consultants to do the work.
- Allow management to use scripts developed by the IT auditors as long as all parties understand their own responsibilities and parameters for creating and maintaining scripts once given to an auditee. Scripts developed by IT auditors are to be used by them for the purpose of CA. In turn, scripts, including those in which management participates in development, can be used by auditees for CM with the understanding that they must take total responsibility for learning to use and maintain the scripts for themselves.
Amedisys has chosen the third alternative as the best response to this dilemma. This alternative allows the IT auditors to maintain their independence and objectivity by permitting them to share scripts with management as a residual result from performing their primary function of CA. Auditor independence and objectivity are maintained by having respective management personnel accept ownership, performance and maintenance of the scripts given to them. With the choice of this solution, formal policies and procedures over the development of scripts by IT auditors have been drafted and implemented within Amedisys. These policies and procedures are shown in the CM agreement form provided in figure 2.
The CM agreement form must be signed before the auditee takes possession of a script of interest. The policies and procedures documented in the form are most explicit in identifying the activities of CA and CM, as well as what internal audit can and cannot do for the auditee. IT auditors provide the script, review script procedures with the auditee and walk through the initial execution of the script. After this, the auditee is responsible for testing, running, modifying and securing the script. These procedures provide the necessary level of independence and objectivity required by ISACA and the IIA for the IT governance and internal audit professionals who provide CA. The procedures allow auditees to leverage internal audit's expertise while accepting total responsibility for learning and maintaining the scripts received.
Ethical dilemmas are often described as slippery slopes: unseen until one falls and is unable to regain sure footing. One such slope facing IT auditors is how a misunderstanding of the difference between CA and CM can lead to impairment of their independence and objectivity. With sensitivity and awareness for identifying such a dilemma before the slope gets too steep, IT auditors can make certain they have sure footing by taking careful steps when making decisions that provide valued services to their organization and are enhanced by their independence and objectivity.
1 ISACA, Code of Professional Ethics, 2007, www.isaca.org/ethics
2 The Institute of Internal Auditors, Code of Ethics, 2000, www.theiia.org
3 Institute of Management Accountants, The Rights and Responsibilities of a Certified Management Accountant, 2006, www.imanet.org
4 American Institute of Certified Public Accountants, Code of Professional Conduct, 2006, www.aicpa.org
5 International Federation of Accountants, Code of Ethics for Professional Accountants, 2005, www.ifac.org
6 ISACA Standards Board, "Continuous Auditing: Is It a Fantasy or a Reality?," Information Systems Control Journal, 2002, vol. 5, p. 43-46
Jill Joseph Daigle, CISA, CIA, CISSP
is the internal audit manager at Amedisys Home Health Services. She has 15 years of experience in internal audit, with 10 of those years as an IT auditor, primarily in healthcare organizations. She can be reached at email@example.com.
Ronald J. Daigle, Ph.D., CPA
is an assistant professor of accounting at Sam Houston State University (Texas, USA). He teaches auditing and accounting information systems and has published articles on the demand for continuous auditing. He can be reached at firstname.lastname@example.org.
James C. Lampe, Ph.D., CPA
is an associate professor in the School of Accountancy at Missouri State University (USA). He teaches ethics and professionalism, auditing, and IT auditing. He has published articles on professional ethics for accountants and auditors and on the demand for continuous auditing. He can be reached at email@example.com.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.