I recently conducted an internal auditor training program for a major firm in India. One of the questions asked during the course of the training was regarding audit checklists. The participant wanted to know if an IS auditor really needed a checklist during the course of a systems audit. He also said that some auditors in the past sent him the checklist to obtain his responses, and some only asked the questions mentioned in the checklist. He felt that auditing was a bit boring as it was just about checking a few things, filling out a checklist and submitting a report. Here I had a participant who was not at all happy about the state of audit.
I had to explain to him that IS auditing is not just about preparing and completing a checklist and submitting a report. An audit checklist is a useful tool, but no auditor needs to be confined to the questions in the checklist. A checklist is useful to ascertain that the auditor does not miss reviewing any important and significant areas as agreed upon in the scope of the audit engagement. I showed the participant how complex the IT setup can be and quickly gave an overview of ISO27001 and COBIT as reference guides to explain to him all the items an auditor can assess during a systems audit. When I explained the concept of risk and value for IT controls, he was able to appreciate the value that an auditor can bring to an enterprise.
Whether auditors need to carry a checklist during a systems audit is their choice, but what is more important is the overall audit process that the auditor follows. Auditors are appreciated when they perform an objective assessment of the environment from a risk and value perspective. Merely asking questions is not what auditing is about. Auditors need the skills to obtain evidence from complex IT systems within the context of a client's business to reach a conclusion.
So here comes the challenge—if concerned auditors do not have a fair idea about client business processes and are not confident with the technology environment of the customer, then they should enlist the help of senior auditors who have such skill sets. Auditors need to go beyond the checklist to assess an IT setup, as no single checklist is enough for a variety of IT setups.
There are many other perceptions and unpopular beliefs regarding the IS audit profession, such as that audit is a fault-finding mission, that audit is a post-mortem exercise, that auditors make recommendations that are not practical, or that auditors are scary. All of these issues can be addressed when auditors understand the business processes of the client, understand the client culture, conduct audits as per standard audit practices, involve the right competent audit professionals for any engagement, and submit reports with proper sign-off from the auditees and with recommendations that do, in fact, add value to the business.
Read Sanjiv Agarwala’s recent Journal article:
“How to Be the Most Wanted IS Auditor,” ISACA Journal, volume 1, 2016.