IT audit is a continuous process. Thus, setting objectives from daily audit exercises can be a difficult proposition. The operational nature of the business vertical determines the timing of certain types of audits. Irrespective of when a particular type of audit is slated to be done, every company should set specific objectives for its IT audit exercise. The report Information Technology Audit has highlighted three basic objectives of IT audit: better risk management, improving business efficiency and enforcing continuous monitoring.
But how can enterprises decide on the objectives to be achieved from the IT audit? This decision depends largely on how dependent the business is on IT and on how the company defines IT audit.
Defining IT Audit
Deploying IT as a business enabler comes with its own set of risks and complexities that go into the making of an organisation's IT. So, from an audit perspective, it is important to identify the risks that are specific to the particular organisation. “IT audit is a risk identification process, and the type of risk and complexity will determine what and when you would audit,” said Charan Kumar B., Principal - Fernhill Associates.
According to Abdul Hamid Bin Abdullah, CIS, CPA - Auditor General’s Office, Singapore, “IT Audit is the audit of information systems, infrastructure and the related processes. Conducting an IT audit in itself is not the objective, but to support other audits.”
IT Audit Should Be Well Knit With Other Audits
Stitching the IT audit process together with other audits is inevitable. This will expand the scope and interactivity of the IT audit process.
So how should CIOs approach this process?
IT audit should collaborate with the financial statement audit to prove the authenticity of information provided by the accounting systems. It could also be done to support the performance audit to check the efficiency and effectiveness of business operations. Similarly, there are various other kinds of audits. The auditors may come up with a master risk list from all audit types.
The list has to be prioritised in terms of how much risk the company wants to tolerate. It is a close call, and it all boils down to the company’s risk appetite because audit has a cost attached to it. Synchronisation with other audits needs a well thought-out audit plan.
“Within the same industry two different companies can have two different audit plans,” said Kumar. This is because their maturity level could be different. So, one organisation that is strong in security and access but weak in change controls might want to focus on a review process and have the auditors come in, look at the change control and explain where improvement has to be made. Within the same industry you might have a company that is good at change control but weak on security, so it might want to schedule security over change control.
Disadvantages Of Multiple Audits
Multiple audits have a flip side too. The burden of many audits can weigh down the efficiency of an audit process as a whole, and can result in audit failures.
“Along with different kinds of audits, certifications and regulations are also increasing, and to add to the misery, they act in silos,” said Vishnu Kanhere, Senior CA and Fraud Examiner, ACFE USA. There is no super regulator, no one person, organisation or entity that oversees the inputs and observation feeds from all audit committees. Having such a person in place would help companies give a single window view to the external auditor about the company operations.
To know what should be done to prevent audit failures, keep logged on to Biztech2.com.