The Satyam saga was an eye-opener about what an audit failure can do to a company. Although the audit process was not the sole culprit, the role of the auditors was crucial. In the aftermath, the enterprise community has started rethinking how to conduct audits and prevent failures.
The skillsets of auditors have to be upgraded and they need to be better trained. There is one more element that is missing in audits: continuous monitoring. “The systems, process, people and numbers that flow into the balance sheet should be monitored continuously,” said Sunder Krishnan, Chief Risk Officer, Reliance Life Insurance.
This calls for risk assessment on-site and off-site, depending on the size and importance of the transactions. Traditional chartered accountants need to adapt to the changes.
Vishnu Kanhere, Senior CA and Fraud Examiner ACFE USA, suggests forming a team of forensic auditors who would report to appropriate heads within the company or the shareholders. These heads would safeguard the interests of the various stakeholders and the company at large.
Automation of the IT Audit Process
Automating the IT audit process would facilitate the above measures: it would limit human intervention while keeping human judgment alive through appropriate access controls, which can go a long way in reducing audit failures.
The automation of the audit process has two phases: automation of work papers by the auditors, and the use of automated tools. The two are different, though they are often considered synonymous.
“When you look at the automation of the audit process, it translates into looking for a workflow kind of a solution wherein the enterprise is able to use the knowledge of an expert auditor who operates in a different country and the auditor at the other end can leverage his knowledge, the review process and the like,” said Krishnan. This is the first part.
The second part is using tools and techniques that are automated. This enables better risk assessment. One important technique that has evolved in the last decade is quantitative risk assessment, as against qualitative risk assessment. Both are extremely important. Quantitative risk assessment alone doesn’t help. It is an outcome of using modern technologies and predictive behavioural patterns. Qualitative risk management is the use of judgment, experience, and intuition to read those results and use them to arrive at outcomes.