IS Audit Basics: Innovation in the IT Audit Process

In June 2015, ISACA began publishing a set of white papers titled “Innovation Insights.”¹ The papers covered the top 10 emerging digital technology trends most likely to deliver significant value, in excess of cost, to the vast majority of enterprises.²

The topics covered included big data analytics, mobile, cloud, machine learning, the Internet of Things (IoT), massive open online courses, social networking, digital business models, cybersecurity and digital currency.

Unfortunately, from an audit perspective, the papers were targeted at business leaders and board members. While they are not all topics that an IT auditor can influence on a day-to-day basis, does that mean that IT auditors cannot innovate?

Innovation is defined as the introduction of something new or a new idea, method or device³; therefore, introducing something new to a process is innovating.

Further, if it is new to the enterprise, it is also innovation. So, how can we innovate throughout the IT audit process?. According to ISACA, the typical audit process consists of three phases (figure 1). The following are my thoughts for potential innovation during each phase. Please bear in mind that what may be new and innovative for enterprise A may be business as usual for enterprise B.

Planning—Collaborate

The Internet allows us to communicate with peers instantly and has enabled innovative ways of doing many things. Fundamentally, however, we are each still planning and creating audit programs as if this revolution had not taken place. In an earlier column,⁴ I advocated for the ISACA community to develop open-source audit/assurance programs. In the meantime, organizations can innovate by collaborating on audit/assurance programs through their local chapters or industry groups. For example, does the next seminar have to take the format of an expert explaining the fundamentals of a new law or regulation? Can it not be a facilitated open forum that results in, or at least is the basis for, an audit program for said regulation?

Also, please remember that collaboration is always possible in the ISACA Knowledge Center.⁵

Planning—Implement Audit Management Software

Over the years there have been several discussions on the ISACA Knowledge Center on the benefits (or otherwise) of adopting audit management software. Those against point to the inflexibility of many of the tools available and the fact that it is just easier to get things done with Microsoft Word and Excel. However, one of the real benefits is that they enforce a standardized process. This is the very essence of what we, as auditors, like to see in processes we review.

Standardization ensures that each audit goes through steps defined and agreed on by the enterprise. These will likely include risk assessment, peer review and audit management approval. They will, in turn, improve the quality and consistency of audits. Consistency of message is key for audit functions and, indeed, for auditees.

Further, it means that IT auditor A should be in a better position to pick up, understand and continue work initiated by IT auditor B.

Planning—Utilize Data Analytics Earlier

Traditionally, the use of data analytics is considered only at the audit fieldwork stage. However, if an engagement enables access to all the enterprise’s data for the subject under review, then it may be worth employing data analytics earlier. By mining the data, it is possible to determine which countries, business units, and business processes or other areas hide outliers that could represent increased risk or compliance issues. Once a business unit or geography is identified, the scope of the engagement can be further refined by drilling deeper into the data, increasing scope in higher-risk areas and reducing scope in sectors where analytics suggests the risk may be less. The overall result is a more dynamic audit plan based on continuous, just-in-time risk assessment; more efficient audits that are aligned with areas of risk; more effective results from audits that are focused on those areas of high risk; and automated reporting.⁶

Planning—Implement Control Self-Assessment

In enterprises where a sizable portion of the evidence is provided by interviewing and there is a good, proven working relationship between management and audit, one can truly innovate and save significantly on time by adopting control self-assessment (CSA). CSA was also discussed in a previous column.⁷ To recap, ISACA defines CSA as an assessment of controls made by the staff of the unit or units involved. It is a management technique that assures stakeholders, customers and other parties that the internal control system of the organization is reliable.⁸

CSA requires the auditee to answer a series of questions on the relevant criteria or the standards and benchmarks used to measure and present the subject matter and against which an IS auditor evaluates the subject matter.⁹ With management agreement, these results can be used as a basis for audit recommendations.

Planning—Audit Horizontally

It is widespread practice to audit applications or subject areas horizontally, that is, reviewing all the selected risk areas for a given application. Each application or subject is audited independently (figure 2). However, auditing in this manner can result in recurring findings or common themes.

For example, several applications may not be fully compliant with the defined change management process. This will result in multiple similar findings across the different applications. In such circumstances, it may make sense to audit the change management process itself horizontally across all the applications (figure 2) perhaps utilizing the COBIT 5 enablers.¹⁰ The purpose of such an audit would be to address the underlying causes of the recurring theme and mitigate risk across several applications.

Fieldwork/Documentation—Get Primary Access to the Evidence

At the fieldwork stage of an audit, an IT auditor attains evidence to measure against the criteria. The traditional way to do this is via interviewing and walk-throughs, where the IT auditor will ask for a print screen, copy of a report or other evidence to confirm that the criteria have been met. However, if the IT auditor is given primary, read-only access to this evidence, it will reduce the time the auditor needs to spend with the auditee, ultimately saving the enterprise money.

Further, the IT auditor need not be limited to sampling. Some examples follow:

• Change management—If a change management application is in place and the IT auditors have direct access to it, they do not necessarily need to walk through the changes with the auditee. They can sample or test all changes directly on the application or by extracting the data from the application for further analysis.
• Vulnerability management—If the IT auditors have direct, read-only access to the vulnerability scanner, they can tell if the associated assets are being scanned by the tool. Further, by reviewing the results of previous scans they can gain assurance on whether an ongoing process is in place and vulnerabilities are continuously being mitigated.
• Audit and logging—If the IT auditors have direct, read-only access to the enterprise’s security information and event management (SIEM) tool, they can tell whether the related application assets are captured in the tool and the auditing is at a level that matches the required criteria.

This concept could also be applied to other processes where automated software is in use or evidence is captured and maintained by second-line functions.¹¹ This could include the leavers and movers process, disaster recovery testing, backup restore testing, and database scanners.

Fieldwork/Documentation—Repurpose Generalized Audit Software

ISACA defines generalized audit software (GAS) as multipurpose audit software that can be used for general processes, such as record selection, matching, recalculation and reporting.¹² From an IT auditor’s perspective, the use of GAS tools is traditionally restricted to supporting operational or general audits by aiding in the extraction and analysis of data from the database of a given application. However, these tools will equally support data extracted from servers, application logs and views, and meta data from databases. They can be used, therefore, to support IT audits.

Once extracted, the data can be analyzed and compared against known compliant data sets and other sources of data, such as the company payroll. Further, the process can be repeated and used as part of a continuous monitoring and/or audit. Examples of this approach in use include “Auditing Oracle Databases Using CAATs”¹³ and “Auditing SQL Server Databases Using CAATs.”¹⁴

Reporting/Follow-Up—Utilize the ISACA Glossary

In a 2015 white paper, ISACA defined the five attributes of an audit finding (figure 3).¹⁵ A potential issue with the condition attribute is that the report audience may not always be technical even though a technical finding is being described. Therefore, it makes sense to include a definition of the area under review with the audit finding (e.g., vulnerability management). An effective way to do this is to use the definitions from the ISACA glossary.¹⁶ This provides clear explanations and will also create consistency, in that vulnerability management, for example, will be defined in the same way across multiple audit reports. This, in turn, means that the audience will learn and understand the terminology over time.

Even, if the ISACA glossary does not currently meet organizational needs, it can be used as a baseline or starting point.

Reporting/Follow-Up—Use Video

IT audit reports can be complex documents containing layers of interrelated findings that affect multiple areas of the business and often require further explanation. This may be overcome by meeting the audience face-to-face and providing further detail. However, due to the size, complexity and geographical dispersity of some enterprises, this is not always possible.

I had the honor of working with a colleague on an ISACA committee who overcame this problem by recording the executive summaries on video. The videos were uploaded to a private YouTube channel with the required technical controls (e.g., two-factor authentication). Besides adding context and meaning to the audit reports, it also allowed him to deliver the results with empathy—something that is difficult to get across in a written report.

Reporting/Follow-Up—Track and Measure Progress

ISACA’s Information Technology Assurance Framework (ITAF) recommends that a report on the status of agreed-upon corrective actions arising from audit engagement reports, including agreed-upon recommendations not implemented, should be presented to the appropriate level of management and to those charged with governance (e.g., the audit committee).¹⁷ This can be achieved by bringing the recommendations together in an assurance-finding register.

In addition, if these findings are allocated attributes (e.g., significance, status, owner, country, department, region), the data can be analyzed, summarized and presented in a meaningful manner—becoming information. This information can then be used to clearly show compliance to standards and regulations and even act as lead indicators for new initiatives. For further details, see “Enhancing the Audit Follow-up Process Using COBIT 5.”¹⁸

Conclusion

My overall message is that innovation, much like beauty, is in the eye of the beholder. If it is new to the enterprise, it is innovation. Furthermore, innovation does not have to include the latest technology, such as machine learning. Neither does it have to be a revolution; it can be an evolution. To innovate, we auditors do not have to be futurists; we can be “now-ists.”¹⁹

Endnotes

¹ ISACA, “Innovation Insights,” USA, 2015, www.isaca.org/Knowledge-Center/Research/Pages/isaca-innovation-insights.aspx
² Ibid.
³ Merriam-Webster, “Innovation,” https://www.merriam-webster.com/dictionary/innovation
⁴ Cooke, I.; “Audit Programs,” ISACA Journal, vol. 4, 2017, www.isaca.org/archives
⁵ ISACA Knowledge Center, Audit Tools and Techniques, www.isaca.org/Groups/Professional-English/it-audit-tools-and-techniques/Pages/Overview.aspx
⁶ Kress, R.; D. Hildebrand; “How Analytics Will Transform Internal Audit,” ISACA Journal, vol. 2, 2017, www.isaca.org/Journal/archives/Pages/default.aspx
⁷ Cooke, I.; “Doing More with Less,” ISACA Journal, vol. 5, 2017, www.isaca.org/archives
⁸ ISACA, CISA Review Manual, 26^th Edition, USA, 2016
⁹ ISACA, ITAF: Information Technology Assurance Framework, USA, 2014, www.isaca.org/Knowledge-Center/ITAF-IS-Assurance-Audit-/IS-Audit-and-Assurance/Pages/ObjectivesScopeandAuthorityofITAudit.aspx
¹⁰ ISACA, COBIT 5, USA, 2012, www.isaca.org/COBIT/Pages/default.aspx
¹¹ Chartered Institute of Internal Auditors, “Governance of Risk: Three Lines of Defence,” https://www.iia.org.uk/resources/audit-committees/governance-of-risk-three-lines-of-defence/
¹² ISACA Glossary, www.isaca.org/glossary
¹³ Cooke, I.; “Auditing Oracle Databases Using CAATs,” ISACA Journal, vol. 2, 2014, www.isaca.org/archives
¹⁴ Cooke, I.; “Auditing SQL Server Databases Using CAATs,” ISACA Journal, vol. 1, 2015, www.isaca.org/archives
¹⁵ ISACA, Information Systems Auditing: Tools and Techniques—IS Audit Reporting, USA, 2015, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/information-systems-auditing-tools-and-techniques.aspx
¹⁶ Op cit ISACA Glossary
¹⁷ ISACA, ITAF™: A Professional Practices Framework for IS Audit/Assurance, 3^rd Edition, USA, 2014, www.isaca.org/ITAF
¹⁸ Cooke, I.; “Enhancing the Audit Follow-Up Process Using COBIT 5,” ISACA Journal, vol. 6, 2016, www.isaca.org/archives
¹⁹ Ito, J.; “Want to Innovate? Become a ‘Now-ist,’” TED, 2014, https://www.ted.com/talks/joi_ito_want_to_innovate_become_a_now_ist