August 3, 2011

Strategy Planning for Organizational Control

To be successful, management must define a strategy and provide for effective corporate governance. Strategy is defined as "an adaptation of behavior or structure with an elaborate and systematic plan of action." Another more specific definition of strategy is "to create a fundamental change in the way the organization conducts business." Obviously, the second definition indicates that there are only a handful of people with that much authority. Corporate governance is often defined by ISACA as "ethical behavior of corporate executives toward shareholders and stakeholders to maximize the return of a financial investment." To clarify who is responsible for corporate governance, we could use this definition: "to lead by position or authority."
Three high-level management objectives to be verified by the auditor are as follows:
  • A strategic alignment between IT and the enterprise objectives (formal strategy). Proper planning is required to deploy resources in the right place for the right reason. Management is always responsible for getting it done (corporate governance, preventive controls).
  • A process of monitoring assurance practices for executive management. The senior executives need to understand what is actually occurring in the organization (staying involved by using detective controls).
  • An intervention as required to stop, modify, or fix failures as they occur (corrective action). Everyone has some kind of problem. Management should be working to resolve the issue immediately rather than covering it up by hiding the truth.
Each organization needs to develop its directional strategy. What direction should the business take to fulfill its goals? The selected strategy then focuses on client needs and how to serve that market. Critical success factors are selected. Marketing initiatives are designed to generate revenue with plans for fulfillment to the buyer. Figure 1 demonstrates the path of organizational requirements in conjunction with the IT requirements.

Figure 1: IT alignment with organizational objectives
The revenue process entails a significant amount of administrative overhead and record keeping. The expectation in every business is to make money and not be hampered by a particular technology nor tied to a particular vendor.
The IT department is looking for a clearly stated purpose that IT is expected to fulfill. The department looks at the demands and requirements necessary to be successful. A structured service-level agreement can be generated with this data, complete with staffing and technology growth plans.
Technology plans have to fulfill a business objective. For instance, take Amazon. This very successful bookseller isn't necessarily hung up on using Microsoft Windows, Macintosh, or Unix. What the executives want to know is that all the money is processed and the product arrives on time to fulfill their customers' expectations. Systems management and auditing on the back end will verify that all their bookkeeping and internal controls are functioning effectively. In an industry-leading move, Amazon added same-day shipping as a $5 option on select stock for customers geographically located near the Amazon warehouses. The bookseller downloads the daily courier route schedules and then compares the pickup and delivery schedule to the buyer's address. Orders placed in the morning can arrive the same afternoon in select major cities. A same-day delivery option is automatically added to the shopping cart for eligible purchases. Amazon demonstrates excellent integration of the business and IT strategy.
The top side of Figure 1 is motivated by gains in revenue. Executives take calculated risks to exploit new opportunities for their business to make more money. Conversely, IT is expected to prevent service failures that hurt revenue. IT may also be expected to focus on activities that enable revenue and concurrent activities to prevent loss based on risk management planning. This can make it difficult to determine which problem or goal is the priority.
Auditors can gain insight by looking into the IT reporting structure. The CEO is solely responsible for revenue-generating functions, and other revenue functions may be delegated to an underlying chief operating officer (COO). IT functions reporting to the COO provide services that generate revenue. If the IT operation does not generate revenue, it's a support function (aka cost center) reporting to the chief financial officer (CFO). Refer to Figure 2.

Figure 2: Reporting structure demonstrates IT's purpose
The principal mechanism for ensuring IT alignment is an IT steering committee. The business unit executives identify operating challenges in their workflow, priorities, and desired technical direction.

July 30, 2011

Exam Essentials - Secrets of a Successful Auditor

Know the purpose of policies, standards, guidelines, and procedures. Policies are high-level objectives designated by a person of authority, and compliance to policies is mandatory. Standards ensure a minimum level of uniform compliance to a policy, and compliance to standards is mandatory. Guidelines advise with preferred objectives and useful information in the absence of a standard. Guidelines are often discretionary. Procedures are a cookbook recipe of specific tasks necessary to implement a standard. Compliance to procedures is mandatory.
Know the ISACA standards governing professional conduct and ethics. The auditor is expected to perform with the highest level of concern and diligence. Each audit should be conducted in accordance with professional standards and objectivity, and should implement best practices.
Understand the general purpose of the audit and the role of the IS auditor. The purpose of auditing is to challenge the assertions of management and to determine whether evidence will support management's claims.
Understand an audit role versus a nonaudit role. There are only two roles in an audit. The first role is that of the auditor who performs an objective review, and the second is the role of everyone else. A person cannot be an auditor and also involved in the design or operation of the audit subject.
Understand the importance of IS auditor independence. It is unlikely that an auditor could be truly independent if the auditor were involved with the subject of the audit. Auditor independence is an additional assurance of truth.
Know the difference between discretionary and mandatory language. In regulatory language, the word shall designates a mandatory requirement. The word shall indicates that there is no excuse for failing to meet the stated objective, even if compliance would cause a financial loss. The word should indicates a recommendation that could be optional, depending on the circumstance.
Know the different types of audits. The types of audit are financial, operational (SAS-70), integrated (SAS-94), compliance, administrative, and information systems.
Understand the importance of IS auditor confidentiality. The IS auditor shall maintain confidentiality at all times to protect the client. Sensitive information should not be revealed at any time. Your client expects you to protect their secrets whenever legally possible.
Understand the need to protect audit documentation. The data must be protected with access controls and regular backup. Sensitive information is the property of the owner, and its confidentiality shall be protected by the auditor. A document archive is created during the audit and is subject to laws governing record retention.
Know how to use standard terms of reference. The auditor should communicate by using standardized terms of reference to avoid misunderstanding or confusion. The standard terminology should be defined through a mutual agreement at the beginning of the audit.
Understand application of the evidence rule. Audit evidence needs to be confirmed or verified to ensure that it is actually used in the production process.
Identify who the auditor may need to interview. The IS auditor needs to consider the roles of data owner, data user, and data custodian when selecting persons to interview. Data owners specify controls, data users are to follow acceptable usage requirements, and custodians protect the information while supporting data users.
Understand the organizational structure. Officers of an organization are usually persons with the title of vice president or higher, up to the board of directors. Department directors, managers, and staff workers are seldom liable for the organization, unless criminal activity is involved.

July 26, 2011

Identifying Roles in a Consulting Firm Organizational Structure

Now we will look at the structure of a typical consulting firm. A consulting firm is a hybrid organization. Internal clerical and support functions are similar to those in a typical business. The consulting side of the firm uses functional management positions. The staff is allocated according to temporary project assignments. At the end of each engagement, the staff will be reallocated by either returning to the available resource pool or by becoming unemployed until the next engagement.
Figure 1 illustrates the organizational structure of a typical audit firm.

Figure 1: A typical auditing firm organizational chart
We'll review the structure here:
Managing Partner A managing partner refers to a C-level executive in the consulting practice. This could be a position equal to a corporate president. Managing partners have the responsibility and authority to oversee the business divisions. Various partners in the firm will report to the managing partner.
Partner A partner is equivalent to a divisional president or vice president and is responsible for generating revenue. Their role is to represent the organization and provide leadership to maximize income in their market segment. Partners are required to maintain leadership roles in professional organizations and to network for executive clients. Most partners have made financial commitments to produce at least $15 million in annual revenue along with supporting other business management functions. The partner and all lower managers are responsible for professional development of the staff.
Engagement Manager This is a director-equivalent position with the responsibility of managing the client relationship. The engagement manager is in charge of the audit's overall execution and the audit staff. The engagement manager is responsible for facilitating the generation of new income opportunities from the client.
Senior Consultant This is a field manager whose responsibilities include leading the daily onsite audit activities, interacting with the client staff, making expert observations, and managing staff assigned to the audit.
Consultant This is a lead position carrying the responsibility of interacting with the client and fulfilling the audit objectives without requiring constant supervision. A consultant is often promoted by demonstrating an ability to fulfill the job of senior consultant or supporting manager.
Systems Analyst This is usually an entry-level position. Often the individual is selected for their ambition and educational background and may be fresh out of college. Systems analysts perform some lower-level administrative tasks as they build experience.

July 18, 2011

Identifying Roles in a Corporate Organizational Structure

Businesses are focused on generating money for investors. There will always be some type of management hierarchy in order to maintain control. Government and nonprofit organizations will use a similar control hierarchy; however, the titles will be different. For government and nonprofit organizations, the term mission objectives would be substituted for the term revenue.
Figure 1 illustrates a typical business corporation.

Figure 1: A typical business organizational chart
Let's start at the top of the diagram and work our way down:
Board of Directors The board of directors usually comprises key investors and appointed advisers. These individuals have placed their own money at stake in the hopes of generating a better return than the bank would pay on deposits. Board members are rarely—usually never—involved in day-to-day operations. Some members may be retired executives or run their own successful businesses. Their job is to advise the CEO and the CFO. Most organizations indemnify board members from liability; however, government prosecutors will pursue board members if needed.
Audit and Oversight Committee The members of the board will have a committee comprising directors outside of the normal business operations. Executives from inside the organization can come to the committee for guidance and assistance in solving problems. This committee has full authority over all the officers and executives. They can hire or fire any executive. Each audit committee has full authority with a charter to hire both internal and external auditors. Auditors are expected to discuss their work with the audit committee. An auditor has the right to meet in private to discuss issues with the audit committee once a year without the business executives present. If auditors discover certain matters that stockholders should be informed about, the auditor shall first bring it to the attention of the audit committee. Regulations such as SOX require that all significant weaknesses be disclosed to the audit committee every 90 days.
Chief Executive Officer (CEO) The CEO is primarily focused on generating revenue for the organization. The CEO's role is to set the direction and strategy for the organization to follow. The CEO's job is to find out how to attract buyers while increasing the company's profits. As a company officer, the CEO is liable to government prosecutors. Corporate officers have signing authority to bind the organization.
Chief Operating Officer (COO) The COO is dedicated to increasing the revenue generated by the business. This is a delegate in charge of making decisions on behalf of the CEO with assistance from the CFO. COOs are often found in larger organizations. As a company officer, the COO is liable to government prosecutors.
Chief Financial Officer (CFO) The CFO is in charge of controls over capital and other areas, including financial accounting, human resources, and IS. Subordinates such as the CIO usually report to the CFO. As a company officer, the CFO is liable to government prosecutors.
Chief Information Officer (CIO) The CIO is subordinate to the CFO. The CFO is still considered the primary person responsible for internal control. A CIO might not be a true company officer, and this title may bear more honor than actual authority, depending on the organization. An exception may be a CIO in corporate headquarters. The CIO has mixed liability, depending on the issue and the CIO's actual position in the organization.
President/General Manager The president, sometimes referred to as the general manager, is the head of a business unit or division. As a company officer, the president/general manager is usually liable to government prosecutors. Regulations such as SOX encourage management to require all divisional presidents and controllers to sign integrity statements in an effort to increase divisional officer liability.
Vice President (VP) The vice president is the second level of officer in a business unit or division. As a company officer, the vice president is usually liable to government prosecutors.
Department Directors (Line Management Position) Typically directors are upper-level managers supervising department managers and do not have company officer authority. In large organizations, you may encounter a major-level director and minor-level director.
Managers and Staff Workers Managers are responsible for providing daily supervision and guidance to staff members. Staff members may be employees or contractors working in the staff role. Managers and staff members are seldom held responsible for the actions of a company unless they knowingly participate in criminal activity.

July 2, 2011

Stakeholders: Identifying Who You Need to Interview

As an IS auditor, it is important for you to be cognizant of whom you should be interviewing, and how long those interviews should take. Every auditor will frequently face a time crunch due to the customer's schedule or other issues. You will need to pay particular attention to the value of the others’ time. Consider the work outage created when you take someone out of their job role to spend time with you. Will it be necessary to backfill their position by providing a substitute during this time away?
Think for a moment of what it would cost the organization for a key executive to spend 15 minutes with you. This executive's time may be measured in personal compensation or by the revenue they generate for the organization. Top executives, such as the CEO, will have compensation packages that include both money and substantial shares of stock. Based on total compensation, the CEO may be receiving several thousand dollars per hour or more.
Former Walt Disney CEO Michael Eisner received total compensation equal to $27,000 per hour, which was equivalent to approximately 0.18 percent of the revenue generated under his leadership during the same time period.
The moral is that to justify 15 minutes of somebody's time, you better have something to discuss that is of greater value than that person's prorated value to the organization (greater than prorated revenue + compensation). Consider the cost for a meeting of high-level executives. You need to ensure that the time spent is relevant and remains focused on the audit objectives. The savvy auditor respects the value of a person's time.
Every system will have an inherent need for controls. The auditor needs to ensure that discussions occur with the correct individuals concerning appropriate controls. Three basic IT-related roles exist for every system: owner, user, and custodian. Table 1 shows examples of individuals with their associated roles and responsibilities.
Table 1: Responsibilities of data owner, user, and custodian
Data owner (example: vice president)
  • Determine classification
  • Specify controls
  • Appoint custodian
Data user (examples: internal business user, business partner, business client via the web)
  • Follow acceptable usage requirements
  • Maintain security
  • Report violations
Data custodian (examples: database administrator, production programmer, system administrator)
  • Protect information
  • Ensure availability
  • Implement and maintain controls
  • Provide provisions for independent audit
  • Support data users
These individuals don't have to work in the IT department. On the contrary, these roles exist regardless of the individual department boundaries. If someone performs the function, the responsibility of the role applies to that person. No exceptions. If a person performs two roles, two sets of responsibilities apply. If someone performs all three roles, either it's a one-person operation or you need to have a talk about separation of duties and the value of their data.

June 20, 2011

Working with IT Professionals

Most IT professionals can be divided into two categories: supporting roles (IT) or programmers (IS). Let's take a moment to focus on their viewpoints and concerns:
IT Supporting Roles These individuals include help desk, user support, server administrators, and network administration. Their scope of influence is on purchasing, installing, and supporting off-the-shelf products. Therefore, the solutions they propose may follow a specific vendor's product line rather than consider other options. In the media business, 99 percent of all solutions will be based on using Apple computers because of the well-known advantages in the complex media production workflow. Generally, Microsoft users work in an office environment, where productivity is based on a simpler workflow of independent tasks: email, word processing, spreadsheets, and less-sophisticated presentations such as PowerPoint. Whether it's Apple or Microsoft Windows users, we are usually referring to commercial off-the-shelf software.
The IT viewpoint of system security is limited to functions such as enabling/disabling settings, running system scanners (antivirus, port, or services analyzer), loading vendor patches, making data backups, and following physical security procedures. IT support systems are primarily geared toward detecting attacks through "known" system vulnerabilities. A defense against attacks on middleware is utterly rare. Middleware is every program or driver that sits between the user interface and the user's data. IT staff very rarely change a complete series of default settings when installing programs, for fear of creating support headaches. IT people almost never run the custom installation, nor should the auditor expect IT operations to delete unnecessary lines of program code from an open source software package. The highest security impact rests on the programmers.
IS Programmers Programmers actually decide on the security architecture while designing and writing the software application. This applies to both end-user applications as well as to operating systems. Building in-depth security can be a real pain to developers because the user may never even see it. For programmers, the security is predicated on the services and protocols they choose to use, port numbers, add-in functions by embedding smaller programs, and logic procedures. Advanced yet required security functions such as encrypted databases are dependent on complex key management, often requiring skills beyond the typical programmer.
Today the vast majority of breaches occur through exploiting design faults in software applications. Common hacker targets include embedded login IDs with passwords stored in scripts so that programs can interact with other programs. These new attacks against overlooked or ignored program weaknesses are referred to as zero-day attacks because they use specialized types of circumvention not previously known to IT support staff.
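An auditor's check for the weakness named above, as an added example that is not code from the original post or from ISACA: it scans a constructed sample script for a login ID and password embedded as literals, reports each hit with the secret redacted so the finding can go into the working papers, and shows the hardened alternative where the script carries only the name of the secret. Every file name, variable name and credential value below is constructed.

```python
"""Auditor's check for credentials embedded in scripts (added example)."""
import os
import re
from typing import List, Mapping, Optional, Tuple

# Heuristic patterns for a credential assigned or passed as a literal.
# Each regex captures the literal in a group named "secret" so the report can
# redact it instead of copying the secret into the working papers.
CREDENTIAL_PATTERNS = [
    ("password assignment",
     re.compile(r"""(?i)(?:pass(?:word|wd)?|pwd)\s*[:=]\s*['"](?P<secret>[^'"]+)['"]""")),
    ("API key / token assignment",
     re.compile(r"""(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*['"](?P<secret>[^'"]+)['"]""")),
    ("credential in connection URL",
     re.compile(r"""(?i)[a-z][a-z0-9+.-]*://[^/\s:@'"]+:(?P<secret>[^@\s'"]+)@""")),
]

# Constructed sample: a nightly sync job of the kind the post describes,
# where one program logs in to another using credentials written into the script.
SAMPLE_SCRIPT = """\
#!/bin/sh
# nightly sync between the order system and the billing system (constructed)
BILLING_USER="sync_bot"
BILLING_PASSWORD="Summer2011!"
curl -u "$BILLING_USER:$BILLING_PASSWORD" https://billing.example/api/export
psql postgres://reporting:Rep0rt5@db.example:5432/orders -c "COPY orders TO STDOUT"
API_TOKEN='tok_live_51abc'
"""

Finding = Tuple[int, str, str]  # (line number, finding label, redacted excerpt)


def redact(secret: str) -> str:
    """Keep the first character and the length so the finding can be verified
    against the source without reproducing the secret."""
    return f"{secret[0]}{'*' * (len(secret) - 1)} ({len(secret)} chars)"


def scan_script(text: str) -> List[Finding]:
    """Return one finding per line that assigns or passes a credential literal."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments and the shebang are not live credentials
        for label, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((lineno, label, redact(match.group("secret"))))
                break  # one finding per line is enough for the report
    return findings


def credential_from_environment(var_name: str,
                                env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened alternative: the script names the secret, and the scheduler or a
    secret store supplies it at run time. Fail closed rather than fall back to
    a built-in default."""
    source = os.environ if env is None else env
    value = source.get(var_name)
    if not value:
        raise RuntimeError(f"required secret {var_name} is not set; refusing to run")
    return value


if __name__ == "__main__":
    for lineno, label, excerpt in scan_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {label}: {excerpt}")
    # The hardened job reads only the name of the secret (value supplied here
    # as a constructed stand-in for what a secret store would export).
    print(credential_from_environment("BILLING_PASSWORD", {"BILLING_PASSWORD": "set"}))
```

The patterns are heuristics, so a line that references a credential through a variable (line 5 of the sample) is not flagged and still deserves a manual look during the review.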

June 7, 2011

Secrets of a Successful Auditor

Working with Lawyers

There is much discussion concerning who should hire the auditor. Should it be the client or the client's lawyer? At stake is the legal argument of confidentiality under attorney-client privilege. Most communication between lawyers and the client may be exempt from legal discovery (disclosure). But there is no such legal protection to hide fraudulent activities or conspirators involved.
We suggest that you ask the client. If necessary, the lawyer could issue a letter authorizing the auditor's work on the client's behalf. As an auditor, you have to be able to do your job without intimidation in order for it to be fair and honest work. This should be spelled out in the audit charter or your engagement letter. A good auditor will leave the legal issues to the lawyers and focus on performing a good audit. Truth often serves as an excellent defense.

Working with Executives

New auditors will notice that pressing attitudes in executive management may be different from what you expect. Executives are usually very concerned about the following basic issues:
Current Sales This is the primary indicator of the health of a business. (In government circles, the same concern would be funding.) In a down economy, executives will be seriously focused on how to restore revenue. In executive circles, we regard our jobs as temporary—the job lasts only as long as we report good financial gains. It takes only a few months or two quarters of poor financials before investors will seek to replace the executives in charge, depending on the organization.
Operating Costs Executives keep a watchful eye on operating expenses, capital purchases, payroll, and anything else that has a major effect on financial reporting.
Opportunity Executives are watchful of the present market. What opportunities lay ahead that we should focus on exploiting? These opportunities will create interest in reorganizing the business, adding or reducing staff, and repurposing product lines or services to gain market share.
Executive interest in compliance is based on supporting needs in the preceding three concerns: opportunity, sales, and reducing operating costs.
Most executives understand that legal interpretations usually immunize executives for business decisions made within the power of the organization charter, with proper authority and in good faith, using whatever information was available at the time, indicating due care was used. It is highly unusual to find that any deep research was used in the initial decisions.

May 29, 2011

Understanding the Importance of Auditor Confidentiality

Many people are envious of the CISA's position. They see nice cars, lunches with important people, expensive suits, and comfortable expense accounts. Nobody seems to pay attention to the humorous situation of six auditors sharing one folding table while sitting in a closet, balancing laptop computers with only one network jack and one telephone to share. Frankly, the auditor position grants you the luxury of being well-paid observers with professional benefits. Occasionally, your office and travel accommodations may not be the best. However, the reality is that most people look up to auditors with respect.
Your clients expect you to be authoritative and professional regardless of the circumstances. Your office is mobile, so you are depended on to handle decisions in the field. Your clients include the highest levels of management within an organization. Those clients expect you to assist them with your observations and occasional advice. You will deal with the challenges of providing advice in a manner that does not interfere with the independent audit. Remember the independence question raised earlier in this chapter?
Personnel at every level of your client's organization have an expectation of your appearance. You are going to be judged by your speech, mannerisms, clothing, and grooming. You should always wear professional attire to a level more formal than the attire of your client. Your neat and pressed appearance instills respect and confidence. Your courtesy of manner and speech dictates that you should use reassuring words. Any humor by the auditor should always be restrained and professional.

The client entrusts the auditor with sensitive information. A good auditor would never betray that confidence nor allow sensitive information to be revealed at any time. Any breach of confidentiality would be unforgivable. It is conceivable that during your audit, you may discover information that could cause some level of damage to the client if disclosed. You should prepare for the possibility of detecting irregular or even illegal acts that have occurred.
To protect yourself, you must exercise caution and least privilege in all activities. The concept of least privilege refers to providing only the minimum information necessary to complete a required task. It is the auditor's responsibility to implement security controls to maintain confidentiality. Auditors use working papers composed of reports, checklists, and spreadsheets that contain details plus secrets that need to be protected. The information you're privy to may be alarming to some, damaging to others, or trigger additional actions by a perpetrator.
To ensure confidentiality, the auditor should adopt the following operating principles:
  • Sensitive information is the property of the owner and should not be removed from the owner's office by the auditor.
  • The auditor should contact legal counsel for advice concerning confidentiality and laws that would dictate disclosure to authorities. You should follow basic principles of confidentiality at all times.
  • Many auditors use automated working papers (WPs) during an audit. Spreadsheets and report-writing templates are common tools to increase efficiency. We refer to audit checklists, procedures, computer-generated output, templates, and databases as working papers. The next level of automation is entering our workplace to aid even the smallest auditor. This includes more-advanced database automation, evidence tracking, and report-generation tools. The data must be protected with access control and regular data backup. Make sure to back up your work. It would be unforgivable to lose your audit work and client data by failing to implement your own recommended controls.
  • Every auditor should seriously consider using locking security cables and privacy viewing screens for laptops. You will gain respect by demonstrating your concern for maintaining confidentiality while protecting assets. The laptop could still be stolen with broken parts lying on the floor, but at least you would have some evidence that the theft was not completely your fault. At prior audit firms where I worked, these controls were mandatory for continued employment.
  • A document file archive is created during each audit. The archive is subject to laws governing records retention. Every auditor is advised to leave all records in the custody of the client unless criminal activity is suspected. The client shall maintain sole responsibility for the safe retention of the archive.

May 20, 2011

Audits to Prove Financial Integrity

IS auditors may be engaged in a variety of audits. The only fundamental difference between internal and external audits is auditor independence. Although the focus and nature of the audit may vary from time to time, your audit function and responsibilities will remain constant.
Government interpretation of laws and regulations has determined that financial audits and internal controls are interrelated. Medium-to-large businesses undergo a quarterly audit for their financial statements. The goal is to ensure that the executives are held accountable for the accuracy of financial reports. IS auditors are called upon to determine whether the systems used for financial reporting are secure and trustworthy. This connects the integrity of the financial statement to the integrity of the IS environment. You could not ensure the integrity of one without verifying the other.
If financial integrity problems are discovered, a common legal strategy is to claim someone else committed any offenses creating misrepresentation. However, a well-managed IS environment prevents and detects unauthorized modifications. It takes a series of strong controls to help prove who to hold accountable.
As an example, consider the requirements specified under SOX for public corporations. There are two critical reporting functions that management must fulfill under SOX:
  • SOX Act section 906 statement, in which management attests to the integrity of financials and indicates that no hidden or questionable transactions exist
  • SOX Act section 302 statement, in which management attests that full disclosure of the section 401–404 internal controls has been made to the audit committee, and that no deficiencies or weaknesses were withheld
Management must make their assertions of compliance without reliance on the auditor. The intention of these two statements is to bind management with liability. SOX is essentially a disclosure law. Its purpose is to provide government authorities with a method of ensuring criminal prosecution of corporate officers if management misrepresents the truth.

May 10, 2011

Specific Regulations Defining Best Practices | Implementing Audit Standards

Let's review the basic purpose of several major regulations (see Figure 1). These are predominantly U.S. regulations with worldwide compliance implications due to global outsourcing.

Figure 1: Sample of regulations defining best practices
Every regulation is designed to mandate the minimum acceptable requirements for conducting any form of business within that specific industry. The auditor must remain aware of two types of statements contained in all regulations:
Recommended (Discretionary) These are statements that usually contain the word should: for example, suggested management responsibilities, staffing, control mechanisms, or technical attributes.
Required (Mandatory) These are statements that contain the word shall. Shall indicates that the statement is a commandment of compliance; it is not optional. The auditor must remember that failing to meet a required shall objective is a real concern, because the regulations exist to protect the public at large.
Extraordinary justification would usually be required to prove that the organization's actions do not fall under the jurisdiction of the regulation. The regulator will accept no excuses without a major battle, and on almost every occasion will win any dispute. Most juries are composed of individuals who interpret claims using basic common sense, without detailed knowledge of the particular industry. Almost every excuse offered for violating a regulatory objective has failed in court.
Each organization in that market is required to meet the objective regardless of cost or revenue. In other words, the organization must comply even if compliance causes it to lose money. Failure to make a profit is not a valid exemption from the law. The organization must achieve compliance or face fines, sanctions, and possibly a forced exit from the industry. The auditor may need to consult a lawyer for advice upon discovery of significant violations.

April 14, 2011

ISACA IS Audit Standards

The members of ISACA are constantly striving to advance the standards of IS auditing. CISAs should check the ISACA website for updates on a quarterly basis. ISACA added five new standards during 2006-2007 to clarify the minimum level of performance. The current body of ISACA IS Audit Standards is numbered S1 through S16:

S1 Audit Charter The audit charter authorizes the scope of the audit and grants you responsibility, authority, and accountability in the audit function.

S2 Independence Every auditor is expected to demonstrate professional and organizational independence.

S3 Professional Ethics and Standards of Conduct The auditor must act in a manner that denotes professionalism and respect.

S4 Professional Competence The auditor must have the necessary skills to perform the audit. Continuing education is required to improve and maintain skills.

S5 Planning Successful audits are the result of advance preparation. Proper planning is necessary to ensure that the audit will fulfill the intended objectives.

S6 Performance of Audit Work This standard provides guidance to ensure that the auditor has proper supervision, gains the correct evidence to form conclusions, and creates the required documentation of the audit.

S7 Audit Reporting The auditor report contains several required statements and legal disclosures. This standard provides guidance concerning the contents of the auditor's report.

S8 Follow-up Activities The follow-up activities include determining whether management has taken action on the auditor's recommendations in a timely manner.

S9 Irregularities and Illegal Acts This standard outlines how to handle the discovery of irregularities and illegal acts involving the auditee.

S10 IT Governance This standard covers the authority, direction, and control of the information technology function. Technology is now pervasive in all areas of business. Is the auditee properly managing IT to meet their needs?

S11 Use of Risk Analysis in Audit Planning This standard provides guidance for implementing a risk-based approach in audit planning. Risk analysis is used to decide which areas to audit and whether an audit is feasible. Auditors always weigh their own level of competency to conduct the audit. Audit plans should be structured for the maximum return on investment, that is, the greatest impact for the dollar spent.

S12 Audit Materiality Auditors must use evidence that portrays the most accurate story. The absence of controls or a potential weakness may cumulatively result in unacceptable risk to the organization. Ineffective controls, absence of controls, and control deficiencies should be disclosed in the audit report.

S13 Using the Work of Other People It's impossible for the auditor to perform all the work alone. The work of other experts may be included in the audit, provided the auditor is satisfied with their competencies, relevant experience, professional qualifications, independence, and quality control. A scope limitation may be required in the final audit opinion if the other experts do not provide appropriate and sufficient evidence. An expert working in the same area as the one being audited should not be relied on.

S14 Proper Audit Evidence Appropriate evidence includes the written procedures performed by the auditor, source documents, corroborating records, samples, and corresponding test results. Reliable evidence is based on its source, natural state, and authenticity. Audit evidence must be specifically identified, cataloged, and cross-referenced in the audit documentation, via auditor notes and working papers.

S15 Effective IT Controls Working IT controls represent an integral foundation in the organization's overall internal control environment. IS auditors should monitor and evaluate the effect or absence of IT controls. It's necessary to help management understand the IT controls' design, implementation, and methods of improvement. The level of effective controls provided by outsourcing, or their absence, may help or hurt the organization.

S16 Electronic Commerce Controls E-commerce allows the business to conduct electronic transactions with other businesses (business-to-business, or B2B) and directly to consumers (business-to-consumer, or B2C) over the public Internet. E-commerce requires the auditor to implement risk-based audit plans with data-gathering techniques for continuous assurances regarding the security and integrity of the environment. ISACA standard S16 excludes non-Internet-based private networks such as Electronic Data Interchange (EDI) and Society for Worldwide Interbank Financial Telecommunication (SWIFT).
During the audit process, you will find clients are more receptive when your audit goals are linked to specific citations in the audit standards. You should aim to fill a known and defined point of compliance rather than provide a vague statement relating to something you may have read in a textbook. Don't make the mistake of trusting your job to misinformation, rumors, or free advice on the Internet.

Most of the IT controls originated from demands imposed by a government agency. Security started in the military. Budgets and financial tracking were introduced by the banking industry. In fact, the first internal control in business was the budget. Since 1998, additional internal controls have been added each year. Figure 1 demonstrates the relationship of these various sources.

Figure 1: Where I.T. control standards originate

April 12, 2011

Auditor Role versus Auditee Role

There are only two titles for persons directly involved in an audit. First is the auditor, the one who investigates. Second is the auditee, the subject of the audit. A third role, the client, normally exists outside of the audit. ISACA refers to these as audit roles versus nonaudit roles.

Let's clarify the titles and basic roles of these people by their relationship to the audit. We can refer to them as members of the following categories:

Auditor The auditor is the competent person performing the audit.

Auditee The organization and people being audited are collectively called the auditee.

Client The client is the person or organization with the authority to request the audit. A client may be the audit committee, external customer, internal audit department, or regulatory group. If the client is internal to the auditee, that client assumes the auditee role.

Everyone else is considered outside of the audit roles. Audit details should be kept confidential from persons not directly involved as auditee or the client.

Your purpose as an auditor is to be an independent set of eyes that can delve into the inside of organizations on behalf of management or can certify compliance on behalf of everyone in the outside world. Independent means that you are not related professionally, personally, or organizationally to the subject of the audit. You cannot be independent if the audit's outcome results in your financial gain or if you are involved in the auditee's decisions or design of the subject being audited.

When determining whether you are able to perform a fair audit, you should conduct an independence test. In addition, you must remain aware of your responsibility as an auditor under the various auditing standards.

Applying an Independence Test

Here is a simple self-assessment to help you determine your level of independence:
  • Are you auditing something you helped to develop?
  • Do you have any conflicts, circumstances, or attitudes toward the auditee that might affect the audit outcome?
  • Does your personal life include any relationships, off-duty behavior, or financial gain that could be perceived as affecting your judgment?
  • Do you have any organizational relationships with the auditee, including business deals, financial obligations, or pending legal actions?
  • Do you have a job conflict? Does the organizational structure require your position to report to the executive in charge of the area being audited?
  • Did you receive any gifts of value or special favors?
If any answer is "yes," you are not independent. Any conflict will cast a shadow of doubt on the objectivity of the audit findings. Only internal auditors (whose aim is to improve internal performance) can answer yes and still possibly continue the audit. External auditors are required to remain independent during an independent audit. Any potential conflict should be disclosed immediately to the lead auditor. You may be reassigned to eliminate the conflict, or the lead auditor may determine that the impact is low enough for you to remain in the role as long as the client sponsor is aware of the situation. Attempting to hide the truth is a bad idea. No conflict means you are cleared to proceed.

A suitable reply when a client asks you for design advice:

Sir/Madam, In my role as external auditor, I must remain independent of design decisions; otherwise, I would not be able to provide you with the independence and objectivity required. Providing design advice would violate several standards governing auditor independence, including PCAOB Auditing Standard AS-1, Generally Accepted Auditing Standards (GAAS), the ISACA professional standards, and Statements on Auditing Standards 1, 37, and 74 (SAS-1, SAS-37, and SAS-74).

You are encouraged to explain what an auditor looks for during an audit. You must be careful not to participate in design decisions, detailed specifications, or remediation while in the role of auditor. You may be hired to help with remediation; however, you will then be disqualified from auditing any related work. The same principle applies to design work and system operation.

Auditors have the luxury of being able to rely on well-known accounting standards that have been accepted worldwide. The standards were originally developed for financial audits, but their spirit and intent also apply to IS auditing. Frequently, a minor adaptation will provide the foundation and detail necessary for use in IS audits. These standards allow you to render a fair opinion without fear of retribution or liability.

Understanding the Various Auditing Standards

Audits fall into two basic types: those that verify compliance (compliance testing) and those that check the substance and integrity of a claim (substantive testing). Just how does an auditor know what to do in these audits? As an IS auditor, you are fortunate to have several credible resources available to guide you and your clients.

Among these resources are standards and regulations that direct your actions and final opinion. It would be quite rare to depart from these well-known and commonly accepted standards; in fact, you would be in an awkward position if you ever did. By following known audit standards, you are relatively safe from an integrity challenge or individual liability. A good auditor who adheres to the standards operates from a position conceptually equal to a Teflon nonstick coating: nothing negative or questionable sticks to the auditor.

You can learn more about auditing standards by reading and then implementing information provided by the following:
  • American Institute of Certified Public Accountants (AICPA) and International Federation of Accountants (IFAC).
  • Financial Accounting Standards Board (FASB), which issues U.S. accounting standards, and the AICPA Auditing Standards Board, which issues the Statements on Auditing Standards (SAS), numbered 1 through 114, which are referenced and applied by the AICPA and IFAC.
  • Generally Accepted Accounting Principles (GAAP).
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO), providing the COSO internal control framework that is the basis for standards used in global commerce. COSO is the parent framework from which many government and industry control standards are derived.
  • Public Company Accounting Oversight Board (PCAOB), a body overseen by the Securities and Exchange Commission, issuing auditing standards AS-1, AS-2, AS-3, AS-4, and AS-5. PCAOB standards govern audits of public companies under Sarbanes-Oxley (US-SOX); Japan (J-SOX) and the European Union (the so-called E-SOX) have adopted comparable requirements.
  • Organization for Economic Cooperation and Development (OECD), providing guidelines for participating countries to promote standardization in multinational business for world trade.
  • International Organization for Standardization (ISO), which represents the national standards bodies of its member countries.
  • U.S. National Institute of Standards and Technology (NIST), providing a foundation of modern IS standards used worldwide. Combined with the British Standards/ISO (BS/ISO) security standards, they provide a wealth of useful guidance.
  • U.S. Federal Information Security Management Act (FISMA), which specifies minimum security compliance standards for all systems relied on by the government, including the military and systems operated by government contractors. (The U.S. government is the world's largest customer.)
  • Information Systems Audit and Control Association (ISACA) and IT Governance Institute (ITGI), which issue the Control Objectives for Information and related Technology (COBIT) guidelines, derived from COSO with a more specific emphasis on information systems.
  • Basel II Accord, governing risk reduction in banking.
Although this list may appear daunting, remember that all these examples are in fundamental agreement with one another. Each standard uses nearly identical terms of reference and supports similar audit objectives, with somewhat different levels of audit detail or scope. ITGI and ISACA have developed a set of IT internal control standards for CISAs to follow. These incorporate several objectives of the COSO internal control framework, narrowed to focus on IT functions. Let's look at a brief overview of the ISACA standards.