There are only two titles for persons directly involved in an audit. First is the auditor, the one who investigates.
Second is the auditee, the subject of the audit. A third role exists which is normally outside of the audit, known as the client. ISACA refers to these as audit roles versus nonaudit roles.
Let's clarify the titles and basic roles of these people by their relationship to the audit. We can refer to them as members of the following categories:
- Auditor: The auditor is the competent person performing the audit.
- Auditee: The organization and people being audited are collectively called the auditee.
- Client: The client is the person or organization with the authority to request the audit. A client may be the audit committee, an external customer, the internal audit department, or a regulatory group. If the client is internal to the auditee, that client assumes the auditee role.
Everyone else is considered outside of the audit roles. Audit details should be kept confidential from persons not directly involved as auditee or the client.
Your purpose as an auditor is to be an independent set of eyes that can delve into the inside of organizations on behalf of management or can certify compliance on behalf of everyone in the outside world. Independent means that you are not related professionally, personally, or organizationally to the subject of the audit. You cannot be independent if the audit's outcome results in your financial gain or if you are involved in the auditee's decisions or design of the subject being audited.
When determining whether you are able to perform a fair audit, you should conduct an independence test. In addition, you must remain aware of your responsibility as an auditor under the various auditing standards.
Here is a simple self-assessment to help you determine your level of independence:
- Are you auditing something you helped to develop?
- Are you free of any conflicts, circumstances, or attitudes toward the auditee that might affect the audit outcome?
- Is your personal life free of any relationships, off-duty behavior, or financial gain that could be perceived as affecting your judgment?
- Do you have any organizational relationships with the auditee, including business deals, financial obligations, or pending legal actions?
- Do you have a job conflict? Does the organizational structure require your position to work under the executive in charge of the area being audited?
- Did you receive any gifts of value or special favors?
If any answer is "yes," you are not independent. Any conflicts will place a shadow of doubt on the objectivity of the audit findings. Only internal auditors (whose aim is to improve internal performance) can answer yes and still possibly continue the audit. External auditors are required to remain independent during an independent audit. Any potential conflicts should be disclosed immediately to the lead auditor. You may be reassigned to eliminate the conflict. The lead auditor may determine that the impact is low enough that you can remain in the role as long as the client sponsor is aware of the situation. Attempting to hide the truth is a bad idea. No conflict means you are cleared to proceed.
Sir/Madam: In my role as external auditor, I must remain independent of design decisions; otherwise, I would not be able to provide you the independence and objectivity required. Providing design advice would be a violation of several standards governing auditor independence, including public corporation audit standard AS-1, GAAP audit practices, ISACA professional standards, and Statements on Auditing Standards 1, 37, and 74 (SAS-1, SAS-37, and SAS-74).
You are encouraged to explain what an auditor looks for during an audit. You must be careful not to participate in design decisions, detailed specification, or remediation during your role as the auditor. You may be hired to help with remediation; however, you will be disqualified from auditing any related work. The same principle applies to design work and system operation.
Auditors have the luxury of being able to rely on well-known accounting standards that have been accepted worldwide. The standards were originally developed for financial audits, but their spirit and intent also apply to IS auditing. Frequently, a minor adaptation will provide the foundation and detail necessary for use in IS audits. These standards allow you to render a fair opinion without fear of retribution or liability.
There are two basic types of audit: an audit either verifies compliance (a compliance test) or checks the substance and integrity of a claim (a substantive test). Just how does an auditor know what to do in these audits? As an IS auditor, you are fortunate to have several credible resources available to assist you and guide your clients.
Among these resources are standards and regulations that direct your actions and final opinion. It would be quite rare to depart from these well-known and commonly accepted regulations. In fact, you would be in an awkward situation if you ever departed from the audit standards. By following known audit standards, you are relatively safe from an integrity challenge or individual liability. By adhering to audit standards, a good auditor can operate from a position that is conceptually equal to Teflon nonstick coating. Nothing negative or questionable could stick to the auditor.
You can learn more about auditing standards by reading and then implementing information provided by the following:
- American Institute of Certified Public Accountants (AICPA) and International Federation of Accountants (IFAC).
- Financial Accounting Standards Board (FASB) with Statement on Auditing Standards (SAS), standards 1 through 114, which are referenced and applied by the AICPA and IFAC.
- Generally Accepted Accounting Principles (GAAP).
- Committee of Sponsoring Organizations of the Treadway Commission (COSO), providing the COSO internal control framework that is the basis for standards used in global commerce. COSO is the parent for the standards used by governments around the world.
- Public Company Accounting Oversight Board (PCAOB) of the Securities and Exchange Commission, issuing audit standards AS-1, AS-2, AS-3, AS-4, and AS-5. PCAOB is the standards body for Sarbanes-Oxley, including the international implementation by the Japanese government and European Union (US-SOX, J-SOX and E-SOX).
- Organization for Economic Cooperation and Development (OECD), providing guidelines for participating countries to promote standardization in multinational business for world trade.
- International Organization for Standardization (ISO), which represents participation from more than member governments.
- U.S. National Institute of Standards and Technology (NIST), providing a foundation of modern IS standards used worldwide. When combined with British Standards/ISO (BS/ISO), you get a wonderful amount of useful guidance.
- U.S. Federal Information Security Management Act (FISMA), which specifies minimum security compliance standards for all systems relied on by the government, including the military and those systems operated by government contractors. (The U.S. government is the world's largest customer.)
- Information Systems Audit and Control Association (ISACA) and IT Governance Institute (ITGI), which issue the Control Objectives for IT (COBIT) guidelines; these are derived from COSO with a more specific emphasis on information systems.
- Basel Accord Standard II (Basel II), governing risk reduction in banking.
Although this list may appear daunting, it is important to remember that all these examples are in fundamental agreement with each other. Each standard supports nearly identical terms of reference and similar audit objectives; they differ only slightly in the level of audit or the audit scope. ITGI and ISACA have developed a set of IT internal control standards for CISAs to follow. These incorporate several objectives of the COSO internal control standard, narrowed to focus on IT functions. Let's look at a brief overview of the ISACA standards.