How Does Governance Impact Information Security?
Internal audit (IA) can be a great benefit to an organization. In accordance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, “The Chief Audit Executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.” Such a program must include both internal and external assessments. However, beyond being a requirement of the standards, there is a much better reason to perform such an assessment: the value it can add to the IA activity.
While internal Quality Assessments (QA) include ongoing monitoring of the performance of the IA activity and periodic reviews through self-assessment, external QAs should be conducted at least once every five years by a qualified, independent reviewer from outside the organization. Whether internal or external, the QA will focus on six areas that we’ll cover in this series of blog posts. The first area is internal audit structure.
The foundation of an IA department is its structure, providing basic guidelines by which it operates. The audit charter outlines the purpose, authority and scope, independence, responsibility and reporting requirements of the IA activity. Formal reporting lines—typically to an audit committee or senior executive—indicate the level of internal support and guidance the activity will receive to maintain independence and objectivity throughout execution of the internal audit plan.
Independence is of utmost importance, and care must be taken to ensure the IA reporting structure does not compromise this independence. Even where independence actually exists, the reporting structure can create the appearance that it does not. For instance, IA may report to the vice president (VP) of finance, who in reality understands the need for independence and grants it to the activity. However, if the VP of finance is responsible for the chief audit executive’s (CAE) compensation review and adjustment, the appearance of independence might be compromised when IA audits functions (such as treasury) that also report to the VP of finance. There could be concern that, since the VP of finance controls the CAE’s compensation adjustments, the CAE may issue favorable results for audits of functions that report to the VP of finance.
The QA reviewer must decide whether the various policies and procedures, coupled with the activity’s purpose and reporting structure, provide an appropriate infrastructure to add value to the company while following the strict guidelines of the profession.
The Institute of Internal Auditors (IIA) guidelines focus on a “risk-based” approach to ensure activities concentrate on the most critical risk areas and allow the IA activity to add value. While there are as many theories and approaches to conducting a risk assessment as there are auditors, the objective of every approach is the same: measure individual risks and develop an annual audit plan from the results.
One of the biggest concerns in this area is that available staffing actually drives the audit plan, rather than a true risk assessment. Too often, an IA activity “backs into” an audit plan based on available staffing. A risk assessment should be completed first, and then consideration should be given to whether staffing levels are adequate to address the major risks identified. If audits identified as needed during the risk assessment process are deferred or rescheduled due to inadequate staffing levels, this must be communicated to management, and management must accept these risks during the current plan year or agree to additional hired or contracted staffing to complete the plan.
As with any profession, the tools of the trade are required. In this case, the auditor(s) must possess appropriate skills, experience and competencies to perform the work. In addition, the organization must provide ongoing support and continuing education to keep skills current. The chief audit executive must decide the makeup of the audit team based on the industry and risk assessment results. Degrees and certifications expected of each staff member, e.g., financial, operational or information technology, are driven by the audit base.
Many IA teams don’t have the appropriate IT skills to audit every identified risk. Rather than the organization acquiring the needed skill sets—either through hiring or a co-sourcing arrangement—many simply eliminate IT audits from their annual audit plan or “water down” the scope of the audits and have a financial auditor perform the work. In addition, many perform IT audits separately from the non-IT audits when an integrated audit approach is preferable. It’s rare for any organization to operate without significant IT applications, and controls related to these applications affect operations throughout the organization.
One common criticism of IA teams relates to the timeliness of reporting results—by the time results are tallied and reviewed and reports are drafted and scrutinized, audit results can be months old. Such an observation is often noted during a QA. However, data mining technologies now allow IA teams to immediately add value and improve timeliness by performing tests through continuous auditing techniques and methodologies.
Continuous auditing has been used for years and continues to gain popularity as data mining technologies improve. When continuous auditing is used, testing is performed by extracting current data on a continuous, routine basis, e.g., daily, weekly, monthly, and data reports are often generated by exception only. This results in a much more efficient use of the internal auditor’s time since exceptions requiring a follow-up already have been identified. It also allows for testing over an entire population versus a sample of items.
For example, an organization wants to implement continuous auditing procedures to help identify potential fraudulent payments made through the accounts payable process. Procedures could be implemented to identify real-time payments to vendors who share an employee’s name or address or payments sent to vendors at a post office box or mailbox service address. Real-time investigations of such payments could help quickly identify whether fraudulent payments have begun.
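As an added illustration of the accounts-payable test described above (example code written for this post, not BKD’s or any client’s procedures), here is an exception-only check over a constructed employee master and one day’s payment extract; the matching rules, the abbreviation table and all names and addresses are assumptions:

```python
import re

# Street-type abbreviations applied during normalization so that "Avenue"
# and "Ave." compare equal. Extend as needed for the address data in use.
ABBREV = {"avenue": "ave", "street": "st", "road": "rd", "drive": "dr", "suite": "ste"}

# PO boxes and commercial mailbox services ("PMB" = private mailbox number).
MAILBOX_RE = re.compile(r"\b(p\.?\s*o\.?\s*box|post office box|pmb|private mailbox)\b", re.I)

# Constructed sample data: a small employee master and one day's AP payments.
EMPLOYEES = [
    {"name": "Dana Rivera", "address": "14 Elm Street, Springfield, IL 62701"},
    {"name": "Lee Park", "address": "9 Oak Avenue, Springfield, IL 62702"},
]
PAYMENTS = [
    {"id": "P-1001", "vendor": "Acme Supply Co", "address": "200 Industrial Way, Peoria, IL 61602", "amount": 1250.00},
    {"id": "P-1002", "vendor": "Lee Park Consulting LLC", "address": "PO Box 4471, Springfield, IL 62705", "amount": 3400.00},
    {"id": "P-1003", "vendor": "Oak Avenue Services", "address": "9 Oak Ave., Springfield IL 62702", "amount": 780.50},
    {"id": "P-1004", "vendor": "Midwest Printing", "address": "1200 Main St, PMB 310, Champaign, IL 61820", "amount": 415.00},
]

def normalize(text):
    """Lower-case, drop punctuation, collapse whitespace, abbreviate street types."""
    words = re.sub(r"[^a-z0-9 ]", " ", text.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def flag_payments(payments, employees):
    """Return only the payments that trip a rule, each with its reasons (exception-only report)."""
    emp_names = {normalize(e["name"]): e["name"] for e in employees}
    emp_addrs = {normalize(e["address"]): e["name"] for e in employees}
    exceptions = []
    for p in payments:
        reasons = []
        vendor, addr = normalize(p["vendor"]), normalize(p["address"])
        for name, who in emp_names.items():
            if name in vendor:
                reasons.append(f"vendor name contains employee name ({who})")
        if addr in emp_addrs:
            reasons.append(f"vendor address matches employee address ({emp_addrs[addr]})")
        if MAILBOX_RE.search(p["address"]):
            reasons.append("vendor address is a PO box or mailbox service")
        if reasons:
            exceptions.append({"id": p["id"], "amount": p["amount"], "reasons": reasons})
    return exceptions

if __name__ == "__main__":
    # Daily run: only exceptions are printed, so the auditor reviews three items, not the whole population.
    for e in flag_payments(PAYMENTS, EMPLOYEES):
        print(e["id"], e["amount"], "; ".join(e["reasons"]))
```

In a real deployment the employee master and payment extract would be pulled from the HR and AP systems on the chosen schedule, and each flagged item would be routed for follow-up rather than printed.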
When assessing the value added by IA activity, a QA should determine if continuous auditing procedures are in place, and if not, whether implementing such procedures would benefit the organization.
The timely issuance of reports after field work and completion of planned audits are important metrics for gauging the effectiveness of the IA team, but the value added by the team is another metric that has gained importance. Chief audit executives are beginning to view the QA as an opportunity to validate their actions to their audit committees and build credibility. Recommendations that increase the value added to their organizations contribute to management’s perception of an IA group as a go-to partner and consultant that has the organization’s best interests as its top priority. Such recommendations typically include those that result in cost savings or increase process efficiencies.
The final area to consider is Engagement Planning, Execution, Workpaper Review & Reporting. Did appropriate planning and risk assessment take place for each engagement? Did the steps in the audit work programs achieve the engagement’s objectives? Were all the audit’s conclusions and results adequately supported in the workpapers? Did appropriate results reporting occur in a timely manner during the audit and after its completion?
A formal methodology and approach is required to ensure all work is properly planned and reviewed. Most IA departments are good at exercising basic procedures to review the quality of supporting workpapers for specific audits. Occasionally, exceptions are noted in relation to the sufficiency of the evidence, the timeliness of audit management’s sign-off on the work, or a reviewer’s ability to re-perform the work to validate its completeness and accuracy.
Once the independent reviewer has assessed the six areas covered in this series, a report is issued that opines on the IA team’s conformance to the standards. Also included in this report are observations and recommendations to improve the IA department’s structure, staffing and deployment of resources and add value.
How BKD CPAs & Advisors Can Help
BKD’s Enterprise Risk Solutions (ERS) practice provides specialized resources that deliver the right combination of expertise and skills to achieve integrated results. Our ERS division features experienced professionals who provide Quality Assessment services to organizations seeking to improve their IA activity’s effectiveness and value. Contact us to learn more.