This chapter is not intended to be an Auditing 101 course because entire volumes have been written on that topic. Nor is it intended to be a recitation of auditing standards and guidelines, which also are subjects of other books. However, this chapter will provide some guidance on how to best execute the audit process so as to ensure that your information technology (IT) audit team is as effective as possible.
After this chapter, we will have concluded our overview discussions and will be ready to move on to Part II, where we will discuss the specifics on how to audit various technologies and processes.
Before beginning our discussion of the audit process, it is important to ensure that we all have an understanding of one of the most basic concepts by auditing. All through Chapter 1 we discussed the fact that the real mission of the internal audit department is to help improve the state of internal controls at the company. But what are internal controls? If you don't know the answer to this question, then it will obviously be difficult to accomplish the department's mission. We won't spend much time on this, for fear of turning this book into the aforementioned Auditing 101 course, but the topic does warrant a few paragraphs.
Internal controls, stated in the simplest terms, are those mechanisms that ensure the proper functioning of processes within the company.
Every system and process within a company exists for some specific business purpose. The auditor must look for the existence of risks to those purposes and then ensure that internal controls are in place to mitigate those risks.
Controls can be preventive, detective, or reactive and have administrative, technical, and physical implementations. Examples of administrative implementations are items such as policies and processes. Technical implementations are the tools and software that logically enforce control (such as passwords). Physical implementations include controls such as guards and locked doors (Figure 2-1).
Figure 2-1: Types of internal controls and their implementation.
Preventive controls stop a bad thing from happening. For example, requiring a user ID and password for access to a system is a preventive control. It prevents (theoretically) unauthorized people from accessing the system. From a theoretical standpoint, preventive controls are always preferred, for obvious reasons. However, when performing audits, it is important to understand that preventive controls are not always the cost-effective solution. There are times when another type of control will make the most sense from a cost/benefit standpoint.
Detective controls record a bad thing after it has happened. For example, logging all activities performed on a system will provide the ability to go back and look for inappropriate activities after the fact.
Reactive controls fall between preventive and detective controls. They do not prevent a bad thing from happening, but they provide a systematic way for detecting when those bad things have happened and correcting the situation. This is why these are sometimes called corrective controls. For example, you might have a central antivirus system that detects whether each user's PC has the latest signature files. Ideally, it would be nice to disallow network access to anyone who is not in compliance. However, this might not be practical from a business standpoint. Therefore, an alternative might be to log those in noncompliance and perform some regimented follow-up activities to either get the PC in compliance or remove its ability to access the network.
Let's say that you're looking at your company's accounts receivable system. That system exists for the purpose of ensuring that you're tracking who owes you money so that you can nag the deadbeats who don't pay you and so that you properly record payments from those who do. The financial auditors will worry about risks within the accounts receivable process itself, but the IT auditors need to think about the risks to the system accomplishing its business purpose. Some examples are cited below.
If changes to the system code itself are not approved and tested properly, then we might find that the logic being executed by the code is erroneous. This might mean that we lose our confidence in the integrity of the data within the system, resulting in an inability to know for sure who has paid us and who hasn't. So what are some internal controls that would mitigate this risk?
One internal control might be that the programmers don't have logical access to update the production code.
Another internal control might be that the people who do have logical access to update the production code will not do so without evidence of testing and approval.
If access to the system is given to people who do not have a need for that access, then system data might be changed, added, or deleted inappropriately. What are some internal controls that would mitigate this risk?
Requiring a user ID and password to access the system is an internal control.
Having a limited number of application security administrators who control the ability to add new user accounts to the system is another internal control. Ensuring that those application security administrators are knowledgeable individuals who know which users really need access to the system is yet another internal control.
If the system or its data were lost, then system functionality would be unavailable, resulting in a loss of your ability to track outstanding receivables or post new payments. What are some internal controls that would mitigate this risk?
Backing up the system and its data periodically is an internal control.
Shipping those backup tapes offsite is another internal control.
Documenting a disaster recovery plan is a third internal control.
These are just a few rudimentary examples and are intended to illustrate the concept. The auditor must understand the business purpose of what he or she is auditing, think through the risks to that purpose being accomplished, and then identify any existing internal controls that mitigate those risks. The chapters in Part II of this book provide detailed guidance on internal controls to look for within various topic areas.
Hopefully, this discussion has put us all on a level playing field regarding what we mean by internal controls, a term used frequently in this book. The concept of internal controls is absolutely fundamental to the auditing profession.