Monday, April 26, 2010

The role of IT Audit in the ERM environment

After speaking about past disasters and their root causes, and after giving an introduction to the standard ERM objectives and components with a clarification of some myths, a key question still remains: after introducing an ERM, how do I know that the policies are correct and that personnel are following the rules? How do I know that the policies that were once created are still relevant and up to date?

At this point, an audit of the policies has to be conducted. Auditing can be defined as an “independent, objective assurance and consulting activity [which] helps organizations accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes” [1]. From a historical point of view, auditing was first developed to aid in controlling accounting and bookkeeping issues and gradually developed into a full business field in the early 1900s. The field of IT auditing developed slowly, starting in the 1950s, and was only fully acknowledged in the late 1970s and early 1980s, when the CISA exam was introduced [2].

There are several types of documents within an organization, with different levels of controls and restrictions pertaining to business operations, that have to be taken into account during an audit [3]:
  • Policies: high-level documents, signed by the highest authorities (e.g. the Executive Board), that pertain to the most important control objectives. These directions are mandatory for every employee.
  • Standards: the next lower-level documents, which ensure compliance with the policies imposed either by the company itself or by external sources, e.g. government laws in accounting or IT. These directions are mandatory for every employee as well.
  • Guidelines: these can be used if no policy or standard gives a clear direction for a situation. Most of the time they give general information on how a situation should be handled. Guidelines can be mandatory, e.g. a Code of Conduct, or optional, like higher ethical standards.
  • Procedures: normally step-by-step descriptions of how a certain task is to be done according to best practices. Compliance should be mandatory to ensure quality and reliability.
The key functions in an IT audit are [4]:
  • Controlling adherence to the set policies, standards and procedures. This is a major part of the audit function. Although employees may know the restrictions and standards that should be used, it is sometimes easier not to follow them in order to simplify activities. Since too many activities occur during a given period, it would be impossible to control everything. With this in mind, many audits only test a small sample (a low single-digit percentage of the population) and conduct a deeper audit only if an incident turns up in those tests.
  • Reviewing the limits and boundaries for all operations. The constant review of set boundaries is important so as neither to constrain an otherwise more economical outcome nor to give employees so much freedom that it could result in high losses.
  • Ensuring segregation of duties. By ensuring that each decision is controlled by at least a second person, willful misconduct (e.g. a manager who is responsible for putting out a request for tender for materials and also decides himself which company receives the contract) can be averted. This keeps employees from wielding so much power that it could hurt the company.
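To make the first and third audit functions concrete, here is an added example (not code from the original post or from any of the cited sources) that runs two controls over a constructed tender log: a segregation-of-duties check that flags any tender where the requester also decided the award, and an assumed procedure that awards above a threshold need an independent second approver. It also shows the sampling approach described above: test a small sample first and widen to the whole population only when the sample turns up an incident. The record fields, the threshold and the sampling rate are all assumptions made for this illustration.

```python
"""Added example (not from the original post): a minimal segregation-of-duties
check and a sample-based adherence test over a constructed tender log.
Field names, the threshold rule and the sampling rate are assumptions."""
import random

# Constructed data: one record per request for tender. "requested_by" is the
# manager who put out the tender, "awarded_by" the person who chose the
# supplier, "approvers" everyone who signed off the award.
TENDERS = [
    {"id": "T-001", "amount": 4_000,  "requested_by": "alice", "awarded_by": "bob",   "approvers": ["bob"]},
    {"id": "T-002", "amount": 25_000, "requested_by": "carol", "awarded_by": "carol", "approvers": ["carol"]},
    {"id": "T-003", "amount": 18_000, "requested_by": "dave",  "awarded_by": "erin",  "approvers": ["erin"]},
    {"id": "T-004", "amount": 9_500,  "requested_by": "frank", "awarded_by": "frank", "approvers": ["frank", "grace"]},
    {"id": "T-005", "amount": 60_000, "requested_by": "heidi", "awarded_by": "ivan",  "approvers": ["ivan", "judy"]},
]

# Assumed standard: awards above this amount need a second, independent signature.
SECOND_SIGNATURE_ABOVE = 10_000


def check_record(rec):
    """Return the list of control failures for one tender (empty = compliant)."""
    failures = []
    # Segregation of duties: the requester must not also decide the award.
    if rec["requested_by"] == rec["awarded_by"]:
        failures.append("sod: requester awarded own tender")
    # Procedure: above the threshold, someone other than the requester and
    # the awarder must have approved the decision.
    if rec["amount"] > SECOND_SIGNATURE_ABOVE:
        independent = set(rec["approvers"]) - {rec["requested_by"], rec["awarded_by"]}
        if not independent:
            failures.append("procedure: no independent second approval")
    return failures


def full_review(records):
    """Map each non-compliant record id to its list of failures."""
    return {r["id"]: f for r in records if (f := check_record(r))}


def sample_audit(records, rate, seed=0):
    """Test a low-percentage sample first; escalate to a review of the whole
    population only if the sample turns up an incident."""
    rng = random.Random(seed)  # seeded so a run can be reproduced by a reviewer
    size = max(1, round(len(records) * rate))
    sample = rng.sample(records, size)
    if full_review(sample):
        return {"escalated": True, "sample_size": size, "findings": full_review(records)}
    return {"escalated": False, "sample_size": size, "findings": {}}


if __name__ == "__main__":
    for rid, why in full_review(TENDERS).items():
        print(rid, why)
    print(sample_audit(TENDERS, rate=0.2))
```

On this constructed data, T-002 fails both controls, T-003 lacks an independent second approval, and T-004 fails segregation of duties; a 20% sample either finds nothing and stops, or hits one of those and escalates to the full list. In practice the sampling seed and the sample size would be recorded with the audit working papers so that the test can be reproduced.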
The auditing process itself is never finished and can be visualized as a cycle of assessment, review and reporting:

[Figure: Continuous Auditing Process [5]]

There are several procedures and techniques that can be used during an audit. In particular, the development of tools that ensure compliance with the set rules and regulations almost automatically can help not only to reduce the amount of time spent on a specific issue, but also to increase overall quality. The next blog post will give a short overview of the traditional techniques, followed by a post about the recent developments in the area of Computer-Assisted Audit Tools and Techniques (CAATTs).


References:

[1] The Institute of Internal Auditors, “Definition of Internal Auditing”, http://www.theiia.org/guidance/standards-and-guidance/ippf/definition-of-internal-auditing/
[2] Michael P. Cangemi and Tommie Singleton, “Managing the Audit Function: A Corporate Audit Department Procedures Guide”, Third Edition, John Wiley & Sons, 2003
[3] David L. Cannon, “CISA: Certified Information Systems Auditor Study Guide”, 2nd Edition, Sybex, 2008
[4] James Lam, “Enterprise Risk Management: From Incentives to Controls”, John Wiley & Sons, 2003
[5] Sandra Senft and Frederick Gallegos, “Information Technology Control and Audit”, Third Edition, Auerbach Publications, 2009