The more things change …: as automated technologies continue to advance and evolve, the underlying principles of IT auditing remain very much the same

Internal Auditor, August, 2004 by Norman Marks

Some 25 years ago, I was a rookie information technology (IT) audit manager in London trying to understand new technologies and interpret them for a large international audit firm. My job included attending conferences and seminars about the latest trends in technology and writing about them for both financial and IT auditors.

I remember one seminar in particular--a presentation on database systems by Tom Gilb, author of the classic, "Principles of Software Engineering Management." Many of Gilb's insights have stayed with me over the years, and I find one particularly relevant today. When asked how much database technology would change the future of IT systems, Gilb responded that a database was "just another file structure." Although technology was changing, he said, the principles behind IT management would remain essentially the same.

How is this relevant to IT auditors today? Even as technology has progressed from clunky mainframes to sleek notebooks and wireless handheld devices, the principles of IT auditing have not really changed. At a time when a revolution in controls auditing is being brought to corporations by Section 404 of the U.S. Sarbanes-Oxley Act of 2002, a trip to the past to understand the roots and underlying principles of IT auditing is valuable, if not essential.

WHAT ARE CONTROLS?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines a system of internal controls as "a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives." Simply stated, controls are the procedures management puts in place to ensure activities happen the way management intends.

Controls generally consist of two components--a manual or user procedure and an automated procedure. Examples include:

* Inventory cycle counting. At first glance, this may appear to be a 100 percent manual procedure. However, the selection of items to be included in a cycle count is usually an automated procedure. In other words, the basis for the manual counting is the automated procedure of identifying and reporting the items to be counted.

* Bad debt reserve calculation. The process of determining the amount of reserve for potential bad debt is manual. However, its basis is a report of aged customer accounts and their details.

* Accounts payable update to general ledger. Many would consider this an entirely automated procedure. However, most good systems produce a report (an automated procedure) that indicates that the update was successful and provides control totals. This report is then reviewed (a manual control procedure) to provide assurance that the update was completed successfully.

* Security over access to the approval function in wire transfers. Security software, whether provided within an application (application security) or by a separate software program, limits user access to key application functions. However, unless the security software reports exceptions for human review, the security system will be found lacking.


DEFINING APPLICATION CONTROLS

Application controls, which include both manual and automated procedures, are the controls over and around a computer system or application (e.g., accounts receivable). When experienced IT auditors complete an application audit--of either an existing or new system--they talk about whether there is an appropriate combination of user and automated control procedures.

Considering that most businesses are highly automated these days, application controls are really the normal controls found in any business process. Both manual and automated elements must be understood and documented, their design assessed, and their performance tested.

IT auditors specialize in the work performed on the automated procedures. When reviewing controls, it is critical that IT auditors understand on which automated procedures they are relying. Today's systems--whether integrated into enterprise resource planning (ERP) or not--contain many automated procedures, most of which do not need to be audited. The IT auditor should identify all the key controls in the overall process and then the relevant automated procedures. The auditor can then focus on documenting, assessing, and testing just those selected procedures.

Unfortunately, many internal audit functions allow IT auditors to audit automated controls without first understanding the overall business risks and identifying key process controls. As a result, the IT auditors may spend scarce--and expensive--resources auditing controls that are not key.

Several years ago, I worked at a company with an extensive retail network. The external auditor's IT auditors decided to audit the computer systems at each of the sites and, after a few weeks, they reported a significant weakness. The individual stores' systems did not confirm that all transactions had been uploaded into the corporate systems at the end of each day. When the auditors reviewed the issue with the overall audit manager, he pointed out that there was a daily review by a corporate accounting group that verified the upload. The financial audit staff had been reviewing and testing those controls for years. The external audit staff decided that no further work on the store controls was needed, as all the key controls were within that corporate accounting group.
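As an added illustration (not from the article), this is the automated half of the completeness control behind the accounts payable update and the store-upload story above: the receiving side recomputes record counts and hash totals over what actually arrived, compares them with the totals the sending system claimed, and produces an exceptions report for the manual review. Store names, transaction ids and amounts are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class BatchHeader:
    """Control totals the sending (store) system writes alongside its batch."""
    store: str
    record_count: int    # how many transactions the store says it uploaded
    hash_total: Decimal  # sum of the amounts the store says it uploaded


def control_totals(records):
    """Recompute count and hash total from the detail records actually received."""
    amounts = [Decimal(amount) for _, amount in records]
    return len(amounts), sum(amounts, Decimal("0"))


def reconcile(header, records):
    """Compare received detail with the sender's totals; return exception lines."""
    count, total = control_totals(records)
    exceptions = []
    if count != header.record_count:
        exceptions.append(f"{header.store}: expected {header.record_count} records, received {count}")
    if total != header.hash_total:
        exceptions.append(f"{header.store}: expected hash total {header.hash_total}, received {total}")
    return exceptions


def exception_report(headers, received):
    """Only batches that fail reconciliation reach the human reviewer."""
    report = []
    for header in headers:
        report.extend(reconcile(header, received.get(header.store, [])))
    return report

# Constructed sample data (hypothetical stores, transaction ids and amounts).
HEADERS = [
    BatchHeader("store-01", 3, Decimal("150.00")),
    BatchHeader("store-02", 4, Decimal("410.00")),  # one record never arrives
    BatchHeader("store-03", 2, Decimal("75.50")),   # an amount is altered in transit
]
RECEIVED = {
    "store-01": [("t1", "50.00"), ("t2", "60.00"), ("t3", "40.00")],
    "store-02": [("t4", "100.00"), ("t5", "100.00"), ("t6", "110.00")],
    "store-03": [("t7", "50.00"), ("t8", "52.50")],
}

if __name__ == "__main__":
    for line in exception_report(HEADERS, RECEIVED):
        print(line)
```

A clean batch produces no output at all, which is the point: the reviewer's time goes only to the exceptions, not to every successful upload.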

Content provided in partnership with Thompson Gale