It skills for internal auditors; As technology plays a greater role in how organizations are monitored and controlled, internal auditors need to develop the basic IT knowledge to do their job

Internal Auditor, August, 2008 by Philip Smith

ACCORDING TO A SURVEY BY PRICE-WATERHOUSECOOPERS (PWC), business trends expected to have the most impact on internal auditing between now and 2012 are technology, new regulations, risk management, corporate governance, and ethics and compliance. Of these, technology is projected to have the greatest impact, a finding that sends a clear message to the internal audit profession: To provide a relevant service that adds value to their organization, auditors need to ensure their IT skills are updated continuously, relevant, and fit for the purpose (see "Three Categories of IT Knowledge" on page 46).

[ILLUSTRATION OMITTED]

Several of the chief audit executives (CAEs) who took part in the survey talked about the need to incorporate IT auditing within traditional audit programs. Such an observation has a further implication for the IT skills that will be demanded of the generalist internal auditor. This is summed up by the CAE of a Fortune 250 communications and entertainment company who said he expects the lines separating IT and non-IT audits would continue to blur over the next five years, given the need to leverage the power of technology to enhance audit efficiency. Another CAE reported, in response to this trend, that his company now provides IT training for internal auditors on a global basis.

"We are at a very exciting time because of the confluence of the old style manual, business-oriented auditing competing with the new style high-technology, automated world." says Nelson Gibbs, a senior internal audit manager with Deloitte in Los Angeles. Gibbs believes there is an opportunity to shape the way the profession will perform in the future. "Right now is where the tasks are being integrated and gaining popularity in terms of audit tools and methodology," he says. "This is all being decided now and will carry us forward for some time."

TWO AREAS OF KNOWLEDGE

In considering whether internal auditors' IT skills are relevant to today's business demands, there is a need to differentiate between those skills that allow auditors to carry out their day-to-day duties in an efficient and technologically enabled way, and those that allow them to have a greater understanding of the technology that supports the business as a whole. In addition, there is a difference between the ability to use IT tools and the need to understand the technology and its impact on business risk management.

Gibbs identifies two types of software with which internal auditors need to be familiar--the software that the auditor uses and the software that supports the business. On the business side are enterprise resource planning products such as SAP, Oracle, JD Edwards, and several others targeted at different markets. Essentially, these products all do the same thing--codify a business process into a repeatable activity, which then links together with other business reports, such as financial statements, sales activities, or inventory maintenance. Gibbs says it is not necessary for auditors to have an in-depth, technical knowledge of these programs, although a thorough understanding is important. "It would be difficult to know everything about a business in great detail, so it would be even more difficult to know everything about these software packages," he says.

Gibbs says auditors need a more detailed understanding of their own IT tools, which include two types of technologies. The first is stand-alone, task-specific software packages that help auditors organize and perform work, such as automated workpaper management systems. These products help auditors keep track of their daily activity. Linked to them are analysis tools, such as ACL and Excel.

The second type of audit tool is the integrated components within the larger business packages, which now have modules for governance, risk, and compliance. These tools attempt to collect metadata from within the big business packages and filter out those pieces of information of interest to the auditor in a way that they can be used. But, Gibbs warns, auditors may be relying on the IT department to provide this information, which gives them less control over its reliability. Auditors can provide greater assurance about the reliability of data when they have the expertise to obtain it without IT's assistance. "If they are managing it themselves, there is less chance of the data becoming corrupted or manipulated." he says.

BASIC SKILLS NEEDED

Others look for an even more basic set of IT competencies in their auditors' skill sets. "A good, general internal auditor should have the basic skills of Excel, Word, and Access, and also be able to actually understand the concept of the business' general controls," says James Reinhard, audit manager for Simon Property Group Inc., an S&P 500 real estate company based in Indianapolis.

But auditors should also be knowledgeable of the risks of spreadsheets. "This is an area that auditors on the business side should really be aware of," Gibbs warns. "There can be unthinking use of spreadsheets. We are so used to them, and they are so flexible, but there is very little security or reliability in spreadsheet applications. There is a danger of over-reliance on spreadsheets, and used incorrectly, they are easily manipulated."