An Approach That Works - successful auditing technique
Internal Auditor, Dec, 2000 by Leonard P. Murray
I've always believed that the definition of success is finding a need and filling it. Now I know that success is not only filling the need, it's improving the process used to accomplish the task. Utilizing aspects of an integrated audit that your shop is probably familiar with and adding what we've termed a "systems learning team" (SLT) approach, my audit department not only closed a critical gap in our coverage, it also brought together diverse players, efficiently combined their strengths and skill sets, and effectively synthesized and leveraged their expertise. Team members learned as they worked, raised issues, and made suggestions that increased the organization's risk control.
As auditors for a large regional bank, we knew that our reviews of the bank's computer applications were inadequate. To correct this, the audit directors--of which I was one--decided to adopt a more aggressive integrated audit approach of the financial and IT areas of the organization. Looking for a way to enhance our integrated audit, we were heavily influenced by Massachusetts Institute of Technology Professor Peter Senge's book, The Fifth Discipline: The Art and Practice of the Learning Organization.
Senge outlines five disciplines that successful organizations follow: personal mastery, shared vision, mental models, team learning, and systems thinking. We were intrigued with Senge's ideas on systems thinking--invisible fabrics of interrelated actions--and the team learning principle--building on a shared vision by aligning goals, dreams, and desires so that a group of people functions as a whole to achieve a common objective. We took most of his principles and used them to formulate the SLT approach, which helped us better assess controls over the bank's business applications.
How we put the project together is laid out below, but first I want to emphasize the unexpected enthusiasm generated within the team. After the directors decided on goals for the team members, we found it best to be involved only in an oversight role. The group became so enthusiastic about the project that the directors needed to get out of the way so as not to slow things down. We all know auditing can at times be dry, so it was great to add this excitement to the job.
The team was intentionally designed so the auditors didn't have to be concerned with their level of expertise--or lack of it. They also didn't have to worry about the political dynamics that are often involved in obtaining assistance from other teams or by asking IT audit for help, because experienced IT auditors were added to the mix as equals, not as leaders. But I'll start from the beginning...
BACKGROUND
Our audit shop consisted of six audit teams, each with its own director and specific line of business to audit. As one of those six directors, I was responsible for the IT audit team. In addition, my group had a subteam that performed application audits. This approach had some success in that it raised important control issues previously unnoticed. However, because of a lack of personnel at its disposal, the subteam could cover only a few applications per year.
In an early effort to improve the situation, the senior audit officer directed the business audit teams to perform fully integrated audits of the applications that supported their clients. The business auditors were trained during the next 18 months using a core curriculum model from The IIA. Although somewhat helpful, the training proved to be ineffective for our purposes. We considered whether we should begin the next level of training, which was more advanced and costly in terms of time and effort, but there were some concerns that we had not benefited enough in our audits with the first level of training to justify proceeding to the next.
We were also having a lot of difficulty trying to fit the application audits into everyone's schedules. The five business audit teams had to coordinate with the clients as well as with the IT audit team, which provided technical assistance on these audits. Often, audits had to be rescheduled because of changing client needs and shifting auditor availability. We tried to improve the situation with better planning, but the frequent changes in the client environments and auditor availability proved to be too much.
IDENTIFYING OPPORTUNITIES
Because of my prior experience in integrated auditing, I was asked to lead an initiative to improve our efforts. The first step was to determine what aspects of our current approach were not working. After I observed the process in place and performed several quality assurance reviews on application audits, I worked with the other directors and determined the following immediate needs:
INCREASED AND IMMEDIATE COVERAGE OF HIGH- AND MEDIUM-RISK APPLICATIONS. Only a small percentage of applications in these categories had undergone an adequate control review.
COMPREHENSIVE REVIEWS. Our disjointed approach resulted in applications being reviewed exclusively for either financial control issues or technical control issues. Insufficient training, inadequate tools, and a reluctance to expand the time and scope of an audit beyond the traditional review were contributing factors. Increasing the number of auditors possessing both financial and technical knowledge would have been an obvious solution to this problem. However, we had only a few individuals with a strong knowledge of integrated auditing, and recruiting and developing more of these multi-skilled individuals would be difficult and too time-consuming to be of immediate help.



