Flashes of brilliance - role of information system auditors

Internal Auditor, June, 1994 by Sara S. Patterson, Kimberly A. Svevo-Cianci

As the Information Systems Audit and Control Association, formerly the EDP Auditors Association, approaches its twenty-fifth birthday, members comment on the changes in information systems auditing and the electrifying challenges of the future.

In transportation, what started with the wheel has taken us to the stars. In art, what began with sketches on cave walls has given us the works by Michaelangelo on the Sistine Ceiling and paintings by the Impressionists and Surrealists.

In the profession of auditing, what perhaps originated as counting the beans has evolved into examining billions of transactions, verifying their accuracy and dollar value in minutes using computer systems. It has led to evaluations of systems that may cost organizations millions of dollars and recommendations for innovative, cost-effective measures. Further, the global reach of auditors today, using advanced technologies, enables them to review the internal controls of subsidiaries worldwide at a fraction of the cost, taking a nanosecond of the time it took just 10 to 20 years ago.

The modern-day heroes of information systems (IS) auditing and control play an important role in helping all industries and sectors to advance and improve their productivity and success. They strive to improve their organizations by helping them to look at things differently, so that existing structures, procedures, and systems can be fortified, and new opportunities can be seized.

The evolution of the IS auditing profession has only just begun. IS auditors, who have already established themselves as the backbone of progress, are positioning themselves for the next century, and not only with technological knowledge and skills. They are pioneers in their profession, open to the challenge of change, to breakthrough thinking, to the flashes of brilliance that will enhance the success and quality of their organizations.

Implementing New Systems

In 1993, John Klarquist, Director of Technical Audit, ITT Hartford, was called about a possible problem. A person was suspected of fraudulently making out a check to herself. Using the phonetics search software purchased only weeks before, an investigator keyed in the suspected name. "It was like hitting a slot machine," according to Klarquist. A report emerged showing that the suspected individual had nearly $106,000 in illegal checks in her possession. Before the search, no one had been aware of this individual's multiple illegal transactions.

"Someone was on a plane and out to California before some of the checks were cashed," Klarquist said. "This software paid off the first month. Now we use it with auditors and investigators, and we can assist business personnel who come to us to run specific reports they need."

Klarquist and his associates have used the software repeatedly over the past year to detect and quantify all sorts of internal and external fraud -- including premium and claim fraud by policyholders. Klarquist has also shared this valuable find with auditors in other insurance firms and believes that the software will enable companies to make inroads in thwarting fraud and help to control insurance rate increases for everyone.

Prior to the purchase of the pivotal software, ITT Hartford's auditing department had only one flat paid file that kept information on past payees. Weekly information from ITT Hartford's systems saved names and addresses, but they were in unformatted fields and could be tracked only by expensive and time-consuming methods. In fact, one search in January 1993, analyzing activities of more than 25 names during a five-year period, cost ITT Hartford $100,000. Today, the $48,000 software package runs on a LAN, and auditors don't even need to know exactly how to spell the name they are researching -- a vast improvement over the system of guessing and entering countless options on spelling in the past.

Continuous Processing

Finding ways to support improvements on traditional approaches is a constant challenge to IS auditing and control professionals, who must be open and receptive to change. Not being afraid of change isn't enough, however; IS auditors must be excited and motivated about new ways of doing things.

Michael Cangemi, Chief Financial Officer and Executive Vice President of Etienne Aigner, believes that continuous process auditing is being accepted all too slowly. Cangemi theorizes that banks will lead the way, because they can no longer wait six months or a year to audit transactions. "Too much happens too quickly," Cangemi said. "Smart auditors should monitor continuously with integrated test facilities. With today's high volume of transactions and complexities, the old audit model of coming in after one year to extract and analyze has to change."

Cangemi thinks that organizations need to move more quickly into evolving the traditional integrated test facility of old, which relies on samples taken at different points throughout the year, into continuous process auditing. The difference is that continuous process auditing is now built into the system itself.