How To Survive, And Thrive, In An AuditBy Kevin Behr, Gene Kim and George Spafford For many IT practitioners, the entire audit function may be one of the most mysterious and misunderstood roles encountered, especially when the business unit is operating in a regulated environment such as financial services, healthcare or pharmaceuticals.
For many IT practitioners, the entire audit function may be one of the most mysterious and misunderstood roles encountered, especially when the business unit is operating in a regulated environment such as financial services, healthcare or pharmaceuticals.
In the high-performing organizations, there is a mutual respect between the IT teams and the audit teams they work with, which includes the internal and external auditors. In fact, in these high-performers, the IT teams even viewed auditors as additional resources to ensure that appropriate controls are in place and effective.
Typically, poor working relationships with auditors and painful audit findings are due to the absence of effective processes and controls. Just as the manufacturing world realized the need for repeatable processes and quality controls, IT is tasked with ensuring that processes are documented and controls are effective.
When these processes are well documented and documentation exists that can demonstrate the controls are working, audits usually go much more smoothly, because auditors have a readily identifiable desired state to audit against. When processes are not documented, auditors must grade against their own processes.
Worse, when controls do not exist to demonstrate that processes are being followed, auditors must go into "archaeology" mode to determine for themselves if the systems meet documented control objectives. For example, if you claim to have change management meetings but do not have any formally recorded meeting notes, how can auditors verify that the meetings actually happened? The level of documentation must be commensurate with the risks associated with the changes.
A substantial rewrite of the Enterprise Resource Planning (ERP) system is a matter with significant risk, requiring additional processes and proof that those processes are effective. Resist the urge to document everything and instead focus efforts on creating evidence that the right processes are in place and are being followed.
To explain this further, we will examine the way auditors view the world, which is through three broad categories of controls.
Auditors often view the world through the lens of risks and controls. Risks exist, and you can mitigate them by either preventing or detecting them, and you should always be able to make corrections and recover should the risks actually happen. To explain this better, here are the three categories:
- Preventive - controls that keep something from happening. For example, policy, separation of duty, and authorization processes are all preventive controls.
- Detective - analytical controls that monitor activity and processes to determine if the preventive controls have failed or if something is out of compliance. For example, change monitoring and verification are detective controls.
- Corrective - corrective controls restore the situation back to the expected state. For example, if a system crashes due to a failed change, reloading all applications from the last known good image to bring the system back online serves as a corrective control.
Separation of duties ensures that no single person has complete unchecked access to do unauthorized things. Because lack of segregation can create nearly endless opportunities to commit fraud, developers are not allowed access to production processes where they can directly make changes in regulated environments. Instead, they must develop the code, and then forward it to testing. Once there, the operations team can review the change, assess risks and deploy it into production if everything is acceptable.
These days, many audit concerns are driven by regulatory compliance needs that are required by the industry or that assure the integrity of financial reporting. At one time, auditors and bean counters checked to see if the financial statements were correct by opening up all of the warehouses and counting all the "beans." In this way, they could verify that the financial statements matched what they physically observed.
However, even the best auditors have finite time and resources. Instead of going into the warehouse and counting beans, they go to the bean counting machine and check the controls to determine whether the machine can be trusted. In most cases it is best to have a combination of preventive and detective controls. If neither exists, or if they are inadequate, the auditors cannot trust the results of the bean counting machine.
This is a very bad thing, because it erodes their ability to rely on anything the bean counting machine did, and requires opening up the warehouses, and, guess what, counting the beans. In other words, without assurance that proper controls exist, far more scrutiny is required, thus incurring substantial costs.
To create a more productive working relationship with auditors, IT must be able to clearly describe its preventive processes and the detective controls that prove they work as expected.
A main premise of this book is that controls serve an important purpose to ensure that our processes achieve the desired business objectives and that controls are not in place simply to generate positive audit findings or to comply with regulations. After all, a customer would not feel safe if the restaurant only complied with health codes just to keep the inspectors at bay. They would be happier if the restaurant handled food with care to keep customers healthy, happy and improve their overall dining experience.
IT is no different. An organization that uses effective controls to improve their processes typically has far better availability, lower amounts of unplanned work, better security, and incidentally, smoother audits .