Integrating Audit
It is no secret that siloed Internal Audit processes do not lead to success in this day of fast-moving risks and demands for real-time awareness and collaboration. Rather than auditors wading through opaque processes, lost in spreadsheets, internal checklists, and fractured auditing protocols across different business functions, we are seeing several cloud-based IA process automation tools (such as www.auditprodigy.com) enable a unified framework and day-to-day processes. These tools allow IA to achieve more effective engagements, be it risk assessments, document requests, process mapping, or financial, operational, and internal control audits and reviews.
Integrated auditing is a symbiotic relationship between information technology, financial, and operational controls in establishing an effective and efficient internal control environment. Public companies are already required to conduct integrated audits: auditors must express an opinion on internal controls, integrating the financial reporting audit with an internal controls audit. This is the legal requirement, but the process of holistic integration in audit is left undefined for companies to put together themselves. Management is responsible for designing the approach, but Internal Audit can play a valuable advisory role. The ideal state is an organized framework for establishing, maintaining, and reporting on an internal control structure, together with protocols for the auditors who are required to assess that structure.
Not all controls reside in financial and operational processes. Issues identified in information technology may negate the effectiveness of the financial and operational controls, and vice versa. Therefore, an integrated audit evaluates the interplay between financial, operational, and technology processes in the achievement of control objectives.
The following areas deserve consideration in designing an effective integrated audit framework:
- How effective and accurate are the process maps? Does Internal Audit facilitate such a process to enable management to take responsibility for documenting and maintaining their processes?
- Are the business and information processing risks and controls understood and agreed upon by the stakeholders, IT delivery and support organization, and the integrated audit team?
- Are manual and automated feeds, system interfaces, and communications accurate, timely and secure?
- Are manual and automated transactions approved and processed in a timely and accurate manner?
- Is information secure, and do confidentiality controls follow current regulations?
- Do Disaster Recovery and Business Continuity (DR & BC) plans provide reasonable assurance that both the system and business operations can recover and continue when a system or business interruption occurs?
- Are program changes tested, approved and migrated to production as prescribed by the business process owners?
Moving an organization towards an integrated auditing framework is a crucial step towards organizational maturity. A modern integrated audit doesn't just adhere to the legal requirement; it establishes a precedent within the organization for how the compliance landscape will evolve, taking technology into consideration so that the organization is prepared in advance.
Sarbanes-Oxley is the mandate for public companies, but the regulatory requirements for private companies will inevitably follow suit as more organizations mature and opt to stay private. As regulation continues to mature around the technology space, how is internal control over information technology going to be managed, and how are organizations going to be prepared to manage that change if they are responding late rather than anticipating the inevitable?