
Norman Marks and Jay R. Taylor have been practitioners and thought leaders in the internal auditing profession for many years. In this article, they bring their combined experience and perspectives, as well as the results of their very broad networking with other leaders around the globe, to assess the current state of internal auditing and share their views on where the practice should be heading. While both have senior positions within their organizations, and are very active within the IIA and ISACA, the views expressed are theirs and theirs alone.

In this article, Jay and Norman review high-level issues such as standard-setting and leadership of the profession, and where internal auditing should report. They then consider each major aspect of internal auditing (such as audit planning and risk assessment; performance of individual audits; staffing and resources; the use of technology; fraud and investigations; the quality of audit reporting and other communications; and value-add consulting and other services). The authors discuss how internal auditing has improved and where opportunities for enhanced performance can be found in each area.


6 Comments


  1. Julius von dem Bussche
    The link does not work, at least not for me.

    The biggest problem in auditing in my opinion are the various check-lists which auditors (both internal and external) have.

    They typically have many “check table xyz” and “run report abc” instructions in them.

    Regardless of the skills of the auditor (particularly if they are skilled), this creates a problem in the SAP world as reports and tables are not classed as “entry points” such as tcodes, rfc’s and services are.

    Auditors, and the attempt to create a “display all” access and also use it for support etc., are in my opinion a security hazard caused by this.

    It would be nice to see some standardization which meets auditability requirements, and make this standardly available in the SAP system.

    The AIS attempted to do this and is a cool tool – but few auditors stick to it or ask for it when they rock up on Monday morning, unprepared but with their check-list in hand.

    Just my opinion.

    Cheers,
    Julius

  2. Babu Jayendran
    At the very outset, thank you for sharing the article and I must admit it is thought provoking.

    Having spent many years in the audit profession, I do believe that there is a need for improving the skills and approach of audit. I am quoting below two points from your closing thoughts and would like to add my comments:

    • Continued improvements are necessary in addressing IT as part of and not separate from business risk
    • CAEs need to raise the bar on the level of IT-related risk and control knowledge expected of and held by the non-IT members of the team (business auditors), particularly those aspiring to supervisory or leadership positions within internal audit

    Most organizations work today in two silos, i.e. business and technology. Both silos speak ‘different languages’. Organizations are busy interfacing systems using technology but the important part is to interface the two silos, namely business and technology. I suppose the BPX community has evolved due to this need. Technology is only a business enabler and I totally agree with your first comment, indicated above.

    In terms of risks and controls and to be effective in internal audit, the auditor has to cover all the following areas:

    • Application
    • Database
    • Operating System
    • Network

    I completely agree with Julius’s comment “…..The biggest problem in auditing in my opinion are the various check-lists which auditors (both internal and external) have….” Check lists are only a ‘road map’, and if the auditor does not have a very good understanding of their contents it is not possible to do justice to an audit. A general auditor will definitely not be effective if he or she carries out the audit using check lists for covering Applications, Databases, Operating Systems and Networks.

    Let us consider a scenario of an organization running SAP, with an Oracle Database on UNIX. In order to give comfort to the organization and to ensure that all risks are covered it is important that specialist auditors in each of these areas are used in the audit. The supervisor of the audit team should be aware of the risks in all the layers and consolidate the findings in the final report. I therefore fully endorse your second comment, indicated above.

    Let us look at a review of Segregation of Duties (SOD) in the SAP environment. The auditor definitely needs to have a very good understanding of:

    • The risks and controls of business processes in SAP
    • The roles and authorization concepts in SAP
    • The critical and conflicting Tcodes in SAP
    • The working of Compliance Calibrator or any other SOD tool
    • The SOD concepts pertaining to initiating, authorizing, recording, processing and reporting

    The auditor’s knowledge should cover all of the above; if not, there would be gaps in the review. A check list cannot replace the in-depth knowledge an auditor possesses.

    1. Norman Marks Post author
      Babu, thank you for your comments. They are much appreciated.

      With respect to understanding the business risks, I have too often seen internal and, especially, external auditors perform an audit of segregation of duties based on a checklist of the conflicts they are used to seeing. For example, when I was at Maxtor the external auditor’s tests looked for and found individuals with access to both the HR and payroll modules in the US. However, Maxtor didn’t use the SAP payroll module in the US, only in Asia. So they wasted their time and our money.

      That is why I believe auditors need to understand the business risks, how technology failures might affect them, and only then audit the controls that would prevent/detect these critical technology failures.

      The same concept applies within the organization. Security professionals should not implement and apply resources managing risks that don’t exist. That can happen if they don’t understand business risks but work from a technology-only risk assessment or vulnerability study. They are also likely to fail to address a risk – such as when critical information is on assets managed outside IT, or when departments outside IT (such as in Engineering) manage servers and routers.

      Thanks again
      Norman

      1. Krishna Mohan Unnam
        Very interesting and relevant discussion.

        As an auditor, the knowledge you acquire always seems to be insufficient, because the very nature of the audit profession is to review various different systems, processes etc.

        The check lists are there only to guide us as a baseline to start with. These check lists save a lot of time and also transfer knowledge in a very structured manner. The business knowledge and business risk knowledge for considering what needs to be checked or audited is part of the audit planning, where auditors, as part of the scoping exercise, map the business processes and identify the various applications to be reviewed. There are chances of errors, and hence audit planning, scoping, check lists and audit programs do change as we progress in conducting audits. However, check lists have their own important and limited role in the process. The minimum we expect them to do is to cover testing of important controls. Check lists, however exhaustive they are, cannot become the end or final source for conducting the audits.

        The auditor’s endeavor is to reduce the chances of errors in scoping, coverage and relevance etc. All these things put together make audit a challenging profession.

        The need to improve on skills and knowledge in the audit profession is high, and it is increasing due to the convergence of technology and business processes.

        Regards,
        Krishna

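As an added illustration of the SOD review Babu describes and of Norman’s point that a conflict on a module the company does not run (the unused US payroll module) is not a finding worth reporting, the following Python check is example code written for this page, not from the article, either commenter or any SOD tool; the transaction codes, user assignments and scope are constructed sample data.

```python
"""Toy segregation-of-duties (SOD) conflict check over SAP-style user/tcode data.
Constructed example: ruleset, assignments and scope are made up for illustration."""

# Constructed conflict ruleset: two transaction codes one user should not hold
# together, with the conflicting SOD functions (initiate/authorise/record/...).
SOD_RULES = [
    ("XK01", "F110", "create vendor master / run automatic payments"),
    ("FB60", "F110", "post vendor invoice / run automatic payments"),
    ("SU01", "PFCG", "maintain users / maintain roles"),
    ("PA30", "PC00_M10_CALC", "maintain HR master data / run US payroll"),
]

# Constructed assignments: user -> tcodes the user can execute (the kind of
# data an auditor exports from the system rather than reads off a check list).
ASSIGNMENTS = {
    "JDOE": {"XK01", "FB60", "F110"},
    "ASMITH": {"SU01", "PFCG"},
    "BLEE": {"PA30", "PC00_M10_CALC"},
    "CKIM": {"FB60"},
}

# Constructed scope: tcodes of modules this installation actually runs.
# HR/payroll is deliberately absent, as in the Maxtor US example above.
IN_SCOPE_TCODES = {"XK01", "FB60", "F110", "SU01", "PFCG"}


def find_conflicts(assignments, rules, in_scope_tcodes=None):
    """Return (user, tcode_a, tcode_b, description) for each rule whose two
    tcodes a user holds. When in_scope_tcodes is given, rules that touch a
    tcode outside the scope are skipped, so a conflict on an unused module
    is never raised as a finding."""
    findings = []
    for user, tcodes in sorted(assignments.items()):
        for a, b, desc in rules:
            if in_scope_tcodes is not None and not {a, b} <= in_scope_tcodes:
                continue
            if a in tcodes and b in tcodes:
                findings.append((user, a, b, desc))
    return findings


def users_with_conflicts(findings):
    """Distinct users appearing in the findings, for the summary table."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for f in find_conflicts(ASSIGNMENTS, SOD_RULES, IN_SCOPE_TCODES):
        print("%-7s %s + %s: %s" % f)
```

Run without a scope, the check reports BLEE’s HR/payroll conflict; with the constructed scope, that finding is dropped and only the finance and Basis conflicts remain.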
