I’ve just read a short but interesting post from David Hoelzer over at SANS where he asks whether, as IT Auditors, we audit IT or IT Security.
It is quite an old post, but it only found its way to me via Twitter recently. His conclusion is that we audit a little of both: 1) we must validate the internal control environment of systems, applications and infrastructure, and 2) to do this effectively (and in part to validate that the control is sustainable) we must also look at the policies, procedures and standards governing that control environment.
I certainly agree with this view, but do also feel that we have more to offer. The role of Internal Audit itself has evolved over the past decade and business is increasingly looking to us for assurance and more value-add. Thus there are other risks that we need to consider and report on, such as strategic risk and governance. IA needs to be closer to the business and follow a risk-based approach. As Mervyn King noted, “Internal Audit needs to move from the back room to the Boardroom”.
Through all of this we as Internal Auditors need to work smarter and more closely with other assurance providers. Additionally, in today’s technologically pervasive environment IT Audit has a role to play in helping the rest of audit work smarter by harnessing electronic processes. By this I mean that IT Audit can make better use of CAATs and data analytics to improve business process audits (i.e. testing the full data set rather than a sample, and so avoiding sampling risk), as well as identifying and testing automated controls, which frees up business auditors to focus on procedural controls. Controls maintaining the integrity of Management Information may not always be there to manage a security risk, for example, but they can be very important in the context of a business’ strategy and/or Board-level reporting.
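To make the CAAT point concrete, here is an added example (my own illustration, not code from the SANS post or from David Hoelzer) of a full-population test of two automated controls over a purchase-ledger extract: a segregation-of-duties rule that payments at or above a threshold must be approved by someone other than the preparer, and a duplicate-payment check on vendor/invoice pairs. The threshold value, column names and ledger rows are all constructed assumptions; a real run would read the ERP export instead of the inline string.

```python
"""Full-population CAAT over a constructed purchase-ledger extract.

Two automated controls are tested across every row rather than a sample:
  1. Payments at or above APPROVAL_THRESHOLD must carry an approver who is
     not the preparer (segregation of duties).
  2. No vendor/invoice-number pair may be paid more than once.
"""
import csv
import io
from collections import Counter

APPROVAL_THRESHOLD = 10_000.00  # assumed control parameter, not from the post

# Constructed sample extract (not real data). Column names are assumptions.
LEDGER_CSV = """payment_id,vendor_id,invoice_no,amount,prepared_by,approved_by
P001,V100,INV-1,2500.00,alice,bob
P002,V100,INV-2,15000.00,alice,bob
P003,V200,INV-7,12000.00,carol,carol
P004,V200,INV-7,12000.00,carol,dave
P005,V300,INV-9,9999.99,erin,
P006,V300,INV-10,10000.00,erin,
"""


def load_ledger(text):
    """Parse the CSV extract into a list of dicts with numeric amounts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["amount"] = float(row["amount"])
        rows.append(row)
    return rows


def check_sod_control(rows):
    """Return payment ids breaching the approval / segregation-of-duties rule.

    A breach is any payment at or above the threshold that has no approver,
    or whose approver is the same person who prepared it.
    """
    exceptions = []
    for row in rows:
        if row["amount"] >= APPROVAL_THRESHOLD:
            approver = row["approved_by"].strip()
            if not approver or approver == row["prepared_by"].strip():
                exceptions.append(row["payment_id"])
    return exceptions


def check_duplicate_payments(rows):
    """Return (vendor_id, invoice_no) pairs that were paid more than once."""
    counts = Counter((row["vendor_id"], row["invoice_no"]) for row in rows)
    return sorted(key for key, n in counts.items() if n > 1)


def run_caat(text=LEDGER_CSV):
    """Run both control tests over the whole population and summarise."""
    rows = load_ledger(text)
    return {
        "population": len(rows),
        "sod_exceptions": check_sod_control(rows),
        "duplicate_invoices": check_duplicate_payments(rows),
    }


if __name__ == "__main__":
    result = run_caat()
    print(f"Tested {result['population']} payments (100% of population)")
    print("SoD exceptions:", result["sod_exceptions"])
    print("Duplicate vendor/invoice pairs:", result["duplicate_invoices"])
```

Because every row is examined, the two self-approved or unapproved payments and the duplicated invoice are found regardless of where they sit in the extract; a judgemental or random sample of a few rows could easily miss all three. The P005 row sits just below the threshold and is deliberately not flagged, which is the kind of boundary the auditor should confirm matches the documented control, not just the system's behaviour.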
In summary, I agree that pure IT Audit must include an element of IT Security in the audit, but we must also innovate and strive to understand more of how the application environment works, and the information that flows through these systems, in order to validate the non-security controls that also affect the business’ risk profile.