Interviews can be very useful in obtaining evidence of the existence of controls and the procedures. By way of widely accepted measures, there are already formulated audit programs to address internal controls and their implementation. Examples of these programs are ISO 17799, available at www.iso.ch and COBIT™ (Control Objectives for Information and related Technology) and ISACA, available at www.isaca.org. These programs attempt to provide generally accepted internal control guidance for auditors and are worth reviewing before beginning an IT audit engagement.
The object of the auditor's employee interview is to determine the present condition of the system and compare this condition with the audit program criteria. In the pursuit of interviews, the auditor should ask employees for evidence of the controls in the form of questions:
May I see it? Please show me how you _______. May I observe you working? How do you perform the process of _______? Is it possible for you to delete transaction logs? Please show me if you can do this _______ operation.
An experienced auditor will interview several employees having similar jobs in order to compare results and decide whether policies and procedures are being practiced or not.
Interview Analysis
As soon as possible after the interview, the auditor should prepare a written report of the interview from the notes taken. Be certain to separate fact from inference and speculation.
Facts are those things that the interviewee has heard, seen, or in which she has materially participated. They know the facts because they were there. Inference is a logical extension of the interviewee's mind — for example, if a cat and a mouse were placed in a box and the top closed and placed where it is under constant observation. A few minutes later the box is opened; the mouse is discovered to be gone. It is inferred that the cat ate the mouse even though no one actually observed it. Speculation is merely that the interviewee is guessing about something. For example, if there is a sudden increase in system processing time and the interviewee indicates the reason is attributable to increased input error rates, but cannot offer any observation or other substantive proof, then the response is speculative.
Do not discount the value of speculation. Wise auditors give speculation due consideration depending on the credibility, experience, and training of the interviewee. Many experienced auditors include speculation at the end of their interview report accompanied by proper qualifications.
Interview notes and written reports should be retained as permanent parts of the auditors' work papers. Senior managers should not be surprised when knowledgeable attorneys or investigators request audit interview notes and reports as legal processes. They are looking for evidence that the audit work papers can reconstruct audit events.
Questionnaires
Auditors may use written questionnaires as effective means to collect evidence. Responses obtained to questions asked on questionnaires indicate the presence or absence of controls or the incorrect application of controls. They can elicit users' comments about the effectiveness and efficiency of a system or subsystems. There are basically three major aspects of their design:
1. Design of questions
2. Design of responses
3. Design of layout and structure
The primary focus on questionnaire design is the crafting of questions to ensure the respondents understand the facts required. It is not unreasonable that some questions are redundant ensuring the respondents understand which facts are being requested. Questions need to be self-explanatory. If the question asks about input field limits, then it is expected the anticipated respondent already knows what input field limits are and when they apply. Here are a few questionnaire best practices:
Make certain the questions are specific. Rather than ask if input fields are controlled, ask which applications examine input field correctness. Use simple, plain language. Avoid technical jargon. Avoid abbreviations; use specific language instead. Avoid ambiguous language. Avoid leading questions. Leading questions suggest answers that respondents should reply. For example, "Do employees use the human resources system interface?" A much better question is phrased as, "How is human resources information obtained online, and by whom?" Avoid hypothetical questions. Stick to the facts. Do not ask questions based on assumptions. For example, "How often would you use the human resources system in a month's time?" This presupposes that the respondent knows about the human resources system and uses it monthly. Avoid questions that require extensive and accurate recall. "How many times did you use the human resources system during the past two months?" This is a question that cannot be easily answered. Instead, ask the respondent if he/she keeps a record of their use of a particular system. If the questionnaire has a scale of responses, make certain they are applicable to the topic. If the questionnaire asks the location of fire extinguishers in the warehouse, then ask if fire extinguishers are present, how many are present, and their locations. Make certain the questionnaire is directed to the right employees. Asking the finance unit questions about the location of fire extinguishers in the warehouse is not going to produce relevant answers.
The layout and structure of a questionnaire affect its accuracy. If the questionnaire is mailed, its layout and structure will likely affect the response rate. Its objective is to be well-received with clear, simple, logical, and appealing construction. The length of a questionnaire also affects the success of completion. If questions and questionnaires are too long, respondents lose interest and provide answers that may not accurately reflect their observations. Care must be taken to craft the flow of questions through the questionnaire. At the beginning, general questions should be asked placing little stress on the respondent with more difficult questions placed toward the middle or end of the topic areas.
0 comments:
Post a Comment