Auditing is the compliance extension of your risk management program, in which operations, policies, and procedures are examined to determine whether operations are lawful, effective, efficient, and profitable. Auditing determines whether the organization's critical assets are accounted for and prioritized with adequate safeguards, and whether recovery and restoration procedures are implemented and tested. Fundamentally, auditing is also a comparative and analytical process consisting of collecting and evaluating evidence about management assertions against the actual state of the organization's operations. In fact, the most critical part of auditing is measuring the degree of separation between an organization's assertions and the established, system-addressed risk criteria. Any difference between the assertions and the actual state falls into a category called the "gap."
Information technology auditing is a carefully planned and executed business process involving the collection and evaluation of evidence to ascertain if a computer system safeguards critical assets and facilitates organizational goals being achieved.
Auditor Responsibilities
In the sense of their function, auditors must not have any direct responsibility or authority over any of the activities that they examine or could examine in the future. Operational assessments and employee performance appraisals do not, in any way, relieve employees of their professional responsibilities. Auditors must be authorized to have full and unrestricted access to relevant equipment and information including computer files, documents, records, property and employees. They must have a high degree of freedom in all audit-applicable business areas with the exception of specific restrictions imposed by law.
Internal Controls
Managing critical assets and their safeguards, controlling potential fraud, and improving effectiveness and efficiency can best be achieved if senior managers establish a structure of internal controls. There are few universal details in this area, because organizations differ in their mission and function. Let's define internal controls here in the context of formal systems that prevent, detect, and correct policy violations and unlawful and abusive events. The three most important levels of general controls are prevention, detection, and correction.
General Controls
General controls are those internal controls having wide application to most areas of business operations. For the most part, they are not limited to specific system applications and include, but are not limited to:
- Planning and organization controls
- Physical and logical access controls
- Human resources
- Risk management
- Communications controls
- System development controls
Specific Controls
In broad terms, these are controls that apply to specific applications:
- Access controls
- Data input controls (these include all system data inputs)
- Processing controls
- Output controls
The overarching governing structure for specific and general controls is that of CIA: confidentiality, integrity, and availability. In current auditing views, internal controls apply to many components, for example: separation of duties and least privilege, clear lines of authority and responsibility, adequate documentation, access control, management supervision, individual accountability, performance checks, and audit trails, to name a few.
Separation of Duties and Least Privilege
Separation of duties basically means that separate employees should be responsible for initiating transactions, processing transactions, recording those transactions, and maintaining custody of critical assets. Least privilege means that employees have the knowledge and authority to perform their jobs and nothing more. For example, in a small organization an accounts payable clerk has the responsibility of preparing billing payments. She reviews the billing for its correctness and prepares wire transfer documents. By observing the concepts of separation of duties and least privilege, she does not have the authority or the ability to release funds. So, she prepares a voucher with the attached billing documentation and submits these materials to the finance vice-president, who authorizes the transfer of funds. In the event the payment amount is over $10,000, the organization's policies and procedures mandate that two vice-presidents approve the electronic wire transfer. Once the payment is approved, the transaction information flows to another employee who is responsible for posting the transaction to the organization's financial records.
Authority and Responsibility
Clear and well-defined lines of authority and responsibility are essential in controlling systems. In today's business environment, the distinctions between authority and responsibility may not be clear, largely because many resources are shared among many users. For example, database use is common among many users in a business organization. When several authorized users have simultaneous access and, through some unknown means, the data becomes corrupted, it is not always easy to assign responsibility.
Documentation
Documents and records are essential in providing an audit trail of activities within any system. Electronic and paper-based documents are used to support the initiation, execution, payment, and recording of transactions. Documentation is intended to provide an accurate record of events and acts. Documents should provide a tangible record in which events can be reconstructed from their content. In a well-designed system, audit trails document the actions and events occurring during business operations as well as those documents required to administratively run the business.
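The accounts payable scenario above (a clerk prepares, one vice-president approves, two above $10,000, and an independent employee posts) and the audit-trail requirement in this section can be expressed as a small policy engine. The following is an added example, not code from the original text; the role names, user names, invoice amounts, and the role-to-permission table are constructed assumptions, while the $10,000 dual-approval threshold is the one stated in the text. Every attempted action, whether allowed or denied, is written to the payment's audit trail so the sequence of events can be reconstructed from the record alone.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Threshold from the text; roles and permissions below are assumptions.
DUAL_APPROVAL_THRESHOLD = 10_000

# Least privilege: each role holds exactly the actions its job requires.
ROLE_PERMISSIONS: Dict[str, set] = {
    "ap_clerk": {"prepare"},
    "vp_finance": {"approve"},
    "vp_operations": {"approve"},
    "bookkeeper": {"post"},
}


class ControlViolation(Exception):
    """Raised when an action would breach an internal control."""


@dataclass
class Payment:
    payment_id: str
    amount: float
    preparer: Optional[str] = None
    approvers: List[str] = field(default_factory=list)
    poster: Optional[str] = None
    # Audit trail: every attempted action, allowed or denied, in order.
    audit_trail: List[dict] = field(default_factory=list)

    def record(self, user: str, action: str, outcome: str) -> None:
        self.audit_trail.append({"ts": datetime.now(timezone.utc).isoformat(),
                                 "user": user, "action": action, "outcome": outcome})

    def approvals_required(self) -> int:
        return 2 if self.amount > DUAL_APPROVAL_THRESHOLD else 1

    def fully_approved(self) -> bool:
        return len(self.approvers) >= self.approvals_required()


class PaymentWorkflow:
    """Enforces least privilege (role permissions) and separation of duties
    (distinct people prepare, approve, and post) on a Payment."""

    def __init__(self, users: Dict[str, str]):
        self.users = users  # user name -> role (constructed directory)

    def _deny(self, payment: Payment, user: str, action: str, reason: str) -> None:
        payment.record(user, action, "denied: " + reason)
        raise ControlViolation(f"{user} may not {action} {payment.payment_id}: {reason}")

    def _check_permission(self, payment: Payment, user: str, action: str) -> None:
        role = self.users.get(user)
        if role is None or action not in ROLE_PERMISSIONS.get(role, set()):
            self._deny(payment, user, action, "action not permitted for role")

    def prepare(self, payment: Payment, user: str) -> None:
        self._check_permission(payment, user, "prepare")
        if payment.preparer is not None:
            self._deny(payment, user, "prepare", "already prepared")
        payment.preparer = user
        payment.record(user, "prepare", "ok")

    def approve(self, payment: Payment, user: str) -> None:
        self._check_permission(payment, user, "approve")
        if payment.preparer is None:
            self._deny(payment, user, "approve", "nothing to approve")
        if user == payment.preparer:
            self._deny(payment, user, "approve", "preparer cannot approve (separation of duties)")
        if user in payment.approvers:
            self._deny(payment, user, "approve", "same approver cannot sign twice")
        payment.approvers.append(user)
        payment.record(user, "approve", f"ok ({len(payment.approvers)}/{payment.approvals_required()})")

    def post(self, payment: Payment, user: str) -> None:
        self._check_permission(payment, user, "post")
        if not payment.fully_approved():
            self._deny(payment, user, "post", f"needs {payment.approvals_required()} approvals")
        if user == payment.preparer or user in payment.approvers:
            self._deny(payment, user, "post", "poster must be independent (separation of duties)")
        payment.poster = user
        payment.record(user, "post", "ok")


def reconstruct(payment: Payment) -> List[str]:
    """Rebuild the sequence of events from the audit trail alone."""
    return [f"{e['user']} {e['action']}: {e['outcome']}" for e in payment.audit_trail]


def run_demo() -> Payment:
    """Constructed scenario: a $12,500 invoice, which needs two VP approvals."""
    wf = PaymentWorkflow({"alice": "ap_clerk", "bob": "vp_finance",
                          "carol": "vp_operations", "dan": "bookkeeper"})
    pmt = Payment("INV-0001", 12_500.00)
    wf.prepare(pmt, "alice")
    attempts = [("alice", "approve"), ("bob", "approve"), ("dan", "post"),
                ("carol", "approve"), ("dan", "post")]
    for user, action in attempts:
        try:
            getattr(wf, action)(pmt, user)
        except ControlViolation:
            pass  # the denial is already in the audit trail
    return pmt


if __name__ == "__main__":
    for line in reconstruct(run_demo()):
        print(line)
```

Running the demo shows the clerk's attempt to approve her own voucher and the bookkeeper's premature posting both denied and recorded, then the second vice-president's approval and the final posting; the denied attempts are as valuable to an auditor as the successful ones, which is why the trail records both.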
Performance Checks and Accountability
Checks of performance and accountability are done by auditors because employees are likely to forget policies and procedures, make genuine mistakes, become careless or negligent, or intentionally fail to follow procedures. Individual employee accountability is tied to performance and competence, as well as to continuing responsibility.