Evidence Collection: Evidence Is not just Evidence
There are three techniques used by auditors in collecting evidence that allow them to understand an organization and its application systems:
Make a judgment about the levels of inherent risk associated with an organization's management and its application systems.
Obtain an understanding of an organization's controls sufficient to make a judgment about the types and levels of controls in the applications system.
Design and perform tests of the existence and reliability of controls on which the organization can depend.
Auditors commonly use the evidence collecting techniques of interviews, questionnaires, and flowcharts to complete their audits.
Interviews
Auditors use interviews to obtain qualitative and quantitative information during their evidence collection efforts. Their objectives are to elicit candid, complete and honest answers from the interviewees. At this point, it is important to differentiate between interviews and interrogations. The reason behind an interrogation is to elicit information about some wrongdoing. Inherently, it is an intrusive method of obtaining information using accusatory language and demeanor. Interviewing is a technique for eliciting information from someone who has more information than the interviewer, who is requesting a response from a fellow professional. It is a kinder, gentler approach to eliciting information than an interrogation.
Auditors must conduct effective interviews, but first, they must understand the interviewee's motivation for answering the auditor's questions. Usually, the respondent's motivation to reply to questions asked during the interview is a function of whether they perceive the interview as a means of reaching their goals or obtaining something they want. For example, if a respondent sees the audit as a process that assists them in attaining their performance goals, they will likely answer questions frankly and directly. However, if the interviewee views the auditor's interview as a process hindering their work, it is possible their answers will be evasive, incomplete, and even antagonistic. Wise auditors ask themselves, "What's in the interview for the respondent?"
Interview Preparation
Auditors may control the amount of interview stress by limiting the number of difficult questions asked. In this fashion, more stressful interviews should be shorter. Experienced auditors take sufficient steps to alleviate any respondent fears before the interview begins. Interviewers should be aware of the interviewee's desire to pursue topics that interest them if they perceive the auditor to be a responsible person. The auditor's task is one of establishing a professional rapport as quickly and effectively as possible. This is another one of those good judgment areas for auditors. Adept auditors clearly communicate the purpose and intent of the interview at the outset to show empathy and a professional, responsible demeanor, and to promote mutual trust and respect.
Doing Your Homework
Before beginning an interview, auditors should be mindful that the information they require is not available from anywhere else. Frankly, if interviewees perceive the interview is a waste of their time, they may become uninterested and less than forthright. Doing their homework involves identifying the employees who can provide the best information on a particular topic. Organizational charts are usually the first source.
Another good source of information is the organization's line-of-authority documentation and brief job descriptions. Through senior managers, auditors may obtain an idea as to the division of business units and corresponding employee responsibilities. Additionally, senior managers may wish to make introductions between their employees and the auditors. Senior managers can be very helpful in locating facilities for performing interviews where the atmosphere is not disruptive and scheduling mutually convenient times.
Interview content must be thoroughly prepared before beginning the interview. Nothing will leave a respondent colder than an auditor who has no idea about what they want to do during the interview. Auditors should make a list of goals they wish to achieve during the interview. Some auditors go so far as having a script of questions they want to ask divided by specific topic area.
Auditors may use open or closed questions in their interviews. Closed questions merely require a yes or no answer. Open questions usually begin with the words: how, why, when, who, or what. Open questions may be asked at the beginning of topic areas followed by closed questions where more clarification is needed. For example, "What are the types of controls you have over the entry of data from credit card applications?" This question might be followed by "Do you have manual or automated data input quality inspections?"