Help Source Q&A

I am moving from IT operations and consulting to the IS audit area. What are the essential personal skills IS auditors should possess to effectively carry out audit work?

Welcome to the club. I moved to IS audit from operations approximately two decades ago. Initially, it was a struggle to develop what is called the “auditor’s mindset” and the only guidance available was from senior professionals. Although there had been guidance available from ISACA^® and the International Organization for Standardization (ISO), auditors had to work hard since the Internet had not yet proliferated.

ISACA’s IT Audit Framework (ITAF), 4^th Edition¹ and its Code of Professional Ethics² help auditors develop required personal qualities. ITAF helps auditors perform effective audit work professionally.

ISO standard ISO 19011:2018 Guidelines for auditing management systems³ provides detailed guidance for auditors. It also describes some desired personal qualities for those involved in audit of management systems and appropriate guidelines for implementing standards.

Some of those personal qualities include:

• Ethical behavior—An auditor’s behavior should be ethical, fair and truthful. Auditors should be sincere and honest to stakeholders and discreet about findings and decisions. Although ethical behavior is not defined explicitly, ISACA’s Code of Professional Ethics helps define what constitutes ethical behavior.
• Open to communication—Auditors must be open-minded and listen to different points of view from colleagues and auditees. This is important because at times it can be difficult for an auditor to move away from convictions.
• Observant and alert—An auditor should be observant. This is important because, often, observing an auditee performing tasks helps the auditor identify possible weaknesses.
• Adaptable and agile—Auditors should be able to perceive and adapt to different situations. There are many factors auditors need to understand about the auditee (e.g., size of organization, size of IT team, type of IT outsourcing the organization engages).
• Focused—Auditors must be focused to ensure that the objectives of an audit are achieved.
• Analytical—It is important that the auditor is able to analyze evidence and arrive at logical conclusions about control effectiveness.
• Self-reliant—Auditors should be self-reliant; however, while performing IS audits, auditors sometimes may have to rely on other experts. The auditor should be able to decide when to rely on such work and when to perform it again.
• Independent—Auditors must ensure that before accepting audit engagements they are independent of the auditee both personally and professionally to avoid any potential conflicts of interest.
• Competent—Auditors should perform with competence and should be willing to continue to learn and develop professionally while performing IS audits. To perform with competence, the auditor should also possess knowledge and expertise in risk management and project management. Risk management is required because auditors need to assess risk to the audit work and also be able to understand risk to auditee areas. Project management skills are necessary because every audit is a project that has to be completed in time and within budget, and deliver desired quality output in the form of the audit report.

Based on these personal qualities I have developed three rules that auditors should always follow:

1. Do not hesitate to ask questions. Some may say this rule is obvious―it is an auditor’s job to ask questions. However, when IS auditors are interacting with IT professionals employed by the auditee, the IT professionals often use technical jargon and abbreviations to explain the IT setup to be audited. This, coupled with fast-changing technology, often puts auditors at a disadvantage. In addition, many organizations have their own informal abbreviations that may be unknown to IS auditors. There is nothing wrong with using professional jargon as long as all communicating parties are familiar with it. Some organizations implement unique IT solutions required for their business process automations that auditors may not know.
   
   When IS auditors comes across unknown terms, some hesitate to ask for explanations out of fear that the auditee may think the auditor does not know technology or is asking silly questions. Auditors need to keep in mind that unless they understand the auditee’s technology setup and its uses, the audit cannot be effective.
2. Listen carefully and completely. During audit work, auditors must have discussions with auditees to understand the technology and processes in use. It may be that auditees have processes unique to their specific business requirements. In such cases, an auditor must ask for detailed explanations of a technology implementation. The challenge here is that when we are listening, our minds form images of the subject being described. If an auditor does not listen carefully and completely, the image formed may be different from what the auditee is describing. Auditors must apply the first and second rule in such cases to ensure that they and the auditee have the same level of understanding. This also happens when an auditee does not have complete documentation and demonstrating technology may not be possible. Auditors should first understand the business functionality supported by the technology. This helps with understanding the controls the business requires for implementation in technology solutions.
3. Focus on functionality and relate it to business. Innovation and emerging technologies in IT have made it impossible for one person to be expert in all of IT. Moreover, everyday, new solutions based on emerging technologies are developed and deployed. IS auditors may face challenges while conducting IS audits of such implementations because they need to understand new solutions. In these situations, important questions include “What is the purpose of this solution?” and “Which business function does it support?” An auditor who understands the business function knows what controls need to be implemented. Those business-related controls can be assessed, followed by technology controls, to provide the auditor with a basic level of assurance on the impact of controls on the business.
   
   Another important step is analyzing evidence and preparing a list of findings for discussion with the auditee. The best approach is to relate these findings to business objectives to determine the level of risk. Management may be interested in addressing high-risk areas as top priorities.

Once these three rules supported by the standards and guidelines from ITAF and ISO are adopted, IS audit becomes a value-added endeavor for auditees.

Endnotes

¹ ISACA^®, IT Audit Framework (ITAF), 4^th Edition, USA, 2020, https://www.isaca.org/itaf
² ISACA, Code of Professional Ethics, USA, https://www.isaca.org/credentialing/code-of-professional-ethics
³ International Organization for Standardization (ISO), ISO 19011:2018 Guidelines for Auditing Management Systems, Switzerland, 2018, https://www.iso.org/standard/70017.html

SUNIL BAKSHI | CISA, CRISC, CISM, CGEIT, CDPSE, AMIIB, MCA

Has worked in IT, IT governance, IS audit, information security and IT risk management. He has 40 years of experience in various positions in different industries. Currently, he is a freelance consultant in India.