The Auditor’s Dilemma

Author: Sunil Bakshi, CISA, CRISC, CISM, CGEIT, CDPSE, AMIIB, MCA
Date Published: 9 November 2020

Recently, the COVID-19 pandemic and its effects on the IT industry brought back a memory from my work as an auditor. It dates from some years ago, when I had just passed my Certified Information Systems Auditor® (CISA®) exam and was eager to conduct system audits. I had prior auditing experience and had implemented IT measures, with appropriate controls, across organizations. My CISA certification added value to that experience by giving me insight into how to evaluate decisions from a risk and control perspective, and I was eager to apply that insight in practice.

My organization had more than 1,200 offices that required aggressive IT implementation. Management wanted that implementation to be appropriate and aligned with organizational goals, and wanted it assessed accordingly. To enable that assessment, management decided to have CISA-certified officials train the internal auditors in how to conduct technology audits.

During one such training session, there was a discussion about an auditor’s responsibilities. One of the participants, the head of internal audit and a member of top management, referred me to a newspaper item about Parliament’s Controller and Auditor-General raising a question about a policy decision made by Parliament. A senior Member of Parliament (MP), a lawyer by profession, had challenged the auditor, stating: “Parliament is the highest authority in the country, and the Controller is appointed by, and reports to, Parliament. How can the Controller raise a question against a policy that has been approved by Parliament?” The participant’s question to me was: “The MP is right. How can an auditor question the highest authority, the one that is empowered to make policy decisions?”

For a minute I was confused, since prima facie the MP’s logic appeared plausible. That made me go back to the basics of auditing. One of the key principles of audit is that auditors should always focus on the interest of the stakeholders. I put the principle to the audience and asked, “Who is the main stakeholder in this case?” After a few minutes of silence, the participants answered, “I get your point. Parliament is the highest authority; however, that authority has been given to it by the citizens of our country. Therefore, if the Controller finds a Parliament decision detrimental to the interest of the citizens, the Controller has the right to challenge the decision of the highest authority.”

In my audit role, I have come across many such situations where I had to raise queries against decisions made by the senior management and boards of directors of auditee organizations, particularly with respect to outsourcing IT or acquiring IT solutions. These queries were challenged and argued vehemently by members of senior management. Their favorite defense has been: “We are business experts, not technology experts.” I used to counter with: “I agree that you do not understand technology, but if you are business experts, you should ask this question: ‘How can this technology help my business?’” In most cases, I was able to convince them of my findings.

Some important auditing best practices to remember are:

  • Auditors should always focus on the interest of the highest stakeholder.
  • Auditors are independent of the auditee and should not themselves be stakeholders, except in the normal course of business.
  • Auditors must ask questions without hesitation. There is no such thing as a stupid question. Getting answers will always help in performing audits appropriately.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.