
Weblog:    The Current State of Internal Auditing
Subject: Audit - Going Forward
Date: 2009-07-04 06:09:19
From: Babu Jayendran


At the very outset, thank you for sharing the article and I must admit it is thought provoking.


Having spent many years in the audit profession, I do believe that there is a need for improving the skills and approach of audit. I am quoting below two points from your closing thoughts and would like to add my comments:


• Continued improvements are necessary in addressing IT as part of and not separate from business risk
• CAEs need to raise the bar on the level of IT-related risk and control knowledge expected of and held by the non-IT members of the team (business auditors), particularly those aspiring to supervisory or leadership positions within internal audit


Most organizations work today in two silos, i.e. business and technology. Both silos speak ‘different languages’. Organizations are busy interfacing systems using technology but the important part is to interface the two silos, namely business and technology. I suppose the BPX community has evolved due to this need. Technology is only a business enabler and I totally agree with your first comment, indicated above.


In terms of risks and controls and to be effective in internal audit, the auditor has to cover all the following areas:


• Application
• Database
• Operating System
• Network


I completely agree with Julius’s comment “…The biggest problem in auditing in my opinion are the various check-lists which auditors (both internal and external) have…” Check lists are only a ‘road map’ and if the auditor does not have a very good understanding of their contents it is not possible to do justice to an audit. A general auditor will definitely not be effective if he or she carries out the audit using check lists for covering Applications, Databases, Operating Systems and Networks.


Let us consider a scenario of an organization running SAP, with an Oracle Database on UNIX. In order to give comfort to the organization and to ensure that all risks are covered it is important that specialist auditors in each of these areas are used in the audit. The supervisor of the audit team should be aware of the risks in all the layers and consolidate the findings in the final report. I therefore fully endorse your second comment, indicated above.

Let us look at a review of Segregation of Duties (SOD) in the SAP environment. The auditor definitely needs to have a very good understanding of:


• The risks and controls of business processes in SAP
• The roles and authorization concepts in SAP
• The critical and conflicting Tcodes in SAP
• The working of Compliance Calibrator or any other SOD tool
• The SOD concepts pertaining to initiating, authorizing, recording, processing and reporting


The auditor’s knowledge should cover all of the above; if not, there would be gaps in the review. A check list cannot replace the in-depth knowledge an auditor possesses.


  • Audit - Going Forward
    2009-07-04 07:20:59 Norman Marks (SAP Employee)

    Babu, thank you for your comments. They are much appreciated.


    With respect to understanding the business risks, I have too often seen internal and, especially, external auditors perform an audit of segregation of duties based on a checklist of the conflicts they are used to seeing. For example, when I was at Maxtor the external auditor's tests looked for and found individuals with access to both the HR and payroll modules in the US. However, Maxtor didn't use the SAP payroll module in the US, only in Asia. So they wasted their time and our money.


    That is why I believe auditors need to understand the business risks, how technology failures might affect them, and only then audit the controls that would prevent/detect these critical technology failures.


    The same concept applies within the organization. Security professionals should not implement and apply resources managing risks that don't exist. That can happen if they don't understand business risks but work from a technology-only risk assessment or vulnerability study. They are also likely to fail to address a risk - such as when critical information is on assets managed outside IT, or when departments outside IT (such as in Engineering) manage servers and routers.


    Thanks again
    Norman
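The review Babu describes (conflicting Tcodes, roles and authorizations, the split between initiating, authorizing, recording and processing) and the scoping problem Norman raises in his reply (a checklist test for HR-plus-payroll access run against an entity that does not use the payroll module) can both be shown with a small conflict check. This is an added example, not code from the original thread, from SAP or from any SOD tool: the rule set, role definitions, user assignments and module-in-use table are all constructed, and the transaction codes attached to each function are assumptions for illustration rather than a vendor rule set.

```python
"""Minimal SOD conflict check over SAP-style role assignments (added example).

All data below is constructed. The tcodes per function are assumptions used
for illustration, not a vendor-maintained rule set.
"""
from typing import Dict, List, Set, Tuple

# Constructed SOD rule set: two conflicting functions, the (assumed) tcodes
# that grant each, and the module the rule belongs to.
SOD_RULES = [
    {"id": "P2P-01", "module": "MM", "risk": "Create and release own purchase order",
     "func_a": ("Create purchase order", {"ME21N"}),
     "func_b": ("Release purchase order", {"ME29N"})},
    {"id": "P2P-02", "module": "FI", "risk": "Enter vendor invoice and run payment",
     "func_a": ("Enter vendor invoice", {"MIRO", "FB60"}),
     "func_b": ("Run payment program", {"F110"})},
    {"id": "HR-01", "module": "HR-PY", "risk": "Maintain HR master data and run payroll",
     "func_a": ("Maintain HR master data", {"PA30"}),
     "func_b": ("Run payroll", {"PC00_M10_CALC"})},
    {"id": "BASIS-01", "module": "BASIS", "risk": "Create users and assign roles",
     "func_a": ("Maintain users", {"SU01"}),
     "func_b": ("Maintain roles", {"PFCG"})},
]

# Constructed role definitions: role -> transaction codes it grants.
ROLE_TCODES: Dict[str, Set[str]] = {
    "Z_MM_BUYER": {"ME21N", "ME23N"},
    "Z_MM_RELEASER": {"ME29N"},
    "Z_FI_AP_CLERK": {"MIRO", "FB60"},
    "Z_FI_PAYMENTS": {"F110"},
    "Z_HR_ADMIN": {"PA30"},
    "Z_HR_PAYROLL": {"PC00_M10_CALC"},
    "Z_BASIS_USER_ADMIN": {"SU01", "PFCG"},
}

# Constructed user master: user -> (operating entity, assigned roles).
USERS: Dict[str, Tuple[str, Set[str]]] = {
    "ALICE": ("US", {"Z_MM_BUYER", "Z_MM_RELEASER"}),
    "BOB": ("US", {"Z_FI_AP_CLERK"}),
    "CAROL": ("US", {"Z_HR_ADMIN", "Z_HR_PAYROLL"}),
    "DAVE": ("ASIA", {"Z_HR_ADMIN", "Z_HR_PAYROLL"}),
    "ERIN": ("ASIA", {"Z_BASIS_USER_ADMIN"}),
}

# Constructed scoping input from audit planning: modules each entity actually
# runs. Payroll is live only in ASIA, the situation Norman's reply describes.
MODULES_IN_USE: Dict[str, Set[str]] = {
    "US": {"MM", "FI", "BASIS"},
    "ASIA": {"MM", "FI", "BASIS", "HR-PY"},
}


def effective_tcodes(user: str) -> Set[str]:
    """Union of tcodes granted by every role assigned to the user."""
    _, roles = USERS[user]
    tcodes: Set[str] = set()
    for role in roles:
        tcodes |= ROLE_TCODES.get(role, set())
    return tcodes


def find_conflicts(scope_by_entity: bool = True) -> List[dict]:
    """Report users holding both sides of an SOD rule.

    With scope_by_entity=True a rule is only evaluated where the module it
    belongs to is in use for the user's entity, so a bare checklist hit on a
    module the entity never runs is not reported as a finding.
    """
    findings: List[dict] = []
    for user, (entity, _) in sorted(USERS.items()):
        tcodes = effective_tcodes(user)
        for rule in SOD_RULES:
            if scope_by_entity and rule["module"] not in MODULES_IN_USE[entity]:
                continue
            hit_a = tcodes & rule["func_a"][1]
            hit_b = tcodes & rule["func_b"][1]
            if hit_a and hit_b:
                findings.append({
                    "user": user, "entity": entity, "rule": rule["id"],
                    "risk": rule["risk"], "evidence": sorted(hit_a | hit_b),
                })
    return findings


if __name__ == "__main__":
    for label, scoped in (("checklist only", False), ("scoped to modules in use", True)):
        print(f"== {label} ==")
        for f in find_conflicts(scoped):
            print(f"{f['user']:6} {f['entity']:5} {f['rule']:9} {f['risk']} {f['evidence']}")
```

Run unscoped, the check reports CAROL (US) as an HR-01 conflict exactly as the checklist test in Norman's story did; with scoping applied the US entity has no payroll module, so only ALICE, DAVE and ERIN remain and audit time is spent on conflicts that correspond to a real business risk. The evidence list is what a supervisor consolidating findings across layers would want attached to each line.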

    • Audit - Going Forward
      2009-07-07 22:21:02 Krishna Mohan Unnam

      Very interesting and relevant discussion.


      As an auditor, the knowledge you acquire always seems to be insufficient because the very nature of the audit profession is to review various different systems / processes etc.


      The check lists are there only to guide us as a baseline to start with. These check lists save a lot of time and also transfer knowledge in a very structured manner. The business knowledge and business risk knowledge for considering what needs to be checked or audited is part of the audit planning, where auditors as part of the scoping exercise map the business processes and identify various applications to be reviewed. There are chances of errors and hence audit planning, scoping and checklists, audit programs do change as we progress conducting audits. However, check lists have their own important and limited role in the process. The minimum we expect them to do is to cover testing of important controls. Check lists, however exhaustive they are, cannot become the end or final source of conducting the audits.


      An auditor’s endeavor is to reduce the chances of errors in scoping, coverage and relevance etc. All these things put together make audit a challenging profession.


      The need to improve on skills and knowledge in the audit profession is high and it is increasing due to the convergence of technology and business processes.


      Regards,
      Krishna

