
Weblog:    The Current State of Internal Auditing
Subject: Audit - Going Forward
Date: 2009-07-04 07:20:59
From: Norman Marks
Response to: Audit - Going Forward


Babu, thank you for your comments. They are much appreciated.


With respect to understanding the business risks, I have too often seen internal and, especially, external auditors perform an audit of segregation of duties based on a checklist of the conflicts they are used to seeing. For example, when I was at Maxtor the external auditor's tests looked for and found individuals with access to both the HR and payroll modules in the US. However, Maxtor didn't use the SAP payroll module in the US, only in Asia. So they wasted their time and our money.


That is why I believe auditors need to understand the business risks, how technology failures might affect them, and only then audit the controls that would prevent/detect these critical technology failures.


The same concept applies within the organization. Security professionals should not implement and apply resources managing risks that don't exist. That can happen if they don't understand business risks but work from a technology-only risk assessment or vulnerability study. They are also likely to fail to address a risk - such as when critical information is on assets managed outside IT, or when departments outside IT (such as in Engineering) manage servers and routers.


Thanks again
Norman


  • Audit - Going Forward
    2009-07-07 22:21:02 Krishna Mohan Unnam

    Very interesting and relevant discussion.


    As an auditor, the knowledge you acquire always seems to be insufficient because the very nature of the audit profession is to review various different systems / processes etc.


    The checklists are there only to guide us as a baseline to start with. These checklists save a lot of time and also transfer knowledge in a very structured manner. The business knowledge and business risk knowledge for considering what needs to be checked or audited is part of the audit planning, where auditors as part of the scoping exercise map the business processes and identify various applications to be reviewed. There are chances of errors and hence audit planning, scoping and checklists, audit programs do change as we progress conducting audits. However, checklists have their own important and limited role in the process. The minimum we expect them to do is to cover testing of important controls. Checklists, however exhaustive they are, cannot become the end or final source for conducting the audits.


    The auditor’s endeavor is to reduce the chances of errors in scoping, coverage, relevance, etc. All these things put together make audit a challenging profession.


    The need to improve on skills and knowledge in the audit profession is high, and it is increasing due to the convergence of technology and business processes.


    Regards,
    Krishna

