
The Current State of Internal Auditing
Norman Marks, SAP BusinessObjects division
Posted on Jul. 02, 2009 02:16 PM in Governance, Risk and Compliance

URL: http://www.informaworld.com/smpp/content~db=all~content=a912832223


Norman Marks and Jay R. Taylor have been practitioners and thought leaders in the internal auditing profession for many years. In this article, they bring their combined experience and perspectives, as well as the results of their very broad networking with other leaders around the globe, to assess the current state of internal auditing and share their views on where the practice should be heading. While both have senior positions within their organizations, and are very active within the IIA and ISACA, the views expressed are theirs and theirs alone.

In this article, Jay and Norman review high-level issues such as standard-setting and leadership of the profession, and where internal auditing should report. They then consider each major aspect of internal auditing (such as audit planning and risk assessment; performance of individual audits; staffing and resources; the use of technology; fraud and investigations; the quality of audit reporting and other communications; and value-add consulting and other services). The authors discuss how internal auditing has improved and where opportunities for enhanced performance can be found in each area.

Norman Marks is the internal practitioner on SAP BusinessObjects' GRC product team.




Even though the article has only been in circulation for a couple of days, a number of leading internal audit (including IT audit) practitioners and consultants have already commended the authors on some of their more insightful comments, such as the need for the profession to have a single source of standards and guidance. We welcome your comments. Feel free to share this document. We have been given free access for the next 90 days.
Showing messages 1 through 3 of 3.

  • Audit - Going Forward
    2009-07-04 06:09:19 Babu Jayendran

    At the very outset, thank you for sharing the article and I must admit it is thought provoking.


    Having spent many years in the audit profession, I do believe that there is a need for improving the skills and approach of audit. I am quoting below two points from your closing thoughts and would like to add my comments:


    • Continued improvements are necessary in addressing IT as part of and not separate from business risk
    • CAEs need to raise the bar on the level of IT-related risk and control knowledge expected of and held by the non-IT members of the team (business auditors), particularly those aspiring to supervisory or leadership positions within internal audit


    Most organizations work today in two silos, i.e. business and technology. Both silos speak ‘different languages’. Organizations are busy interfacing systems using technology but the important part is to interface the two silos, namely business and technology. I suppose the BPX community has evolved due to this need. Technology is only a business enabler and I totally agree with your first comment, indicated above.


    In terms of risks and controls and to be effective in internal audit, the auditor has to cover all the following areas:


    • Application
    • Database
    • Operating System
    • Network


    I completely agree with Julius’s comment “…..The biggest problem in auditing in my opinion are the various check-lists which auditors (both internal and external) have….” Check lists are only a ‘road map’ and if the auditor does not have a very good understanding of its contents it is not possible to do justice to an audit. A general auditor will definitely not be effective if he or she carries out the audit using check lists for covering Applications, Databases, Operating Systems and Networks.


    Let us consider a scenario of an organization running SAP, with an Oracle Database on UNIX. In order to give comfort to the organization and to ensure that all risks are covered it is important that specialist auditors in each of these areas are used in the audit. The supervisor of the audit team should be aware of the risks in all the layers and consolidate the findings in the final report. I therefore fully endorse your second comment, indicated above.

    Let us look at a review of Segregation of Duties (SOD) in the SAP environment. The auditor definitely needs to have a very good understanding of:


    • The risks and controls of business processes in SAP
    • The roles and authorization concepts in SAP
    • The critical and conflicting Tcodes in SAP
    • The working of Compliance Calibrator or any other SOD tool
    • The SOD concepts pertaining to initiating, authorizing, recording, processing and reporting


    The auditor’s knowledge should cover all of the above; if not, there would be gaps in the review. A check list cannot replace the in-depth knowledge an auditor possesses.
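Editor's added example (not part of Babu Jayendran's comment, and not code from SAP or any SOD tool such as Compliance Calibrator): a small segregation-of-duties check that maps transaction codes to the initiating/authorizing/recording/processing functions above and flags users whose combined role assignments grant a conflicting pair. The tcodes are real SAP transaction codes, but the function grouping, the conflict rule set, the role names (Z_*) and the user IDs are all constructed for illustration and are not an official or complete rule set. The point it demonstrates is the one in the comment: a conflict can arise only from the combination of two individually clean roles, which a per-role or per-report check list will not surface.

```python
"""Added example: SOD conflict detection over constructed SAP-style
user/role/tcode assignments. Rule set and data are illustrative only."""
from itertools import combinations

# Constructed mapping of transaction codes to SOD-relevant functions.
# Tcode names are real SAP transactions; the grouping is a simplification.
TCODE_FUNCTION = {
    "XK01": "vendor_master",    # create vendor master record
    "ME21N": "purchase_order",  # create purchase order
    "MIGO": "goods_receipt",    # post goods receipt
    "MIRO": "invoice_entry",    # enter incoming vendor invoice
    "F110": "payment_run",      # automatic payment run
    "SU01": "user_admin",       # user maintenance
    "PFCG": "role_admin",       # role maintenance
}

# Constructed conflict rules: pairs of functions one person should not hold.
CONFLICT_RULES = {
    frozenset({"vendor_master", "invoice_entry"}): "maintain vendor and post its invoices",
    frozenset({"vendor_master", "payment_run"}): "maintain vendor and release payments",
    frozenset({"purchase_order", "goods_receipt"}): "order goods and confirm their receipt",
    frozenset({"invoice_entry", "payment_run"}): "record a liability and pay it",
    frozenset({"user_admin", "role_admin"}): "maintain users and the roles granting their access",
}

# Constructed role definitions (hypothetical Z_* roles) and user assignments.
ROLE_TCODES = {
    "Z_PURCHASER": {"ME21N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_AP_CLERK": {"MIRO"},
    "Z_VENDOR_MAINT": {"XK01"},
    "Z_TREASURY": {"F110"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG"},
}
USER_ROLES = {
    "PURCH01": {"Z_PURCHASER"},
    "AP01": {"Z_AP_CLERK", "Z_VENDOR_MAINT"},  # conflict only across two roles
    "WH01": {"Z_WAREHOUSE"},
    "BASIS01": {"Z_BASIS_ADMIN"},               # conflict inside a single role
}


def functions_by_role(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES,
                      tcode_function=TCODE_FUNCTION):
    """Return {function: set of roles that grant it} for one user."""
    granted = {}
    for role in user_roles.get(user, ()):
        for tcode in role_tcodes.get(role, ()):
            func = tcode_function.get(tcode)
            if func is None:
                continue  # tcode not mapped to an SOD-relevant function
            granted.setdefault(func, set()).add(role)
    return granted


def sod_conflicts(user, rules=CONFLICT_RULES, **kw):
    """Return [(sorted function pair, sorted roles involved, description)]."""
    funcs = functions_by_role(user, **kw)
    found = []
    for f1, f2 in combinations(sorted(funcs), 2):
        desc = rules.get(frozenset({f1, f2}))
        if desc:
            found.append(((f1, f2), tuple(sorted(funcs[f1] | funcs[f2])), desc))
    return found


def role_conflicts(role):
    """Conflicts a single role carries on its own (probe via a synthetic user)."""
    return sod_conflicts("_probe", user_roles={"_probe": {role}})


def review_all(user_roles=USER_ROLES):
    """Run the check for every user; empty list means no conflict found."""
    return {u: sod_conflicts(u, user_roles=user_roles) for u in sorted(user_roles)}


if __name__ == "__main__":
    for user, conflicts in review_all().items():
        for (f1, f2), roles, desc in conflicts:
            print(f"{user}: {f1} + {f2} via {', '.join(roles)} ({desc})")
```

Running it reports AP01 (vendor_master + invoice_entry, granted by two separate roles that are each clean on their own) and BASIS01 (user_admin + role_admin inside one role); PURCH01 and WH01 are clean. In a real review the mapping would come from the role's authorization objects rather than only from tcodes, and from the organization's own rule set.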

  • Link does not work and a comment.
    2009-07-02 15:05:24 Julius von dem Bussche

    The link does not work, at least not for me.


    The biggest problem in auditing in my opinion are the various check-lists which auditors (both internal and external) have.


    They typically have many "check table xyz" and "run report abc" instructions in them.


    Regardless of the skills of the auditor (particularly if they are skilled), this creates a problem in the SAP world as reports and tables are not classed as "entry points" such as tcodes, RFCs and services are.


    Auditors, and the attempt to create a "display all" access and also use it for support etc., is in my opinion a security hazard caused by this.


    It would be nice to see some standardization which meets auditability requirements, and make this standardly available in the SAP system.


    The AIS attempted to do this and is a cool tool - but few auditors stick to it or ask for it when they rock up on Monday morning, unprepared but with their check-list in hand.


    Just my opinion.


    Cheers,
    Julius

