Challenges to Information Technologies (IT) Auditors as Advisors and How Information Technology Auditing Framework (ITAF) Can Help
Information security practitioners are probably aware of the security principles embodied in the CIA triad: confidentiality, integrity and availability.
The triad is a model that is used as a basis for security policies and practices.
The performance of advisory services could easily have a similar triad built on the principles of independence, objectivity and professional skepticism.
Advisory Services Triad
These principles, which are described in the Information Technology Audit Framework (ITAF), can form the basis of a model that addresses challenges to the IT auditor’s ability to function in an advisory role.
ITAF is a comprehensive IT audit framework that:-
Specifically, the audit function would have to clearly state to management that the work being performed was not an audit, and that its non-audit services were not performed in accordance with the Government Accountability Office's Generally Accepted Government Auditing Standards (GAGAS).
Assuming, however, that an enterprise is not subject to a restriction similar to GAGAS, and that the enterprise’s audit charter authorizes IT auditors to perform advisory services, practitioners can rely on ITAF.
ITAF (Information Technology Auditing Framework) includes:-
On occasion, the IT auditor’s expertise in a particular area may result in management seeking advice.
Providing this routine advice on IT risk or controls is viewed as assisting management in the performance of its duties, not assuming managerial duties.
Consequently, there is no impairment to independence.
If, however, the IT auditor is called upon to make management decisions, the auditor may be influenced by senior management or the executive level of the enterprise.
As a result, independence may be impaired.
Examples of activities that could involve management decisions include:-
ITAF recommends documentation of the advisory service with IT audit management (and/or those charged with governance) regarding:-
If the advisory services can result in any impairment of independence (in fact or in appearance), the IT audit function should discuss the potential impairment with those charged with governance and oversight of the audit function (e.g., the board of directors and/or the audit committee).
If the description of advisory services appears not to impair independence and the IT auditor begins the engagement, the IT auditor should remain mindful of undue influence, another potential impairment to independence.
Should impairment occur after the engagement is initiated, the IT auditor should immediately discuss the issue with IT management and the enterprise governance and oversight function.
Impaired Objectivity
Impairments to independence can be identified easily through exploration of the IT auditor’s involvement in managerial activities.
Impaired objectivity may be more difficult to identify, however, because of its broader scope. It may involve several elements, such as:-
This may happen when the IT auditor has expertise in a particular area and management has a challenge in that area or wants to launch a related project.
Between performance of the advisory services and performance of an audit, the IT auditor may perceive that a career opportunity may be jeopardized if unfavourable findings in the audit are reported.
This vested interest in preserving the relationship with IT operations management could impair objectivity.
It can create familiarity at a level that precludes the IT auditor from being objective when the auditor subsequently resumes audit work in the area. This impaired objectivity may range from management seeking a sympathetic ear from the auditor to enlisting the auditor as its advocate. To address these circumstances, if an auditor’s interest in a possible transfer to an operational IT role is known, the IT auditor should not perform audits in that particular area.
Also, ITAF advises the IT audit function to rotate audit assignments periodically to mitigate familiarity between auditors and management.
Further, an IT auditor who performed direct management responsibilities in any given area should not audit that area.
Professional Skepticism
Unlike independence and objectivity, which can be impaired, professional skepticism is a potential safeguard. In the audit realm, professional skepticism is most frequently associated with the auditor making a critical assessment of audit evidence. ITAF requires the auditor to have a questioning mind and demonstrate professional skepticism.
Professional skepticism is a skill that the IT auditor uses in audit and assurance engagements. Similar to these engagements, exercising professional skepticism during advisory services means asking the right questions.
The IT auditor should recognize that in some environments, professional skepticism is encouraged in principle, but not supported in practice. An IT auditor faced with a choice between exercising professional skepticism to avoid independence or objectivity impairment and ‘not making waves’ should opt for preservation of independence and objectivity.
For advisory services, professional skepticism takes on additional importance because it can help the auditor navigate circumstances that may lead to impairment of independence or objectivity. Even if participation in an advisory engagement has been vetted and approved, the IT auditor benefits from continuing to question the work that is to be performed. The description of the project provided prior to the start of the advisory services may appear to be free of any potential impairment.
Once the work begins, however, the auditor should ensure that particular tasks (either unknown or undisclosed in the overall project description) do not impair (or appear to impair) independence and/or objectivity. To recap, prior to participating in an advisory service, the IT audit function should determine that its intended participation complies with the terms of its audit charter. If there are circumstances where the IT auditor’s participation in advisory services gives the enterprise’s audit committee pause, consideration should be given to the:-
Encourage IT auditors to gain reasonable assurance that the work is outsourced only to experts possessing the required professional competence. Furthermore, the IT auditor should collaborate with the alternative resources to facilitate personal development of knowledge and skills in the outsourced area.