Challenges to Information Technologies (IT) Auditors as Advisors and How Information Technology Auditing Framework (ITAF) Can Help
Information security professionals are probably aware of the security principles embodied in the CIA triad: Confidentiality, Integrity and Availability.
The triad is a model that is used as a basis for security policies and practices.
The performance of advisory services could easily have a similar triad built on the principles of Independence, Objectivity and Professional Skepticism.
[Figure: Advisory Services Triad]
These principles, which are described in the Information Technology Audit Framework (ITAF), can form the basis of a model that addresses challenges to the IT auditor’s ability to function in an advisory role.
ITAF is a comprehensive IT audit framework that:-
- Establishes standards that address IT Audit and Assurance Practitioners’ roles and responsibilities, ethics, expected professional behaviour, and required knowledge and skills
- Defines terms and concepts specific to IT audit and assurance
- Provides guidance, tools and techniques for the planning, performance and reporting of IT audit and assurance engagements
Before taking on an advisory role, the IT auditor should confirm the entity’s expectations regarding advisory services.
Specifically, the audit function would have to state clearly to management that the work being performed was not an audit, and that its non-audit services were not performed in accordance with the Government Accountability Office’s Generally Accepted Government Auditing Standards (GAGAS).
Assuming, however, that an enterprise is not subject to a restriction similar to GAGAS, and that the enterprise’s audit charter authorizes IT auditors to perform advisory services, practitioners can rely on ITAF.
ITAF includes:-
- Perspectives on how to minimize potential impairment of independence or objectivity
- Advice on how professional skepticism can assist the auditor in the performance of advisory services
Impaired Independence
ITAF looks at independence in terms of functional and administrative reporting relationships, which should ensure that the IT auditor is not unduly influenced by the enterprise being audited, its managers or its employees.
On occasion, the IT auditor’s expertise in a particular area may result in management seeking advice.
Providing this routine advice on IT risk or controls is viewed as assisting management in the performance of its duties, not assuming managerial duties.
Consequently, there is no impairment to independence.
If, however, the IT auditor is called upon to make management decisions, the auditor may be influenced by senior management or the executive level of the enterprise.
As a result, independence may be impaired.
Examples of activities that could involve management decisions include:-
- Setting policies and strategic direction
- Directing and taking responsibility for the actions of the entity’s employees
- Authorizing transactions
- Deciding which recommendations of the audit function, internal audit function, organization, firm or other third parties to implement
- Taking responsibility for designing, implementing or maintaining internal controls
- Accepting responsibility for the management of an IT project
ITAF recommends documentation of the advisory service with IT audit management (and/or those charged with governance) regarding:-
- The objectives of the advisory services or roles
- The nature of the advisory services or roles to be performed
- The audited entity’s acceptance of its responsibilities related to the advisory services or roles
- Professional responsibilities related to the advisory services or roles
- Any limitations of the advisory services or roles
If the advisory services can result in any impairment of independence (in fact or in appearance), the IT audit function should discuss the potential impairment with those charged with governance and oversight of the audit function (e.g., the board of directors and/or the audit committee).
If the description of advisory services appears not to impair independence and the IT auditor begins the engagement, the IT auditor should remain mindful of undue influence, another potential impairment to independence.
Should impairment occur after the engagement is initiated, the IT auditor should immediately discuss the issue with IT management and the enterprise governance and oversight function.
Impaired Objectivity
Impairments to independence can be identified easily through exploration of the IT auditor’s involvement in managerial activities.
Impaired objectivity may be more difficult to identify, however, because of its broader scope. It may involve several elements, such as:-
- Potential for self-review—Should advisory services performed by the IT auditor become the subject of an audit or an assurance engagement also performed by that individual, the IT auditor would be involved in self-review.
This may happen when the IT auditor has expertise in a particular area and management has a challenge in that area or wants to launch a related project.
- Auditor-driven interactions that could impair the auditor’s objectivity—For auditor-driven interactions, the auditor is deemed as having some level of control over the potential impairment to objectivity. For example, it is not unheard-of for an auditor to pursue a transfer from audit to an operational IT role. While performing advisory services, it may become evident that both the IT auditor and the operational IT area would benefit from the auditor changing roles within the enterprise. The change could possibly align with enterprise needs and definitely meet the auditor’s career aspirations.
While performing both the advisory services and an audit of the same area, the IT auditor may perceive that a career opportunity could be jeopardized if unfavourable findings in the audit are reported.
This vested interest in preserving the relationship with IT operations management could impair objectivity.
- Management-driven interactions that could impair the auditor’s objectivity—IT operations management may also drive impairment to objectivity.
Such interaction can create familiarity at a level that precludes the IT auditor from being objective when the auditor subsequently resumes audit work in the area. This impaired objectivity may range from management seeking a sympathetic ear from the auditor to enlisting the auditor as its advocate. To address these circumstances, if an auditor’s interest in a possible transfer to an operational IT role is known, the IT auditor should not perform audits in that particular area.
Also, ITAF advises the IT audit function to rotate audit assignments periodically to mitigate familiarity between auditors and management.
Further, an IT auditor who performed direct management responsibilities in any given area should not audit that area.
Professional Skepticism
Unlike independence and objectivity, which can be impaired, professional skepticism is a potential safeguard. In the audit realm, professional skepticism is most frequently associated with the auditor making a critical assessment of audit evidence. ITAF requires the auditor to have a questioning mind and demonstrate professional skepticism.
Professional skepticism is a skill that the IT auditor uses in audit and assurance engagements. Similar to these engagements, exercising professional skepticism during advisory services means asking the right questions.
The IT auditor should recognize that in some environments, professional skepticism is encouraged in principle, but not supported in practice. An IT auditor faced with a choice between exercising professional skepticism to avoid independence or objectivity impairment and ‘not making waves’ should opt for preservation of independence and objectivity.
For advisory services, professional skepticism takes on additional importance because it can help the auditor navigate circumstances that may lead to impairment of independence or objectivity. Even if participation in an advisory engagement has been vetted and approved, the IT auditor benefits from continuing to question the work that is to be performed. The description of the project provided prior to the start of the advisory services may appear to be free of any potential impairment.
Once the work begins, however, the auditor should ensure that particular tasks (either unknown or undisclosed in the overall project description) do not impair (or appear to impair) independence and/or objectivity. To recap, prior to participating in an advisory service, the IT audit function should determine that its intended participation complies with the terms of its audit charter. If there are circumstances where the IT auditor’s participation in advisory services gives the enterprise’s audit committee pause, consideration should be given to the:-
- Perception of the relative value added by the potentially conflicting audit and advisory services
- Level of risk attached to advisory activities to be performed
- Effect on how the IT audit function is perceived should the IT auditor perform the advisory services
- Nature, timing and extent of the advisory services to be performed by the IT auditor
If concerns surrounding the IT auditor’s participation in advisory services cannot be resolved, the audit function should explore the potential of recruiting alternative resources, either for the audit the IT auditor would normally perform or for the advisory services work.
IT auditors are encouraged to gain reasonable assurance that the work is outsourced only to experts possessing the required professional competence. Furthermore, the IT auditor should collaborate with the alternative resources to facilitate personal development of knowledge and skills in the outsourced area.