Organizations that seek excellence tend to maintain a sharp focus on their strategic objectives. Information systems (IS) auditors who wish to add value to their organizations—and surely that is all of them—should do the same.
There are two phases of the audit process where IS auditors can leverage tools to make their work align to and support the organization’s strategic objectives.
Planning Phase—Being Alert to Organizational Changes
The planning phase of the IS audit should consider both organizational objectives and engagement-specific issues.1 The engagement-specific issues relate to systems, applications or processes that support the organization’s existing processes as well as new initiatives. In determining whether to assess these matters, IS auditors evaluate the potential increase in risk or the introduction of new risk to the organization. Consideration of risk-based matters is a cornerstone of audit planning, but real value is added when IS auditors are alert to strategic initiatives, then leverage audit planning to ensure continuous alignment of the IS audit function’s efforts with the organization’s strategic objectives.
In most instances, IS auditors’ direct involvement in organizational progress toward strategic objectives means evaluation outside the scope of a planned audit. Creation of a specific project around the organization’s new initiative relies on skills auditors use routinely; however, the approach to the deliverable is different. Unlike an audit, where a report signals the end of an effort, participation in a strategic initiative requires IS auditors to assess and report on a repeat basis. Given the ongoing nature of this work, a supporting tool can prove helpful.
Informal tracking of the project can be done through readily available tools such as Microsoft Word and/or Excel, and that level of tracking may be adequate, depending on the organization. However, because strategic projects generally have higher visibility within the organization, IS auditors should explore tools that better support centralization of project data and reporting. An example of such a tool is open-sourced Eramba (www.eramba.org).
In addition to modules that document organizational structure, assets and controls, Eramba offers several modules that can be used to track IS auditors’ strategic initiative efforts. For example, in Eramba’s Risk Management module, there is a business impact analysis component that supports documentation of the revenue associated with each project risk. Going beyond simply identifying a risk (during audit planning) to monitoring and reporting customized, specific information on that risk enables IS auditors to add value to the organization.
Recommendations and Remediation Phase—Understanding and Innovating
Having identified areas of concern during fieldwork, IS auditors can proceed to making recommendations and tracking progress toward resolution (remediation), remaining mindful to maintain independence. ISACA’s Information Technology Assurance Framework™ (ITAF™) notes that as long as management retains responsibility for oversight and results of services, the IS auditor’s independence should not be impaired.2 Notwithstanding the need to maintain independence, the recommendation and remediation phase is the IS audit function’s opportunity to reinforce its trusted advisory/consultative role to the organization.
Interacting with most, if not all, groups throughout the organization places IS auditors in the unique position of having a comprehensive view of the organization’s people as well as its processes (technological and nontechnological). This insight can, and should, be leveraged to make innovative audit recommendations. “Innovative” is the key word; the recommendations must be progressive and look to the future, even when they are addressing deficiencies that occurred because of past practices. For example, a few years ago, when employees started using personal devices at work and kick-started an ad hoc bring-your-own-device (BYOD) approach, some IS auditors recommended that their organizations design and launch policies to prohibit BYOD. A more innovative recommendation examined how employees use mobile devices and determined how the IS audit function could collaborate with the organization to address concerns around securing devices while supporting employees’ workstyles.
While innovation depends strongly on culture and mind-set, it can be helped along with the appropriate tool. For example, an exception tracking tool can support the IS audit function’s ability to expend resources and time more efficiently, thereby enabling a focus on crafting innovative recommendations.
MantisBT (www.mantisbt.org) may serve that need by allowing users to document the following features for each audit recommendation—category, severity, status and summary—which, in turn, can inform IS auditors’ consideration of how each feature can impact the organization’s strategic objectives. If the strategic initiative is based on processes, the exception management category can be process-based. If, on the other hand, the strategic objective is driven by business units, the exception management category can be the business unit. Grouping recommendations in this way has several benefits, such as allowing the IS audit function to identify significant trends, such as patterns related to resource constraints or repeated instances of technology underutilization. After identifying the trend, the IS auditors can make recommendations and track them, but the more value-added outcome is the ability to report how these enterprisewide patterns may reflect challenges or barriers that will affect achievement of strategic objectives. This demonstrates the IS auditors’ profound understanding of the organization and its goals.
Conclusion
IS auditors have an opportunity and obligation to use the audit phases to add value to their organizations by leveraging audit information to further the achievement of strategic objectives.
Endnotes
1 ISACA, Information Technology Assurance Framework (ITAF), USA, 2003
2 Ibid.
Robin Lyons, CISA, CIA
Is a technical research manager in ISACA’s Knowledge and Research department. In that role, she contributes thought leadership by generating ideas and deliverables relevant to ISACA’s constituents. She partners with Learning Solutions as a subject matter expert on audit and CSX-related projects. She also writes audit programs, narratives and blogs as well as leads projects when any of these functions are co-sourced with external resources. Prior to joining ISACA, Lyons was a Payment Card Industry (PCI) subject matter expert for a Fortune 200 corporation, and the internal audit director for an institution of higher education.