Information Technology Auditing: A Value-Added IT Governance Partnership between IT
Management and Audit
Summary
In the article Information Technology Auditing: A Value-added IT Governance Partnership between IT Management and Audit, which was published in Communications of the Association for Information Systems, the authors Merhout & Havelka (2008) discuss the importance of information technology in corporate governance. They argue that aside from providing assurance, the establishment of partnerships between the audit function and the IT management team can provide organizations with additional value. They posit that the successful implementation of IT audits requires sound project management principles and a quality audit process that, when successfully executed, can lead to audit resources being freed, thus allowing more resources to become available for enterprise oversight and value-added projects.
“An audit is an independent examination of an organization’s management assertions that must follow a set of guidelines and standards promulgated by an external sanctioning body” (Merhout & Havelka, 2008, p. 44), where the audit can be conducted by either an internal or an external auditor. In particular, an IT audit requires that information technology be involved, either as the means of completing the audit or as the specific focus of the audit. External auditors perform an IT audit as part of the annual financial statement audits. They aim to test the internal control structures that surround key information systems. Internal auditors, on the other hand, aim to fulfill management’s responsibility with regard to governance. In addition, an audit may be performed as a way of reviewing business processes and as part of a bigger audit initiative where technology and financial auditors work together.
IT governance involves various levels of the organization, namely the strategic, management, and operational levels. This means that IT audits can be used in each of these levels. It should also be noted that IT audits use a risk-based approach, which involves the identification and prioritization of potential risks, the assessment of control mechanisms, and the testing of controls.
A major corporate governance requirement is compliance with laws and regulations such as those imposed by the Sarbanes-Oxley Act of 2002. In particular, this law requires the personal certification of large and publicly traded U.S. organizations’ financial statements by their CFOs and CEOs. These financials in turn largely rely on the organizations’ information systems, which results in these organizations needing to invest more in their IT infrastructure. In addition, compliance with SOX requires that more frequent and highly detailed IT audits be performed, which organization leaders find very costly, disadvantageous, and unreasonable.
However, Merhout & Havelka (2008) assert that IT audits do provide organizations with many benefits. One of these is that the IT audit determines whether the information system meets the organization’s stated objectives and ensures that the system does not create an unacceptable level of risk for the organization. Another benefit is that the IT audit ensures the proper functioning of the system, in turn providing confidence in the organization’s financial statements and in the investment environment in general. Moreover, the benefits of an IT audit extend to the investment community and to the stockholders and result in compliance with other government regulations such as the HIPAA (Health Insurance Portability and Accountability Act).
In addition, IT audits enable organizations to identify control mechanisms that are effective as well as those that need to be improved. IT audits also enable organizations to improve their business process and information systems documentation, as well as their systems security. As well, IT audits enable the identification of irregular acts such as the intentional or unintentional violation of regulations or policies.
In an effort to ensure the successful implementation of IT audits, the authors of the article propose a framework that can be used to achieve a high quality and successful IT audit. Although they recognize that the success factors for an IT audit vary, depending on the nature of the project, they assert that it is still possible to come up with “a comprehensive set of critical success factors” (Merhout & Havelka, 2008, p. 466) that are recognized and acknowledged as critical by business managers and auditors.
The authors conducted a field study in order to create a model of IT audit quality. The study involved focus groups where participants included IT managers, operational and financial auditors, and IT auditors. The study consisted of two stages where the first stage was aimed at developing an initial framework and the second stage was aimed at validating and refining the framework. Nominal group techniques were used where fact gathering was the main objective.
The study resulted in two types of qualitative data, namely a comprehensive set of factors that were identified as affecting the quality of the IT audit process and a more refined set of factors that were identified as critical to the quality of the IT audit. After further analysis of the data gathered, six critical factors were identified. These consisted of the following: “1) Audit method; 2) Sufficient time allowed for the audit; 3) Support from the client/auditee and management; 4) Client relations; 5) Organizational change and 6) Clear scope and objectives for the IT audit” (Merhout & Havelka, 2008, p. 468).
Results of the study show that while there are many critical factors that are common across businesses and industries, there are also factors that are specific to an organization or an industry. In the Information Technology Audit Quality Framework that Merhout and Havelka developed, eight categories of success factors were identified. These consisted of the following in the order of their importance: Audit team factors; Audit process and methodology factors; Client-controlled organizational factors; IT audit-controlled organizational factors; IT audit personnel technical competency factors; IT audit personnel social and interpersonal factors; Enterprise and organizational environment factors; and Target process or system factors.
The authors propose that managers can use this model for analyzing and planning IT audits through the identification of the risks and opportunities relative to the eight categories of factors. Clients and audit managers can also use this model for the establishment of metrics and for the evaluation of IT audit quality. As well, researchers can use this model for conducting more in-depth studies regarding the effects of these factors on IT audit quality and their relationship with each other.
The proper implementation of an IT audit, together with a culture that values the opportunity for a value-added experience and a partnership between management and the IT auditors, leads to value-added benefits from IT audits. For example, improved IT governance can lead to an improvement in the return on investment in information technology. In the same manner, the use of documentation through improved business process management and business process reengineering can lead to an improvement in operational efficiency. The use of audit observations through enhanced enterprise risk management awareness can also lead to an improvement in risk mitigation. As well, facilitation among various stakeholders can lead to an increase in organizational communication and trust. Still other value-added benefits include an improvement in associated systems disaster recovery planning and business continuity planning, as well as an improvement in the quality of systems development. The authors also presented a caselet involving an international banking and financial services firm where the framework they developed could be applied.
The authors recommend that further research be conducted about the factors that affect the efficiency and effectiveness of IT audit quality. They also recommend making a comparison to a similar model that is developed from research. Finally, they recommend testing their assertion that a quality audit process leads to a quality product. In conclusion, they suggest that a high quality IT audit enables an organization to meet the requirements of a risk-based assurance program while at the same time enabling the delivery of value-added governance services to the enterprise. These value-added services contribute to a high quality IT audit process due to the nature of the partnerships developed, so that in the end, IT governance partnerships prove to be a win-win situation for the whole organization.
Discussion Questions
What motivation should organizations have for properly implementing IT audits aside from this being a requirement and aside from the direct benefits they offer?
Organizations should also consider IT audits as an opportunity for the establishment of governance frameworks and the formation of value-added partnerships between IT auditors and IT management. These partnerships can lead to senior management’s better understanding of the role that IT plays in corporate governance, in turn leading to better decision making processes. These partnerships can also result in value-added services that can contribute to a quality audit process.
In what ways does the IT audit process at Company XYZ emulate the framework developed by Merhout and Havelka?
Company XYZ uses a consistent audit methodology, which maps to the framework’s audit process category. They also employ experienced staff who have the necessary technical skills, and this maps to the framework’s technical competency category. Finally, they allocate adequate time for the utilization and engagement of automated editing tools, which corresponds to the framework’s IT audit-controlled organizational factors category.
How is the independence of the IT auditing function one of its major benefits?
As an independent entity, IT auditors are not involved in the politics of the daily operations, which enables them to provide honest feedback about the performance of various operations. They are also able to have a big-picture perspective of the organization, which enables them to see the interaction among the different processes, in turn allowing them to identify any bottlenecks in the processes. As well, they can serve as effective liaisons among the different members of the organization.
Comments on the Article
While I agree that IT auditing provides organizations with great benefits, particularly in the improvement of their operations, I also understand why executive leaders see it more as a burden than as something helpful for the organization. For one, resource allocation would be a challenge – in terms of IT infrastructure, finances, time, and human resources. With product development and innovation as the top priority of organizations, it would be easy for IT auditing to be put on the back burner.
That said, I think that it would be helpful if companies can more easily relate to the benefits of IT auditing, that is, it’s all good in theory, but perhaps, companies should be able to see these benefits in action in order to get their buy-in. This can probably be done through more research, through education or promotion of awareness, and through more and more companies employing such practices, in turn becoming examples to other companies.
References
Merhout, J. W. & Havelka, D. (2008, November 1). Information technology auditing: A value-added IT governance partnership between IT management and audit. Communications of the Association for Information Systems, 23(1), 463-483.