When I read the following two descriptions together they sound like the business equivalent of Dr. Seuss:
"CISA is to Audit what CPA and CA are to Accounting" – ISACA
"The CITP credential […] focuses on information assurance and business insight required to bridge the gap between company management and the technology they leverage. The CISA credential strictly focuses on the skills and knowledge required to perform information systems audits." - AICPA
The implicit perspective is that there is a clear bright line between the business and IT. But how can we plan and execute an effective IT audit without a clear understanding of business process, or a financial audit without understanding the technology that powers our systems? How can we define material risk, plan sampling, or even understand the full implications of our findings?
In my opinion there is an endemic gap in the "big picture" audit process because we insist on structurally separating financial and IT audits. The tail is wagging the dog – the current framework is a reflection of the org chart when it could be engineered to add value. This separation does not reflect realistic needs; it is a product of segmented subject matter expertise on the part of business stakeholders and internal and external auditors. Few financial auditors (often CPAs) have deep technical knowledge and few IT auditors (often CISAs) have deep business expertise. This may be something we have to accept in the short run, but to make matters worse we don't do a good job of coordinating our audits. The segmentation is harmful in several important ways:
- Material risks are missed in the audit process
- Non-material risks stack into unnoticed material risks
- Material risks are missed due to lack of expertise
- There is no central client stakeholder in the audit process
- Opportunities are missed to advocate throughout the IT project lifecycle
- Opportunities are missed to scope auditing "hooks" into new systems
- The quality of peer review is affected by inconsistent subject matter expertise
- The business transforming value of the audit process is underestimated
Let's take a quick analogy break. A car adds value to its owner by serving as a reliable mode of transportation. An automobile inspection is like an audit. The inspection adds value by expressing an opinion on the ability of the car to continue adding value and the likelihood that it will do so. The way we approach Financial and IT audits today is analogous to an automobile inspection where one mechanic checks the engine and transmission while another checks the brakes and steering; the car passes inspection but may not run well when actually driven, because no one actually drove it during the inspection.
An example of this critical gap occurs in IT service outsourcing. An unqualified opinion from a SAS 70 audit is typically accepted as evidence of the sufficiency of third-party (vendor) controls for the purposes of SOX compliance. But the scope of a SAS 70 audit is limited by the service vendor's own agreement with its external auditor, and that agreement can often scope in only a subset of the products and services the vendor performs for its clients (who are key stakeholders in the audit opinion). In other words, companies that accept their vendors' SAS 70 audit reports without detailed review can have serious blind spots.
This is not an academic topic. Both auditors and management have a fiduciary duty, as well as liability, to find and resolve material issues. As technologies become increasingly ubiquitous, courts will set the expectations for issue discovery during audits higher and higher.
Businesses should cross-train their stakeholders and attempt to integrate their financial and IT audits in a deeper and more meaningful way. Auditors should aggressively advocate for financial and IT audit integration. This means that IT auditors will need to deepen accounting and finance skills, and "traditional" auditors will need to increase their technological subject matter expertise.
/end Biggering the IT (in AudIT)