As business models and new technology continue to change at a record pace, so must the role of the auditor. The technology evolution and new business models based on outsourcing, downsizing and decentralization have taken businesses and the audit profession through several changes during the last 20 years. Closed networks have evolved into virtual networks and the Internet, closed applications have progressed to applications integrated with business partners, applications now encompass ERPs and ASPs, and operations are no longer local but include e-business and m-business.
As these new ideas, models and technologies have been implemented in companies around the world, concerns have continuously increased about the ability to keep this new environment aligned with business objectives.
At this point the concept of governance was first raised, as a more comprehensive way of dealing with the objectives and interests of the entity and its stakeholders.
An analogy may help. Take the Argentine countryside (the Pampas), where the concept of the stakeholders can be easily mapped around a cow. On the Pampas the cow is the center of the universe; the best beef can be obtained from these cows, which in turn yields the highest-quality leather, milk, bones, glands, etc. So there are numerous stakeholders with different interests in the cow: the workers, the veterinary industry, the landowners, the breeders, the government (taxes, certification, development, export duties and social security), the butchers, the hamburger companies, the numerous dairy industries and the leather industry, to name a few.
Just as in the case of the Pampas, the concept of governance goes beyond the traditional board of directors' responsibility and, consequently, the auditors' oversight. Within this framework, governance extends outside the traditional limits of the organization to stakeholders with different but complementary interests, and governance activities have to be mapped to them.
IT governance is key to facilitating and encouraging the business side of the company and the auditors to work closely with technology managers and in line with board directions.
Effects of Technology on Auditors
As technology evolves, the auditor is required to anticipate the strategic direction of IT and the effects these directions, and consequently their detailed implementations, may have on business objectives. A key success factor in achieving this objective is for the auditor's role to be fully understood by his business counterparts. A most critical area develops here, as the auditor becomes involved in the delicate political issues that may arise when he identifies weaknesses in the highest strategic planning processes.
In addition to these sensitive, internal political issues, the IT auditor's job is becoming more difficult because the pace of IT deployment has picked up as companies work to roll out Internet projects in Internet time.
As auditors attempt to deal with these new difficulties, they also are attempting to erase the image of the auditor as the "IT police" from the minds of the business and IT professionals. The auditor now has a key role in achieving business objectives.
Innovations within Audit
Despite new challenges that have arisen as a result of the technology boom, auditors have benefited from innovation within their own industry. One of the largest challenges in the job of the auditor had long been the lack of a common framework to use as a basis from which to work.
This problem was first addressed with the release of the COBIT (Control Objectives for Information and related Technology) framework, as an evolving international basis for audit planning, management requirements, discussion and agreement. However, auditors found that they needed a clear alignment with the institutional or corporate objectives.
IT Governance and Auditors
To meet business objectives, a common ground of proactive discussion among auditors, IT management and the board needed to be reached.
COBIT 3rd Edition© and the IT governance framework, developed by the IT Governance Institute, address these issues through several supporting tools and mechanisms.
These mechanisms have evaluated and defined the role of the auditor within IT governance.
IT governance activities are mapped within the four COBIT domains:
Planning and Organization
Acquisition and Implementation
Delivery and Support
Monitoring
The detail that follows shows the role of the auditor for each of the COBIT domains and processes.
Planning & Organization:
In this area, the board of directors and management decide the strategy and tactics concerned with how business objectives are achieved and ensure that a technological infrastructure is in place. This area requires the most political skill from the auditor, since an IT auditor might have to inform a powerful CIO what has gone wrong under his command and then break the bad news to senior management. This domain is basically under the scope of the board of directors and management. The auditor's role under this domain is to evaluate and/or assess whether the delivery of these processes is aligned with business objectives.
The only key process the auditor is directly responsible for within this domain is quality management. This process includes the development of the long-term strategic plan, aligned with the mission and vision of the entity and its stakeholders, and the measurement criteria to be applied, as well as the identification of specific projects and work plans.
The processes and auditor roles considered within this domain are:
Define a strategic IT plan (evaluate/assess).
Define the information architecture (evaluate/assess).
Determine technological direction (evaluate/assess/inform/support).
Define the IT organization and relationships (evaluate/assess/inform/support).
Manage the IT investment (evaluate/assess/inform/support).
Communicate management's aims and directions (evaluate/assess/inform).
Manage human resources (evaluate/assess/inform).
Ensure compliance with external requirements (evaluate/assess).
Assess risks (evaluate/assess).
Manage projects (evaluate/assess/inform/support).
Manage quality (evaluate/assess/responsible).
Acquisition & Implementation:
To realize the business strategies and tactics, IT solutions need to be identified, developed or acquired. Within this domain, the role of the auditor is still to assess the process; however, support should be provided on control issues regarding the acquisition and maintenance of application software. The processes and auditor's roles for this domain are:
Identify automated solutions (evaluate).
Acquire and maintain application software (evaluate/support).
Acquire and maintain technology infrastructure (evaluate).
Develop and maintain procedures (evaluate).
Install and accredit systems (evaluate).
Manage changes (evaluate/support).
Delivery & Support:
This domain is concerned with the delivery of services provided by IT, which range from operations through security, training and support. There has been great consensus on the IT Governance Board regarding the role of the auditor in this domain. Here the role of the auditor is to evaluate and assess; however, greater involvement in the form of support is suggested in the Ensure Systems Security process.
The processes and auditor's roles for this domain are:
Define and manage service levels (evaluate/assess).
Manage third-party services (evaluate/assess).
Manage performance and capacity (evaluate/assess).
Ensure continuous service (evaluate/assess).
Ensure systems security (evaluate/assess/support).
Identify and allocate costs (evaluate/assess).
Educate and train users (evaluate/assess).
Assist and advise customers (evaluate/assess).
Manage the configuration (evaluate/assess).
Manage problems and incidents (evaluate/assess).
Manage data (evaluate/assess).
Manage facilities (evaluate/assess).
Manage operations (evaluate/assess).
Monitoring:
All prior domains need to be assessed for quality and for compliance with control requirements. This domain places direct responsibility on the auditor, both as owner and in a supporting role. It includes performance measurement against the specific indicators defined during the planning process. It also involves comparison against established parameters and objectives, achievement of critical success factors, and comparison against expected outcomes and stakeholders' expectations.
The processes and auditor's roles for this domain are:
Monitor the processes (evaluate/assess/support).
Assess internal control adequacy (evaluate/assess/support).
Obtain independent assurance (evaluate/assess/support).
Provide for an independent audit (evaluate/assess/support).
Conclusion
Every day an auditor faces more critical challenges in terms of upgrading his/her technology skills to provide the assessment new technologies require.
Whether the enterprise takes an innovative or a conservative approach to technology, early involvement in new projects, starting from strategic planning, continues to be one of the highest-return areas. To make better use of scarce audit resources, prioritize the areas of greater value. COBIT 3rd Edition's maturity models provide metrics on the auditor's role that can be aligned with improving the maturity level of IT governance.
The auditor's role is key in building a mature IT governance environment aligned with the business objectives and supporting the stakeholders' needs.