Audit. In today s constantly changing business. The Relevant

Transcription

1 Edward Hill, CIA, CPA Executive Director Business Advisory Services Grant Thornton LLP The Relevant Audit IT GAIT-R provides a top-down, risk-based approach to scoping IT risks and processes into audits. In today s constantly changing business environment, with new threats and vulnerabilities emerging daily that put mission objectives at risk, auditors can make IT audits more relevant by tying them to the strategic objectives of the organization. In the past, IT audits typically focused on the IT control environment and technical infrastructure. As a result, auditors may have paid too much attention to details in IT-specific areas that were dated or irrelevant to achieving current business goals, rather than focusing resources on control and risk elements that support current mission-critical goals. Auditors must broaden the scope of IT audits to include the control and risk environment relevant to business objectives, which will differ based on each organization s dependence on technology to meet strategic objectives. Using this 57

2 approach and drawing on The IIA s Guide to the Assessment of IT Risk (GAIT) guidance, auditors will conduct a more meaningful audit that examines true business risk. As such, the level and type of IT support will be different for each organization. GAIT-R focuses on the likelihood of risk events occurring to determine the level of IT audit control testing needed. Under loss of the availability of applications and the infrastructure that supports them is almost always a critical risk if the applications are customer facing. Customers in today s information age demand 58 PRACTICAL GUIDANCE GAIT for Business and IT Risk (GAIT-R), issued by The IIA in 2008, is a method for scoping IT audits by sifting key controls through an eight-step series of top-down, risk-based filters. The result is a streamlined scope that focuses the IT audit on those key controls and risks across the enterprise that are essential to achieving business goals and objectives. The GAIT-R guidance takes a holistic view of audit scoping that includes financial, operational, legal, and compliance functionality as outlined in The Committee of Sponsoring Organizations of the Treadway Commission s (COSO s) Internal Control Integrated Framework. COSO identifies three broad internal control objectives: financial reporting, such as completeness, accuracy, proper valuation, and safeguarding of assets; operations, including items like price or customer service; and legal and regulatory. Of these three, only financial reporting requirements cut across all organizations. Operations and legal and regulatory requirements differ from company to company depending on its competitive niche and industry. A lowcost provider will have a different risk profile than a company competing on customer service in the same industry. GAIT Methodology Steps the model, the potential failure in an IT process, or risk occurence, is assessed to determine what effect the failure may have on the achievement of business objectives. If delivering timely information to customers were a critical business objective of a manufacturing company, the GAIT-R model would assess the potential impact that failing to meet this objective might have on the organization. To an e-commerce company, system availability is crucial to ongoing sales as well as an overall goal of customer confidence and loyalty. If the company has a technology failure that causes the purchasing system to go down, not only does that company lose sales, customers also may lose confidence in the company and migrate to other online providers. The These steps outline an approach to applying the GAIT principles to a business audit, which will identify the critical IT risks related to particular business objectives. 1. Identify the business objectives for which the controls are to be assessed. 2. Identify the key controls within business processes required to provide reasonable assurance that the business objectives will be achieved. 3. Identify the critical IT functionality relied on from among the key business controls. 4. Identify the significant applications where IT general controls need to be tested. 5. Identify IT general control process risks and related control objectives. 6. Identify the IT general control to test that it meets the control objectives. 7. Perform a holistic review of all key controls to ensure that considerations have been balanced between those controls that rely on IT and those that do not. 8. Determine the scope of the review and build an appropriate design and effectiveness testing program. The GAIT-R approach focuses internal audit effort where it is most needed, resulting in higher quality IT audits and making the internal auditor s role more valuable from a strategic planning perspective. immediate availability of information and lose confidence and interest when it s not available when they need it. As such, system availability controls and risks should be given audit priority to minimize the risk of key control failures. This approach focuses internal audit effort where it is most needed, resulting in higher quality IT audits. Internal auditors, and by extension the organization as a whole, also benefit from a better understanding of how particular IT processes and controls are designed to mitigate risk and contribute to the achievement of business objectives, making the role of internal auditors more valuable from a strategic planning perspective. RISK-BASED AUDITING Instead of focusing on specific controls, GAIT-R uses a top-down, risk-based approach written primarily for internal auditors. The methodology identifies risks, not specific controls, within IT business processes where a control or security failure could adversely affect the achievement of specific goals of an organization. The approach assumes that IT risk is most important when it relates to the potential failure of a key business process or objective. Once key IT controls are identified, GAIT-R uses structured reasoning to focus on those controls across the enterprise that are essential to achieving business goals and objectives. Used correctly, this filtering process streamlines the IT audit scope, minimizing resources spent on IT risks that are not critical to business objectives. Scoping IT audits using GAIT-R further refines the IT scope by adding a Internal Auditor june 2011

3 the relevant it audit relevant business filter. Traditionally, many auditors have viewed technology risk assessments in a silo, focusing audits on IT department objectives in a review of applications, technical infrastructure, IT processes, and IT projects across the organization. This traditional approach focuses on the effectiveness of technology against IT objectives rather than the supporting role of technology in achieving the goals of the business. GAIT-R takes the scoping process one step further by tying IT objectives to business objectives before taking a top-down approach. The refined scope on information systems that provide up-to-the-minute status of order processing and shipment tracking. The processes and applications are designed to achieve the goal of real-time and reliable customer support. If these systems are not available, the lack of timely information could impact customer satisfaction. If there is a goal of immediate shipping of in-stock inventory and the customerfacing system indicates that an item is in stock, but that system is out of sync with the warehouse and shipping systems, the order placed by the customer may not trigger the shipment of the item. The order on the trucks, and are rolling out of the warehouse by 7 a.m. the next day. The highly competitive restaurant supply business is reliant on processing accurate, complete, and timely orders. Therefore, the audit team should identify key risks in the process and understand how the company guarantees changes to this application are accurate and completely tested before being placed into operations. The IT assessment should include audits of all system applications and processes that affect key risk areas and contribute to the critical business objectives of on-time, accurate deliveries. Traditionally, many auditors have viewed technology risk assessments in a silo, focusing audits on IT department objectives in a review of applications, technical infrastructure, IT processes, and IT projects. should identify how technology is being used to enable business processes within the organization. As a result, audits of data security that use the GAIT-R methodology might focus on protecting the information assets that are required to support critical business operations, securing intellectual or proprietary property (such as the formula for a new product), and identifying where the damage to, or loss of, data could represent an immediate liability to the business as a whole. customer is likely to be upset and lose faith in the company. Identify the critical IT functionality relied on from among the key business controls For example, a food distributor that provides daily delivery of fresh produce and meats to upscale restaurants uses an automated pick-and-pack application. Orders for next day delivery must be placed by 10 p.m. through an online order system to ensure goods are sourced, sorted by restaurant, packed in the correct Identify the significant applications where IT general controls need to be tested In the restaurant supply example, audits should be tied directly to the achievement of key business goals. In the example, there most likely are several audits that would be associated with the business objective of achieving on-time, accurate deliveries. Based on the size and complexity of the systems, these audits would include change management over significant applications focusing specifically on the completeness of the testing before programs are moved into production. A complete analysis of the overall process also may identify IT infrastructure components critical to the achievement of the delivery goals. Identify IT general control process risks and related control objectives Key business-related risks could include: availability of the systems, consistency and accuracy of processing, ease of use and accuracy of customer-facing websites for entering orders or scheduling service, APPLYING THE METHODOLOGY The GAIT-R methodology covers the risk assessment and control identification process in eight steps, starting with understanding the business objectives for which controls are to be assessed and ending with a defined scope of work. The most significant and differentiating steps, with practical applications for clarification purposes, are summarized as follows (for the complete list of steps see GAIT Methodology Steps on page 58). Identify the business objectives for which the controls are to be assessed For example, an online retailer relies Top-down, Risk-based Principles The GAIT-R principles outline the overall approach to scoping IT audit work so that IT work addresses the most critical IT issues from a business objective standpoint. These principles will guide a user to the critical IT functions and will provide a business context to the IT audit work. Principle 1: The failure of technology is only a risk that needs to be assessed, managed, and audited if it represents a risk to the business. Principle 2: Key controls should be identified as the result of a top-down assessment of business risks, risk tolerance, and the controls required to manage or mitigate business risk. Principle 3: Business risks are mitigated by a combination of manual and automated key controls. Principle 4: IT general controls may be relied on to provide assurance of the continued and appropriate operation of automated key controls. 59

4

5 the relevant it audit use of company systems by vendors or other outside users, and reliance on and enablement of applications and other technologies. For example, a manufacturing plant uses an automatic reorder system to order key production parts. If the reorder system fails and key parts are not available as needed, production could come to a halt. The technology risk of this failure would be felt throughout the organization in a monthly sales drop and failure to meet existing production commitments. By identifying this risk up front in an IT audit, the company can test appropriate controls for success and identify a backup alternative supplier before the need is critical. Determine the scope of the review and build an appropriate design and effectiveness testing program A critical step in the application of the GAIT-R methodology is the identification of those key/critical controls related specifically to the identified business process and the related risks/controls to achieving the objective. Using the same example goal of accurate and on-time delivery, practical application focuses on the program change control audit. In the overall change control process there are several steps that are critical to an efficient and effective method, but are less critical to the objective if only fully tested and evaluated changes should be promoted into production. For example, the accuracy and completeness of the user change request process is not specifically relevant to ensuring the changed code is accurate. However, if the audit is designed to evaluate the efficiency and effectiveness of the change process overall, these steps would need to be evaluated. A STRONG BUSINESS CASE Although GAIT-R changes the IT focus and selection of controls targeted in an IT audit, the top-down, risk-based approach ensures a more effective audit scope, lowers cost in the long run, and improves the strategic overview. In addition, aligning IT risks with business goals puts IT audit findings in a business context that is more easily understood outside of IT circles. For example, audit findings from an assessment of the availability of customer service applications and the infrastructure that supports the achievement of superior customer service can help management understand what puts this goal at risk and make adjustments before IT issues impact it. Adopting GAIT-R takes up-front time, effort, and resources. Some internal auditors may question whether they have the skills and knowledge necessary to implement the methodology. The higher quality audits that result from focusing on true business risks, not just technology risks, should be justification enough for moving to this approach. Making the change to a GAIT-R approach to IT audits also is beneficial for internal auditors themselves. With GAIT-R, internal auditors become the interface between management and IT specialists, breaking through technology jargon to give the organization s leaders the information they need to understand the strategic implications of IT risk. To comment on this article, the author at [email protected]. Results that are Vital to Corporate Stakeholders Require Sharpe Decisions Sharpe Decisions Executive Workshop Sharpe Decisions Voting Systems Sharpe Decisions inc. For more information, visit our Web site or us at [email protected]. Helping you balance your risk Effective risk management is key to the success of your business. More and more companies view risk management as an area of strategic importance. Professional risk management advice and effective assurance mechanisms can deliver competitive advantage and enhance value to your stakeholders. RSM member firms have a comprehensive range of services designed to bring a new perspective to your organisation and define clear risk strategies. Meet partners from RSM International member firms at the International Conference, July 2011 in Kuala Lumpur. RSM International is the brand used by a network of independent accounting and consulting firms. Each member of the network is a legally separate and independent firm. The brand is owned by RSM International Association. The network is managed by RSM International Limited, neither of which provide accounting or consulting services. The network using the brand RSM International is not itself a separate legal entity of any description in any jurisdiction. Intellectual property rights used by members of the network including the trademark RSM International are owned by RSM International Association, an association governed by articles 60 et seq of the Civil Code of Switzerland whose seat is in Zug. RSM International Association,