I often go to conferences in which auditing is the central theme, or if not, is at least a major theme. I also know many professional auditors. From a very high level perspective, an audit function within an organization must determine whether that organization’s management is providing suitable oversight and direction, whether resources are being used responsibly and in accordance with major business and/or operational needs, whether other functions such as business units and risk management are fulfilling their purposes and if so, whether they are doing it efficiently, and whether or not fraud, waste and misuse are occurring.

In the past I have been approached with opportunities for audit positions. I’ve always turned them down, in part because I have not had auditor training, but also because I was concerned that the job of an auditor might be too repetitious for my tastes. It appears to me that auditors spend the preponderance of their work time preparing for upcoming audits, conducting audits, writing up audit results, and working to achieve resolution concerning deficiencies and other issues identified during audits. Even if my impressions are correct, however, the importance of the audit function is not in any way diminished. Audit provides an independent assessment of critical elements within organizations; this assessment in turn is part of a system of checks and balances that provides critical feedback so necessary in determining what needs to be corrected to make or keep an organization functioning healthily.

I also have the impression that most audit functions are not nearly as proficient as they could and should be. Why?

1.    One of the main reasons is that auditors too often do not possess a sufficient amount of knowledge about technology. Consequently, when audits involve use of computing systems, auditors may not be aware of critical technical issues that need to be resolved or may gloss them over, thereby allowing an organizational unit to pass an audit even though many technical and procedural deficiencies exist.

2.    Auditors sometimes have incorrect or unrealistic views of technology. About seven years ago I came to the rescue of one of the best information security managers I have ever known. Her company’s audit function had decided that she had implemented intrusion detection, but not intrusion prevention, throughout the enterprise. A senior auditor had attended a talk at a conference several months before the audit was conducted. In that talk, intrusion detection technology was deprecated, while intrusion prevention technology was pronounced the wave of the future. The fact that intrusion prevention technology was rather new and crude at the time, thereby introducing a significant amount of risk into IT environments, was never mentioned. I had to write a paper comparing intrusion detection and intrusion prevention capabilities and then present and defend the main points in the paper before the audit team that had rated my friend’s information security practice as unsatisfactory because of the lack of intrusion prevention capability.

3.    Auditing tends to be a spot event, something that occurs at scheduled intervals, rather than a continuous process. As a result, to-be-audited groups and functions often expend Herculean effort in preparing for an upcoming audit. They are in reality “showing their best stuff,” and they have the luxury of being able to do so as a result of having time to prepare. But the way things actually work day-by-day within these groups and functions is too often completely different from the way they appear to work once an audit has begun. I suspect that very senior auditors can tell when this discrepancy exists, but that many other auditors cannot.

4.    The audit function too often exists as a silo within an organization. My main complaint here is from the perspective of an information security professional. In just about every audit of which I am aware, information security findings are identified, yet too often the information security manager is not informed of the audit findings. (By the way, information security functions also too often fall prey to the “silo effect.”)

The bottom line is that the audit function is one of the most critical within organizations, but too often this function does not come close to reaching its potential. Dealing with the four issues I have raised here would go a long way in helping audit do so.

