Seven Things to Know Before Automating IT General Control Audits

Frans Geldenhuys and Gustav Silvo
Authors: Frans Geldenhuys, CISA, CA(SA) and Gustav Silvo, CISA
Date Published: 20 December 2022

A small internal IT audit team had a complex and diverse environment that it needed to review, assess and test in order to provide assurance. The enterprise to be tested consisted of 7 core divisions and more than 300 entities that varied across approximately 90 IT domains. Each of the management teams responsible for the IT domains had its own requirements and, therefore, its own systems, standards and policies. This translated into a complex environment and an audit cycle of more than 2 years, which, in a dynamic and constantly evolving technology environment, is not sufficient to address the relevant risk.

To address this challenge, IT general control procedures were automated so that testing could be performed across all organizations in a continuous and/or periodic manner. In the process, the audit team learned multiple important lessons about things it could have done differently during the audit automation process.

The audit team took away 7 key lessons from the audit automation process:

  1. Build control tests that require structured data first - The audit team tackled complex controls that required machine learning (ML) to gather evidence very early on in the automation journey of internal audit. In hindsight, team members felt they should have focused first on automating key controls that already had structured data available for testing.
  2. Focus on quick wins - The audit team knew what it wanted to audit and which data it needed, but that data was not always readily available. Instead of focusing on quick wins and automating the maximum number of controls with the data it could collect, the team spent a significant amount of time trying to create structured data from varying sources.
    Evidence-gathering methods and control tests that use ML can make an impact in the long run (and can be fun to display proudly), but they take skill and time to develop. Instead, the audit team would have gained more value from addressing the more analytical procedures that were well defined and potentially already running as scripts. When developing audit procedures, one should aim to demonstrate quick wins with scalable control tests to secure budget and goodwill for any complex evidence-gathering methods and control tests that may be sought later.
  3. Create a data collection framework - The audit team wished it had researched data-collecting agents and technologies in more detail before tackling the IT landscape work. The team wrote its own tools to collect the evidence needed to perform the audit testing, which resulted in additional maintenance and support responsibilities shifting to the auditors. This, in turn, shifted the focus to supporting IT in running the tools and understanding their outputs rather than providing insight to management and building more control tests.
  4. Leverage third-party experts - For more complex measures such as patching, network security and website security, the audit team would have preferred to integrate with third parties early on. These types of vendors have dedicated security experts who research, collect and expose vulnerabilities. Their tools stay up to date with very low-level standards that the typical IT auditor would not know to look for. By partnering with such vendors, the audit team could have focused on identifying whether a risk existed and whether it was being managed, rather than on the finer details.
  5. Define a metrics framework - The audit team felt it should have defined the risk framework used by the audit automation in much more detail, or not defined the risk per control at all. The focus would then have shifted to a key performance indicator (KPI) framework instead. KPIs make more sense to the audience receiving the results and drive the correct governance behaviors. Because of the transparency of the portal, one might otherwise end up debating how risk is calculated rather than discussing the actual valid findings.
  6. Consider the impact on operations and audit - Often auditors must perform the control tests as designed and performed by management to determine whether the task is being performed properly. If the review process is automated, the organization will be inclined to include the outcomes of automated audit testing within its operational processes. However, this calls the auditor's independence into question. By leveraging third-party applications (apps) and views that are logically segregated between the organization and the audit teams, operational processes and audit testing can be kept separate on the same platform. Auditors must consider what is really being audited. Is it an audit to illustrate that the risk exists, or that management is not taking action? Sometimes it is both.
  7. Do not forget change management - Last, and most important, do not forget change management. The audit team found that the biggest hurdles to overcome were not the availability of data, defining the procedures to be automated or presenting the findings and reporting in a continuous manner. The most important lesson from implementing automated IT control procedures was not taking the people into account sooner. When embarking on the journey of automating IT control procedures, it is very important to take the affected stakeholders into account from the start. Their buy-in should be secured and it should be confirmed that relevant stakeholders are on board.
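Lessons 1, 2 and 5 above are about where to start: with key controls whose evidence is already structured, and with KPIs rather than a contested risk score. The following script is an added example that is not from the article or from the Alice platform; it shows what such a first, scalable control test can look like. It takes two constructed inputs that most teams already have in structured form, an account export from an identity system and an HR leaver list (both in a hypothetical CSV layout), flags leavers whose accounts are still enabled after a grace period, and reports a single KPI for the results portal. The column names, dates and grace period are all assumptions.

```python
"""Added example (not from the article or the Alice platform): an automated
ITGC test over structured data that most teams already hold, reporting a KPI
rather than a computed risk score. All inputs below are constructed."""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample export from an identity system (hypothetical layout).
ACCOUNTS_CSV = """username,enabled,last_logon
alice,true,2022-12-01
bob,true,2022-11-15
carol,false,2022-06-30
dave,true,2022-12-10
"""

# Constructed sample leaver list from HR (hypothetical layout). "erin" has
# no account in the identity system and is therefore out of scope.
LEAVERS_CSV = """username,termination_date
bob,2022-11-30
carol,2022-06-30
erin,2022-10-01
"""


@dataclass(frozen=True)
class Finding:
    username: str
    termination_date: date
    days_open: int  # days the account stayed enabled after termination


def _parse_accounts(text):
    return {r["username"]: r for r in csv.DictReader(io.StringIO(text))}


def _parse_leavers(text):
    return {r["username"]: date.fromisoformat(r["termination_date"])
            for r in csv.DictReader(io.StringIO(text))}


def leaver_access_findings(accounts_csv, leavers_csv, as_of, grace_days=0):
    """Control test: every terminated user's account must be disabled.

    Returns one Finding per leaver whose account is still enabled more than
    grace_days after the termination date, evaluated as of `as_of`."""
    accounts = _parse_accounts(accounts_csv)
    leavers = _parse_leavers(leavers_csv)
    findings = []
    for user, terminated in leavers.items():
        acct = accounts.get(user)
        if acct is None:
            continue  # no account in this system: nothing to disable
        if acct["enabled"].strip().lower() != "true":
            continue  # control operated as intended
        days_open = (as_of - terminated).days
        if days_open > grace_days:
            findings.append(Finding(user, terminated, days_open))
    return findings


def kpi(accounts_csv, leavers_csv, as_of, grace_days=0):
    """KPI for the portal: percentage of in-scope leavers whose access was
    removed within the grace period. A percentage with a stated rule is easy
    to explain; a per-control risk score invites debate about its formula."""
    accounts = _parse_accounts(accounts_csv)
    in_scope = [u for u in _parse_leavers(leavers_csv) if u in accounts]
    if not in_scope:
        return 100.0
    failed = {f.username for f in
              leaver_access_findings(accounts_csv, leavers_csv, as_of, grace_days)}
    return round(100.0 * (len(in_scope) - len(failed)) / len(in_scope), 1)


def run_sample(grace_days=3):
    """Run the test over the constructed sample as of 2022-12-20."""
    as_of = date(2022, 12, 20)
    return (leaver_access_findings(ACCOUNTS_CSV, LEAVERS_CSV, as_of, grace_days),
            kpi(ACCOUNTS_CSV, LEAVERS_CSV, as_of, grace_days))


if __name__ == "__main__":
    findings, score = run_sample(grace_days=3)
    for f in findings:
        print(f"{f.username}: still enabled {f.days_open} days after "
              f"termination on {f.termination_date}")
    print(f"Leaver access removal KPI: {score}%")
```

The same structure scales to other structured-data controls (password policy settings, privileged group membership, change tickets against deployment logs): parse the export, apply one explicit rule, emit findings plus a KPI the audience can read without arguing about how risk was weighted.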

Conclusion

Considering these items when planning the automation of IT audit control tests makes the actual delivery easier, faster and more sustainable in the long run. With the above 7 aspects in place, it is possible to scale a solution to make maximum impact over multiple business areas.

Editor's note

To hear more from the authors on this topic, listen to the "Seven Things to Know Before Automating IT General Control Audits" episode of the ISACA® Podcast.

Frans Geldenhuys, CISA, CA(SA)

Is a chartered accountant and a founding member of Bidvest Advisory Services (Pty) Ltd, a South African software development and consulting company focusing on the automation of professional services through its platform, Alice. He has more than 10 years of experience in the audit industry performing financial, operational and IT audits.

Gustav Silvo, CISA

Is an experienced IT auditor and co-founder of Alice at Bidvest. His primary objective is to be an enabler for positive change by providing IT assurance and advisory services where needed. Silvo leads Alice's IT audit research and development efforts. His research focuses on future trends and on implementing control testing and usability requests from IT auditors and managers.