IT Audit assesses risk related to the use of IT through planned and unplanned projects. Depending on the circumstances, the team performs its work as a traditional audit, an assessment, or an advisory project.
Audits – Traditional audit projects seek to provide assurance that controls are in place and are operating effectively over a period of time. Internal Audit’s planning, executing, and reporting methodology must conform to Institute of Internal Auditors (IIA) standards. Each audit results in an audit report, which includes an overall audit rating and risk ratings assigned to observations. Other than minor risk observations identified in an appendix, all observations include an agreed-upon action plan and an expected completion date. OACP tracks the progress of open audit observations on a quarterly basis and reports this progress in quarterly Audit Committee meeting materials. The final audit report is distributed to a broader audience, including executive management.
Assessments – The objective of these projects is similar to that of audits – identify risks and control enhancement opportunities – but they are not intended to provide assurance that controls are operating effectively over a period of time. This type of project is typically performed in lieu of an audit when the area under review has never been evaluated (e.g., Medical Device Security) or where policy and processes have only recently been implemented. These projects give Internal Audit flexibility in how the project is executed and reported. They also give management insight into where risks and control enhancement opportunities exist, and time to develop a remediation strategy before potentially being subject to an audit at a later date. Internal Audit is not bound to conform with IIA standards for these projects, which allows Internal Audit to use its judgment on how much testing is needed to evaluate the area under review.
Assessments result in a memo or a report highlighting observations and recommendations. The deliverable does not assign an overall audit rating and may not assign risk ratings to individual observations. Agreed-upon action plans are not required, and OACP will not track the progress of open observations. If OACP continues to consider the area reviewed important or risky enough to evaluate at a later date, particularly if we sense that management may not be taking action to address the observations identified, we could include an audit project on a subsequent FY work plan to elevate visibility for the area under review and hold management accountable for remediating identified observations. Distribution of assessment memos and reports is much more limited than that of traditional audit reports.
Advisory – This type of project has Internal Audit in a consultative role only. The most common example of an advisory project is working alongside management during large system implementations. To be transparent with our clients, we will typically develop a statement of work outlining areas Internal Audit would explore with management. Sometimes this can be accomplished through participation in committee meetings; other times, we request information/documentation and hold periodic working sessions with management to address areas under review. Internal Audit’s goal is to add value by providing feedback on potential risks or process/control enhancements as close to real-time as possible, which provides management an opportunity to revise processes or controls before the project moves too far along.
The outcome of advisory projects varies. Sometimes no written deliverable is provided to memorialize observations identified by Internal Audit during the advisory effort. Other times Internal Audit will develop a memo highlighting observations and recommendations. The deliverable does not assign an overall audit rating and may not assign risk ratings to individual observations. Agreed-upon action plans are not required, and OACP will not track the progress of open observations. Distribution of a memo also varies. However, senior management and executive management who sponsor the project or who would have significant interest in our results are normally included in the distribution of the memo.