Integrated Audit Approaches
Part 2 of 2
By: Mitchell H. Levine, CISA
The Integrated Audit is intended to ensure that IT systems adequately support the needs of the business operations. The Integrated Audit still incorporates all of the traditional components of an operation audit, which is why an Integrated Audit requires representation from both operation and IT auditors. The first part of this article focused on the analysis of the components of traditional IT audits which could be applied to an Integrated Audit.
Audit Serve, Inc.
After the steps are taken to define the business processes which comprise the Integrated Audit, the application systems which these business processes use need to be identified.
The starting point of the field-work is the interviews conducted with the representatives who support the critical business processes. Information needs to be obtained which allows for the identification of business process rules. Business process rules are then enforced by either an entirely manual control or an IT automated control, which translates into a detective control or a preventive control.
Example of manual and automated process to enforce business process rules:
Business process: The processing of a residential loan application
One of the business process rules is that the loan cannot be approved unless an independent appraisal has been performed and the appraised value of the house must be at least 25% more than the loan being requested.
A manual process to enforce this business process rule would be a case folder which includes all loan documentation, together with a review of the physical appraisal document to determine whether the appraised value of the house is at least 25% more than the loan being requested.
Another variation of this manual process, which entails the use of IT systems, is for the loan processor to look up the value of the appraisal on the Loan system to determine whether the appraised value of the house is at least 25% more than the loan being requested. The only automated component of this process is that the appraised value of the house was entered into the Loan system and the record was linked to the Loan Requestor’s account number. In this case the decision process to enforce the business rule is still a manual control which involves a detective review process.
The first alternative for implementing IT automation to enforce the business process rule would be to attempt to finalize the loan processing, at which point the Loan system would indicate one of the following: (1) the required loan processing steps have not been completed because the house appraisal was not loaded into the system, (2) the loan was accepted because a cross validation check against the house appraisal amount met the business process rule (i.e., the house is at least 25% more than the loan being requested), or (3) the loan was rejected because a cross validation check against the house appraisal amount did not meet the business process rule.
The primary issues which are raised during the integrated audit would involve not using automated IT controls to enforce business rules. In the absence of automated controls to enforce business process rules, the traditional operations review would need to be performed. This would involve the manual tracing through the various operation steps to determine whether business process rules were being followed.
Data extracts are also critical to support the audit issue of a missing detective review process or preventive control. Unfortunately, if the business process rule has exception processes which cannot be automated, a preventive control cannot be used. Therefore, a detective review would need to be deployed.
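The residential loan example, written out as an added illustration (not code from the author or from any real Loan system): `finalize_loan` returns the three outcomes of the automated cross validation check, and `detective_review` applies the same rule to a data extract to list approved loans that the preventive control would not have accepted. The field names, status values and sample records are assumptions constructed for this example.

```python
from decimal import Decimal
from enum import Enum

MARGIN = Decimal("1.25")  # appraised value must be at least 25% more than the loan


class Outcome(Enum):
    INCOMPLETE = "appraisal not loaded"
    ACCEPTED = "accepted"
    REJECTED = "rejected"


def finalize_loan(loan_amount, appraised_value):
    """Preventive control: the three outcomes of the cross validation check."""
    if appraised_value is None:
        return Outcome.INCOMPLETE
    # Decimal keeps the boundary case (exactly 25% more) exact.
    if Decimal(appraised_value) >= Decimal(loan_amount) * MARGIN:
        return Outcome.ACCEPTED
    return Outcome.REJECTED


def detective_review(extract):
    """Detective test over a data extract: approved loans that break the rule."""
    exceptions = []
    for row in extract:
        if row["status"] != "APPROVED":
            continue  # only approved loans can violate the approval rule
        outcome = finalize_loan(row["loan_amount"], row["appraised_value"])
        if outcome is not Outcome.ACCEPTED:
            exceptions.append((row["account"], outcome.value))
    return exceptions


# Constructed sample extract (hypothetical layout, not real data).
SAMPLE_EXTRACT = [
    {"account": "A-1001", "status": "APPROVED", "loan_amount": "200000", "appraised_value": "250000"},
    {"account": "A-1002", "status": "APPROVED", "loan_amount": "200000", "appraised_value": "249999.99"},
    {"account": "A-1003", "status": "APPROVED", "loan_amount": "150000", "appraised_value": None},
    {"account": "A-1004", "status": "REJECTED", "loan_amount": "300000", "appraised_value": "310000"},
    {"account": "A-1005", "status": "PENDING", "loan_amount": "100000", "appraised_value": None},
]

if __name__ == "__main__":
    for account, reason in detective_review(SAMPLE_EXTRACT):
        print(account, reason)
```

An empty result from `detective_review` supports the conclusion that the rule was followed for the period extracted; each listed account is an exception to trace back through the loan documentation.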
An Integrated Audit is the cornerstone for all types of audits which include standalone audits, pre-implementation and post-implementation audits. The key to the audit is for the IT auditors to be willing to spend the time necessary to understand the business process rules.
Mitchell H. Levine, CISA of Audit Serve, Inc. has established a one and two-day seminar entitled “How to Perform an Integrated Audit” which is being offered by several local ISACA & IIA chapters. Refer to http://www.auditserve.com for additional information on this seminar.
Audit Serve also conducts Vulnerability Assessments, Integrated & IT Audits, SOX Control Design & Testing and PCI Assessments. Email Mr. Levine at Levinemh@auditserve.com if you would like to discuss your organization's specific project requirements in order to establish a proposal of services.