Integrated Audit Approaches
Part 1 of 2
By: Mitchell H. Levine, CISA
Audit Serve, Inc
Most audit departments have embarked on the road of transforming their audits into Integrated Audits. In the past, there was a “great wall” between the financial and operation audits as compared to the technical audits which were performed by IT Auditors. The first natural step to establish a structure for Integrated Audits was to join the Operations and IT Auditors into a single audit team. However, there was no change to the type of standalone audits that were performed as compared to past audits.
The operations audit and the application audits were always considered prime candidates to merge into one audit. It was always understood that application audits did not venture far enough into understanding the business operations to yield quality issues. Instead, the application controls reviewed related to generic edit checks such as format and reasonableness checks. Since the IT Auditors did not have the business knowledge of the operation areas which used these applications, they were unable to evaluate the adequacy of the edit checks to determine whether they enforced the requirements of the business. These requirements are referred to as business rules, which are the foundation for performing integrated audits.
Application audits also provided the basis for performing a focused review to evaluate the effectiveness of the application security design, application security administration, application software management, and application-level business continuity. These areas were included in the application audit because they could not be adequately covered as part of the IT General Controls audit.
Another problem with merging the operation and application audits is that the business area being reviewed would, in most cases, utilize multiple applications to support its business processes. The next part of this article will focus on the critical components that need to be included as part of the integrated audit, including the need to focus on the business process rules which comprise the auditable entity. This approach would require several applications to be reviewed in order to ensure that the application systems provide effective automation of processes to meet the requirements of the business process rules.
Mitchell H. Levine, CISA of Audit Serve, Inc. has established a one and two-day seminar entitled “How to Perform an Integrated Audit” which is being offered by several local ISACA & IIA chapters. Refer to http://www.auditserve.com for additional information on this seminar.
Audit Serve also conducts Integrated & IT Audits, SOX Control Design & Testing. Email Mr. Levine at Levinemh@auditserve.com if you would like to discuss your organization's specific project requirements in order to establish a proposal of services.