The first thing I try to explain to new auditors (or clients going through an audit for the first time) is what techniques IT auditors use to audit.
Most people unfamiliar with auditing have no idea what’s about to happen. Are the auditors going to run a magic tool? Are the auditors going to comb through every piece of paperwork in the office? Both?
The truth is all of auditing is pretty much broken down into four audit techniques: Inquiry (talking to people), Observation (observing processes), Inspection (looking over paperwork or system configurations), and Reperformance (reperforming a process).
IT Audit Techniques: Inquiry, Observation, Inspection, Re-performance
Inquiry
Inquiry is the process of gathering information directly from an individual who is familiar with the subject matter or control being tested. Inquiry may be written (i.e. email) or oral (i.e. interview).
When to use Inquiry: It is best to use inquiry to gain a basic understanding of complex processes and is always used in combination with observations and inspections.
Strengthen Inquiry with: Corroboration- inquire with multiple people when possible or use it to supplement another form of testing or evidence. Avoid relying on inquiry alone when possible.
Common Pitfalls to Avoid: Verify the person you are inquiring with has appropriate expertise, job title and authority to speak on the record concerning the control/process being verified.
Always note the time of inquire and job title of the people inquired with and obtain written inquiries when possible
Observation
Observation is the process or procedure of observing processes take place or witnessing physical items in place and operating as described. These might also be considered walkthroughs.
When to use Observation: It is best to use observations for controls related to physical security, logical security automated controls, data center hardware and for many process controls (this may overlap with re-performance).
Examples may include:
- Verifying that various data center safe guards such as fire suppression systems, UPS devices and HVAC systems are in place.
- Verifying that keycard and biometric access systems, security cameras and locked server cages are in place and operating effectively.
- Verifying that certain processes and automated controls in software exist and operate as described (this may overlap with re-performance).
Strengthen Observations with: Pictures of physical facilities if possible and screenshots of systems and processes in place- with system generated timestamps included on all pictures/screenshots collected.
Common Pitfalls to Avoid: Be sure to address all details of the control during observations the first time. Observations virtually always require the assistance of the client and sometimes travel, so carefully read each control and observe all aspects of the control, document sufficiently, and get it right the first time.
Inspection
Inspection is the examination of documentation that serves of evidence that a control is in place. Inspection often times involves gathering populations and creating samples for testing, but can also overlap with observations (e.g. inspecting fire suppression inspection records while observing that the fire suppression system is in place)
When to use Inspection: Inspection is appropriate when having to verify controls that pertain to entire populations are in place, such as those related to logical access and change management systems. Inspection is also applicable to reviewing company policies and verifying that proper segregation of duties is in place.
Examples may include:
- Verifying that users with access to corporate IT systems are all current employees and access is appropriate based on job title and responsibilities by assessing/testing a sample of users from a system generating population.
- Verifying samples of change management tickets and testing for appropriate segregation of duties, management approvals, roll back procedures, etc.
- Reviewing Master Service Agreements, organization policies and organization charts for various attributes.
Strengthen Inspections with: Thorough documentation that allows for recreation of the testing process during the review phase and through pairing with Inquiry and Observation when possible.
Common Pitfalls to Avoid: Pay attention to timing of population creation to avoid sampling outside the audit period. Take appropriate measures to gain comfort that populations are complete (through inquiry, inspection of query parameters and research of the systems in place).
Always insist on system generated populations that include system date and time, also observe the queries and parameters used to generate any populations/reports.
Re-Performance
Re-performance is independently recreating a process to verify that it is operating effectively. Re-performance may also include recreating a process in tandem with an observation to observe an otherwise automated process.
Re-performance offers the highest level of assurance that a process is in place and operating effectively.
When to use Re-performance: Re-performance is best used to verify automated IS processes are in place and operating effectively.
Strengthen Re-performance with: Complete documentation of the Re-performance process from start to finish, to help the reviewer gain assurance that the process was accurately re-performed. Include sample input values, query parameters or files used during the process and their output, in the documentation.
Common Pitfalls to Avoid: According to ISACA, a re-performance of a control is technically supposed to be independently performed by the auditor. Be aware of how client interactions might interfere or impact the re-performance process. For example, in cases where you must rely on the client to re-perform a control or process, abstain from leading the client or dictating the control to them.
Focus on re-creating the process as it operates in day to day operations then verify that it conforms to the official process and control description.
We welcome all critiques, improvements and comments! So please share below in the comments.
When working with application controls at an external audit client. In regards to a reliance strategy when looking at Internal Audit’s work, what is the difference in approach for Rely, Re-perform, and Test?