Booklet: Audit
Section: Independence and Staffing of Internal IT Audit

INDEPENDENCE
The ability of the internal audit function to achieve desired objectives depends largely on the independence of audit personnel. Generally, the position of the auditor within the organizational structure of the institution, the reporting authority for audit results, and the auditor’s responsibilities indicate the degree of auditor independence. The board should ensure that the audit department does not participate in activities that may compromise, or appear to compromise, its independence. These activities may include preparing reports or records, developing procedures, or performing other operational duties normally reviewed by auditors.

The auditor’s independence is also determined by analyzing the reporting process and verifying that management does not interfere with the candor of the findings and recommendations. For an effective program, the board should give the auditor the authority to:

- Access all records and staff necessary to conduct the audit, and
- Require management to respond formally, and in a timely manner, to significant adverse audit findings by taking appropriate corrective action.

Internal auditors should discuss their findings and recommendations periodically with the audit committee or board of directors.

Ideally, the internal audit manager should report directly to the board of directors or its audit committee regarding both audit issues and administrative matters. Alternatively, an institution may establish a dual reporting relationship where the internal audit manager reports to the audit committee or board for audit matters and to institution executive management for administrative matters. The objectivity and organizational stature of the internal audit function are best served under such a dual arrangement if the internal audit manager reports administratively to the chief executive officer (CEO), and not to the chief financial officer (CFO) or a similar officer who has direct responsibility for the systems being audited. The board or its audit committee should determine the internal audit manager’s performance evaluations and compensation.

The formality and extent of an institution’s internal IT audit function depend on the institution’s size, complexity, scope of activities, and risk profile. It is the responsibility of the audit committee and management to carefully consider the extent of auditing that will effectively monitor the internal control system, subject to consideration of the internal audit function’s costs and benefits. For larger institutions or institutions with complex operations, the benefits derived from a full-time manager of internal audit or an audit staff will likely outweigh the cost. For small institutions with few employees and/or simple operations, these costs may outweigh the benefits. Nevertheless, an institution without an internal auditor can ensure that it maintains an objective and independent internal function by implementing comprehensive internal reviews of significant internal controls. The key characteristic of such reviews is that the person(s) directing or performing the review is (are) not also responsible for managing or operating those controls.


STAFFING
Personnel performing IT audits should have information systems knowledge commensurate with the scope and sophistication of the institution’s IT environment and possess sufficient analytical skills to determine and report the root cause of deficiencies. If internal expertise is inadequate, the board should consider using qualified external sources such as management consultants, independent auditors, or other professionals to supplement or perform the institution’s internal IT audit function. In some institutions, a person or group that has no other responsibilities outside the IT audit function performs IT audits. Generally, institutions using this approach centralize IT audit coverage and assign one or more IT audit specialists to perform end-user application control reviews as well as technical system audits. A centralized IT audit department can ensure sufficient technical expertise, but can also strain technical resources and require multiple audits in a user department. Additionally, IT auditors in this environment may need to have a greater understanding of financial and business line audit concerns.

Other institutions may use an integrated audit approach. Using this method, IT audit specialists perform the technology system and other technical reviews, while generalist auditors perform the end-user application control reviews. Institutions should use auditors with technical knowledge appropriate for the areas reviewed.

An institution’s hiring and training practices should ensure that the institution has qualified IT auditors. The auditor’s education and experience should be consistent with job responsibilities. Audit management should also provide an effective program of continuing education and development. As the information systems of an institution become more sophisticated or as more complex technologies evolve, the auditor may need additional training.