Trends, Thoughts & Information relevant to IT Auditors and IT Security Professionals
Tuesday May 22nd 2012

Audit Assistance or Audit Burden???

I have had many discussions with individuals who despise the idea of all audits.  Some people feel as if audits are a waste of time, money and resources because they tell administrators and management things that they already know, or don’t care about.  I have to say that I agree with the people who feel that way.  You may be surprised that I agree with that point of view.  Well, I agree with it because many auditors simply produce reports that are a regurgitation of issues already known to management.  Many IT auditors are not experienced or knowledgeable enough to think critically and dig deep enough to find the real problems and add value to the client.

The blame lies in a few places.  Some IT audit senior staff generate faulty audit plans.  If you were not taught how to be an independent-thinking audit staff member, you will likely not transform into an audit senior who can lead junior staff to become independent, critical thinkers.  Instead of creating checklists and specifically identifying what junior staff should look for in an audit, senior staff should teach the junior members of their team how to think about the system they are reviewing, so that they can figure out which questions and audit procedures will provide the most coverage for the particular system being examined.  Not every audit artifact is equal, and one must think about the evidence provided to determine whether there is a gap, or a way for a weakness to slip through the cracks and not appear in that particular piece of evidence.  I cringe when I hear that one of the first steps an auditor has taken is to hand the client a checklist of audit artifacts to request.  One of the first things an auditor must do is interview the client (walk through the process) and gain an understanding of the client’s processes.  Only after auditors understand the process can a list of artifacts be requested.  It is a grave mistake to assume that one can audit a process simply because one is familiar with the applications or systems in place.

Another place where blame lies is with audit managers who are more concerned with maintaining the contract than with giving the client the ability to decide which issues are significant enough to worry about.  It is my belief that all weaknesses found during an audit should be communicated to the client in writing in some form.  I am not promoting the idea that all findings should make it into the final report, or even that all findings are reportable.  I am saying that in daily interactions, status meetings or briefings the client should be presented with a list of every single finding that was observed; this provides legal/regulatory coverage for the auditors, and it allows the client to make the decision to address or ignore each issue individually.  The way I see it, my integrity as a professional is more important than the contract that I am working under.  If my client is intimidated by a long list of findings, they can either keep me around to help them correct the situation or continue to bury their head in the sand, in which case they may terminate my contract, or I may refuse to return when that contract ends.  Auditors are a resource that should be used to help; if we are seen as adversaries by the system admins or management, our work will not add any value to their processes.

The purpose of an audit is to find the issues that the client is either not aware of, or trying to hide.  If you use checklists or ignore seemingly minor issues, you are failing your client and you are failing the members of the IT audit profession who provide a high-quality service to their clients.  Articles such as the examples below can be avoided if annual audits are effective and the client takes steps to resolve the issues presented in their audits.  A little background information for those who may say that these articles are the result of audits: Federal systems are subject to a minimum of one assessment (read: audit) each year, and the Inspector General generally only performs a spot check of a few systems each year, per agency.  The system that is the subject of the articles and reports below could have addressed the issues presented well before the Inspector General (IG) audited it.  If the annual audits had been effective, and the client had taken action to correct the findings during any prior year when the IG did not select this system for review, these issues would not exist now.


  • http://itauditsecurity.wordpress.com ITauditSecurity

    gg,
    I couldn’t agree any more with this statement:
    “One of the first things an auditor must do is interview the client (walk through the process) and gain an understanding of the client’s processes.”

    Too many auditors follow a checklist or last year’s audit plan without even asking about what changed or determining whether the previous auditor even understood how the system was used or configured. I recently performed an audit where the previous auditor didn’t audit one of the admin privileges assigned to administrators–the most powerful admin privilege that a system user could have.

    Either the control owner misled the auditor or the auditor did not ask about or understand all the possible admin privileges available in the system. Since this is a commercial system that is broadly used, a quick Google search would have shown the gap in the controls.

    As far as audits being worthwhile or a burden, I think auditees need to remember that MANAGEMENT requested the audit and is paying for it (sometimes dearly), so in the end, if the audit is a burden, then management is ultimately responsible. That doesn’t mean the auditor or audit team is blameless. It means that either 1) the auditees are whining about something management thinks is worthwhile, or 2) management is not doing its job because the audit is truly a burden and not a help–and they’re not managing the auditors.