It is no secret that businesses today increasingly rely on IT systems and automation to accomplish their objectives. Internal audit departments have evolved over time to consider IT risks as they relate to their organization’s objectives, in many cases developing in-house IT audit groups or contracting with external service providers to address risks in these areas. These groups may or may not collaborate on their audit plans and the inclusion of business processes or systems. We’ve observed in practice that operational auditors often audit “around the box” or focus only on what happens outside of an IT system, while IT auditors will focus on the system's layers underneath the core business application.
Our model for integrating operational and IT internal audit is designed to orient internal audit’s approach to addressing business risks to consider the technical factors that most closely relate to the achievement of the organization’s objectives.
The model for integrating the operational and IT internal audit begins with writing the intent of the organization into the organizational charter, operational manuals, and other policy and procedure documentation. Setting the tone and expectations for staff to execute against an integrated approach to audit execution is key to the effort’s success.
The organization should consider revising its risk assessment and planning methodologies so it can identify automated IT functionality the organization relies upon to execute business processes. These revisions ideally will be supported by creating standard work templates for internal auditors to execute against in their assessment of process risks and controls, including IT components. These revised templates and methodology will guide the auditor through identification and categorization of the risks and controls in the business process. They also will help the internal audit team match its IT scope to the business process risks relevant to the audit project.
Outcomes from integrating the operational and IT internal audit approach to specific projects may include:
- Opportunities for staff to cross train between traditionally separate internal audit functions
- New career opportunities for internal audit staff
- More well-rounded professionals in the internal audit function
- More timely coverage of IT business process risk within the internal audit plan
- Demonstrated internal audit value through modernization and alignment of the audit approach to the business
The organization also may realize benefits from having a reduced number of touches between internal audit and management due to increased coordination between teams.
For more information or to have a discussion about how this model could be implemented in your organization, reach out to a professional at FORVIS or submit the Contact Us form below.