Professional Documents
Culture Documents
feature
The Interview as an Audit
Tool During an IT Audit
Conducting onsite interviews is a critical part of any possibly the related work papers can be helpful, but
IT audit and can lead to the gathering of information they should not influence the current audit as they
not readily apparent through reading documentation were from a previous point in time.
and examining physical evidence. A number of
articles have been written on this topic, although
they are primarily focused on financial audits.1, 2 This
article outlines steps toward conducting successful
interviews of IT staff about their processes, and Defining and
discusses the use of diagramming techniques to narrowing the
help document and facilitate these interviews.
scope of the
Interviews of key personnel during the course of
an IT audit are no less important than interviews
discussion will…
conducted during financial and business audits. facilitate the
Indeed, interviews and process walk-throughs
during IT audits are necessary to gain a deep construction of
understanding of the actual procedures followed questions to be
and identify possible control weaknesses in these
procedures that may not be evident in a review of asked during the
documentation and evidence.
interview.
Preparation
Defining and narrowing the scope of the discussion Questions to be used during the interview can be
are also important, as these steps will facilitate the developed through a combination of procedure
construction of questions to be asked during the documentation review, past experience with the area
interview. When preparing for an interview, a review being audited and past experience on similar audits
of the organization and process to be discussed is for other auditees. In general, it may be useful to have
critical. An understanding of the procedures that a general set of questions (topics) that outline what
are documented, along with the identified controls is to be covered during the course of the interview.
associated with the processes and procedures, is These questions and topics are based on the audit
necessary to be able to formulate questions and test objective, and the degree of detail is dictated by
follow along with interviewees as they describe their the level of the person being interviewed—the higher
job responsibilities. There may be occasions when the level, the less detail is expected during the course
existing controls are not well documented, if at all; it of the interview. Specific questions should not be
is in these cases where a process walk-through can provided prior to the interview, even when requested,
be useful in identifying control points. If there is a as the auditee may choose to simply provide a written
previous audit of the area, a review of the report and response to the questions without undergoing an
interview. Providing an outline of the topics to be
covered, rather than the specific questions, should
Henry Bottjer, CISA, CRISC provide the auditee the information needed prior to
Is an IT audit and risk control consultant with a focus on IT general conducting the actual interview. The questions asked
controls, application audits, and conducting pre- and postimplementation need to be open ended, resulting in a conversation
reviews. Bottjer has worked in this field for 15 years, working and eliciting a detailed response, not a simple “yes” or
predominantly in the financial services industry. Prior to working in the “no” answer.
IT audit and control field, he had 15 years of experience in IT program
and project management, network management and other IT functions in
The identification of staff to be interviewed is also
support of business needs.
important. Because newly hired staff are likely to know
Dev1
Checked
Out
V3.2.2
While V3.2.2 Dev2 Checks in
Checked out V3.3.1
Dev2 Requests
IDev1 Check in
V3.2.3
Dev1
Modifies Test
Code
Dev2 Rob
New Checked
Stream/Cancel? OK Modifies Test
Out Code
V3.3.1
Cancel
Version 3.2.3
1 5 6 11
(Users)
Identify 2
Document User Create and Verify
Change Test Submit Change
Need Changes
Changes RFC
Management
Business
3 8
Prioritize Approve
Change
Technology
4 RFC
Need
Code and
System Test
Change 7
Technical
RFC
Review
Operations
9
Create 10
Changes and Implement
Backout Change
Package
Conclusion Endnotes
Many times, an interview can help auditors identify 1 Leincke, L.; J. Ostrosky; M. Rexroad; J. Baker;
possible control breakdowns in an IT environment S. Beckman; “Interviewing as an Auditing Tool,”
or people performing their job in a way that does The CPA Journal, February 2005
not follow the documented procedures. While some 2 Seipp, E.; D. Lindberg; “A Guide to Effective
things identified in an interview are easily countered Audit Interviews,” The CPA Journal, April 2012
(e.g., “No, I misspoke. We do it this way.”), it may 3 Ibid.
lead an auditor to request evidence that would 4 Damelio, R.; The Basics of Process Mapping,
support something mentioned in the interview. While 2nd Edition, Productivity Press, USA, 2011
there is little formal training offered on this skill, it is 5 Sharp, A.; P. McDermott; Workflow Modeling:
definitely a skill worth acquiring. Learning how to Tools for Process Improvement and Application
develop and ask questions, establish rapport, and Development, 2nd Edition, Artech House, USA,
obtain information can only really be learned with 2009
practice. Confidence is built over time, and it can 6 Martin, J.; K. McClure.; Diagramming Techniques
lead to more effective interviews. Using diagramming for Analysts and Programmers, Prentice Hall,
tools, such as flowcharts, can greatly enhance the USA, 1985
quality of the conversation and understanding of key
process flows and controls.