
Internal audit challenges

• Although many potential benefits accrue to organizations that establish effective
internal IT audit capabilities, not all organizations have sufficient resources available
to dedicate staff to auditing, or to do so in a way that covers all the areas within an
organization that need auditing.
• Aside from the resource costs associated with internal IT auditing, other challenges
include the significant skills and expertise needed by internal auditors and the
perceived or actual lack of independence for internal audit activities, particularly in
smaller organizations.
• The range of operational processes, technical components, and internal controls
potentially subject to IT auditing is varied enough in many organizations that it is
unreasonable to expect that individual auditors would have sufficient breadth of
knowledge and skills to address all of them. Even with detailed audit protocols in
place, organizations often need to enlist the services of multiple auditors (possibly
including outside contractors) to cover the scope of IT audits they want to perform.
Internal IT auditing performed by employees of the organization also raises potential
questions regarding auditor independence and objectivity.
Internal auditors
Internal IT auditors often have substantial prior work in information
technology, whether their experience includes broad IT knowledge
spanning multiple domains or more specialized areas of expertise. It is
certainly possible to begin in finance, accounting, or other business
domains associated with conventional auditing and move towards a
specialization in IT. IT-specific knowledge is required, however, to
understand IT audit criteria and to be able to compare them to the
implementation, configuration, and operations and maintenance details
of IT systems and technologies. Additional IT skills may be required to
correctly run test procedures or apply examination methodologies used
in different types of IT auditing.
Common subject matter topics with which
internal IT auditors should be familiar include:
• Business domains and associated processes supported by IT systems.
• Data governance, data management processes, data backup and restoration,
and storage technologies.
• IT policies and procedures.
• Operations and maintenance processes.
• Systems development life cycle process and activities.
• Application, systems, and security.
• Computer operating systems.
• IT governance and risk management processes and frameworks.
• Internal control types and applicability.
• IT process management or security management models, and IT-related
standards and certification criteria.
Summary
This chapter focused on internal IT auditing, contrasting it with external auditing
(the subject of the next chapter) and describing the structural and operational
features of internal audit programs that include IT audits within their scope. It
highlighted the purpose, objectives, and rationale for establishing and maintaining
internal auditing capabilities and described some of the potential benefits
organizations expect to realize from effectively managed internal audit programs.
The material in this chapter explained the typical positioning of the internal audit
function within the organization structure and its relation to governance bodies
such as corporate boards of directors. It also described some of the characteristics
of internal auditors and the relevant skills and experience auditors need to do their
jobs effectively.
