The dividing line between what is a computer audit function and what is a general audit function can vary significantly between audit groups. Some groups include what in other audit departments would be a computer audit function in the general audit responsibilities. There are three different views on computer audit as a discrete discipline.
The first view, and one often held by computer auditors themselves, is that any review of computer controls should be carried out by a specialist computer auditor. Therefore, as computer systems are continuing to spread and increase in complexity, the number of staff working as professional, full-time computer auditors must increase correspondingly.
The contrary view is that computer auditors and general auditors must integrate fully. Because most business systems are computer based, all auditors must be computer auditors. Extreme proponents of this view see no future for separate computer audit specialists, even for the most technical work.
Between these views is a third view, which has much to commend it. There is some benefit in having certain areas of audit work involving the review of computer systems carried out by computer-literate general auditors. This includes the review of PC systems, which tend to be highly integrated into the workings of user departments, and many aspects of the review of both developing and live systems, which again benefit from a detailed knowledge of the business environment. Some straightforward file interrogations can now easily be carried out by general auditors. However, there is still a continuing and major role for specialist computer audit staff, particularly in the more technical areas of developing or live application reviews, and for mainframe computer installation and systems software reviews.
Such an organization will typically report independently to a level sufficiently high to ensure adequate authority for access. Normally it is seen as a part of internal audit and reports within that structure. The structure of IS Audit itself is largely a function of size, which determines the need for specialists as opposed to generalists. The complexity and uniqueness of the organization's systems, as well as the extent to which packaged systems are used, will also play a part in deciding the structure.
STAFFING
Depending on the size and complexity, staffing could consist of a mix of:
■ Computer audit manager
■ Application auditors
■ Trainee auditors
■ Audit application development staff
■ Technical support
Skill levels required of the manager of such a department would include specialized skills in both conventional and computer auditing as well as the managerial skills appropriate to handle a mix of technical specialists. Knowledge of the corporation would be absolutely essential to ensure adequacy of risk coverage.
Tasks of the IS manager include the planning of the strategic direction of the section, which must take into account corporate priority setting as well as the liaison internally and externally to ensure effective IS coverage in an efficient manner. As with any line manager, the review and approval of all IS Audit work and the controlling and monitoring of the workflow are part of the normal managerial function. The staffing of the department, defining of roles, sourcing of staff and training, motivating and career planning for acquired staff are part of the normal managerial process.
Once the audit universe has been defined, it will be possible to work out the types of skill required to review the audit areas that have been identified.
Assuming a typical IS Audit coverage in a large organization, the following skills or knowledge may be required in an IS Audit department:
■ IS security and control principles.
■ Audit principles. Auditors need to understand how to plan and undertake audits, and how to document their work.
■ Good interpersonal and communications skills, both oral and written, because very complex technical information often has to be communicated in a jargon-free way.
■ Good sense of judgment, because they need to analyze complex technical and business issues, and to conclude on the security and control implications.
■ Business-specific skills; for example, a bank will benefit in application reviews if some staff have banking training.
■ Systems analysis skills, to assist in understanding computer systems, and reviewing the development process.
■ Data analysis skills, to assist the auditor in understanding the design and development process, as data analysis techniques are in widespread use.
■ Some programming skill, to assist in preparing computer-assisted audit techniques (CAATs) and reviewing systems under development.
■ Computer operations experience, to help the auditor to review computer installations.
■ Networks, for the review of data communications.
■ Systems software, to assist in the review of the systems software infrastructure of the organization.
■ PCs and minicomputers. This has now become a very significant area in many organizations.
In-depth and varied skills are therefore required, and are rarely found in one individual. Many computer audit departments are thus staffed by auditors from a variety of different computing and audit backgrounds. It is management’s job to develop missing skills in the group, and bring the group together as a team. Ongoing training is essential to keep skills current in an ever-changing data processing environment.
In order to discharge their responsibility of identifying and analyzing risk in computer systems, computer auditors must, as is the case with all auditors, be able to write reports in simple, jargon-free language. The auditor must be able to report on risk in terms that management can understand; insofar as is possible, the effect of the risk must be described in business terms for business management. While the final report of findings to management, both orally and in writing, may take only a small percentage of audit time, if it is not done professionally much of the potential benefit of the audit will be lost. Good written and oral communications skills are therefore essential.