Financial Auditor and IT-Auditor: from working together to yellow Post-Its!

The traditional accountant who wants a client’s stock record printed on paper to work with during an audit is just about extinct by now, but is a modern financial auditor with a laptop, checking a digital version of the same file, ready for the future? The following question often pops up: what should the financial auditor do with the black box called IT? My answer is: seek cooperation with the IT-auditor!

Five years after graduating as a financial auditor, I started to study IT-auditing. In a world where IT-systems are getting more and more important, I thought it was useful to have some more knowledge about IT myself. Because of that, I have paid more attention to the IT-aspects of a firm during my work as a financial auditor. A benefit of that is that I have knowledge of the world of a financial auditor as well as the world of an IT-auditor. I still haven’t regretted my choice to study to become an IT-auditor!

Has the cooperation between financial auditors and IT-auditors improved in the last couple of years? Yes! Is there more room to improve? Again: Yes! However, how are we going to do this in practice? The cooperation already starts in the planning phase of an audit, when the financial auditor determines the proper scope and gives the IT-auditor the appropriate research questions. For example, the financial auditor determines which systems are important for the numbers that end up in the financial statements. In this phase of the audit, the financial auditor and the IT-auditor jointly explore which control measures in the automation environment the financial auditor wants to rely on for the system-based controls. The IT-auditor tests these automated controls in the system (the application controls) after it has been confirmed that the base of the automation environment is in order (the general IT-controls).

An example: in an audit, separation of duties is really important; for instance, a staff member who can both manage invoice entries and execute the payment might be undesirable. Suppose ERP software is in use at the client of a financial auditor. Orders, receipt of goods, invoices, etc. all go through this system. There are no more paper documents in this process. Users can have access to different parts of the system, and the system regulates that access. It is possible that certain users have multiple functions that break the desirable separation of duties. In these cases, the financial auditor asks the IT-auditor to check if the separation of duties is in order. The AO/IC (Administrative Organisation and Internal Control) description within a company can help determine this. The IT-auditor first checks if the basis of the automation is in order. When this is to the IT-auditor’s satisfaction, the IT-auditor uses the authorisation matrix to check whether users can handle more than one type of function. However, this is not where the work of an IT-auditor ends, because for the financial auditor it is important to know if these users actually did transactions in multiple functional roles. This is because these transactions carry extra risk and need to be checked thoroughly by the financial auditor.
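The two steps described above, first the authorisation matrix and then the transactions actually performed, can be sketched as follows. This is an added example, not part of the original post; the user names, function names and document ids are hypothetical, constructed sample data.

```python
from collections import defaultdict

# Conflicting function pairs; invoice entry vs. payment is the pair named in the text.
CONFLICTS = [("enter_invoice", "execute_payment")]

# Constructed authorisation matrix: user -> functions the ERP system allows.
AUTH_MATRIX = {
    "alice": {"enter_invoice", "execute_payment"},
    "bob": {"enter_invoice"},
    "carol": {"enter_invoice", "execute_payment", "receive_goods"},
    "dave": {"execute_payment"},
    "erin": {"enter_invoice", "execute_payment"},
}

# Constructed transaction log: (user, function, document id).
TRANSACTIONS = [
    ("alice", "enter_invoice", "INV-001"),
    ("alice", "execute_payment", "INV-001"),  # same user, same invoice
    ("bob", "enter_invoice", "INV-002"),
    ("carol", "execute_payment", "INV-002"),
    ("carol", "enter_invoice", "INV-003"),    # both roles, different invoices
    ("dave", "execute_payment", "INV-003"),
    ("erin", "enter_invoice", "INV-004"),     # authorised for both, used one
]

def potential_conflicts(matrix, conflicts=CONFLICTS):
    """Step 1: users whose authorisations cover both sides of a conflicting pair."""
    return sorted(u for u, funcs in matrix.items()
                  if any(set(p) <= funcs for p in conflicts))

def exercised_conflicts(transactions, conflicts=CONFLICTS):
    """Step 2: users who actually used both sides of a pair, mapped to the
    documents on which that same user performed both functions."""
    by_user, by_doc = defaultdict(set), defaultdict(set)
    for user, func, doc in transactions:
        by_user[user].add(func)
        by_doc[(user, doc)].add(func)
    hits = {}
    for user, funcs in by_user.items():
        pairs = [set(p) for p in conflicts if set(p) <= funcs]
        if pairs:
            hits[user] = sorted(d for (u, d), f in by_doc.items()
                                if u == user and any(p <= f for p in pairs))
    return hits

if __name__ == "__main__":
    print("Potential:", potential_conflicts(AUTH_MATRIX))
    print("Exercised:", exercised_conflicts(TRANSACTIONS))
```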

However, be aware: the real world is always more complex than the theory. For example, imagine that the IT-auditor has found no exceptions. Does this mean that the right cooperation between IT-auditor and financial auditor means there is no risk of a breach of the separation of duties? Certainly not! Because who hasn’t seen the yellow Post-its on company monitors? So keep your eyes and ears open during an audit. A critical mindset is important for both the financial auditor and the IT-auditor.
