Feature story: A common necessity in the heterogeneous ITWG
When I was thinking about a good parallel to taking over the chairmanship of the IT Working Group, the first that came to mind was the 1994 film “Speed”, where the main character had to jump on a speeding bus full of people and take over the wheel. It indeed seems that IT is a speeding bus in the world now, and the auditors’ community in Europe is in the middle of a digital transformation, having to evaluate the risks behind the technologies their governments are applying. To stay relevant, we have to keep up with the speed of this process.
So what is there for a small NAO of Estonia to put on the plate for this vast community?
ITWG is a heterogeneous community of 41 members with different needs. Even the definition of “IT audit” varies greatly. Over the summer, we performed a survey among the ITWG members to understand how European audit institutions define the concept of IT auditing and what types of audits IT auditors are conducting. As a result, we saw that many SAIs have integrated IT-related criteria into various audit domains and merged them into so-called comprehensive audits. On the other hand, many institutions focus on IT-related questions mainly when auditing systems for payment and accounting; for them, IT auditing has become an integral part of financial audit. Of course, there are still standalone IT performance and compliance audits carried out by IT auditors, but the trend seems to be the integration of IT into different domains according to audit institutions’ strategic priorities.
Diagram: Types of audits mainly conducted by IT-auditors (n=31)
As IT criteria are being implemented horizontally in various audits, not only IT auditors are expected to understand the prerequisites for effective IT infrastructure and operations. For instance, in Estonia, several audits considering IT systems’ effectiveness have been conducted by environmental auditors, municipal government auditors and healthcare systems’ auditors. The questions they have asked of our IT auditors during their work are relevant, and the audits professional as always, but what concerns us is which questions these auditors didn’t know to ask. Would our audits be more effective if the auditors fully understood the risks related to the use of technology?
IT auditing capacity and utilization is something every audit institution is in dire need of these days.
This is something we also received as feedback from the ITWG members in the survey. The vast majority of institutions expressed great demand for auditors’ training, and the needs were defined on a very broad scale – from basic training for non-IT auditors with little knowledge about the value of IT and the IT risks in their field, to auditing complex information systems and using auditing tools and automation to shorten the audit cycle. IT auditors would need guidelines, use cases and best practices regarding the integration of an IT audit element into performance or financial audits and how to manage audit quality in the IT field.
Moreover, a great number of SAIs stressed the need for advancing auditors’ data analysis skillset – this shows that data analysis is considered an important IT component of auditing. Although this might not by definition be “IT auditing”, it is IT in action to promote better audit results. Using advanced methods in data analysis is the topic of most SAIs’ meetings these days, but we see room for development via sharing the best practices and technical background of influential audits. There is no level on which an institution can feel mature enough in this field – for instance, just a couple of weeks ago we discussed with our ITWG colleagues who could teach us how to apply AI in financial auditing.
When talking about training provided to IT auditors, the usual practice is to provide ad hoc training, and many institutions have encouraged their IT auditors to pass the ISACA program, mainly to get a dedicated certification. Non-IT auditors, on the other hand, usually receive only an overview of IT audit practices during their introductory training. There is no arguing that IT-related training for auditors could be more sufficient.
A training program for auditors has been proposed intentionally by us via the new ITWG initiative “Research and Training Hub”, bearing in mind the heterogeneity of Europe and the 41 members of ITWG. Diversity should not be considered a weakness of our group, but rather an advantage. Together we can develop a program suitable to every auditor and every institution; the examples of using several methods or technology can be taken from various audit practices. We have good potential for designing a mutually beneficial training program together with 17 audit offices who expressed their readiness to support the program with cases, courseware and assistance (map below). The training program is not a single-institution project, but a mutually beneficial undertaking.