For internal audit functions, a worrying circularity occurs when auditing IT controls. And it’s this: to obtain the data that the audit function needs to check, it is necessary for them to go to a plethora of different business functions and request it.
In other words, the controls being audited are owned by the very same people who provide the data used to assess them.
And audit, as any auditor will tell you, isn’t supposed to work like that. An auditor is supposed to determine the risks on which assurance is required, specify the data which will determine if adequate assurance does indeed exist, request that data, and then examine it in real time. The function being audited is quite separate from that process.
Not always when it comes to IT, though. The IT function is often intimately involved—typically receiving a request for a pack of audit data, and then delivering it, painstakingly assembled, some time later. Worse, in some organisations, IT is intimately involved both in specifying the risks to be assessed and in providing the data with which to assess those risks.
To belabour the point, audit isn’t supposed to work like that.
Independent and objective
To be fair, audit functions know this. And they know it all too well. They’re supposed to be in the driving seat when it comes to risk auditing—and when it comes to IT, more often than not, they’re unable to have full confidence in the data they are assessing, because it is collected manually and comes from unconnected systems that provide sample data only.
Audit functions also understand all too well that different parts of an organisation will have different views on what constitutes risk, and on what ‘good’ or ‘bad’ looks like in respect of that risk.
And they know that their role is to objectively define risk, and to objectively assess the relevant data with respect to that risk. Relying on other parts of the organisation to define risk and to produce the data with which to assess it weakens the integrity of the audit process—much more so, of course, when the function in question is the very function responsible for managing the controls that relate to the risks being audited.
Simply put, an audit process that isn’t demonstrably independent and objective is an audit process with obvious weaknesses.
Driving seat
Now, there’s no suggestion that IT functions are actively ‘gaming the system’, and abusing the position of trust in which they find themselves. That would be dangerous, and short-sighted.
The problem is one of perception: the risk that this could happen is what degrades the objectivity and independence of the audit, rather than the fact that it is happening.
And it’s also true that everyone—audit functions, IT functions, and the broader organisation—has an interest in effective and objective audits being carried out. Audit, after all, is often called the ‘third line of defence’ when it comes to IT, after the IT function itself, and the organisation’s risk and compliance professionals.
So what can be done? How can truly independent and objective IT audits be carried out? Is there a way out of this impasse? And a way of putting audit functions back in the driving seat, where they should be, providing strategic insights back to the business confident in their data set?
Introducing Continuous Controls Monitoring
The answer: yes, thanks to a paradigm shift in how IT audits can be carried out.
A technology known as Continuous Controls Monitoring—a new, proven innovation being espoused by auditors and by independent advisory organisations such as Gartner and Forrester—delivers just such a means of providing audit functions with the data they need. It does so in real time, instantaneously, and without requiring IT involvement at all.
Simply put, Continuous Controls Monitoring gathers—continuously, and in real time—all the data and evidence required to audit IT with confidence. It does this by continually monitoring all of a business’s risk management systems and internal controls, directly from the source, and merging the metrics you require so that the data-gathering process is automated.
It’s IT data that is factual and objective. It’s IT data that is immediate. It’s IT data that is drawn from right across the organisation’s risk and vulnerability landscape. And it is IT data that comes directly to audit functions, rather than through the auspices of the IT security function itself.
A better way of auditing IT? We think so.