Part III: Auditing Accounting Statements and Enterprise Resource Planning Records
Chapter 15: The Ongoing Change in Information Technology's Auditing Practices
Overview
It is no secret that since the early 1980s, with the advent of personal computers, local area networks, client/servers, disk farms, expert systems, agents, real-time simulation, off-the-shelf enterprise resource planning, and other forms of advanced software, information technology has undergone a radical change. Equally profound, as documented in Chapters 13 and 14, has been the evolution of auditing policies and practices with regard to IT. Even leaving aside for a moment the question of auditor independence, the joint effect of these changes is that:
Auditors are receiving a growing number of requests to perform a thorough investigation of the status of IT in a given company.
Sometimes, the new demands exceed the confines of auditors' past training and exposure, and they do not feel sufficiently proficient to do them.
Therefore, before looking into specific issues connected with ERP auditing practices (presented in Chapter 16), this chapter concentrates on the task of bringing to the reader's attention specific problems posed in auditing IT — and how auditors have managed to go from "here" to "there" in their investigative work.
Speaking from personal experience, my first advice to IT auditors would be to know the strategy and core functions of the company for which they are working. Core functions are those essential to the engineering, manufacturing, and marketing of products, as well as to the provision of services. They include design, production, inventory management, sales, delivery, and quality control of what a company offers to the market.
Core functions obviously vary from one sector of the economy to the next, and from one company to another within the same sector. Take a credit institution as an example. In commercial banking, the core functions are accepting customer deposits, making loans to customers, performing credit and actuarial assessments, managing the bank's own investments, underwriting financial issues, developing and managing new products, and trading in securities. Information technology (IT) solutions should support all of these channels, both individually and in the aggregate. Therefore, the implementation of IT should be rigorously audited to determine whether this has been done in the best way possible.
One of the core functions of some, but not all, credit institutions is to provide custodial services and to perform trustee functions. Virtually all banks today engage in derivative financial instruments for hedging and for speculation, aimed at developing and sustaining fee services, and capitalize on the globalization of financial markets. IT's role is crucial in all these channels, and the effectiveness, efficiency, and return on investment of IT should all be audited.
When I perform an IT audit, I start with the premise that the IT applications the company undertakes are not necessarily an outstanding success in cost-effectiveness. The independent audit should therefore say what must be done in using IT to make the functions more efficient; cut costs in all channels, including overhead; increase stockholder value; manage risk by instrument, desk, trader, counterparty, and globally; and generally equip the company with the best that IT can provide. Issues such as top-notch information technology and effective real-time risk management are core for all companies, and they are in constant evolution. An independent audit might look at IT policy at large and the quality of its implementation. Or it might be specific, focusing, for example, on project management, return on investment, organization and structure of databases, database mining, software development and purchasing, the Internet connection, or security and privacy connected to computers, databases, and networks.
15.1 A Model for Auditing the Implementation of IT on a Global Scale
The introduction to this chapter pressed the point that in addition to being a good technician, the auditor should know the strategy of the bank and its core functions. On the technical side, the auditor must be able to take a detailed inventory of current applications asking, at each step, a number of critical questions:
Do the applications under investigation fit the company's strategy?
Can the current hardware and basic software support this strategy?
How can the current applications be restructured to improve performance?
For example, if the mission of the auditor is to take an inventory of ongoing IT projects and critically analyze them, then pertinent questions include: Are the existing platforms able to effectively support current applications? Can they take over the new applications that enhance or succeed the current ones? Which project should be given priority? Which should be restructured? Which should be killed? In my personal experience, part and parcel of the IT audit is to offer documented evidence on:
Reconstructing current applications
Evaluating new systems design
Bridging the chasm that may exist between applications development and infrastructure
Targeting solutions that bring significant competitive advantages
Providing factual evidence about the quality and performance of IT personnel
Because the reason for investing big money in IT is to serve both management information requirements and day-to-day operations in an able manner, the IT auditor should make it part of his or her mission to ascertain that technology investments are always commensurate with the importance of the function being served. As Exhibit 15.1 suggests, this is not currently the case. Hence, there is plenty of scope in auditing IT from a money allocation angle and a return on investment viewpoint.
Exhibit 15.1: Technology Investments Should Always Be Commensurate with the Importance of the Function, and the Same Is True of the Tools
The IT auditor should always keep in perspective that over the last 30 years, computer power has increased by 35,000 times, and communications channel capacity has increased by 40,000 times. A good question to ask in an IT audit is how much of this power has been allocated to top management functions. Also, what kinds of structural changes have taken place in the company during the last three years? Did the company profit in a significant way from technology's advances and from IT investments?
Furthermore, with the Internet and the trend toward globalization, an IT auditor who is diligent in his or her work will search to ascertain whether IT management has developed a sound model for global operations — which respects and supports the strategy established by the board. This is one of the jobs I am doing. In my experience, a model for global management should incorporate:
Topology of the markets in which the company operates
Currencies in which the products are sold and materials/labor are bought
Customer profiles based on the business done; these must be served by knowledge-assisted artifacts[1]
For example, in finance there is a need for at least three customer profiles: treasurers, institutional investors, and high net-worth individuals. These profiles change from one area of operations to the next.
Therefore, they should be customized according to local cultures, business opportunities, and customer drives. In today's highly competitive business environment, average approaches are counterproductive.
The right way to implement CRM is not just a matter of running the programs on the computer. It is to seize the opportunity to improve marketing performance by an order of magnitude, measured against marketing costs. Today, most sales programs fail to measure the potential value of a customer; companies typically look only at past transactions, failing to appropriately consider future business prospects.
Business experience teaches that what someone spends today is not always a good predictor of what he or she will spend tomorrow, as life situations and spending habits change. Is the CRM implementation the information technologists have put in place significantly sharpening the focus of marketing? If not, why not? If so, how do the deliverables compare to what IT promised? To what it offered prior to CRM?
The CRM example in Exhibit 15.2 stresses the importance of value-added modules that help to enrich a given solution. It is the mission of IT managers and of their project manager(s) to make this value differentiation. After implementation, it becomes the duty of the auditor to investigate if this indeed has been done in an able manner, and report accordingly.
Exhibit 15.2: Value-Added Modules Over Bought Software Help to Significantly Increase the Deliverables
Another duty of the IT auditor is to examine how well bought software has integrated with the existing information technology environment of the company: How efficient are the interfaces that were provided? How well is the data flow managed? How strong are the analytics? A key asset of a good IT solution is its ability to manage workflow. While many processes in an organization are reasonably standardized, others are not, because they present their own specific requirements.
Purchase order authorization is an example where many people may have to sign off on a form. Is the ERP solution the company has chosen streamlining this process? Reducing the time lag? Ensuring that the right people see requests at the right time? Providing the information needed to deal with them promptly? A good way to demonstrate workflow capabilities is to determine whether the software speeds up application processing and provides greater accuracy in response to customer requests.
Gaining the advantages of speed and accuracy is a major plus because it makes businesses more competitive; however, many companies using CRM and ERP programming products do not take advantage of it. Has the IT department capitalized on all the competitive features of the software the firm bought and implemented?
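The workflow questions raised above for purchase order authorization (are the required sign-offs present, did the right people give them, how long did each step wait) can be turned into a concrete audit check over the approval records an ERP system keeps. The following is an added example, not code from the original chapter or from any ERP product; the approval policy (amount thresholds mapped to required roles), the 48-hour step limit, and the purchase-order records are all constructed assumptions for illustration. It also flags a requester approving his or her own order, a separation-of-duties check an auditor would normally add alongside the timing questions.

```python
"""Audit purchase-order (PO) approval records: are required sign-offs
present and in policy order, did anyone approve their own request, and how
long did each step wait?  Policy, thresholds and data are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical approval policy (assumption): roles that must sign off, in
# this order, for a PO below the given amount limit.
POLICY = [
    (1_000, ["manager"]),
    (10_000, ["manager", "finance"]),
    (float("inf"), ["manager", "finance", "cfo"]),
]


@dataclass
class Approval:
    role: str
    user: str
    when: datetime


@dataclass
class PurchaseOrder:
    po_id: str
    requester: str
    amount: float
    submitted: datetime
    approvals: list = field(default_factory=list)


def required_roles(amount):
    """Roles that must approve a PO of this amount, in policy order."""
    for limit, roles in POLICY:
        if amount < limit:
            return roles
    return POLICY[-1][1]


def audit_po(po, max_step_hours=48):
    """Return findings and timing for one PO.  An empty findings list means
    the record is clean under the hypothetical policy."""
    findings = []
    need = required_roles(po.amount)
    got = [a.role for a in po.approvals]

    missing = [r for r in need if r not in got]
    if missing:
        findings.append("missing approvals: " + ", ".join(missing))

    # Sign-offs that are present must appear in the order the policy prescribes.
    if [r for r in got if r in need] != [r for r in need if r in got]:
        findings.append("approvals out of policy order")

    # Separation of duties: the requester must not approve their own PO.
    for a in po.approvals:
        if a.user == po.requester:
            findings.append(f"self-approval by {a.user} as {a.role}")

    # Time lag: hours each step waited since the previous event.
    prev = po.submitted
    slowest = None
    for a in po.approvals:
        hours = (a.when - prev).total_seconds() / 3600
        if hours > max_step_hours:
            findings.append(f"{a.role} step took {hours:.0f}h")
        if slowest is None or hours > slowest[1]:
            slowest = (a.role, hours)
        prev = a.when
    cycle = None
    if po.approvals:
        cycle = (po.approvals[-1].when - po.submitted).total_seconds() / 3600

    return {"findings": findings, "clean": not findings,
            "cycle_hours": cycle, "slowest_step": slowest}


def audit_all(orders, max_step_hours=48):
    """Audit a batch of POs; keyed by PO identifier."""
    return {po.po_id: audit_po(po, max_step_hours) for po in orders}


def sample_orders():
    """Constructed sample records (not real data)."""
    t0 = datetime(2024, 3, 4, 9, 0)
    return [
        PurchaseOrder("PO-1", "alice", 450.0, t0,
                      [Approval("manager", "bob", t0 + timedelta(hours=3))]),
        PurchaseOrder("PO-2", "carol", 25_000.0, t0,
                      [Approval("manager", "dave", t0 + timedelta(hours=5)),
                       Approval("finance", "carol", t0 + timedelta(hours=80))]),
        PurchaseOrder("PO-3", "erin", 5_000.0, t0,
                      [Approval("finance", "frank", t0 + timedelta(hours=1)),
                       Approval("manager", "gina", t0 + timedelta(hours=2))]),
    ]


if __name__ == "__main__":
    for po_id, result in audit_all(sample_orders()).items():
        print(po_id, result)
```

On the constructed records, PO-1 is clean with a three-hour cycle; PO-2 lacks the CFO sign-off its amount requires, was approved by its own requester, and waited 75 hours at the finance step; PO-3 has every required approval but in the wrong order. In a real audit the records would be extracted from the ERP's approval log and the policy table would be the one the company has actually documented; the point is that "reducing the time lag" and "the right people at the right time" become measurable rather than a matter of opinion.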
Another channel for investigation into IT by means of a focused audit is whether the technology the company uses integrates unstructured information from multiple sources in multiple formats. This should include text, graphics, pictures, and voice, and present to the user a visualization that is easy to comprehend, access, and interact with.
As an example of flexible interaction, a replication feature of the software can ensure that the same version of information is available across different servers in the organization. In this way, all end users access and employ homogeneous information elements, although each end user capitalizes on a personalized format. Such features are at the heart of a sound information management program.
It is inevitable that a model targeting the auditing of information technology and its implementation in a company will take the most careful look at IT management and ask: Is it up to the challenge? The model will also examine whether strong project management is in place, which should be evident in every aspect of ongoing projects, and whether there is a clear structure of command and control. Accountabilities must be properly outlined, and there must be in place real-time information technology that serves the business in the most able manner.
[1]D.N. Chorafas and Heinrich Steinmann, Expert Systems in Banking, Macmillan, London, 1991.
15.2 The IT Auditor's Obligation Is to Bring to Top Management's Attention What Is Being Done the Wrong Way
Perhaps no phrase better describes the obsolete and ineffective mentality, coming from the 1960s but still commanding a large following, than the one I hear quite often: "All applications can be done with the existing type of equipment and our traditional basic software." If the same statement had been made 30, 20, and 10 years ago, the company would still be a very happy user of punched-card machines. And if the same concept had prevailed in transportation, people would still be traveling by horse and carriage.
Top management decisions are necessary to break out of this vicious cycle of EDP. The problem is that board members and senior managers in a large number of companies remain computer illiterate. This being the case, they do not understand that they are in a hole, even if IT auditors tell them so with plenty of evidence in hand. Yet, as the Law of Holes aptly advises: "When you are in one, stop digging" (attributed to Denis Healey, former Chancellor of the Exchequer in the United Kingdom).
The statistics shown in Exhibit 15.3 come from an IT audit I did in late 1997 at the request of the board of a well-known financial institution. This audit concerned five different channels, one of them being payments services. Classically, payments has been manual-intensive, but it is only reasonable to expect that after more than four decades of spending money on computers, it would have been at long last automated. It did not happen that way.
Exhibit 15.3: Even Among the Larger Banks, the Level of Automation in Payment Services Is Slow
More and more equipment and rather classical applications software put into payments services every year only absorbed the yearly increase in millions of transactions.
In contrast, the hard core of manual operations was a very tough nut to crack, primarily because the director of IT and his immediate assistants resisted the introduction of new technology such as expert systems and agents.
This resistance has been most regrettable in terms of end results. Nor is this the only instance in which the majority of IT professionals, and most particularly IT managers, fail to appreciate that the language people use forms their minds and shapes their thoughts. If one uses obsolete tools and programming languages, which is the case today with a big chunk of business and industry, the company loses twice:
It is being damaged vis-à-vis its competition by falling behind in its technological infrastructure.
It is paying an inordinate cost for software that it develops with old, ineffectual, used-up computer tools.
If the IT auditor wants the company for which he or she works to overtake its competitors, then the company must be much better equipped than it currently is. In other words, the company should take full advantage of high technology rather than following the beaten path. This requires a steadily upgraded infrastructure that involves:
Enterprise architecture
Intelligent networks
Internet supply chain
Smart materials applications
Expert systems and agents
Enterprise resource planning
Customer relationship management
Distributed deductive databases
Seamless database access and datamining
Ease of use of the company's technology is another crucial issue to be audited. From the Internet to wireless networks and optical systems, there are innovations everywhere that should be examined for cost-effectiveness. IT auditors must be on the lookout not only for the most technically advanced solutions, but also for poor man-machine interfaces, which often spell doom for new technologies.
As the global economy takes on speed, more questions have to be answered if the IT auditor cares to ask them: What data is available to the IT auditor? How dependable is it? Is it updated in real-time? How can the IT auditor access it? How can the IT auditor get meaning out of it?
The IT auditor should also be aware that, to a significant degree, there is a correlation between organizational solutions and the way in which information technology is implemented and used. Exhibit 15.4 makes this point. There is a day-and-night difference between the information requirements of the two-dimensional organization of the 1920s defined by Alfred Sloan and the twenty-first century's federated entities and virtual corporations made possible by the Internet. Closely connected to this is the fact that the purpose of valid information technology solutions is threefold:
1. To offer and continue delivering competitive advantages
2. To provide sophisticated support to managers and professionals in real-time
3. To stimulate thoughts for new, more far-reaching value-added services to clients
Exhibit 15.4: Seventy Years of Evolution in the Dimensions of Industrial Organization and Structure
The IT auditor should appreciate that a first-class solution is the one that can achieve all three goals admirably. This cannot be said of the large majority of current approaches characterized by low technology. Most companies suffer from technology despite vast IT outlays and, in many cases, because of them. They often do nothing more than throw money at the problem. When this happens, the source of the trouble is with the members of the board of directors, chief executives and senior managers, ossified policies and procedures, or IT practices followed over many years independently of the company's strategic plans.
These are the issues the IT auditor must have the courage to raise, wherever and whenever necessary, with whoever is in charge. Throwing money at the problem will not solve the current and coming challenges, and it may make matters worse by giving false hope that a better solution is around the corner because the company bought ERP, CRM, or some other programming product that is en vogue.
In terms of priorities, immediately next to top management orders regarding the direction to be given to IT investments comes the skill and know-how of the information technologists themselves. Are they able to design and support multidisciplinary interfaces to visualization and visibilization requirements? Can they manage heterogeneous databases? Do they understand the notion of metadata? Are they improving upon current approaches through the use of emerging technologies?
Part of the IT auditor's challenge is to comprehend both the end user's and the technical viewpoints, and reflect both of them in his or her findings. It is also necessary to appreciate the impact of different solutions being contemplated in terms of costs and effectiveness. As Exhibit 15.5 suggests, the implementation of ERP, CRM, and Web-enabled processes, and their steady upgrade (see Chapter 7), is a good opportunity to rethink and optimize cost allocation.
Exhibit 15.5: Establishing and Optimizing the Cost Allocation Procedure
Chapter 13 emphasized that cost control is a steady preoccupation of modern industry. No company can escape from a steady, careful, continuous watch over costs and survive. Eventually, unnecessary costs in the ERP and CRM implementation, as well as in other domains, will find their way to the client, resulting in damage to the company's client relationships and in lost clients and lost income.
No less important from an IT audit viewpoint is the fact that the company may have in its database a wealth of information that it is not necessarily using in the best possible way. What is "best" at a given state of the art the IT auditor can learn by visiting business partners in the supply chain and competitor firms, and even by investigating advanced applications in unrelated industries.
Retailers, for example, are using their customer base to sell financial products such as life insurance, market funds, and pension funds. Is the CRM solution that the information technologists have chosen able to provide such services? Insurance companies also come into the banking market, opening up deposit facilities. There is a proliferation of services in the financial industry, to take just one example, and plenty of opportunities for banks but also for non-bank banks to get ahead of the competition. It is up to the IT auditor to determine if the company gets a real competitive advantage from its investments in IT.
15.3 IT Auditing Must Be Done at Different Levels of Management Control
Because internal auditing is a tool of management, any organizational level can make use of it, even if regular annual audits are made for the board and exceptional audits are usually commissioned by the CEO. The possibility of requesting audits, particularly IT audits, up and down the organization leads to the notion that there may be different types of auditing reports customized by reporting level, such as:
Company proprietary
Senior management
Departmental supervision
Technical and security issues