Audits are opportunities for companies to improve, based on auditor analysis and advice. To preserve the integrity and authority of audits, auditors maintain a delicate distinction between offering advice and making decisions. For each organization, the scope of auditor responsibility should be documented in the company’s internal audit charter and be approved by the audit committee. Because every organization has different goals and objectives, and certainly different issues and challenges, there is no one-size-fits-all audit process, nor one audit approach that fits all situations.
Historically, corporate governance has focused primarily on broad topics of leadership, management, ethics, and reporting. IT governance audits encompass many of the same issues and can include business plans, documentation and measurement of objectives, organizational reporting structures, contract management, and industrial and regulatory monitoring. IT governance also has a significant technology component. For example:
- Does the organization have an information architecture model?
- Do hardware and software acquisition plans exist?
- How are Web sites, blogs, ezines, and others managed?
- How are investments and development projects evaluated, and do they meet business requirements?
- How does the IT organization ensure system continuity in case of disruptive contingencies?
The size and complexity of various organizations’ audit efforts differ due to variations in operating environments, risk priorities and thresholds, and business and audit objectives. In addition, the scope of audits can vary from project to project, depending on the auditor’s focus: for example, on various business processes, management controls, and technical controls. Ensuring appropriate audit focus is another reason management should communicate with auditors, and vice versa, early and often in every audit cycle.
Internal auditors should help management assess organizational risks. They must evaluate the audit universe and supporting audit plans at least annually and sometimes more frequently. At the micro level, an audit risk assessment of the various entities being audited is completed to support the audit project (sometimes also referred to as the audit “terms of reference”). Planning for each audit requires serious consideration of the organization’s many risks and opportunities. Finally, in many companies, continuous auditing (ongoing audit evaluations) is being implemented for key systems and key transactions.
