It is December again and many of us are looking to Christmas and the holiday season with joy and anticipation. However, our accounting brethren are looking to yearend work and the closing of the year’s accounting records. It is the time of year when the IT department is asked to produce an abundant amount of reports and endure many requests from the auditors.
Auditors have souls too so don’t blame them. It is an unfortunate coincidence that the yule time is the same as the close of the accounting year for many companies.
What is the auditors’ goal? The Auditor’s goal is to provide reasonable assurance to shareholders that the financial statements are materially accurate as presented. The processes that support the financial records must be reliable to develop this opinion so auditors must understand all processes and controls (including IT.) In some ways, Auditors understand the importance of IT more than anyone.
As auditors ask questions remember that there are reasons for their requests. First off, auditors must follow professional rules like everyone else. One new item for many is the emphasis on completeness. Don’t be offended by the request to observe the reports being produced. We, as auditors, must be sure that we understand how a report is produced and have confidence that the report is complete and accurate. We live by the rule “Trust but verify.” We must have professional confidence that the report provided is complete and accurate and there have not been any changes to the report parameters from what we expect.
It is important for IT people to understand that auditors understand that IT controls are pervasive to all processes and controls in the company. IT folks complain that they are only thought of when there is an issue. Auditors know the importance of IT and their appreciation should be welcomed.
Here are some of the basic auditing concepts that IT professionals should understand:
- Auditors must be confident that the IT general controls support the reliability of the financial information.
- We all know the term “garbage in… garbage out” so it is important for auditors to understand the controls at the input and the output processes.
- Reliability of a system is based on the security, availability, and processing integrity of the system.
- We are reliant on outside vendors for our infrastructure, applications, and other system processes so Vendor Management is critical to the overall governance of the IT process. You need to be sure that their processes and controls are sound. Look back at our SOC articles for more information.
- Change Management helps make sure that changes are controlled and tested.
- User access is one of the most important controls in the company. Controlling access supports the segregation of duties and proper review processes.
We know that IT is critical to the operations of the organization so it is important to remember that the IT department must be part of the audit process.
It is a busy time of year for everyone! I would like to remind both auditors and auditees that we are all just trying to do the best for the company. No one is trying to create undue work or avoid answering questions. If we all work together, we will get through another yearend.