Information Technology: Producing More Effective Audits and Reports
by Martín Rubione, Chief of the Information Technology Audit Department, Supreme Audit Institution of Argentina
Information Technology (IT) audits are often complex, and audit outcomes tend to result in technical reports written in technical language. As noted in International Standards of Supreme Audit Institutions (ISSAI) 5300, very few people find such lengthy and complicated documents appealing or understandable.
The Supreme Audit Institution (SAI) of Argentina has performed IT audits for more than a dozen years and took steps to change this reality.
SAI Argentina is not a court of accounts; it is an audit office. While the SAI can make recommendations, it cannot enforce them. Because of this, persuading audited entities to improve IT management based on audit findings can be complex, diverse and often include stakeholder opinions (who must understand the report).
SAI Argentina’s vision—contribute to public management improvement—guided the journey toward creating more effective IT audits and more understandable reports for all stakeholders. Drilling down and simplifying this notion shed light on three main actions: shifting the annual planning approach, revising the scope and nature of IT audits, and discovering new ways to communicate.
Shifting the IT Planning Approach
SAI Argentina’s IT audit area began to systematize the annual planning process by (1) identifying public organizations subject to IT controls and (2) choosing a set of variables aligned with the nature of IT audits, which proved problematic, as the process required measuring and ranking each organization based on risk.
Lessons learned from the shift to this systematized annual process include:
- The originally identified “public organization” population should not be the sole aspect considered when choosing the best future audits to perform—other possible dimensions to analyze exist, including application software; and
- It is important to consider factors that concern stakeholders, which can vary in each locality and region.
Shifting the planning approach helps align audit work to the institutional vision and lends itself to more interesting, effective IT audit reports, particularly by measuring and analyzing social dimensions.
Revising the Scope and Nature of IT Audits
IT auditors possess special knowledge and skills—hardware, software, communications and security—whose audit scopes tend to focus on IT infrastructure and processes.
Standalone IT audits are valuable; however, they gain even greater value when broadened in scope. Revising the IT audit scope and nature to include the entire Information System (IS) process can lead to more effective IT audits.
The IS process involves many people, massive amounts of software, IT infrastructure, databases and manual procedures. It begins with budget coordination to obtain the right resources in the right way and doing so to generate timely and reliable information for decision makers.
While auditing the IS process may exceed the conventional range, it proves more useful, as audits centering on a particular aspect (such as a software application) without considering IS process steps, could render results where the IS (as a whole) is unreliable.
Some challenges to SAIs in broadening an IT audit’s scope and nature include the great diversity of organizational structures and varying contexts in which they operate. Also, while multi-disciplinary teams make IT audits possible, each auditor has a specific skill set and specialization. Thus, spreading auditors out among performance audit teams may not add the same value as having them share a common space. More in-depth analysis is needed in this area.
Discovering New Ways to Communicate
It is difficult to get people to read a good book, so how can we convince them to read an audit report? Communicating audit reports, IT audit reports in particular, has been a struggle for many years, as IT audit reports tend to be lengthy and full of technical jargon.
Many managers and authorities have requested IT audit reports be shortened, and appeals to auditors to use more practical language is on the rise.
SAI Argentina consistently references a weather-related analogy to help its auditors better understand the technical/practical language divide: Meteorology may be a harder science than computing, as it is based on chaos theories. However, “Accuweather” insists on showing us (non-specialists who understand almost nothing about isobars and isotherms) pictures of clouds, suns and umbrellas.
The spread of social networking, which more readily puts information in the hands of stakeholders, has increased the need to bridge the technical language gap and do so in new ways using fewer words, such as through video and infographics.
Responding to this need, SAI Argentina created a video production available here (in Spanish) that details results of an IT audit performed on the Fishing Industry Control’s (FIC) information systems.
The FIC audit fully reflects the three main actions SAI Argentina has found beneficial in creating more effective IT audits and more understandable IT audit reports:
- Shifting the IT planning approach: the audit would not have been considered important if SAI Argentina solely focused on ranking public entities;
- Revising the scope and nature of IT audits: SAI Argentina expanded the audit scope to incorporate the IS process as a whole; and
- Discovering new ways to communicate: To help better explain the audit to all stakeholders, it was visually translated into a video.