The Role of Internal Auditing in IT SecurityInterview with David Richards, President of the Institute of Internal Auditors
In this exclusive interview, David Richards, President of the Institute of Internal Auditors (IIA), discusses:
- The key differences between internal and IT auditors;
- The role of the audit committee and board of directors - what they need to know about IT governance;
- Frameworks to consider when establishing IT governance in your institution.
TOM FIELD: The topic today is the role of internal auditing and IT governance, and who better to speak to that than David Richards, President of the Institute of Internal Auditors? David, thanks so much for joining me today.
DAVID RICHARDS: Glad to be here.
FIELD: Just to sort of start out, why don't you tell us a little bit about your organization and your role there?
RICHARDS: Well, the Institute of Internal Auditors is a global organization about 160,000 members, and about 166 countries. We were formed in 1941 and have been around a good deal of time, and are the organization that issues the International Standards for the Professional Practice of Internal Auditing. We provide an international certification program, which includes a certified internal auditor designation. We provide guidance, training, and all sorts of resources for our members to help them in the performance of internal auditing.
FIELD: Very good. David, what is the role of internal auditing today in IT security?
RICHARDS: Well, I think it is one that is very much a risk-oriented roll. The helping the organization not only from a business sense, but an IT sense, to know what the risks are of the business and how to put focus on those risks as to what controls our most important for the organization to pay attention to. You know things to me, like access controls are really important and the intra-audit function helps the organization to identify where those key controls are around that particular subject. As well as classifying information, making sure that the systems in place have put the information in the right category so that when retrievable comes along, the reliance on that information to be appropriate to the decision maker is there, so that if they are using that information to make business decisions or report on that information that they can rely that the information is appropriate and correct. So this is one of the areas, and I think, as has been the case in the last few years, accessing those controls for effectiveness.
FIELD: Now a couple of questions I want to ask you about this. First of all, what do you find is unique about internal auditing in a banking institution?
RICHARDS: Well, each sector where internal auditing is performed offers uniqueness to the internal audit practice, although there are lots of commonalities. The degree with which the practice of internal auditing works in a particular business sector varies because of the nature of that business. In the case of banking, you find that a lot of the internal audit functions in those organizations are generally very large. They are probably relative to our organization the largest types of internal auditing of any other business type. Primarily, because they spend a lot of time with branches and there is a lot of branch auditing that's done where you are going and comparing and looking at the specific financial activities of those banks, looking at transactions, and looking at the security of those particular banks and so on. So there is a lot of replication and comparison between operations within those different locations, and depending on the complexity of the bank and how widespread it is and the diversity of that bank will determine the scope of the internal audit function. Now many of the internal audit functions I know of in the banking industry have moved on to, in addition to financial audits, doing operational type audits and then really the compliance type work to laws and regulations, and making sure that they are getting all the requirements that the bank relations have, as well as looking at those kinds of things that are more sensitive to the organization such as access controls. Given that the banks have a high degree of electronic transactions, which many other industries have just started in that route. Where the banking industry is much more advanced in doing lots of things over the internet, for example, allowing people and their customers to do transactions over the internet, which is a much more security issue than let's say the electric company, which I used to come from, where a lot of that was done by mailing to your customers and them writing a check and paying you that way, which is a lot more manual in nature.
FIELD: The other question I had for you -- you talked about IT auditing before. What is the primary difference between an internal auditor and an IT auditor, because I think sometimes those get confused?
RICHARDS: Well, it is kind of interesting. In my 25 years as an internal auditor myself and the 30-ome years of business that I have been working, I found that the internal auditor and the IT auditor very much cling closer and closer together as compared to once. They were very, very separate. And when I started in the 1980's, the IT auditor was very much a lone wolf and did their own thing. As time has gone on, the amount of knowledge that an internal auditor, a general internal auditor, needs to have has now crossed the line into a lot of the things that we have in past specifically identified as being more of an IT auditor role. And by this I mean, for example that the -- again a lot of this is the mechanization that has occurred in organizations over time and that the amount of transactions being done electronically haven't, have required the internal auditor to be able to operate in that environment, which is highly mechanized and highly computer oriented and therefore their needs [PH] and use of computerized information, getting access to that data, pulling it out of the computer, being able to do sample tests of it, being able to do comparisons, and operate using the computer is more of a general technique today, which it used to be more of a specialty technique reserved to the IT auditor. Which now, I think is more involved in the technical audits, where you need to get into the language of how a program functions to confirm that a particular control is actually operating as it was intended in its original configuration when the program was put in place. So being able to run test transactions, for example, through a system to see that you get the same answers that you thought you were going to get, is that something that they may now reserve to an IT auditor who is going to understand the system and know how to structure those transactions to enable them to get through the system and evaluate the back-end results to see that if put something in that I was going to create an arrow signal? Did it, in fact, create the arrow signal at the end so that I know that the control is buried in the programming and is still functioning? An example that I can give you is, years ago in accounts payable when I worked there, we used to have a control that would look for duplicate payments. And when the controls for that would come in to the system, the thing would be invoiced would pop out as being a duplicate payment because it would compare that invoice number to prior invoices in the system. And doing an audit we found later on that the operators had turn off that particular control so that they were no longer getting these duplicate payments lists that were potential duplicate payments, because it took them too much time to go down that list and to compare and figure them all out. So they just turned it off. Where in fact, everyone was sitting there thinking that control was still in place, and until you test the system you don't realize that it actually is not functioning that someone had designed it to be in the initial configuration.
So I think there are significant differences historically, but that gap is narrowing primarily due to the types of work conditions that are out there. I do think that the IT auditor tends to have much more of a computer background, and a computer science education, and a lot of times have worked in a computer department. So they tend to have the operational experience of knowing how a computer functioning in the computer environment is, where the internal auditor will come from wide variety of backgrounds that are business-related and will have a better understanding of the business and how the business functions. And see that marriage is really a very, very good function within the department.
FIELD: Let me ask you now about the audit committee and about the board of directors. What should they know about IT governance and then sort of the follow-up to this, what should they be doing to ensure that their financial institutions particularly IT systems are secure?
RICHARDS: Well, I think it starts back with the subject of risk assessment that the board, and specifically the audit committee, generally has in their charter a responsibility to oversee a risk for the organization. And that doesn't mean that they have to know all the risks of the business, but they need to oversee the process by which management identifies the risks of the business and to understand where those risks have been mitigated and where a risk may not be able to be mitigated, or for which unmitigated risk might exist. In other words, to understand the exposure that the business has, and that is a daunting task, which the audit committee has oversight of. And so they need to be working with the internal audit function, which also needs to have that working understanding of the risk of the business. Our standards call for the internal audit function to do an annual risk assessment of the business and to base their annual audit plan on that risk assessment, so that the working hand in hand with management and understanding what the risk of the business, where the mitigation has occurred of those risks and what controls people are relying to mitigate a risk so that the audits will focus on the key risks and where those controls are most important to the organization. So the audit committee needs to understand that and they need to have, not only management, the external auditor, and the internal auditor providing them information so that they can access what a management has done the right thing and is in fact not giving a false sense of security in saying, well we have everything under control. They are getting verification through the internal audit function to and really to assure the audit committee that what management is telling them is in fact in place.
FIELD: Let's talk about frameworks a bit David. What sort of frameworks should an IT department look to when establishing IT governance, and I wonder what you might see most commonly in banking institutions.
RICHARDS: Well I think the most common framework that I'm familiar with out there is the integrated internal control framework, which was initially written in 1992 and has been updated several times here in the last few years, most notably in 1996 with the issue where we issued the 20 principles of good internal control. That document and the series of documents issued by Coastal, which the IIA is one of the five sponsoring organizations, has sought to try to provide a framework upon which the oversight of the organization falls into the key components of good internal control. And that provides a good framework so that if, let's say, a management of the business is looking at where are the areas that I need to paying attention to, there is a methodology that can be followed to give you some feedback as to how well your organization scores.
Now I know a lot of organizations from an IT governance standpoint rely on the COBIT framework, which was issued by ISACA, which is very prevalent. We use throughout business today as a in the IT department as being the principles that they follow in terms of good security and internal control subjects for IT.
The IIA has issued its own set of guidance to our members in helping them. It is a framework we call Gait, G-A-I-T, and it's available on our website free, which is intended to help the internal auditor determine what controls within the IT framework are the ones that should be tested. And it helps them to go through a methodology in doing that. And it provides a framework for isolating what are the most important controls.
So those are the most prevalent ones that I'm aware of out there, and I'm sure there are others that are available that people can use to help access where or not they're paying attention to the right types of subject matter.
FIELD: Very good. I have one last question for you, David. Given the economic challenges we are facing right now, what kind of advice do you have for financial institutions that find both your financial and human resources constrained when it comes to audit?
RICHARDS: One thing that I've found out, and I've talked around the world when I ask this question pretty frequently of all internal audit department, chief audit executives, do they have enough resources to do the work that they need to have done? And I have not found anyone who has raised their hand and said I've got people sitting on the sidelines with nothing to do. So, I know the subject of resource constraints affect many different areas of the business, but internal auditing very much as well because of the scope and responsibilities that we have. So to me, the real focus is on those risks that are generally important for the organization to pay attention to. And that is not an easy subject to orchestrate, but it is one that collectively the organization needs to understand and one that I think businesses have continuously failed to do is to understand the real risks that our organization has taken up on. And understand that if, in fact, management for purposes of good business decides to take on risks, which any growth in any business means you are going to have to take some risks, and you can't avoid risks. Risk is a part of any business. You need to understand where you are exposing the organization to a level of risk that may be in the past was not exposed to. So you're branching out into a new field or your taking on a new product line. What ever it is that you're doing that a new level of risk is being entered into the mix of the organization and so that level of management decision making should drive certain types of oversight of those new risks to the extent that the organization feels that it needs to monitor how that risk is playing out versus what you think it was going to do.
So it is important to understand where those risks are and to have a good internal audit department I think is very, very critical in monitoring the business. Because if you have a properly staffed internal audit function with the people who are qualified, certified and knowledgeable that there they can operate with a much smaller group of people from human resource standpoint and be much more importantly affective in the organization, because they will be qualified. As compared to having just populated it with resources and not being concerned about their education and their knowledge and their continuous involvement in knowledge of the profession and the subject areas that they are going to be auditing.
And too, finally, I think that needs to be the internal audit department needs to have a level of independence on reporting issues. Again and again, we find that those internal audit functions that have a strong working relationship with the board of directors and a strong working relationship with senior management, and a well-defined organization where people are very interested in doing things right, that when the internal auditor has that access and can take the issue to those two forums and be relied on to get, rely upon them to take the proper action. That is a healthy is a healthy environment. When that breaks down, that is when problems start, and when the internal auditors do not have that access to those organizational elements, the audit committee and the senior management, then the issues are not brought to the proper attention to the people who need to be aware of and to take the appropriate steps to ensure proper management response it take and accountabilities are put in place to ensure that things are corrected.
FIELD: Dave, well said. I appreciate your time and your insight today.
RICHARDS: Well, thank you for inviting me to speak, and anytime that I can help in the future, certainly feel free to give me a call.
FIELD: Very good. We've been talking with David Richards, President of the Institute of Internal Auditors. For Information Security Media Group, I'm Tom Field. Thank you very much.