Balancing Value-Added Audit Services With Independence
Thinking outside the box may be just the creative edge chief audit executives need to accomplish organizational goals while maintaining independence.
As companies continue to do more with less, traditional business roles are being redefined, not only in the internal audit function, but also throughout organizations as a whole. This often requires a creative approach, taking into consideration internal controls and independence, without increasing headcount. The Kentucky Lottery Corp. (KLC) faced such a challenge three years ago when merging the information security (IS) function with the internal audit department.
Faced with the need for oversight of its IS function — created only a year earlier — KLC management decided to look at their current reporting structure, with the possibility of consolidating IS into the internal audit department. A review team — composed of KLC senior management, information technology (IT) management, and the chief audit executive (CAE) — jointly reviewed individual IS responsibilities, focusing on similarities with traditional internal audit roles.
The analysis revealed that, in many respects, the IS group performed an audit-like role. On a regular basis, the group monitored server logs, unusual transactions, and sensitive data files for extraordinary or unexpected activity. IS also performed routine — daily, weekly, monthly, quarterly — audits to ensure security controls were functioning properly. In short, the department used continuous monitoring techniques — a common internal audit tool — to examine the day-to-day processes of the IT function.
One difference between KLC's IS role and traditional internal audit responsibilities was that IS personnel also had functional responsibilities, such as administering user access rights. The merger team knew they needed to maintain independence and proper internal controls — specifically separation of duties — without increasing headcount.
To enable separation of functional responsibilities from oversight roles, every IS task was documented and assigned to a designated functional manager. Personnel responsible for oversight duties were assigned to the CAE, while employees with functional duties were to report to KLC's chief operating officer (COO). The CAE, who was originally responsible only for audit functions, would now wear two oversight hats — one for internal audit and the other for information security.
As the COO was first to admit, she was not a technical IS wizard. The merger team agreed that the CAE, who had more IS experience, was the most qualified to supervise IS staff on day-to-day administrative tasks. Out of necessity, the CAE was assigned supervisory responsibility for the IS staff, with the COO having direct access to the IS staff members and their work at all times. With this arrangement, KLC management and the COO understood that the CAE technically lacked independence, especially where user administration rights were concerned. This was addressed in two ways: 1) KLC's senior auditor was assigned to perform all internal audits that related to IS functional processes, reporting directly to the COO, president, and the audit committee on these audit projects; 2) IS functions would be included in the third-party enterprise security audit, to be performed every three to four years by an independent audit group under contract to KLC. An additional factor that helps support this management structure is that the Kentucky State Auditor of Public Accounts — the office that performs the annual financial and general controls audits required by state law — reviews the IS function.
To justify and enable an effective IS/internal audit merger, coordination and consensus-building were required among the four key groups involved — IT management, the audit committee, the State Auditor of Public Accounts, and the firm hired to perform the enterprise security audit. KLC's chief information officer was also involved in all discussions held as part of developing the merged structure.
A good working relationship with IT was essential to the new structure. With the goal of mitigating potential independence issues, a security team was formed — including key members from IS and IT — to jointly assess KLC's IS practices, processes, and controls, as well as the practices of systems development personnel. In addition to adding independence to the equation, the goal was to maintain a focus on security when new applications are developed.
The support of the audit committee was also critical to the mission. The merger could not move forward if the committee members did not understand and support merger efforts. Committee members were provided a charter for the realigned IS function, which clearly defined each party's roles and responsibilities, as well as regular updates on the merger's progress. The audit committee's involvement in the merger of IS and internal audit resulted in added value to the organization, because the committee now regularly receives and reviews updates on IS projects. If traditional roles had remained in place, this additional oversight may not have occurred.
The remaining groups, the Auditor of Public Accounts and the third-party security auditor, were included as necessary in the planning and implementation process.
An important resource used to facilitate communication efforts in gaining oversight support was The Institute of Internal Auditors' (IIA's) information repository. Using IIA resources helped the merger team present concepts in a way that was understandable to the audit committee, management, and other interested parties. The resources were also useful to the team in applying control concepts to each task and re-establishing management's desired level of audit independence.
The success of this entire process boiled down to three key elements: coordination between interested parties, explicit documentation of roles and responsibilities, and a continuing focus on redefining traditional roles in the organization. Of these elements, the most important was redefining roles within the organization. Evaluating each role and identifying each control point in the various tasks performed helped with the application of control and independence concepts inherent in traditional audit roles, while reassigning duties in a more efficient manner.
One final value-added benefit of KLC's newly aligned IS function is the thorough and complete documentation of the organization's overall information security program. The IS unit was first created because management recognized the importance of IT resource growth to the overall success of the company and wanted to protect those resources. Re-evaluating the tasks performed by this group resulted in a formal document that reflects management's security and audit philosophies.
The merger of internal auditing and information security resulted in many value-added benefits. This will be confirmed when an analysis is performed to determine exactly how much money KLC has saved over the last two years by merging the two functions. Management is certain that the benefits far outweigh the costs — the only issue is, by how much?
Gale Vessels is the vice president of Internal Audit and Information Security at the Kentucky Lottery Corp. She can be reached at firstname.lastname@example.org.
Copyright © 2004 The Institute of Internal Auditors