May 2011
Assessing the Quality of the IT Audit Function
Performing regular reviews of IT audit activities can provide assurance that practitioners are doing what is necessary to help the organization mitigate technology risks.
Syed Salman, CISA
Manager, Enterprise Risk Services
Deloitte & Touche (M.E.)
Today’s organizations rely significantly on IT to manage and operate their business. This growing reliance requires chief audit executives (CAEs) to plan and devote more time and effort to auditing the controls that management has implemented to mitigate risks to the IT environment. Given IT’s importance, it is essential for organizations to perform a quality assurance review (QAR) of the IT audit function to ensure that auditors are assessing all controls in the IT environment effectively to help mitigate the organization’s risk exposure.
A QAR is an independent strategic assessment of an internal audit department, including its infrastructure, staff experience, and performance relative to business goals, best practices, and applicable standards. Typically, this review will assess:
An IT audit function complying with all sections of the IPPF and its International Standards for the Professional Practice of Internal Auditing (Standards) will be in a good position to deliver the greatest value to the organization. Standard 1300 – Quality Assurance and Improvement Program directs CAEs to implement a quality assurance program covering all aspects of internal auditing. IT audit functions can be well-served by performing an internal assessment of their IT audit practices to see to what extent they conform with the Standards. Standard 1311 provides further guidance for internal assessments, while Standard 1312 requires external assessments of the internal audit function by an independent reviewer at least once every five years.
The table on the next page highlights areas of the Standards on which an IT audit QAR should place extra emphasis.
To comment on this article, email the author at syed.salman@theiia.org.