May 2011

Assessing the Quality of the IT Audit Function

The table below highlights areas of the International Standards for the Professional Practice of Internal Auditing on which an IT audit quality assurance review should place extra emphasis.


International Standards Section
Common Weakness Found
in IT Audit Functions

Standard 2010 – Planning: The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.

2010.A1 – The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

In most cases, the IT audit function has developed an IT risk assessment document that provides a basis for devising its IT audit plans and budgets. In addition, the IT risk assessment, audit plans, and budget have been approved by the audit committee. However, appropriate involvement of senior management typically has been lacking while performing the IT risk assessment.

At a minimum, the quality assessor should request the minutes documenting the meetings that IT auditors held with senior management and key stakeholders (IT department personnel and personnel from other departments) regarding the IT risk assessment and audit plan. The quality assessor should review whether management has given its input to the risk assessment performed and whether appropriate actions have been taken to update the risk assessment, IT internal audit plans, and budgets.

Quality assessors frequently find that wherever senior management has been genuinely involved in the IT risk assessment, important risks overlooked by the IT audit function have come to light that were subsequently covered by the IT auditors in their annual audit plan.

Many IT audit functions develop their annual audit plan based on the resource skills within the department and ignore high-risk areas simply because they do not have the ability to perform those audits.

The IT audit function may tend to document the IT risk assessment and develop audit plans based on what it can audit effectively and not on what is required most by the organization.

The quality assessor should map the risks noted in the IT risk assessment to the IT audit plan. The quality assessor should question the IT audit function about why any high-risk areas identified in the risk assessment have not been covered in its audit plan.

The quality assessor should recommend that the IT audit function develop its skill set internally, or hire personnel with the required skills, to audit high-risk areas.

Standard 1230 – Continuing Professional Development: Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development.


In most instances, the IT audit staff is actively involved in obtaining professional education and participating in technical training programs. However, these professional development initiatives may not be in line with the organization’s strategic objectives. IT auditors tend to be involved in activities related to their personal development needs rather than developing skills that will add the most value to the organization.

The quality assessor should obtain the professional training initiatives and plans developed by the IT audit function. The training plans should be related to either the IT audit plan (e.g., an audit has been planned for which the staff needs to develop a skill) or to the IT strategy document (e.g., a new technology is being implemented for which IT audit personnel will need to be trained). The quality assessor should question the IT audit function if any training activities are being performed that are not in line with the organization’s requirements.




Subscribe_June 2014 



IIA Academic_Nov 2013

IIA SmartBrief

 IIA Vision University



facebook IAO