Friday, May 1, 2020

The Internal Auditor's Role in MIS Developments

By: Larry E. Rittenberg, Charles R. Purdy

MIS Quarterly / December 1978

Abstract

The internal auditor's role during the design phase of an EDP application is unclear in many organizations. This article integrates recent literature with the authors' survey in an attempt to explain more precisely the potential role(s) of the internal auditor in the systems development process. In practice, four roles appear to exist. In the order of their importance, they are: (1) audit of control adequacy, (2) audit of design process, (3) auditor as a user of the application, and (4) auditor participant in the design process. The rank ordering of these roles in practice is explainable in terms of three constraints upon internal audit involvement during the design phase. The identified constraints are those of audit approach, audit independence, and management objectives. Although EDP manager reaction to internal audit involvement is generally favorable, it could be stronger. Upgrading of internal auditor expertise in EDP systems appears to be the key to improved acceptance. Finally, the potential contribution to the MIS manager of internal audit involvement is noted, and means of constructive interaction are suggested.

Keywords: internal audit, internal auditor, roles, involvement, MIS developments, MIS applications, design phase, rationale, constraints, practice, EDP manager, MIS manager

Categories: 1.3, 2.2, 2.41, 2.42, 2.45, 2.49, 3.59

The MIS manager in many organizations is encountering a new group concerned with the data processing function — the internal EDP auditor. These auditors often have a broad role ranging from evaluating data processing controls to reviewing data security and new system developments. However, in many organizations, the auditor's role is not clear. This article integrates the results of our own survey with a review of recent literature in an attempt to explain more precisely the potential internal audit roles in the systems development process. After describing the sample, we review the rationale for audit involvement and the constraints upon such involvement as perceived by the internal auditor. This is followed by a report of our study of design phase auditing activities in 39 large organizations. The boundaries and role of the audit function are simultaneously reviewed in light of these activities. Finally, the potential contribution to the MIS manager is noted, and recommendations are offered to the MIS manager interested in promoting a constructive working relationship with internal auditors.

Our focus is on the internal auditor who is a part of the organization. It is argued that such an auditor can develop sufficient familiarity with the data processing environment to be constructive while still providing an independent viewpoint. Since the relationship involves two parties, our recommendations clearly apply to both.

The Sample

The authors identified 48 organizations with internal audit departments which performed EDP audits. Within each organization the internal audit manager received a questionnaire on EDP audit techniques. Members of top management and data processing management received a questionnaire probing their attitudes toward the EDP audit function. A summary of the distribution of questionnaires and responses is shown in Table 1. Of the 39 responses from internal auditors, 31 (or 79%) indicated that they performed some design phase auditing. A further analysis indicated that over half of the data processing departments had monthly budgets exceeding $300,000 and 86% rated their data processing environment as either complex or highly complex.

Table 1. Questionnaire Distribution and Response Rates

| | Internal Auditor | D. P. Mgmt. | Top Mgmt.* |
|---|---|---|---|
| Responses received | 39 | 28 | 25 |
| Non-responses | 9 | 20 | 23 |
| Total questionnaires mailed | 46 | 48 | 48 |
| Response rate | 81% | 58% | 52% |

*Top management was defined as the person to whom the head of internal auditing reported. Representatives included controllers, financial vice presidents, and, in some instances, company presidents.

Rationale for Internal Audit Involvement

The typically stated rationale for internal audit involvement in the systems development process is that of potential cost savings and management support of such involvement. We believe two presumptions underlie this rationale: (1) the internal EDP auditor is an independent control expert, and (2) the internal auditor shares a mutuality of concerns with the MIS manager.

Cost savings

Auditors have been accused of avoiding new system developments, remaining content to criticize system weaknesses after installation. Such an audit approach is both inefficient and dysfunctional to the organization. If an organization has internal auditors capable of analyzing potential system or control weaknesses, why not have them point out weaknesses at a time when it is most economical to correct? This view was recently summarized in a Stanford Research Institute (SRI) study as follows:

Internal auditors must participate in the systems development process to ensure that necessary audit and control features are built into new computer-based information systems. An evaluation of the adequacy of controls after a system is installed determines weakness too late in the development process. The cost and time for modifying the system after installation can cause operational delays and may be used to argue against the inclusion of desired controls [24, p. 5].

Examined closely, the above statement implies that cost savings really means that the benefits of design phase involvement exceed their costs.
The rating of complexity was 4.32 on a 5.0 scale, where a rating of 1 indicated a relatively simple, batch processing system while a rating of 5 indicated a highly complex, interrelated system in which an audit trail is not easily followed.

Management support

The same SRI study went on to conclude that auditors are less involved [during the design phase] than management thinks they should be [24, p. 37]. Over 80% of the members of management surveyed felt that internal auditors should have some design phase audit involvement. But, according to the study, only 50-60% of the companies with EDP audit staffs were spending time during the systems development phase [24, p. 38]. Further, the number of companies having separate EDP audit sections, although rising, is still a fairly low percentage of major companies. Our study described in Table 2 included six internal audit objectives which might be pursued during the design phase. Top management rated four of these six design phase objectives as important to very important, while two were in the somewhat important to important range. In brief, management support for design phase involvement apparently exists in the respondent companies, but it varies greatly among audit objectives.

Mutual concerns

We believe internal auditors have a mutuality of concerns with the MIS manager. Both are interested in utilizing managerial controls to accomplish objectives* and minimize potential risks or exposures. Insofar as the internal EDP auditor is a control expert who can make a positive contribution (benefits exceed costs) to the achievement of common goals, design phase involvement is justified. The problem is one of delineating respective roles. To that end, we turn to potential constraints on the internal auditor's role.

Such controls might include time and dollar budgets, data processing standards, documentation requirements, performance evaluation criteria, training, and reporting requirements.

*An exposure represents a possible financial loss to the organization. Mair, Wood and Davis [18, p. 11] list the following exposures to be considered: erroneous record keeping, unacceptable accounting, business interruptions, erroneous management decisions, fraud and embezzlement, statutory sanctions, excessive cost/deficient revenues, loss or destruction of assets, competitive disadvantage.

Constraints on Internal Audit Involvement

Internal auditors are unique. They are part of the organization, yet they are supposed to remain independent of the departments they audit. They are experts in controls, yet they should not replace any ongoing activity of the firm. They evaluate the effectiveness of controls but are reluctant to assist data processing in designing needed controls. They have a mutuality of concerns with the MIS manager, yet they are often viewed as an adversary by the MIS manager. The audit role is often misunderstood by the auditee, and in some cases by the auditor himself. An understanding of the audit role should lead to more effective use of the audit function in the organization. The audit role is constrained by three major factors:

1. the basic audit approach,
2. the importance of audit independence, and
3. management and user objectives for audits.

Audit approach

Internal auditing is defined as a managerial control which functions by measuring and evaluating the effectiveness of other controls [14]. The auditor is trained to be a control expert. The control orientation applies to overall organizational control as well as data processing and manual system controls. As applied to data processing, the auditor is normally concerned with two major types of controls: 1) control over processes, e.g., the design process or data processing operations; and 2) controls designed within systems to ensure correctness of processing, safeguarding of assets, existence of an audit trail, and so forth. The audit approach will normally consist of evaluating and testing the adequacy of either existing or proposed controls and testing for compliance with management policies. A typical audit approach would find the auditor evaluating the potential exposures and complementary controls with the following questions:

1. Do standards or controls exist to minimize the potential risks?
2. Are the standards and controls adequate, appropriate, or cost-effective?
3. Are the standards and controls utilized as expected by management?
4. What is the effect if the standards and controls are not utilized?
5. Finally, can constructive suggestions be made?

In summary, the audit approach is, by nature, an ex-post activity. As such, it tends to prohibit direct involvement in the design process.

Audit independence

Internal auditing is an independent appraisal function established within an organization. The key concept is independence. The auditor's independence ensures an unbiased review which enhances the auditor's reporting credibility. To maintain independence, auditors will avoid situations (e.g., designing new systems) where they might have to audit their own work. Further, they want to report to organizational levels such that they are free of direct influence by potential auditees.

Some respondents to our study indicated that their perception of internal auditor independence would be increased if steps were taken to ensure that the internal auditor involved in the design phase was not permitted to engage in post-installation audits of the application. Respondents also indicated that direct involvement as a design participant would reduce perceived independence.

A company's chief financial officer and its chief accounting officer are the wrong choices to oversee its internal audit staff, says SEC Chairman Harold Williams. In a recent speech in Los Angeles, he added that supervision by these two executives inevitably would place substantial conflicting pressures on the independence of internal auditors. The CPA Letter, October 23, 1978, p. 4.

Management objectives

Audit activities should be responsive to the desires of both top management and the needs of the various segments of the organization. Our study asked members of top management and the heads of the internal EDP audit function to rate the importance of various EDP audit objectives. These ratings are presented in Table 2, and each objective is categorized as to whether it might be pursued during the design phase, post-installation phase, or both.

Table 2. Ranking of EDP Audit Objectives*

| Audit Objectives (Ordered by Top Management Ranking) | Importance: Top Management | Importance: EDP Audit Manager | Performed During Design Phase | Performed During Post-Installation |
|---|---|---|---|---|
| 1. Test controls of installed EDP application to assess reliability | 3.71 | 3.49 (2) | No | Yes |
| 2. Detect and/or deter fraudulent activity | 3.60 | 3.14 (3) | Yes | Yes |
| 3. Review new EDP application during design phase to assess adequacy of controls | 3.52 | 3.51 (1) | Yes | No |
| 4. Coordinate work with CPA to reduce or minimize external audit fee | 3.25 | 2.21 (8) | Yes | Yes |
| 5. Review EDP application development activities during design phase for adherence to stated policies and procedures | 3.04 | 2.90 (5) | Yes | No |
| 6. Conduct post audit of new EDP application to ascertain if projected results are achieved | 2.92 | 2.69 (6) | No | Yes |
| 7. Improve EDP application design activities by making constructive recommendations | 2.80 | 3.00 (4) | Yes | No |
| 8. Evaluate efficiency or effectiveness of EDP department operations | 2.44 | 2.64 (7) | No | Yes |
| 9. Assess appropriateness of new EDP application proposals; provide independent opinion to management | 2.00 | Not Rated | Yes | No |

*Based on 25 responses from members of top management and 39 responses from EDP audit managers. The ranking is based on a 4 point scale: 4.00 = very important; 3.00 = important; 2.00 = somewhat important; 1.00 = not important. The figures in parentheses represent the relative ranking within the EDP audit manager group.

The data in Table 2 indicate that, with only minor variation, the objectives of the EDP audit manager closely parallel those of top management. Four of the top five objectives rated by management, all with a ranking of 3.0 or better, contain potential design phase audit work. The major design phase audit objectives concentrate on the adequacy of application controls to ensure correctness of processing and to deter potential fraudulent activity. In addition, top management also expressed some desire to have auditors review the design process to ascertain adherence to stated policies and procedures. Finally, it is apparent that management is not very interested in auditors duplicating existing data processing functions such as assessing the appropriateness of new EDP application proposals, or spending time evaluating the overall effectiveness of EDP operations.

Interestingly, Table 2 also shows that the top management importance ratings are generally higher than those of EDP audit managers. Thus, EDP audit managers may have stronger management support in pursuing audit objectives than they perceive.

Current Internal Audit Involvement

Relative importance of design phase involvement

Our study identified 39 large companies with separate EDP audit sections of which 31 (79%) indicated some design phase audit involvement. This may be compared with the 50-60% reported in the SRI study cited earlier. As shown in Table 3, an average of only 23% of EDP audit time was spent on design phase audit activities. Some internal audit departments, though, spent as much as 70% of their EDP audit time on design phase audits.

•The Spearman Rank Correlation Coefficient showed agreement at the .02 level (two-tailed).
The Kruskal-Wallis Analysis of Variance by Ranks showed a probability of disagreement of .30 (two-tailed).

•Using a sign test for matched pairs, this difference was significant at only the .29 level (two-tailed). The Mann-Whitney U test gave similar results, the probability of difference being .278 (two-tailed).

Table 3. Distribution of EDP Audit Time

| Audit Area | Percent of Audit Time Devoted to Area* |
|---|---|
| Design Phase | 23% |
| Existing EDP Application | 33% |
| EDP Facility Organization and Processing Efficiency | 18% |
| Support Services for Management and Other Audit Personnel | 17% |
| Other | 9% |
| Total | 100% |

*Represents the mean of 36 responses from EDP Audit Managers. Three companies did not answer this question.

Relative importance of design phase activities and roles

The surveyed EDP audit managers were provided with a list of twelve potential design phase audit activities and asked ... to indicate the frequency with which you perform each activity during the design phase of significant new EDP applications. Thus, the relative importance of an activity is measured in terms of the percentage of cases in which it is actually performed, not in terms of the time spent. Responses to the question are in terms of selecting percentage ranges on a five point scale rather than point estimates.

Table 4 presents the twelve potential design phase audit activities and the mean percentages of actual performance by respondent companies. As an aid to comprehension, the means computed from the five point scale responses have been converted to roughly equivalent percentages. We have also categorized the twelve activities of Table 4 into four potential audit roles. In order of their relative importance, they are: audit of control adequacy, audit of design process, auditor as a user, and auditor as a participant. The nature of each role is discussed below.

Table 4. Design Phase Audit Activities

| Audit Roles and Audit Activities | Performance Means (1-5 Scale)* | % Equivalent** | Overall Rank |
|---|---|---|---|
| Audit of Control Adequacy | 3.99 | 80% | |
| Identify audit trail and control requirements | 4.64 | 91 | 1 |
| Assess and report potential risks to management (including DP management) | 4.06 | 81 | 3 |
| Review conversion tests performed by others | 3.28 | 58 | 7 |
| Audit of Design Process | 3. 9 | 70% | |
| Review design documentation for compliance with company policy | 4.12 | 82 | 2 |
| Review design activities for compliance with company policies | 3.73 | 72 | 5 |
| Review feasibility study for reasonableness, compatibility with present facilities, etc. | 3.22 | 57 | 8 |
| Auditor as a User | 3.32 | 60% | |
| Prepare audit guide for future audits of the application | 3.79 | 73 | 4 |
| Sign off at end of each major phase noting approval or specifying deficiencies | 3.51 | 65 | 6 |
| Design, or supervise development of, embedded audit routines to be included in application | 2.67 | 39 | 11 |
| Auditor Participation | 2.51 | 35% | |
| Participate as part of team performing conversion tests | 2.82 | 44 | 9 |
| Act as liaison between programmers, users and systems design personnel | 2.69 | 40 | 10 |
| Participate as member of feasibility study committee to assess appropriateness of proposed applications | 2.01 | 18 | 12 |

*Based on the responses of 31 EDP audit managers in companies which perform design phase audits. The other companies (approximately 20%) that do not perform any design phase auditing have been excluded from the table. The five-point response scale included the following captions: (1) never; (2) seldom (less than 35% of the time); (3) half (35-65%); (4) usually (65-95%); (5) always or almost always (95-100%).

**Conversion: 5.00 = 97.5; 4.00 = 80; 3.00 = 50; 2.00 = 17. ; thus 3.50 = 65%.

1. Audit of control adequacy. This design phase audit emphasizes the adequacy of both manual and computerized controls associated with the application. Audit involvement might vary from: (1) no involvement, through (2) review of the application at key checkpoints, to (3) constant availability for consultation with system designers and users [7]. The MIS manager can expect an audit evaluation of the adequacy of controls and a specification of control concerns or objectives. The choice on how to meet the control objectives, however, lies with the system designer and user. As shown in Table 4, these are the most performed design phase audit activities.

2. Audit of the design process. This audit is designed to provide an outside evaluation of the development process. The audit approach begins with a sound set of system development standards and ascertains compliance with those standards. A lack of such standards would constitute a significant control weakness. The audit approaches utilized pay particular attention to existing policies and adequacy of documentation.

3. Auditor as a user. In many organizations the need for audit and control considerations to be assessed during the design phase has led to the recognition that auditors are a major user of many systems. Management is becoming more concerned that new systems will be auditable. At the same time there is pressure for the auditors to develop more sophisticated and efficient audit techniques such as an integrated test facility* or embedded audit routines. As reported by Rittenberg and Davis [21, p. 57] such audit techniques are perceived to be the most influential in potentially reducing the scope of the work conducted by the external auditor.

*The integrated test facility, also referred to as the minicompany approach, starts with an application designed to operate on separate organizational units such as departments or companies. The auditor establishes a unit solely for audit purposes. The auditors prepare transaction data, submit the transactions and analyze results as processed on the audit unit. For example, a payroll application might process data for departments A, B, C, D, and the audit test department at the same time, using the same program. In other words, testing is conducted concurrently with regular operations. An embedded audit routine is a part of the processing program that does testing and collects data during processing for subsequent review.

4. Auditor as a design participant. Auditors will normally avoid participation as a designer for two reasons: (1) it may impair the auditor's independence with respect to the system; and (2) the audit function is not designed to replace other activities. Therefore, as seen in Table 4, auditors have for the most part avoided participation in performing conversion tests or acting as a liaison between users and designers.

The design phase audit activities shown in Table 4 represent a responsive approach to the management objectives presented earlier. For example, assessment of control adequacy is an important objective and it is frequently done. Conversely, assessing new proposals or evaluating EDP operations was not important, and this appears to be consistent with the infrequent role of the auditor as a design participant.

Reactions to design phase involvement and reports

The more frequently performed activities should provide the MIS manager with an independent analysis during the design of new systems. Weiss and Perry [26, p. 1] speculate that the majority of data processing managers:

. . . welcome an independent appraisal of their systems to ascertain that there are no major deviations from control standards. No data processing manager can be personally involved in all systems of his organization. Hence, he is glad to have additional assurance to boost his confidence in the finished product.

Weiss and Perry note that although many auditors have problems, when properly structured, an auditor playing the devil's advocate role can help reduce the high risi

ations of internal audit reports is shown in Table 5. Generally, the reports are perceived to be unbiased and within the scope of expected activities, but the thorough and constructive aspects could stand improvement. Technical correctness is the weakest item. We believe upgrading of internal auditor expertise in EDP systems is a likely first step toward solution. It should directly address the weakest link and, in turn, improve the next weakest areas. While the problem belongs to internal audit, MIS may have a role to play in its solution.

Some data processing managers expressed concern that auditors may lose independence when performing such activities as acting as a liaison between users and designers, signing off on developments, or assisting in the design of controls. These managers felt that auditors could increase their independence by obtaining greater EDP technical competence. Many made suggestions that the audit function might recruit EDP employees and train them in auditing. In fact, some organizations have set up programs where selected data processing personnel will spend two to three years in EDP audit to gain a broad perspective of the data processing function.
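The integrated test facility and embedded audit routine that the article describes for a payroll application can be sketched in a few lines; this is an added example, not code from the article or its authors. The department IDs, the pay rule, the 80-hour review criterion, the sample timecards and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

AUDIT_DEPT = "AUDIT"           # assumed ID of the unit set up solely for audit
OVERTIME_AFTER = Decimal("40")
REVIEW_HOURS = Decimal("80")   # assumed selection criterion for the embedded routine


@dataclass(frozen=True)
class Timecard:
    dept: str
    employee: str
    hours: Decimal
    rate: Decimal


def gross_pay(tc):
    """Production pay rule (assumed): time and a half above 40 hours."""
    regular = min(tc.hours, OVERTIME_AFTER)
    overtime = max(tc.hours - OVERTIME_AFTER, Decimal("0"))
    pay = regular * tc.rate + overtime * tc.rate * Decimal("1.5")
    return pay.quantize(Decimal("0.01"))


def run_payroll(timecards):
    """One run over live and audit-unit records, all through the same program."""
    results, audit_file, ledger_total = {}, [], Decimal("0")
    for tc in timecards:
        if tc.hours < 0 or tc.rate <= 0:
            audit_file.append((tc.dept, tc.employee, "rejected: invalid hours or rate"))
            continue
        pay = gross_pay(tc)
        results[(tc.dept, tc.employee)] = pay
        # Embedded audit routine: collect data during processing for later review.
        if tc.hours > REVIEW_HOURS:
            audit_file.append((tc.dept, tc.employee, "hours above review threshold"))
        # ITF control: audit-unit results must never reach the live ledger.
        if tc.dept != AUDIT_DEPT:
            ledger_total += pay
    return results, audit_file, ledger_total


def itf_mismatches(results, expected):
    """Audit-unit employees whose processed pay differs from the auditor's figure."""
    return {emp: (results.get((AUDIT_DEPT, emp)), want)
            for emp, want in expected.items()
            if results.get((AUDIT_DEPT, emp)) != want}


def _tc(dept, emp, hours, rate):
    return Timecard(dept, emp, Decimal(hours), Decimal(rate))


# Constructed sample run: departments A-D are live, AUDIT is the test unit.
SAMPLE_RUN = [
    _tc("A", "a1", "40", "20.00"),
    _tc("B", "b1", "45", "10.00"),
    _tc("C", "c1", "38", "15.00"),
    _tc("D", "d1", "40", "12.50"),
    _tc(AUDIT_DEPT, "t1", "50", "10.00"),   # overtime case
    _tc(AUDIT_DEPT, "t2", "90", "10.00"),   # should trip the embedded routine
    _tc(AUDIT_DEPT, "t3", "-5", "10.00"),   # should be rejected by input edits
]
# Results the auditor worked out independently; None means "must be rejected".
AUDITOR_EXPECTED = {"t1": Decimal("550.00"), "t2": Decimal("1150.00"), "t3": None}

if __name__ == "__main__":
    results, audit_file, ledger = run_payroll(SAMPLE_RUN)
    print("ledger total:", ledger)
    print("audit file:", audit_file)
    print("ITF mismatches:", itf_mismatches(results, AUDITOR_EXPECTED))
```

An empty mismatch dictionary means the production program handled the auditor's test transactions as predicted; the ledger check matters as much, because test data that leaks into live totals is the main operational risk of this technique.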
