IT Audit Benchmarking Webinar: David Brand and Robert Kress Answer Your Questions

David Brand, Managing Director IT Audit
Robert E. Kress, Managing Director IT, Financial and Operational Audit, Accenture

It has been a few months since the release of Protiviti’s 5th Annual IT Audit Benchmarking Survey (conducted jointly with ISACA), documenting the top technology challenges of executives and IT professionals around the world. We covered the highlights in a webinar and a blog post back in December. We’ve said a lot on the topic, online and offline, but what’s needed is a dialogue. To that end, we want to address some of the questions asked during our December webinar that we didn’t have time to answer then. The questions are as relevant now as they were then, and will continue to be for some time. Protiviti’s David Brand and Accenture’s Bob Kress presented at the webinar and took the time to provide the answers below:

Q: What are some of the top customer relationship management (CRM) tools for risk assessments?

Bob: There are many reputable CRM systems in the market. We use the CRM contact management functionality to support our continuous risk assessment – tracking the people we have risk discussions with, scheduling meetings, tracking meeting notes and reporting. Accenture uses Microsoft Dynamics in a software-as-a-service model for this capability. This works well for us, as MS Dynamics interfaces directly with Office 365 Exchange for email, which enables easy scheduling and calendaring.

Q: Which framework would you recommend for IT audit? COBIT or COSO, or is there something else?

Bob: Accenture uses the COBIT framework for the IT risk universe. We use it to assess risk across all businesses and functions, with particular emphasis on those functions or businesses that contain IT infrastructure (e.g., data centers, hosting servers, networks) and those that manage confidential data. For IT audit reporting, we use the COSO framework to assess the severity of findings. The NIST cybersecurity framework is well-aligned with the major risk frameworks in the market, such as ISO, COBIT, and ISMS. NIST provides a comprehensive framework to assess cybersecurity and is becoming increasingly popular and accepted in the marketplace.

David: Frameworks are good tools to ensure that your thinking is broad enough to cover areas that might not be top-of-mind. But I’d also suggest that sticking to a single framework probably isn’t the right idea. You need to consider various frameworks that are out there and pick and choose the right framework components and points of focus that are going to work for your organization.

Q: For advisory projects, do you issue an audit report at the end of the project with detailed audit objectives and conclusions?

Bob: For advisory services projects we typically do not issue audit reports. Our observations and recommendations are communicated in a variety of forms, depending upon the nature of the advisory service. These include a report, an email, verbal discussion in review meetings, etc.

Q: Please elaborate more on the meaning of the term “integrated auditing.”

Bob: For Accenture, integrated audits typically combine an assessment of financial or operational risk and technology risk. A combined team of financial, operational and technology auditors is used for these audits.

Q: What are some best practices when developing an IT audit universe?

David: Start with an inventory of all the applications an organization has deployed, all the technology used to deliver products to market. List all of the databases, platforms, networks, etc. that those applications run on. Then look at all of the services required to manage all of those tools and infrastructure – user administration, configuration, patch management and so on. You really need to look at both halves – the technology infrastructure (software and hardware) and the processes that deliver and support the infrastructure, and assess the risk of each component. That gives you a bottom-up view of the technology risk environment. You also must seek to understand how technology supports and interacts with the achievement of the company’s strategies and objectives and how it is used to support key risk mitigation strategies. Mapping this thinking back to the infrastructure components and services inventoried above will provide you with a top-down view of technology risk. Both views are necessary to obtain a complete picture.

Q: Do you assess just inherent risk, or both inherent and residual risk, as part of the risk assessments? Would you recommend developing an audit plan based on the inherent or the residual risk rating of each auditable unit?

David: Traditionally, we like to talk about inherent risk. The challenge is that a risk assessment is typically based on the perspectives of management, and getting management to understand the difference between inherent and residual risks, and divorce themselves from their knowledge of the control environment to answer in an inherent way, is too difficult. In other words, once a manager knows all of the controls that have been implemented to mitigate a risk, it is very difficult for that manager to step back and try to think philosophically about that risk and all of the things that are inherently risky about it, because that risk has already been addressed. So, I like to go in and talk about both the risks and the strength of the control environment, and then I can conduct audits from there.

Q: As you perform continuous risk assessments and note changes, do you issue a new risk assessment report with each change or just one annual report for the audit committee?

David: As you progress from performing annual risk assessments to performing assessments quarterly, or even continuously, you are not re-issuing risk assessment reports, but you might have a heat map or some other dashboard or indicator that is updated as the risk landscape changes. You’ll present risks to the audit committee based on that heat map – this is not really a report but more of an update, or a summarized updated view of risks. By the time you get to a true continuous risk monitoring model, there would no longer be a need for an annual report, because risks are being assessed and reported in real time.

Given the rapid and accelerating pace of change in data management, security and infrastructure, IT audit will continue to be a hot topic and one we will be monitoring closely, revisiting our survey results and webinars for more insights. In the meantime, feel free to share your experiences in the comment section below.

2 comments

  • Excellent view from David and Robert. I have just one question for them. When you send a report via heat map, do you show risks in multiple maps or do you combine them all in one map? Thanks.

  • Thank you for the great question. Typically I find that Audit Committees are looking for a summarized view of the information. To facilitate that, I try to present the heat map as a consolidated view of the top risks (not every risk, just the most important). Usually no more than 20, with some highlighting of the changes, adds and deletes, and brief commentary on why things moved.