How can I get into internal auditing?


IT managers need to get used to being watched as they work. Growing complexity and a lack of transparency in IT applications, as well as rising costs, have prompted many companies to put IT auditors onto data processing. Weak points are to be identified and economic efficiency checked. Whether the IT auditors are accepted by the IT manager ultimately depends on their specialist knowledge and their demeanor. If the impression arises that they want to "kick the data processors in the shins", they will not be recognized as consultants but merely "accepted" as controllers. ih

Robert Hürten, Managing Director of Gnosis GmbH, Seeheim, guest speaker at ECU GmbH, Heppenheim

The tasks of an internal audit department consist mainly of a monitoring function in the broadest sense. It is a matter of determining whether work and results correspond to the plans and organizational rules and whether the criteria of functionality, organizational expediency, security and economic efficiency are observed. In particular, these are system and compliance audits, business studies, simplification and standardization of organizational processes, analyses of costs and weak points, improvement of reporting and systematic (co-)development of target concepts (framework proposals).

In order to fulfill these tasks, an auditor needs in-depth IT knowledge and skills that enable him, during an IT audit, to check software production including maintenance as well as data center operations for functionality, organizational appropriateness, correctness, security and economic efficiency. In addition, it is checked whether EDP production is processed on time and without disruptions. Only if the auditor has the necessary IT knowledge will he be accepted by the data processors.

He must be able to assert himself with the IT specialists so convincingly that they are glad to follow his advice during system development (ex-ante instead of ex-post audits), for instance by occasionally working in the project team. The criticism of an IT auditor should always be constructive. It is important that he keeps his knowledge and skills constantly up to date, for his company and in accordance with the audit program: in addition to business administration, organization and audit technique, this applies especially to hardware and software, programming (at least at beginner level), principles and methods of efficient software production, GoB and test programs, IT applications, and data security including data protection. To this end, participation in seminars for the exchange of experience is recommended.

If EDP auditors have the up-to-date knowledge of an organizational programmer and have mastered the usual audit techniques (interview methods, report writing, report discussion, etc.), then they will also be accepted by the IT people at any time as critical partners in the implementation of IT services in the company.

Auditors who, lacking adequate IT skills, nevertheless believe they can take incompetent and unfounded "kicks at the shins" of the IT people will run into problems.

In our economically difficult times, internal audit and the IT department of a company must not work against each other, but rather eliminate any remaining mutual distrust as quickly as possible. Working towards this is, after all, an important task of a company's responsible managers.

IT committees, in which the heads of the most important specialist areas should always be represented along with the heads of internal audit and the IT department, have also proven their worth. Here, above all, medium- and long-term IT planning is determined in coordination with corporate planning. Among other things, the auditors report there on the results of their success reviews of implemented IT projects.

In a modern company, the internal audit department does not deal with operational events only in isolated retrospect, but is a full-fledged advisory and monitoring partner for company management as well as for the IT department and the specialist areas in the fulfillment of all company functions. Its constructive criticism will always be received with an open mind.

Nikolaus Nowak, Head of Group Internal Audit, Salzgitter AG, Salzgitter

The IT audit is part of Salzgitter AG's group audit. It has existed since 1977, currently has seven employees and audits the IT areas of the Salzgitter Group, which currently has six data centers and numerous mid-range data processing systems.

The EDP audit is advised by an EDP specialist from the group's auditor.

The main task of the EDP audit is to check commercial IT application systems for correctness and security (system audits). The audit activities extend to both in-house and purchased software. Where possible, in-house programs and systems are already checked during the development phase, i.e. the EDP audit is active in development. The EDP audit also steps in when programs are changed. In the beginning, IT applications that were already in use had to be checked.

When third-party software is used, the IT audit activity is mainly aimed at checking that the company-specific conditions of the relevant application area have been properly integrated into the purchased software package.

System audits are carried out on the basis of test data created by the auditors themselves. Test software is not used.

The EDP audit pays particular attention to the procedure documentation and to the work instructions to be created by the users. The basis of the audit is primarily the provisions of commercial and tax law, the statements of the FAMA, the regulations of the tax authorities and the guidelines of the Salzgitter Group.

In addition to the activities described, the EDP audit also partly deals with the examination of organizational processes upstream and downstream of data processing.

The EDP audit does not participate in the planning and procurement of hardware and software, nor does it usually comment on detailed questions of system analysis and programming. The EDP audit attaches great importance to the question of the economic efficiency of EDP applications, but has not yet included such audits in its activities. The individual companies are responsible for monitoring the ongoing costs of IT operations.

Both the specialist departments and the IT department now regard EDP audit as a partner, and it is perceived more as a consultant than as an auditor. This has not always been the case; in its initial phase in particular, the EDP audit had to overcome a number of hurdles, particularly in its relationship with data processing. In particular, it was not easy for the IT managers to accept that their work, which until then had hardly or not at all been interfered with from outside, was henceforth subject to critical examination from certain angles by an entity outside their area. In addition, the IT managers regarded the qualifications of the IT auditors as inadequate: they had not emerged from the ranks of IT and therefore had no special IT knowledge, for example in system analysis and programming. The considerable results of the IT audit work, however, increasingly convinced the IT managers that what the IT auditors need in performing their tasks, apart from sound audit-specific knowledge and experience, is solid basic IT knowledge rather than perfect IT specialist knowledge. The audit aspects already mentioned are decisive.

The phase of getting used to each other is now complete. In any case, the cooperation between the specialist departments, data processing and IT audit can now be described without reservation as problem-free.

Bernd Wittek, Head of Internal Audit, Alte Leipziger Lebensversicherung AG, Oberursel

The tasks of internal audit, and thus also of IT audit, are determined by company management. The delegation of tasks includes the possibility of management influencing audit planning and deploying or deferring audits in the IT area. Due to the increasing use of EDP in all areas of the company, it is increasingly necessary to include the EDP audit in the overall audit. EDP audit in this context means not only checking the program-controlled EDP procedures, but also assessing the economic use of EDP. However, this requires knowledge of programming, system development, operations organization and the documentation process.

In order to cover the EDP area from an audit perspective, the auditor must have not only business and industry-specific knowledge but also the tools needed for an EDP audit. Audit is of particular importance in the development of new EDP procedures, because in the course of a project-accompanying audit it can introduce its requirements for the procedure in good time, so that the greater effort resulting from subsequent changes is avoided. Whether an auditor is ultimately accepted by the IT manager and his employees depends on his professional knowledge and his demeanor. In general: tensions will always arise when auditors tend to emphasize formal competence in order to cover up inadequate expertise.

Mind you, it is not a matter of the auditor having the same programming skills as an IT employee, but he must be able to recognize and evaluate the relevant facts. In any case, the auditor should not be confronted with a subject that overwhelms him.

For auditors who do not have the necessary IT knowledge, it is therefore advisable to first "approach" data processing, that is, to audit peripheral EDP areas. Areas such as the audit of data center organization, data center backup and data storage media archiving form an important preliminary stage for auditing the other IT areas, which then require further specialist knowledge in addition to the basic knowledge already acquired. The considerations just made about the requirements profile of an EDP auditor raise the question of whether it is more expedient for an EDP auditor to come from (if possible external) EDP areas and be trained as an auditor, or vice versa. In my opinion, satisfactory audit results can be achieved more quickly if the audit criteria are conveyed to employees who have previously worked in IT.

It is absolutely essential that the employees entrusted with the EDP audit adjust to the rapid development of IT and continuously train themselves.

Rainer Zirn, head of the working group "Auditing of IT in Credit Institutions" of the German Institute for Internal Auditing e.V., Frankfurt

The EDP audit is mostly a sub-area of a company's internal audit. Its position is therefore derived from the monitoring function delegated by company management. The focus of its work lies in auditing the development and application of EDP procedures as well as EDP operations (especially data centers), with security and economic aspects applying equally as criteria. In order to improve the system, the audit department also submits proposals for the creation or updating of all IT guidelines (e.g. documentation, test and data center guidelines). With the advance of EDP in recent decades, with the growing complexity and lack of transparency of EDP applications, and with the increasing magnitude of EDP investments and costs, the importance of EDP audit has further increased. IT specialists often hide behind high protective walls of technical jargon and practical constraints vis-à-vis management and users. In some cases, gray areas without regulated responsibility have even emerged as a result of IT ignorance or disinterest. Here, too, the knowledgeable EDP auditor has a broad field. EDP auditors are often consulted by executives because of their special experience and expertise. The IIR working groups have formulated the requirements for this profession in a requirements profile and are involved in auditor training.

As far as we know, the involvement of EDP audit in the development phase of EDP projects (ex-ante audit) is practiced with varying degrees of intensity. For reasons of economy, corresponding statements from the EDP audit department are often obtained very early on, so that its requirements (e.g. for the control and coordination system) can be taken into account.

A review of the procedures in use, taking into account running costs and the benefits achieved for the user (post-investment review), is carried out by some IT audit departments as an important task. In addition to security aspects, data center audits primarily concern capacity utilization and running costs.

The aim of EDP audit is to identify weak points or inefficiencies and to make recommendations for remedying them and improving the systems. It should not be overlooked that in practice the EDP auditor is still too often seen as a mere "supervisory authority". However, this view often results from the audited units' ignorance of the objective mentioned above. The aim here is to break down prejudices and to find a better basis for professional work through a cooperative audit style.