IT audits are in most cases carried out within a short period of time – a few man days – depending on the size of the audit. During this short period, evidence gathering can become a rather tricky task if the respondents of the audit aren't revealing enough, and it all boils down to the inquiry skill set of the auditor.
We look at the types of inquiry, their effectiveness and their pros and cons.
A questionnaire is a set of predefined questions that an auditor passes along to those participating in an audit. An IT auditor can use standard, professionally developed questions known to be effective in a questionnaire; however, a questionnaire is like a line sketched with a pen that can't be erased.
One of the primary advantages of a questionnaire is that it fits perfectly in an IT audit scenario, as it can be used to gather information on systems, their types, operating systems, applications, etc.
Some of the other advantages are the structure, conciseness, and the ability to direct to-the-point questions at the auditees.
However, questionnaires have their own demerits. First and foremost is their inability to adapt based on the responses of the auditee. A questionnaire follows a specific structure and is always given to auditees to fill in in their own time, without the auditor intervening in the process.
Further, interviewees tend to provide short answers that lack substance, thereby requiring more effort from the auditor to gather evidence.
Interviews are one of the primary means of evidence gathering during any audit – be it a financial or an IT audit.
Interviews give the IT auditor the chance not only to gather evidence but also to get to know the company and the subject matter at hand a lot more thoroughly, which in turn proves fruitful during evidence gathering.
The primary advantage of interviews is that they are far superior to questionnaires because of the natural interaction. No doubt interviews, like questionnaires, are planned, but they take a more natural course.
Once the interview begins, the IT auditor can adapt it and gather more evidence as it progresses, based on the answers and responses.
However, an interview depends on the availability of the interviewee and the IT auditor – an administrative problem which is hard to solve if the interviewee isn't willing to interact with the auditor face-to-face.
Further, transcribing the responses takes more time. Also, the interview may not proceed as intended because of reservations of either party involved in the interview, and may end up having a negative impact on the audit rather than being fruitful.
Effectiveness of Inquiry
The inquiry method depends on the initial risk levels as seen during risk assessment and on the objective of the audit.
The effectiveness of the audit outcome is directly proportional to the level of resilience of the test results. If the organisation being audited and the auditor are after little resilience of the test results because the risk levels were low and acceptable, inquiry alone would do just fine and evidence gathering may not assume greater importance.
However, if the risk levels are moderate, high or very high, inquiry wouldn't suffice, and other means of testing, including examination, re-performance, and inspection, will be required.
Sometimes IT auditors will receive responses that are questionable. In such cases the auditor can use the inquiry outcome as a base and branch out to other forms of evidence-gathering mechanisms as required.
For example, during inquiry of the policy design and operations team, the IT auditor may find a huge gap between what is documented and what is actually being followed. This means that reliance on inquiry alone wouldn't be justifiable, and because of this the auditor will be required to drill down further and collect tangible evidence.
Scenarios where inquiry doesn't always bear fruit:
- Policy / procedure design
- Policy / procedure execution verification
- Access control
- Change control
- Nefarious activities
- Internal audits
- Customer feedback
Inquiry has been a valuable tool in IT audits globally. However, auditors should give enough thought to the underlying objectives of the audit, the risk involved in each of the process areas and the controls in place, and then decide on the type of inquiry to go for and whether inquiry alone will be sufficient.