Melissa Bartlett has over 17 years of experience in finance and accounting in industries such as manufacturing, retail, corporate housing and technology. She has held positions in compliance and internal audit, as well as leadership roles including NA Controller for Technicolor Home Entertainment Services and Corporate Controller and Treasurer at Oakwood Worldwide. Melissa’s core competencies include full-cycle accounting, GAAP, FP&A, internal controls and process improvement. She has extensive cross-functional experience, and her accomplishments include managing the reconstruction of three years of financial reports, leading global SOX/Compliance efforts and converting cash-basis accounting to accrual. Melissa is a CITP and has worked on several systems implementations, changes and upgrades. She has a BBA in Finance from the University of Texas and graduate and post-graduate degrees in Accounting, and she is a CPA and CMA.
Given Melissa’s extensive auditing experience, we asked for her input on IT auditing – a commonly misunderstood, all-too-often under-appreciated part of doing business in an increasingly high-tech, data-driven economy. As financial functions rely more and more on technology, public and private enterprises of all sizes will need to shore up the weak points and faulty logic in their accounting and reporting systems.
Q: For context, what are the usual reasons behind financial and IT audits, and how do those reasons differ?
A: Financial audits are usually regulatory in nature. Most public companies are familiar with the Sarbanes Oxley Act (SOX) and its requirements for Internal Controls over Financial Reporting (ICFR), since they put out information that heavily affects investors’ decisions. Likewise, most private firms recognize the need for financial audits. They’re not always required by law, but contractual obligations and best practices mandate that you ensure the accuracy and completeness of your financial statements.
As for IT audits, they’re ultimately assessing the accuracy and validity of the input – raw financial data – that is used to create an output – financial statements. For that reason, internal auditors will typically conduct their IT audits alongside their financial audits to make sure the information that’s feeding into their financial reports is correct.
Publicly traded companies almost always conduct both types in tandem, but the same process makes sense for non-public firms. It’s just good practice because IT is the business, and the more you use technology, the more you rely on IT in your financial function. Overall, I wouldn’t really say the reasons behind the different types of audits differ, so much as they go hand-in-hand.
Q: What do companies stand to gain by conducting thorough, well-planned IT audits? What do they stand to lose by neglecting or avoiding the process?
A: One of the main things they stand to gain is continuous improvement to their financial processes and procedures, and that’s relevant for any business. They’ll also improve their ability to proactively identify where their systems are vulnerable, so they can prevent mistakes or malicious actions from happening in the first place.
If a firm neglects or fails to optimize their IT processes, they leave themselves open to all manner of breaches, incorrect calculations and unauthorized actions. I’ll use a few use cases to illustrate.
Consider user access reviews – a critical part of IT audits. These reviews ensure that whoever can edit a given part of a system actually has the clearance to do so. User access is a big deal for employees who have left a company, and their permissions should be entirely removed from their employers’ computer systems. However, I’ve seen cases where they could still access financial data and use their company email addresses, which exposes a firm to all sorts of unauthorized requests and permissions, both internally and externally.
I’ve also seen a case where an employee had undue access to customer billing information. She changed rates for a big group of customers, and while her actions weren’t malicious, it took a great deal of time and labor to correct her mistake. All of that downstream work could have been avoided if a thorough audit had revealed her inappropriate access.
Finally, some IT errors do lead to fraud and theft. I’ve seen a $10,000 case where an employee had too much access to credit card information. She was putting customers’ refunds on her and her family’s credit cards, and they were caught when their company conducted a thorough review of transaction flows.
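The three access cases above (departed employees keeping accounts and mailboxes, a user with undue rights over billing rates, a user with more card and refund access than the job needs) all come out of the same kind of user access review: join the HR roster to the system's account and permission export and look for mismatches. The script below is an added illustration written for this page, not a tool from the interviewee or any named firm; the role-to-permission entitlements, user names and permission strings are all constructed.

```python
"""User access review reconciliation (constructed example, not from the interview).

Joins an HR roster against accounts exported from a financial system and
reports the findings an IT audit looks for:
  1. people who have left but still hold an active account or mailbox
  2. accounts with no HR record at all (orphan accounts)
  3. active users holding permissions their role does not entitle them to
All roles, permissions and people below are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical role-to-permission entitlements: the maximum a role should hold.
ENTITLEMENTS = {
    "ar_clerk": {"customer.read", "invoice.create"},
    "billing_manager": {"customer.read", "invoice.create", "rate.edit"},
    "refund_agent": {"customer.read", "refund.issue"},
}


@dataclass
class Employee:
    user_id: str
    role: str
    terminated: Optional[date] = None  # None means still employed


@dataclass
class Account:
    user_id: str
    active: bool
    mailbox_active: bool
    permissions: set = field(default_factory=set)


def review_access(roster, accounts, as_of):
    """Return audit findings as a list of (user_id, finding) tuples."""
    by_id = {e.user_id: e for e in roster}
    findings = []
    for acct in accounts:
        emp = by_id.get(acct.user_id)
        if emp is None:
            findings.append((acct.user_id, "orphan account: no HR record"))
            continue
        if emp.terminated is not None and emp.terminated <= as_of:
            # Leaver: nothing should still be active, regardless of permissions.
            if acct.active:
                findings.append((acct.user_id, "terminated but account active"))
            if acct.mailbox_active:
                findings.append((acct.user_id, "terminated but mailbox active"))
            continue
        # Current employee: flag anything beyond the role's entitlement.
        excess = acct.permissions - ENTITLEMENTS.get(emp.role, set())
        for perm in sorted(excess):
            findings.append((acct.user_id, f"excess permission: {perm}"))
    return findings


def run_example():
    """Constructed roster and account export; returns the findings list."""
    roster = [
        Employee("alice", "ar_clerk"),
        Employee("bob", "billing_manager", terminated=date(2023, 1, 15)),
        Employee("carol", "refund_agent"),
    ]
    accounts = [
        # AR clerk who can edit rates: the billing-rate case above
        Account("alice", True, True, {"customer.read", "invoice.create", "rate.edit"}),
        # leaver whose account and mailbox were never disabled
        Account("bob", True, True, {"customer.read"}),
        # refund agent who can also read card data: the refund-fraud case above
        Account("carol", True, True, {"customer.read", "refund.issue", "card.read"}),
        # account with no matching HR record
        Account("dave", True, False, {"customer.read"}),
    ]
    return review_access(roster, accounts, as_of=date(2023, 3, 1))


if __name__ == "__main__":
    for user, finding in run_example():
        print(f"{user}: {finding}")
```

In practice the roster comes from HR and the account export from the system's admin reports; the point of keeping the entitlement table separate is that "can this user do X" is answered from the role, so any permission outside it is a finding even if nobody has misused it.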
Q: What are some of the important characteristics of an IT audit, and in what ways do IT and financial audits differ?
A: Most of the time, financial audits are heavily focused on your policies and procedures, and they’re very manual. For instance, a company might have a policy around issuing credit to customers. If a statement included a credit, the audit would uncover who made the request for the credit, who issued it, who authorized it and whether or not those employees had the proper clearance to make those decisions. Ultimately, the process heavily relies upon certain employees going back and reviewing other employees’ work.
IT audits differ in three important ways. First, there’s the critical concept that just because someone won’t do something doesn’t mean they can’t. IT systems are supposed to remove the risk that users will take unauthorized actions, but in many cases, the wrong people are given the wrong access and permissions. It’s not sufficient to believe that a certain user won’t make a certain mistake; the fact that he or she can make that mistake is the problem. As we illustrated before with the user access cases, IT audits are critical for uncovering these oversights.
Second, you have a different concept of materiality with IT audits. A financial auditor might not investigate every two-figure abnormality on a financial report – or any of them – but the IT problems that create those small errors tend to be cumulative. Whatever coding or logic error leads to a $50 loss in revenue can snowball into a six-figure mistake if it’s not fixed fast enough. For instance, a problem with the payment logic for a subscription product might automatically renew customers without billing them. If that faulty process continues for days, weeks and months, those losses become significant, to say the least.
Third, you have to make sure you uncover all of the points in your system where data can be changed. Using a bank as an example, the official channels for altering customer data might be an online banking portal and an administrator panel – just two points. But in reality, there are probably many more backend routes that the bank’s employees use to make things easier when helping customers. Whether or not any abuses have occurred, these are the kinds of unofficial access points you need to either patch up or incorporate into standardized workflows.
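Two of the points in this answer lend themselves to a concrete check over a system event log: the cumulative materiality of a small billing-logic error (renewals that never produce a charge) and the inventory of channels through which customer data actually gets changed. The script below is an added example written for this page, not code from the interviewee or any named company; the event log, channel names and the $1,000 materiality threshold are all constructed.

```python
"""Two IT-audit checks over a constructed event log (example, not from the interview).

check_change_channels: every write to customer data should arrive through an
approved channel; anything else is an unofficial data-change point to close
or formalise.
renewal_leakage: a subscription renewal with no matching charge is a small
per-event error that accumulates; the check returns the running total and the
first date it crosses a materiality threshold.
"""
from collections import Counter
from datetime import date, timedelta

# Hypothetical list of sanctioned ways to alter customer records.
APPROVED_CHANNELS = {"web_portal", "admin_panel"}


def check_change_channels(events, approved=APPROVED_CHANNELS):
    """Count customer-data writes per channel that is not on the approved list."""
    unofficial = Counter()
    for ev in events:
        if ev["type"] == "customer_update" and ev["channel"] not in approved:
            unofficial[ev["channel"]] += 1
    return dict(unofficial)


def renewal_leakage(events, threshold):
    """Sum renewals that have no charge for the same customer on the same day.

    Returns (total_unbilled, first_date_running_total_reached_threshold or None).
    """
    charged = {(ev["date"], ev["customer"]) for ev in events if ev["type"] == "charge"}
    running = 0.0
    first_over = None
    for ev in sorted(events, key=lambda e: e["date"]):
        if ev["type"] == "renewal" and (ev["date"], ev["customer"]) not in charged:
            running += ev["amount"]
            if first_over is None and running >= threshold:
                first_over = ev["date"]
    return running, first_over


def build_sample_log():
    """Constructed log: 10 subscribers on a daily $50 plan for 30 days.

    From day 11 on, the billing step silently fails for 4 of them, so each day
    leaks $200: individually immaterial, $4,000 by month end.
    """
    events = []
    start = date(2024, 1, 1)
    for day in range(30):
        d = start + timedelta(days=day)
        for cust in range(10):
            cid = f"c{cust}"
            events.append({"date": d, "type": "renewal", "channel": "billing_job",
                           "customer": cid, "amount": 50.0})
            if day < 10 or cust >= 4:
                events.append({"date": d, "type": "charge", "channel": "billing_job",
                               "customer": cid, "amount": 50.0})
    # Customer-data writes: one through the portal, three through back-end routes.
    for cid, channel in (("c1", "web_portal"), ("c2", "sql_console"),
                         ("c3", "support_script"), ("c4", "sql_console")):
        events.append({"date": start, "type": "customer_update", "channel": channel,
                       "customer": cid, "amount": 0.0})
    return events


if __name__ == "__main__":
    log = build_sample_log()
    print("unofficial change channels:", check_change_channels(log))
    total, first = renewal_leakage(log, threshold=1000.0)
    print(f"unbilled renewals: ${total:,.0f}, threshold first reached on {first}")
```

The leakage check deliberately reports the date the running total crossed the threshold rather than only the final sum: that date is how long the faulty logic ran before it became material, which is the number that tells you whether the monitoring cadence is adequate.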
Q: Overall, what are the most important points for firms to consider as they plan and implement IT audits in conjunction with their financial audits?
A: First, stay on top of user access. Cybersecurity has become more and more a topic of discussion for the American Institute of Certified Public Accountants (AICPA) and internal auditing boards. The more risk we have with cybersecurity, the more you have to stay on top of user access.
Next, don’t just look at an IT audit as a public company problem or initiative. Regardless of whether or not you go through a complete, mandatory financial audit, you’re still basing your company’s livelihood on your financial IT system. It’s in your best interest to do the audit!
Finally, understand that IT audits don’t need to be extremely costly, time-consuming or scary. With the right upfront planning, you can efficiently identify the weak spots in your systems’ logic and code. Focus on finding out where data can be changed, who can change it and how the system treats that data once it’s been entered.
If you’re considering implementing IT audits at your firm, or if you need to optimize your current auditing process, please call us at (855) 367-8020.