Internal Controls

What is an IT Audit? Exploring a New Modern Necessity

What is an IT audit? It’s a commonly misunderstood, all-too-often under-appreciated part of doing business in an increasingly high-tech, data-driven economy. As financial functions rely more and more on technology, public and private enterprises of all sizes will need to shore up the weak points and faulty logic in their accounting and reporting systems.

What are the usual reasons behind financial and IT audits, and how do those reasons differ?

Financial audits are usually regulatory in nature. Most public companies are familiar with the Sarbanes Oxley Act (SOX) and its requirements for Internal Controls over Financial Reporting (ICFR), since they put out information that heavily affects investors’ decisions. Likewise, most private firms recognize the need for financial audits. They’re not always required by law, but contractual obligations and best practices mandate that you ensure the accuracy and completeness of your financial statements.

Back to what is an IT audit. An IT audit ultimately assesses the accuracy and validity of the input (i.e., raw financial data) that is used to create an output (i.e., financial statements). For that reason, internal auditors will typically conduct their IT audits alongside their financial audits to make sure the information that’s feeding into their financial reports is correct.

Publically traded companies almost always conduct both types in tandem, but the same process makes sense for non-public firms. It’s just good practice because IT is the business, and the more you use technology, the more you rely on IT in your financial function. Overall, I wouldn’t really say the reasons behind the different types of audits differ, so much as they go hand-in-hand.

What do companies stand to gain by conducting thorough, well-planned IT audits? What do they stand to lose by neglecting or avoiding the process?

One of the main things they stand to gain is continuous improvement to their financial processes and procedures, and that’s relevant for any business. They’ll also improve their ability to proactively identify where their systems are vulnerable, so they can prevent mistakes or malicious actions from happening in the first place.

If a firm neglects or fails to optimize their IT processes, they leave themselves open to all manner of breaches, incorrect calculations and unauthorized actions. I’ll use a few use cases to illustrate.

Consider user access reviews – a critical part of IT audits. These reviews ensure that whoever can edit a given part of a system actually has the clearance to do so. User access is a big deal for employees who have left a company, and their permissions should be entirely removed from their employers’ computer systems. However, I’ve seen cases where they could still access financial data and use their company email addresses, which exposes a firm to all sorts of unauthorized requests and permissions, both internally and externally.

I’ve also seen a case where an employee had undue access to customer billing information. She changed rates for a big group of customers, and while her actions weren’t malicious, it took a great deal of time and labor to correct her mistake. All of that downstream work could have been avoided if a thorough audit had revealed her inappropriate access.

Finally, some IT errors do lead to fraud and theft. I’ve seen a $10,000 case where an employee had too much access to credit card information. She was putting customers’ refunds on her and her family’s credit cards, and they were caught when their company conducted a thorough review of transaction flows.

What are some of the important characteristics of an IT audit, and in what ways do IT and financial audits differ?

Most of the time, financial audits are heavily focused on your policies and procedures, and they’re very manual. For instance, a company might have a policy around issuing credit to customers. If a statement included a credit, the audit would uncover who made the request for the credit, who issued it, who authorized it and whether or not those employees had the proper clearance to make those decisions. Ultimately, the process heavily relies upon certain employees going back and reviewing other employees’ work.

IT audits differ in three important ways. First, there’s the critical concept that just because someone won’t do something doesn’t mean they can’t. IT systems are supposed to remove the risk that users will take unauthorized actions, but in many cases, the wrong people are given the wrong access and permissions. It’s not sufficient to believe that a certain user won’t make a certain mistake; the fact that he or she can make that mistake is the problem. As we illustrated before with the user access cases, IT audits are critical for uncovering these oversights.

Second, you have a different concept of materiality with IT audits. A financial auditor might not investigate every two-figure abnormality on a financial report – or any of them – but the IT problems that create those small errors tend to be cumulative. Whatever coding or logic error leads to a $50 loss in revenue can snowball into a six-figure mistake if it’s not fixed fast enough. For instance, a problem with the payment logic for a subscription product might automatically renew customers without billing them. If that faulty process continues for days, weeks and months, those losses become significant, to say the least.

Third, you have to make sure you uncover all of the points in your system where data can be changed. Using a bank as an example, the official channels for altering customer data might be an online banking portal and an administrator panel – just two points. But in reality, there are probably many more backend routes that the banks’ employees use to make things easier when helping customers. Whether or not any abuses have occurred, these are the kinds of unofficial access points you need to either patch up or incorporate into standardized workflows.

Overall, what are the most important points for firms to consider as they plan and implement IT audits in conjunction with their financial audits?

First, stay on top of user access. Cybersecurity has become more and more a topic of discussion for the American Institute of Certified Public Accountants (AICPA) and internal auditing boards. The more risk we have with cybersecurity, the more you have to stay on top of user access.

Next, don’t just look at an IT audit as a public company problem or initiative. Regardless of whether or not you go through a complete, mandatory financial audit, you’re still basing your company’s livelihood on your financial IT system. It’s in your best interest to do the audit!

Finally, understand that IT audits don’t need to be extremely costly, time-consuming or scary. With the right upfront planning, you can efficiently identify the weak spots in your systems’ logic and code. Focus on finding out where data can be changed, who can change it and how the system treats that data once it’s been entered.

If you’re considering implementing IT audits at your firm, or if you need to optimize your current auditing process, contact us. If you’re trying to make your reporting and analysis work amid difficult or longer-timeline implementations, we also offer this free whitepaper:

financial reporting and analysis solutions whitepaper

Categorized in: ,

similar articles

Learn to think and approach problems like our financial consultants.

Financial Reporting & Accounting

What You Should Know About Project Accounting

During a prior engagement, I spent several years as the CFO of a construction company during a rapid growth phase. One of the most valuable lessons from that opportunity was learning how to implement and utilize project accounting, a specific type of accounting used to track the expenses and revenue of a standalone project. Project-based… View Article

September 17, 2020Gregory Gorman

Financial Systems

Spreadsheet Server Review: Live Reporting from insightsoftware

insightsoftware is a leading provider of financial reporting and enterprise performance management software. Their reporting integration software helps companies turn their financial and operational data into better business outcomes, driving growth and ROI. Over 25,000 organizations worldwide rely on insightsoftware’s portfolio of best-in-class reporting, analytics, budgeting, forecasting, consolidation and tax solutions to provide them with… View Article

September 15, 2020Anthony Granato

Financial Systems

10 Tips for a Successful ERP Implementation

Many companies underestimate the effort required for successful ERP implementations. An ERP implementation is not simply an advancement of technology or a change to a new, trending system. It’s also an opportunity to re-engineer accounting processes, procedures and controls. It’s a chance to transform the ways accounting and finance professionals work on a day-to-day basis…. View Article

September 10, 2020Dan Lauten

See All