Key Considerations for Conducting Remote IT Audits

Author: Sandra Kuyengwa, CISA, CRISC, CDPSE
Date Published: 17 January 2023

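The constantly evolving nature of IT continues to provide both opportunities and challenges within the IT audit profession. While remote audits are nothing new, the COVID-19 pandemic and resulting need for social distancing fast-tracked the adoption of remote and hybrid audits. There are key benefits of these methods, including cost reduction due to decreased expenses (e.g., travel, accommodation), the ability to leverage global teams with diverse skills, and flexibility in the time and resources for audit engagements. On the other hand, there are also challenges, including increased privacy and security risk, complexities and nuances in what is considered accurate findings and complete evidence when provided remotely, and limitations in evidence collection.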

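To ensure that maximum benefit is achieved when performing an IT audit, there are several factors to consider, including the complexity of the IT audit, industry best practices and the audit objectives of each engagement.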

Continuously Assess Risk

Risk associated with performing an IT audit remotely should be adequately assessed to determine feasibility prior to the commencement of the audit and continuously reviewed throughout the audit cycle to ensure that key success factors are met. Risk mitigation strategies inform the best auditing approaches and allow for adjustments to be made in response to any changes to scope, business processes, audit timing, etc. Feedback from prior audits can also be utilized to ensure that improvement points are incorporated.

Assess the Auditee's Resources

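Successful remote audits make use of technology such as videoconferencing software, smart devices, drones and network connectivity. Key to consider are the compatibility of technology platforms between the auditor and the auditee and any possible restrictions such as encryption, virtual private networks (VPNs) and file transfer limitations.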

Common pitfalls that auditors encounter include:

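  • Organizational policy restrictions prohibiting the auditor or auditee from installing software that is not authorized by the other's organization
  • Inability to decrypt information shared between the auditor and the auditee
  • Inability to have screen-sharing functionality on legacy IT platforms or applications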
  • Limited access to audit elements of the IT environment due to IT systems being hosted on third-party platforms

To overcome the pitfalls above, it is important to adequately prepare for the audit, taking into consideration all possible scenarios that may impact the successful completion of the audit. Where budget permits, pre-audit checks on the auditee's IT environment and processes will provide an indication of potential challenges and can indicate the auditee's readiness for the audit. Another approach is to plan the audit in phases, ensuring that challenges identified in the initial assessment can be addressed and any adjustments to the audit approach made in a timely manner before proceeding to the next phase of the audit.

Prepare Adequately: Scope, Time and Cost

Adequate planning is key to understanding the total effort required to achieve audit objectives and the feasibility of performing the IT audit remotely. The extent, complexity and depth of the audit influence the proposed timelines, which can drive decisions to adjust the audit strategy. The scope and timelines influence the team composition, since skill requirements are a factor. Time differences need to be taken into consideration if team members are in multiple locations. Although travel costs and expenses may decrease, there are also costs that arise because of licensing fees and training requirements for technology that supports remote work. Planning is key in ensuring that benefits are adequately assessed and optimized throughout the audit cycle.

Consider Evidence Requirements

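To perform a quality audit, sufficient and appropriate evidence must be obtained to draw reasonable conclusions. Remote audits bring a higher risk of evidence tampering. Methods such as obtaining screenshots, system extracts or recordings during virtual walkthroughs and testing can offer some reassurance as to the completeness and accuracy of information. However, there are cases where the auditee needs to run scripts or reports over a longer period of time, in which case the auditor cannot continuously observe them. This raises questions about the accuracy and completeness of the evidence provided.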

The auditor must apply professional skepticism when assessing this evidence and address the risk of incompleteness and/or inaccuracy. When gathering evidence, the auditor needs to consider:

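  • The method of delivering evidence and its security in transit
  • Possible delays by the auditee in providing evidence
  • Implementing adequate controls when it is not possible to observe evidence as it is produced
  • Using automated evidence collection tools to reduce the risk of manipulation
  • Retention and destruction of evidence after use
  • Potential privacy and confidentiality breaches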

Assess Communication Needs During the IT Audit

Traditional/onsite auditing allowed for a quick drop-in meeting with the auditee to verify or clarify information. It also allowed the auditor to pick up on body language and reactions during interactions with the auditee. With remote audits, this may not be possible or timely. The auditor needs to anticipate such challenges and clearly articulate requirements while also leveraging virtual walkthroughs and testing sessions.

Ongoing communication during the IT audit can improve the quality of communication and allow relationships to be built. This is necessary to avoid pushback from the auditee, which can result when there are constant breaks or long periods of no communication throughout the audit. To address communication issues, the auditee needs to provide regular feedback on progress, delays and other updates. Requesting audit requirements in advance can also assist the auditee in preparing the information and ensuring that the information is provided by the right person.

Address Team Considerations

Performing a remote IT audit requires the auditee to have appropriate skills for assessing the audit area. It requires timely review and engagement with various stakeholders during the audit. It may be difficult to identify any issues the team may be facing because of remote working; therefore, there is a need to determine and agree on the best strategy to ensure that challenges and delays are identified and solutions are implemented in a timely manner.

The auditee should also ensure that the best contact person is identified based on the information to be provided, responsibilities, ability to assist and availability during the scheduled audit time.

Conclusion

There is no one-size-fits-all approach to performing a successful remote IT audit. Care must be taken when assessing the best approach, balancing benefits with compliance requirements. As more organizations opt for hybrid or fully remote audits, there is a need to continuously adapt and innovate while making use of this opportunity to add more value to organizations.

Editor's Note

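To hear more of the author's thoughts on this topic, listen to the "Key Considerations for Conducting Remote IT Audits" episode of the ISACA® Podcast.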

Sandra Kuyengwa, CISA, CRISC, CDPSE

Is an IT Audit Assistant Manager based in the UK with over 6 years of experience in delivering and leading complex technology risk assessments across various industry sectors including financial, mining, manufacturing and telecommunications. She can be reached at http://www.linkedin.com/in/sandra-kuyengwa-26bb3823/.