Key Considerations for Conducting Remote IT Audits

Author: Sandra Kuyengwa, CISA, CRISC, CDPSE
Date Published: 17 January 2023

The constantly evolving nature of IT continues to present opportunities and challenges for the IT audit profession. While remote auditing is nothing new, the COVID-19 pandemic and the resulting need for social distancing rapidly drove the adoption of remote and hybrid audits. The major benefits of these approaches include lower costs due to reduced expenses (e.g., travel, accommodation), the ability to make use of global teams with varied skill sets, and time and resource flexibility regarding audit engagements. On the other hand, there are also several challenges, including increased privacy and security risk, complexities and nuances in what is considered accurate and complete evidence when provided remotely, and limitations in evidence gathering.

To ensure that maximum benefits are realized when conducting IT audits, there are several factors to consider including the complexity of the IT audit, industry best practices and the audit objectives of each assignment.

Continuously Assess Risk

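The risk associated with performing a remote IT audit should be adequately assessed to determine feasibility before the audit begins, and reviewed continuously throughout the audit cycle to ensure that key success factors are met. Risk mitigation strategies inform the best audit approach and allow for adjustments based on any changes in scope, business processes, timing of the audit, etc. Feedback from previous audits can also be used to ensure that improvement points are incorporated.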

Assess the Auditee’s Resources

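A successful remote audit utilizes technologies such as video conferencing software, smart devices, drones and network connectivity. Key things to consider are the compatibility of technology platforms between the auditor and the auditee and any possible limitations such as encryption, virtual private networks (VPNs) and file transfer limits.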

Common examples of pitfalls encountered by auditors include:

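  • Organizational policy restrictions that prohibit the auditor or auditee from installing software not authorized by the other organization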
  • Failure to decrypt information shared between the auditor and auditee
  • Failure to possess the ability to screenshare on legacy IT platforms or applications
  • Limited access to elements of the IT environment being audited because IT systems are hosted on third-party platforms

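To overcome the pitfalls above, it is important to prepare adequately for the audit, taking into account all possible scenarios that could affect its successful completion. Where the budget allows, a pre-audit review of the auditee’s IT environment and processes will provide an indication of potential challenges and can indicate the auditee’s readiness for the audit. Another approach is to plan the audit in phases, ensuring that challenges identified in the initial assessment can be addressed before moving to the next phase of the audit and that any adjustments to the audit approach are made in a timely manner.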

Adequately Prepare: Scope, Timelines and Costs

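Adequate planning is key to understanding the total effort required to achieve the audit objectives and the feasibility of performing the IT audit remotely. The extent, complexity and depth of the audit affect the proposed timelines, which can drive a decision to adjust the audit strategy. Scope and timelines affect team composition, as skill requirements are a factor. If team members are in multiple locations, time differences need to be considered. While there could be a reduction in travel costs and expenses, licensing fees and training requirements for technologies that support remote work also incur costs. Planning is key to ensuring that benefits are adequately assessed and optimized throughout the audit cycle.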

Consider Evidence Requirements

To perform a quality audit, sufficient and appropriate evidence must be obtained to draw reasonable conclusions. With remote auditing comes a higher risk of manipulation of evidence. Methods such as obtaining screenshots, system extracts or recordings during virtual walk-throughs and testing can provide some assurance over the completeness and accuracy of the information. However, in some cases, the auditee needs to run scripts or reports over an extended period of time, in which case the auditor cannot observe them continuously. This raises questions about the accuracy and completeness of the evidence provided.

The auditor must exercise professional skepticism when evaluating such evidence and address the risk of incompleteness and/or inaccuracy. While gathering evidence, the auditor needs to consider:

  • Delivery method of evidence and security during transmission
  • Potential delays in the auditee providing evidence
  • Implementation of appropriate controls when the evidence cannot be observed as it is generated
  • Possibility of using automated evidence-gathering tools to lessen the risk of manipulation
  • Retention and destruction of evidence after use
  • Potential privacy and confidentiality violations

Assess Communication Needs During the IT Audit

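Traditional/onsite audits allow for quick ad hoc meetings with the auditee to verify or clarify information. They also allow the auditor to take note of body language and reactions when interacting with the auditee. With remote auditing, this may not be possible or timely. The auditor needs to anticipate these challenges and clearly articulate requirements while also making use of virtual walk-throughs and testing sessions.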

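Communicating throughout the IT audit can improve the quality of communication and allows relationships to be built. This is necessary to avoid pushback from the auditee, which can result if there are frequent interruptions or long periods without communication throughout the audit. To remedy communication challenges, the auditee needs to provide regular feedback on progress, delays and other updates. Making audit requests in advance also helps the auditee prepare the information and ensures that it is provided by the right people.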

Address Teaming Considerations

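Performing a remote IT audit requires the auditee to have the appropriate skills to assess the area under audit. It requires timely reviews and engagement with various stakeholders during the audit. Because of remote working, it may be difficult to identify any issues the team may be facing; therefore, it is necessary to determine and agree on the best strategy to ensure that challenges and delays are identified in a timely manner and that solutions are implemented.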

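The auditee should also ensure that the best contact persons are identified based on the information to be provided, responsibilities, competency and their availability to assist during the time scheduled for the audit.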

Conclusion

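There is no one-size-fits-all approach to performing a successful remote IT audit. Care must be taken when evaluating the best approach, balancing benefits against compliance needs. With more organizations opting for hybrid or fully remote audits, there is a need to continually adapt and innovate while using this opportunity to add more value to the organization.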

Editor’s Note

Hear more about what the author has to say on this topic by listening to the “Key Considerations for Conducting Remote IT Audits” episode of the ISACA® Podcast.

Sandra Kuyengwa, CISA, CRISC, CDPSE

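Is an IT audit assistant manager in the United Kingdom with more than 6 years of experience delivering and leading complex technology risk assessments across various industries including financial, mining, manufacturing and telecommunications. She can be reached at http://www.linkedin.com/in/sandra-kuyengwa-26bb3823/.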