Recently I have had a number of people asking me, “How are you conducting your audits with the onset of the COVID pandemic?” Well, as any prudent auditor would do, once the pandemic broke, I began to read up on articles from different sources in order to learn how my fellow auditors were managing the “new normal” and its implications on the way we work.
In the midst of the pandemic, ISACA released its 4th edition of the IT Audit Framework (ITAF). Even though its release coincided with the onslaught of the pandemic, the framework was not released specifically to assist auditors in navigating the audit experience during the pandemic but rather was updated to reflect best practices in management and performance of IT audits. This framework served as one of the sources that provided me with a structured approach to determine the level of readiness of performing audits during this season. This was specifically so with standard 1004 “Reasonable Expectation,” the go-to standard to use in answering the question, “Can we perform the audit?” The standard takes the auditor through a structured way to answer this question.
At a high level, the standard wants the IT audit practitioner to consider the following:
- Whether the audit can be undertaken in accordance with IT audit standards or industry standards
- Whether the selected scope will allow the auditor to make a conclusion (opinion) on the subject matter
- Whether management understands its responsibility in supporting the auditor with relevant information to carry out the audit
These questions were easily answered during the pre-COVID era, as the risk of failing to follow the standards and/or scope limitation was relatively low.
The detailed guidance section of the standard covers the following main areas:
Standards
The auditor needs to understand the standards that the audit will follow. During the COVID-19 pandemic, the ability to fulfill certain standards has proved to be a challenge – for example, ensuring the sufficiency of the evidence collected. The auditor therefore needs to thoroughly review the approved audit process and determine to what extent he or she will be able to fulfill the requirements.
Scope
The auditor needs to clearly determine the scope and map out the processes and activities to be covered. Getting the scope right is important as it ensures that the auditors can come to the appropriate conclusion. The auditor’s opinion is largely pinned on the extent to which the auditor addresses the scope. In order to properly determine scope, the auditor needs to, among other things, understand the business area, the associated risks as well as the level of control effectiveness in the given business area. This process has proven to require additional care with the rising number of new and emerging risks resulting from changes to controls that have been brought about by new ways of doing business.
Scope Limitation
Scope limitation is determined by a number of factors, one of which is the level of the auditor’s skills. The availability of audit team members with the right mix of skills is critical. For small teams that rely on one or two skilled auditors, determining the availability of the team members is critical, as is finding ways to deal with the possibility of their unavailability during the audit. Likewise, the key stakeholders in the audit engagement should be identified and, where third parties are involved, a determination needs to be made on the level of interactions that can take place with them.
Audit timeframes also have been a challenge, as long, unending audits lead to exhaustion for both the audit team and the auditee, and can lead to unexpected scope limitation. The auditor should, at the start of the audit, assess possible scope limitation scenarios and determine what each of these scenarios mean to the audit. Whatever the reasons for the scope limitation, the auditors should ensure that they do not affect the ability to make an audit opinion.
Information
Understanding what information is available for review, where this information is located and if the auditor can easily access it is critical at the beginning of the audit.
Before COVID, having full access to information was simply a matter of applying one’s rights as an auditor as outlined in the audit charter. During the pandemic, though, information availability is determined by multiple factors. Are the auditors able to access the information taking into consideration restrictions imposed by governments? Is staff available to give access to the information? Some staff might not be available due to isolation and/or quarantine. How centralized and decentralized is the information?
Discussing and determining the level of information availability is therefore critical. Furthermore, it is important for the audit team to address the issue of what determines the sufficiency of the evidence provided.
Acceptance in Change of Engagement Terms
This was by far the most common request I have experienced during the pandemic. With the unexpected lockdowns and unavailability of staff, there has arisen a requirement to change the audit scope and determine if changes can be made to adapt to challenging requirements on the ground. It is important to get approval of scope change and also determine how the change will affect the audit opinion.
Other Considerations
The auditor should be comfortable that the scope is adequate to allow for the conclusion, that the team will be able to carry out selected audit procedures, that information is available for the audit period and that the audit team and the auditee understand the criteria selected, and how it is going to be applied.
Conclusion
When undertaking an audit, the auditor should be confident that his or her expectation is reasonable. Failing to plan and picture the audit process at the beginning can lead to a lot of frustration during the field work and create tensions between the auditor and the auditees.
Some of the conflicts that occur during the audit are simply because the expectations from the start of the audit were unreasonable. It is therefore especially critical for auditors during this pandemic to determine the appropriate level of expectations and discuss these expectations with their auditees.
