INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 5, 2003

IT Audit Independence: What Does It Mean?

By Fred Gallegos

The Information Systems Audit and Control Association (ISACA) in one of its IS audit guidelines states:

020 Independence

020.010 Professional Independence—In all matters related to auditing, the information systems auditor is to be independent of the auditee in attitude and appearance.

020.020 Organizational Relationship—The information systems audit function is to be sufficiently independent of the area being audited to permit objective completion of the audit.

Organizational Relationship and Independence

The purpose of the 020 Independence guideline is to expand on the meaning of “independence” as used in standards set out in the 020.010 and 020.020 IS Auditing Standards and to address the IS auditor’s attitude and independence in information systems auditing.

This guideline provides guidance in applying IS auditing standards. The IS auditor should consider it in determining how to achieve implementation of the above standards, use professional judgment in its application and be prepared to justify any departure.

Never have the words above applied so carefully and meaningfully as to today’s world of business. The world of financial auditing has changed dramatically over the last decade and will continue to change rapidly as more and more companies rely on information technology to achieve their business objectives.

It is no longer acceptable for auditors to audit around the computer, as was once the case. With the increase of fraud and ceaseless corporate scandals over the past two years, it is even more imperative now than ever before that auditors have a full understanding of both manual and automated internal control processes. Also, it is critical that the auditor be “independent” to render an opinion or provide recommendation as to the status of processes and controls being reviewed.
The assessment of both the manual and automated internal controls of any system can provide the needed assurance on which auditors can base their professional judgment—as far as the quality of the information derived from the system. This judgment is a key element in the risk analysis process that the auditor must perform during the planning stages of any audit. This judgment must be independent of any bias or internal/external pressure exerted to bypass the operating procedures in place to develop and communicate their opinion and recommendations on controls’ status.

External financial auditors are relying more on the process approach today rather than the traditional transaction approach. The results of an evaluation of an organization’s manual and automated internal controls can either increase or reduce the amount of transaction testing needed to render an opinion on financial statements.

For internal auditors, internal controls are also very important. One of the main functions of internal auditors is to provide assurances to management that their approved internal controls are in place and are working effectively and efficiently; and if in fact there are problems, they are being addressed and corrected. It is important for both the manual and automated internal controls to be operational and effective since management will base its business decisions on the financial results generated from the information system.

It is also important to external auditors that manual and automated internal controls are operational and effective since this will provide assurance to external auditors that information generated from the system is valid, accurate and complete.
Based on this assurance from the system, auditors can then place the appropriate level of reliance on the internal controls of the information system.

If the necessary controls are not in place, or if they are in place but not being applied effectively and as management intended, then the integrity of the data and information generated from the system should be called into question by both external and internal auditors. They should have the freedom and independence to make such an evaluation and report it.

Even though it is essential that manual controls be in place and be working effectively and efficiently to produce accurate data output, due to the broadness of the subject matter, the auditor’s reliance on automated internal controls and the effects of this reliance on his/her independent judgment are generated from the system.

Good General Controls

Good general internal controls help ensure efficient and effective operations that accomplish the goals of management. Good general internal controls usually consist of:
• Independent management reviews of the organization to provide assurance that the approved policies and procedures are working as intended
• A review of the organizational structure to ensure that there is proper segregation of duties and responsibilities
• Control points built into the system development life cycle process to ensure that users’ needs are met. The system is developed with strict adherence to the design, and if not, the appropriate approval for changes is enforced; and there is enough documentation.

Again, the word “independent” is used. That means free of bias, internal or external pressure that would compromise or taint the opinions of those responsible for performing the review.

Auditors Must Have Independence

Audit independence is a critical component if a business wishes to have an audit function that can add value to the organization.
The audit report and opinion must be free of any bias or influence if the integrity of the audit process is to be valued and recognized for its contribution to the organization’s goals and objectives. Several professional organizations (such as

Copyright © 2003 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.