An operational audit is designed to understand the responsibilities and risks faced by an organization, department, unit, or process; assess the level of control exercised by management; identify, with management participation, opportunities for improving control; and provide senior management with an understanding of the degree to which management has achieved its responsibilities and mitigated the risks associated with the operation of the organization. This can include the reliability and integrity of financial and operational information; the effectiveness and efficiency of operations; the safeguarding of assets; and compliance with laws, regulations, and contracts.
Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process.
An information technology audit (or IT audit) is a review of the controls within an entity's technology infrastructure. These reviews are typically performed in conjunction with a financial statement audit, internal audit review, or other form of attestation engagement. Formerly called an electronic data processing (EDP) audit, an IT audit is the process of collecting and evaluating evidence of an organization's information system, practices, and operations. Evaluation of the evidence determines whether the organization's information system safeguards assets, maintains data integrity, and is operating effectively and efficiently to achieve the organization's goals.
An IT audit is also known as an EDP Audit, an Information Systems Audit, and a computer audit.
An IT audit is similar to a financial statement audit in that the study and evaluation of the basic elements of internal control are the same. However, the purpose of a financial statement audit is to determine whether an organization's financial statements and financial condition are presented fairly in accordance with generally accepted accounting principles (GAAP). The purpose of an IT audit is to review and evaluate an organization's information system's availability, confidentiality, and integrity by answering questions such as:
- Will the organization's computer systems be available for the business at all times when required? (Availability)
- Will the information in the systems be disclosed only to authorized users? (Confidentiality)
- Will the information provided by the system always be accurate, reliable, and timely? (Integrity).
In addressing quality and resource issues, many institutions engage independent public accounting firms and other outside professionals to perform work that has traditionally been carried out by internal auditors. These arrangements are often called "internal audit outsourcing," "internal audit assistance," "audit co-sourcing," or "extended audit services."
Outsourcing such audit services may be beneficial to an institution if it is properly structured, carefully conducted, and prudently managed. To do this, management should ensure that there are no conflicts of interest and that the use of these services does not compromise independence. Potential conflicts of interest may arise if the outsourced auditing firm performs IT audit functions in addition to other audit services, such as providing the independent financial statement, or serving in an IT or management consulting capacity. The board of directors of an institution remains responsible for ensuring that the outsourced internal audit function operates effectively and complies with all regulations governing such arrangements.
Examiners should assess whether the structure, scope, and management of an internal audit outsourcing arrangement adequately evaluate the institution's system of internal controls. They should also determine whether or not directors and senior managers have fulfilled their responsibilities for maintaining an effective system of internal controls and for overseeing the internal audit function in an outsourced internal audit environment.
Co-sourcing is a partnership between a customer and an outside vendor, a professional service provider. A company chooses the vendor, which works with and often alongside—but doesn't replace—the existing staff based on specific skills needed to get the job done. When the project is finished, the professional service firm's job is over, too.
Although it may seem similar to consulting, co-sourcing is different because the company's personnel play an ongoing role in the project. In a typical consulting project, a consultant comes into a company, plans and performs a specific task and then presents a report, working independently most of the time. In a co-sourcing arrangement, the company staff takes an active part in project planning and decision making and may participate in preparing the final report. Instead of relinquishing control over an activity, as is the case with outsourcing and hired consultants, company managers involved in co-sourcing actively manage and work alongside the specially skilled outsiders.
Co-sourcing has helped many companies that don't have the staff capability to deploy new systems. For example, co-sourcing has been successful for information services projects ranging from consolidation of electronic mail to establishing electronic data interchange systems. Companies can also use co-sourcing arrangements to bring in needed expertise in fields such as engineering and architecture—or even foreign language skills to be used for a temporary assignment in an overseas location. Although initially only small to midsize professional service firms offered co-sourcing, larger firms now offer a wide range of co-sourcing services to partnering companies of all types and sizes. Examples of the diversity of services now offered are:
- Internal audit support, such as reconciliation of specialized accounts; valuation, disclosure and Environmental Protection Agency compliance issues for certain types of inventory; and reconciliation of foreign accounts where business customs pose review problems.
- Diagnostic review of specialized areas, such as secondary marketing in the mortgage industry; hedging practices and valuation methods for mortgage servicing rights; and valuation and accounting for securitizations, residuals or other hard-to-value assets.
- Evaluation of personnel, training or development of training programs; or development of specific reporting systems that use standard business software and database programs.