
Outsourcing IT systems audit: A new concept with new challenges.

12 Mar 2010 12:00 AM | Anonymous

Introduction – knowledge is power

For many years now, IT risk management has been taken extremely seriously by the ‘Big Four’ accountancy firms. These audit giants employ teams of dedicated IT risk management professionals who specialise in general systems risk management, as well as risks surrounding IT security in the specific financial systems that their audit clients run.

Auditing large enterprises employing complex ERP systems such as SAP often requires a more risk-based approach, which means understanding those risks which threaten the achievement of an organisation’s business objectives. Determining what those risks are at the application security level, and the necessary mitigating controls which should be in place, requires system-specific knowledge. Despite this dependency on specialist knowledge, gaining confidence over the integrity and security of data in a client’s core financial systems can save significant effort and cost in terms of reducing the level of substantive audit testing required. Therefore, taking a risk-based systems auditing approach is smart auditing.

Small and medium enterprises – welcome on board

As recently as 10 years ago, the suggestion that a county council would be running SAP R/3 would have been ridiculed. SAP systems were expensive to implement and support and were almost exclusively the domain of the blue chip corporation. It was rare to see a client outside of the FTSE 250 using SAP in the UK.

By the turn of the millennium SAP had saturated the blue chip market and turned its attention to SMEs, releasing SAP Business One and steering its marketing machine in the direction of the middle market. Several years on, SAP is commonplace in mid-tier companies and has become an integral part of their systems landscape. Consequently, this presents both the mid-tier accountancy firms that perform their external audits, and the internal audit departments of these SAP organisations, with a unique set of challenges.

Auditing ERP systems – it’s a tough job but someone’s got to do it

Auditing an ERP system is not an easy task. IT risk management teams at the ‘Big Four’ accountancy firms specialise in ERP systems security, and they invest much time and effort in developing and maintaining audit work programmes for each variety of these systems. Keeping this knowledge base up to date and in touch with the fast pace of change in ERP technology is an expensive business. ERP systems such as SAP incorporate complex security configuration and, whilst basic in-built audit tools are provided, there is no substitute for a solid understanding of the underlying authorisation (security) concept.

Whilst both mid-tier external auditors and organisations' internal audit departments encounter SAP more and more frequently nowadays, it is difficult to maintain and retain an internal team with the necessary expertise to audit an SAP system with the thoroughness and know-how required to really drive out meaningful audit points. Often general systems auditors will attempt to audit an SAP system but will overlook all but the most obvious security flaws. This means there is a real danger that significant risk exposures will go undetected due to this deficiency in system-specific knowledge.

Outsourcing solutions – closing the knowledge gap

An emerging alternative for external and internal audit departments is to outsource IT systems audit to a third party specialist.

For the medium-sized or smaller audit firm the advantages of outsourcing IT systems audit are often quite compelling:

- Systems specialists will perform an IT systems audit rather than 'IT generalists'.

- You will gain access to proven methodologies, maintained and updated by the provider.

- Tools will be licensed and maintained by the provider, reducing licensing, training and support costs.

- The risk of missing significant audit points due to limited system-specific knowledge is reduced.

- There may be an opportunity for cross-selling follow-on work, revenue from which can be shared with the provider.

- Staffing costs are reduced, as there is no need to keep expensive in-house specialist skills.

However, there are also a number of things to be considered before choosing the outsourcing route.

1. Understand organisational competencies…

Auditing an SAP system requires specialist technical knowledge. Without a good understanding of the underlying authorisation concept it is very easy to overlook security loopholes or segregation of duties conflicts. Missing audit points like this could expose the firm.

2. Work with a trusted provider…

An audit relationship is one of trust. Clients expect many things from their auditor but the most important of these is integrity. Consequently, any outsourcing of IT systems audit must be based on a similar level of trust with the provider.

It is important to think carefully about the available options and select the provider carefully. Find a suitable partner and work hard at building the relationship to ensure the trust with clients is not broken. Consider trialling the outsourcing provider chosen with a small project where the relationship can be developed without risking an important and established client. This will provide the opportunity to outline rules of engagement and build trust in a low-risk environment.

3. Establish the rules of engagement…

Establishing the rules of engagement with the provider is essential in any outsourcing arrangement, but it is particularly important when it comes to outsourcing systems auditing. To succeed, it must be agreed in advance with the provider how they will present themselves, and the firm on whose behalf they are performing the audit, to the end client.

- Whose business cards will they use?

- Will they provide their own hardware or use the firm’s laptops?

- Will they require access to the networks?

- If a segregation of duties (SoD) review is to be undertaken, will they provide the software and licences for this, or will the organisation license software for them to use?

- Who will be the initial point of contact for the client during the engagement – the outsourced auditor, or the audit firm?

- Should the provider follow the organisation's sample testing guidelines or utilise its own?

4. Agree a position for follow-on work…

An IT systems audit will more than likely identify points for remediation. Often clients will request assistance with this. This can lead to lucrative follow-on work for SAP Security implementation specialists. It is important to establish the ground rules for follow-on work prior to engagement.

- Should the outsourcing provider be allowed to accept follow-on work from the client?

- Will an additional consultancy role compromise the provider’s position as acting internal/external auditor, depending on the nature of the work and the individual resources proposed?

- Should any follow-on work be channelled through the firm or should the provider deal with the client directly?

Conclusion

There are many challenges facing the internal/external audit department that is considering outsourcing IT systems audit. However, if managed well, outsourcing of IT systems audit presents an opportunity to deliver a considerably improved client service at a significantly reduced cost.
