New Global Internal Audit Standards Released

New Consolidated Structure

On January 9, 2024, the Institute of Internal Auditors (IIA) released their updated Global Internal Audit Standards, which will become effective on January 9, 2025. The ACUA Auditing & Accounting Principles (AAP) Subcommittee advocated for ACUA members during the comment period and recently presented the changes at the 2024 ACUA Virtual Spring Summit.

The prior International Professional Practices Framework (IPPF), published in 2017, was decentralized into four different documents: the Standards, Code of Ethics, Core Principles, and the Definition of Internal Auditing. The new IPPF is one single 120-page document comprising five domains, 15 principles, and 52 standards. Each standard has its own requirements, considerations for implementation, and examples of evidence of conformance. Additional guidance in the form of Topical Requirements is forthcoming.

Structure of the International Professional Practices Framework, slide courtesy of the IIA.

The Five Domains

The new Standards are now organized into five logical domains that contain the 15 key principles. During the public comment period, most respondents appreciated the organization of the new domains.

The Global Internal Audit Standards five domains, slide courtesy of the IIA.

  • Domain I: Purpose of Internal Auditing updates the purpose and describes how internal auditing enhances the organization and when it is most effective. The new purpose statement reads “Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.”
  • Domain II: Ethics and Professionalism embodies the former Code of Ethics’ principles of integrity, objectivity, confidentiality, and competency, and adds maintaining confidentiality.
  • Domain III: Governing the Internal Audit Function includes “essential conditions” for an effective internal audit function, including organizational independence, internal audit charters, Board interaction, resources and support, plus external quality assessment.
  • Domain IV: Managing the Internal Audit Function describes Chief Audit Executive functions including departmental planning, managing resources, communicating, and performance measurement.
  • Domain V: Performing Internal Audit Services provides guidance on conducting engagements including planning, analysis, reporting, and confirming the implementation of action plans.

Major Changes

Overall, the biggest change to the new Standards is the consolidation and regrouping of topics. There is a new emphasis on serving the public interest and being able to apply the Standards to the public sector. The most significant changes include:

  • No more differentiation between assurance and consulting engagements. The Standards apply to all engagements.
  • There are new “essential conditions” in each of the nine standards in Domain III describing the appropriate governance arrangements essential for the internal audit function to be effective, which strengthens the importance of Board relations.
  • The Standards have become more prescriptive throughout. Recommendations that were previously labeled as “consider” or “should” have turned into “must.”
  • There is a greater emphasis on strategy, relationship building, and communication in the Management domain, along with new emphasis on internal audit performance measurement.
  • There is additional emphasis on performance management, where the CAE must develop performance measurement criteria and assess progress towards achieving the function’s objectives while promoting continuous improvement.
  • The final communication must include an engagement conclusion that summarizes the engagement results, and individual engagement findings must be prioritized based on significance but do not require rankings.
  • For external quality assessment reviews, at least one independent assessor must hold a Certified Internal Auditor (CIA) designation.

Topical Requirements

The IIA intends to release several Topical Requirements, which will cover aspects of governance, risk management, and control processes and include considerations related to a specific topic. This guidance will be required when auditing an area covered by a Topical Requirement. To date, the IIA has released a draft of their Topical Requirement on cybersecurity, which is for public comment through July 3, 2024. Please visit the IIA website to read the draft and make any comments. Other topics under consideration include sustainability, third-party management, IT governance, assessing organizational governance, fraud risk management, privacy risk management, and public sector performance audits.

ACUA’s Top Concerns

During the public comment period, the AAP polled the ACUA membership about their reaction to the proposed changes. Members appreciated the new organization, format, and clarification of roles and responsibilities of the internal auditors versus the Board, along with the de-emphasis on assurance versus consulting. Using membership feedback, ACUA President Melissa Hall formally responded on behalf of ACUA on May 31, 2023. In addition to the above-noted items of appreciation, this response also included top concerns, including the overly prescriptive nature of the Standards and its potential burden on smaller internal audit functions. The IIA considered the public comments and revised the draft Standards prior to publishing.
This is how the IIA addressed the top three ACUA concerns:

  • Domain III: Governance – ACUA members were concerned that the Standards pertaining to the Board were outside the control of the CAE. The final Standards focused on the CAE’s responsibilities and how the CAE can assist and inform the Board of their responsibilities.
  • Standard 8.4 External Quality Assurance – ACUA members were concerned the proposed Standards required external quality reviews be led by a CIA, and all team members needed to successfully complete an IIA training course. The final Standard does not require completion of an IIA course by external assessment team members, and only one team member (and not the lead) must hold the CIA designation. Also, the final Standards allows for self-assessment with independent validation.
  • Standard 15.1 Final Engagement Communication – The proposed Standard required findings be “ranked by significance,” generating concerns that audit clients would be too focused on subjective rankings and that unnecessary conflict between the internal audit function and management would ensue. The IIA removed the requirement to rank findings, instead requiring the final report to include the significance and prioritization of the findings.

Implementation Next Steps

The ACUA AAP Subcommittee recommends the following next steps in your institution’s journey to the January 2025 implementation effective date:

  • Get familiar with the new Standards.
  • Start to develop a plan for implementation.
  • Communicate these changes with your senior leadership and Board.
  • Update the internal audit function’s strategy “that supports the strategic objectives and success of the organization and aligns with the expectations of the board, senior management, and other key stakeholders.”
  • Update or create performance metrics and plan how to measure those metrics.

Consider performing an internal assessment using the new Standards this year and implement any changes prior to the January 2025 effective date. If your External Quality Assessment is due in 2025, consider completing it in 2024 before the Standards change and the CIA on the review team is a requirement. If your internal audit function is not conforming with all of the new standards by January 9, 2025, you must remove the phrase from audit deliverables indicating your engagement was performed in accordance with the Standards.
If you are considering becoming a Certified Internal Auditor, the IIA states there will not be any changes to the CIA exam before May 2025. The IIA plans on communicating any changes at least one year in advance and new study materials are not expected to be released before March 2025. Those candidates in-process will receive detailed information. In addition, there will be no changes to the Internal Audit Practitioner designation before the effective date, and the Certification in Risk Management Assurance (CRMA) exam is not affected by the changes.

DEI in Higher Education

What is DEI?
Diversity, Equity, and Inclusion, commonly referred to as DEI, is a highly critical aspect of any organization, and DEI in education, specifically higher education, is especially important. DEI in higher education institutions encompasses the policies and practices designed to help ensure that everyone in the institution, whether faculty, staff, or students, has equal opportunities for success and inclusion, no matter their background.
 
Understanding DEI
Diversity includes race, ethnicity, gender, religion, sexual orientation, geographical representation, and political beliefs, among many other factors. However, what diversity means varies amongst individuals. Studies have shown that race, gender, and sexual orientation are almost always the top three concerns for those working in the field, but inclusion is equally important.
 
DEI in Higher Education – why it’s important
Prioritizing DEI in higher education not only impacts students, faculty, and staff, but also the institution and entire campus. DEI provides advancement opportunities for underrepresented communities and comes into play when recruiting students, hiring faculty and staff, shaping campus culture, encouraging career advancement, setting up tenure processes, examining employment budgets, and making forward-looking decisions.
 
Benefits of DEI
DEI promotes personal growth, a healthy society, and fosters mutual respect and teamwork amongst the institution. DEI brings multiple perspectives and challenges stereotypical preconceptions, encourages problem-solving and critical thinking, and helps individuals learn how to communicate effectively with people of different backgrounds. Most importantly, DEI enriches the educational experience, as we learn from those whose experiences, beliefs, and perspectives are different from our own.
 
Why does DEI fail?
Although investing in DEI is never a waste of an institution’s time or resources, there are several reasons why DEI efforts are not as effective. Despite overwhelming evidence that institutions are becoming more demographically diverse, research has shown that more than half of employees feel excluded and isolated at work. Institutions with DEI initiatives are also experiencing employee fatigue because employees either feel exhausted, frustrated, or skeptical whether their DEI efforts provide expected tangible results.
Many employees are trying to improve DEI initiatives by starting either an employee resource group or a DEI Council to get things started. However, over time those same employees often end up feeling frustrated, burned out, and discouraged because they do not believe that their institution is equally invested and committed to advancing DEI due to lack of participation, support, and investment. Unfortunately, when employees feel their efforts are in vain, they eventually give up. This is especially difficult when management and those in leadership positions lack diversity and often underestimate and overlook the time, commitment, money, and effort needed to improve and sustain DEI.
 
How to build a more successful DEI strategy
For DEI initiatives and strategies to succeed, institutions need to set the tone at the top and have a top-down, systemic, business-led approach to demonstrate DEI is an essential part of the culture and institution. It is also imperative that institutions set clear, specific, and achievable goals, establish accessible protocols, build equity into the structure, and, most importantly, lead by example. Management and leadership need to take an active role in implementing initiatives and prioritizing DEI. This should not be the sole responsibility of the DEI employees.
 
What can Internal Audit do?
Internal Audit can get involved and support DEI initiatives by conducting DEI audits for their institution. The DEI audit will highlight how well the institution supports diverse and underrepresented employees and put a spotlight on areas where the institution is progressing, as well as identify issues and challenges that exist that need a little more attention. Having Internal Audit support DEI fosters an institution that embraces inclusivity, nurtures a sense of belonging, and amplifies opportunities for individuals from historically underrepresented backgrounds. Internal Audit’s strategic commitment aids in creating a stronger institution that thrives on a diverse array of perspectives and experiences. DEI audits are an opportunity to dig beneath the surface and reflect on the institution’s own priorities and goals. DEI audits are critical tools that, when done properly and consistently, can be a real advocate for institutional change.
 
Because DEI success does not happen overnight, creating a diverse, equitable, and inclusive institution is a continual process, one that requires constant growth at all levels, from the individual to the institution.
 
Editor’s Note: The ACUA DEI committee plans to send a survey to its members in the coming months. Your participation is greatly encouraged.

Poll: Who Is Using AI?

With the explosion of free artificial intelligence software at our fingertips, are we ready to embrace the future and utilize AI in our audit engagements?

At the 2023 AuditCon, there were numerous presentations about AI capabilities and how they will affect our world. From the dangers of undetectable plagiarism to the ease of summarizing income tax rules, the applications are far and wide.

Attendees went to the Whova app to consult with their peers on the use of ChatGPT and other AI software in their audit work. One poll showed nearly half of the voters were starting to dabble in AI.

Many auditors said they are already experimenting with the technology for work or personal reasons. Those already working with AI use it to create email communications, identify common findings, and create custom photos for reports and presentations. Many have found ChatGPT useful during the planning phase of an audit to generate risks and audit step procedures as part of the brainstorming process. Members said they are “using it cautiously” and are testing search results before relying on the data.

Presenters encouraged universities to establish AI policies for students and researchers alike. Another Whova poll said half of the auditors surveyed have already discussed AI with senior leadership.

Granted, the number of poll respondents was limited, but we at the C&U Journal think these percentages will change soon and that most audit shops will adopt this new technology to enhance their engagements. Are you benefiting from using ChatGPT in your shop? Please share your examples of AI success with us at editor@acua.org for a future story.

ACUA History Challenge

Did you know that ACUA used to give out numbered certificates to member institutions?  This fun fact was shared with the ACUA Board, prompting several ACUA members to share photos of their certificates. Many proud institutions still hang these certificates in their offices! 

Original ACUA Membership Certifications

The search was on for the oldest certificate. The University of Washington thought their September 6, 1961, certificate was the oldest until Tanya Satterfield at the University of Mississippi shared their certificate dating back to September 10, 1959, just one year after ACUA was founded. Tanya and her colleagues proudly displayed the certificate at the 2023 AuditCon in Miami. 

Tanya Satterfield and University of Mississippi colleagues with their certificate at AuditCon.
Currently the oldest membership certificate.

The ACUA booth at AuditCon also displayed other ACUA artifacts from the past 65 years, including directories, information packets, conference agendas, coasters, and even old diskettes.

ACUA artifacts

For those of you who like a challenge, if you have a Membership Certificate older than 1959 or have any “vintage” ACUA artifacts, please send a photo of your items to Toni Stephens at tstephens@utdallas.edu.  ACUA plans to collect and share these artifacts to preserve our great history!

ACUA 2023 Award Winners and Board Members

Member Excellence in Service Award

Justin Noble was selected for the Member Excellence in Service Award, which recognizes a member who has made outstanding contributions to the mission of ACUA through exceptional service.  Justin is the Chief Audit Executive at Virginia Tech and has served in numerous ACUA roles, including Distance Learning Chairman (2012-14), Board Member-at-Large (2014-17), Vice President (2017-18), President (2018-19), Immediate Past President (2019-2020), and Nominating Committee Chair (2019-20).

Outstanding Professional Contributions Award

Carolyn Saint was chosen for the Outstanding Professional Contributions Award, which recognizes a member who has made outstanding and noteworthy contributions to the profession of internal auditing in higher education.  Carolyn is the Chief Audit Executive at the University of Virginia and chaired the Institute of Internal Auditors’ (IIA) North American Board of Directors.  

Rising Star Award

Erica Smith received the Rising Star Award that recognizes an “up-and-coming” member who has made significant individual contributions in the areas of internal audit, compliance, or risk management that furthers the mission of ACUA.  Erica is a Principal Auditor at the University of Tennessee and has served as the ACUA Audit Interactive Conference Director.  Erica also is the incoming Professional Education Committee Chair.

Please make sure to congratulate our 2023 award winners and thank them for their outstanding work on behalf of ACUA and the profession!

Board Members

The 2023-2024 ACUA Board of Directors officially assumed their new roles at AuditCon.  Marion Candrea, Associate Vice President of Internal Audit & Advisory Services at Boston University, succeeds Melissa Hall as ACUA President; Melissa will continue her work with the Board in her role as Immediate Past President.  Laura Buchhorn, Assistant Audit Director at the University of Texas San Antonio, will serve as Vice President, and Eulonda Whitmore, Associate Vice President and Chief Audit Executive at Wayne State University, will serve as Secretary and Treasurer.  The following members will round out the Board in their role as Board Member-at-Large:

  • Jana Clark, Chief Audit Executive at Kansas State University
  • William Hancock, Jr., Audit Manager at Auburn University
  • Andre’ McMillan, Director of Internal Audit at the University of Delaware
  • Deidre Melton, Associate Vice President for Audit and Chief Risk Officer at Florida A&M University
  • Kara Kearney-Saylor, Director of Internal Audit at the University of Buffalo

Letter from the Editor

Hello ACUA Members!

Last week my county’s Superior Court summoned me for jury duty. I wound up being Juror #9 in a short two-day trial. The experience was nowhere as humorous as the Amazon Prime Video series “Jury Duty,” but it had its moments. While doing my civic duty was a bit of an inconvenience, it provided an interesting mental break. My only job was to listen and apply reason. No phones, emails, meetings, or daily distractions. Just calming focus.

I realized conducting an audit is like serving every position in a trial simultaneously. Like the attorneys, we must find facts, both positive and negative, and learn from our key witnesses and subject matter experts. We carefully document our workpapers, like the tireless court reporter capturing every word. As a judge, we keep the engagement relevant and on track until we, as our own jury, come to our conclusions.

One key difference is in a trial, you only measure against the law. Not what you think it should be, not what would be best. As auditors we have the amazing opportunity to go beyond merely judging compliance. We create recommendations to make things better. That is our value.

Like a law library, this issue of the C&U Journal adds several great resources to our collection. Ken Lish and Billy McCain from the National Science Foundation share their Promising Practices for NSF Award Management report, a must read for research universities. In a nod to October’s cybersecurity month, Bruce Tong presents his favorite IT tests when performing departmental audits, David Clark from BDO shares ways to leverage technology during audits, and Sabine Charles discusses authentication factors. Agnessa Vartanova invites you to consider culture in audits. Our ACUA news section includes award winners, an AI poll, and an artifact challenge.

As we strive to complete our audits before the hectic holiday season, let’s not forget the importance of listening and applying reason.

Sincerely,
Kara Hefner

Letter from the President

Hello ACUA! I’d like to start by expressing my sincere gratitude and excitement about serving as your ACUA President for the upcoming year. This organization is near and dear to my heart and has been my professional home for learning, growing, and serving for more than a decade.
 
We had a fantastic AuditCon conference in Miami in September, where we had the second highest member attendance in ACUA’s history with over 470 attendees! I want to take a minute to personally thank all of our Professional Education Committee volunteers and ACUA staff for their hard work in creating an exceptional conference experience. As I reflect on the week spent together, I am immensely proud of the dedication and enthusiasm displayed by our members. The exchange of knowledge and vibrant discussions within this organization is so inspiring and makes me very excited for the year ahead!
 
During AuditCon, I spoke to the continually challenging economic landscape within our industry. This year, it is imperative for us to remain adaptive and resilient as we navigate the complexities posed by these challenges. Our Professional Education Committee is already beginning to prepare for a virtual spring conference that will provide opportunities for continued learning and collaboration. Stay tuned for more details in the coming weeks.
 
There are many ways in which our members have the ability to share their knowledge and expertise, which is truly what makes this organization so great. I would encourage anyone reading this to reflect on how you might use your time and talent to share your insight with others. For some that might be writing a Journal article, for others it might be partnering up with another auditor to create a Kick Starter. And I would be remiss if I did not also plug the tremendous value of raising your hand for a volunteer role! It could be the opportunity that forever changes your professional future.
 
In closing, I would like to extend my gratitude to Immediate Past President Melissa Hall. Her unwavering commitment and leadership have guided this organization through a year of challenges and successes. She leaves big shoes to fill, but I look forward to continuing the momentum she has built over the past year.  
 
Wishing all happiness and health as we move into the holiday season,
 
Marion Candrea, Boston University
ACUA President

Multi-factor Authentication vs. Single-factor Authentication: Safeguarding Your Digital World

Due to our society’s increasing interconnection, protecting one’s digital identity has become increasingly important. Authentication is often regarded as the most crucial component of information security, since it verifies an individual’s claimed identity. The most commonly used authentication mechanisms are multi-factor authentication (MFA) and single-factor authentication (SFA).

  • Single-factor Authentication (SFA): The traditional SFA method relies on a single piece of evidence that the individual knows or can easily access. This could be a personal identification number (PIN), a password, or any other information unique to the person authenticating.
  • Multi-factor Authentication (MFA): As its name suggests, MFA requires two or more factors for access, which is why it is regarded as preferable to SFA for stronger security. Authentication factors are typically classified into three main groups: possession (also known as ownership), knowledge (also known as cognition), and biometric (also known as intrinsic traits).

To protect the security of one’s online presence, it is critical to understand the advantages and disadvantages of the available solutions. A brief comparison of the benefits and drawbacks of these authentication methods leads to a self-evident conclusion: SFA is the most viable authentication approach but has the most drawbacks.

Single-factor Authentication (SFA): The Weakest Link

SFA is the most viable authentication approach due to its simplicity: users need only enter a single piece of information, such as a password, to access their accounts. Despite its widespread acceptance and ease of use, SFA has some important drawbacks:

  • Risk of Password Breaches: The weakness in SFA’s security is its reliance on passwords. Passwords are a prominent target for attackers because they can be misused, stolen, or compromised in data breaches. If a password is overly simple or commonly used, its strength is further undermined.
  • Limited Security: Because it relies on a single element, SFA can only provide limited protection. If an adversary discovers the password, gaining unauthorized access is simple.
  • Lack of Adaptability: SFA does not adapt to the ever-changing threat landscape. On its own, it offers too little protection against two sophisticated and common attacks: credential stuffing and phishing.

In view of these urgent threats, businesses are rapidly adopting MFA as a more reliable security approach.

Multi-factor Authentication (MFA): Layered Security

Implementing MFA improves security by adding layers of protection that address the shortcomings of SFA. When users must satisfy multiple conditions, adversaries find it much more difficult to gain unauthorized access. Additional benefits of MFA include:

  • Enhanced Security: MFA improves security by requiring the user to present multiple authentication factors. If a potential unauthorized user possesses only one of the required elements, such as a password, their ability to gain access to the system is reduced.
  • Resistance to Phishing: When implemented correctly, MFA can effectively block fraudulent login attempts. If a user unintentionally discloses their password, the attacker will still have difficulty accessing the account without the additional verification factor, such as a fingerprint or a paired smartphone. Even if the password leaks, the supplemental factor is still required.
  • Adaptive Security: An MFA program can adapt and respond to varying risk conditions. When a login attempt comes from a suspicious device or location, an additional factor can be required.
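The two points above, that a second factor must come from a different category than the first and that the factor requirement can step up with risk, are illustrated by this added example. It is not code from the article; the factor-to-category table, the risk scoring rules, and the user profiles are all constructed for illustration.

```python
"""Policy checker for risk-based (adaptive) multi-factor authentication.

Added illustration, not from the article. It classifies presented factors into
the three categories the article names (knowledge, possession, biometric/inherence),
treats two factors from the same category as still single-factor, and asks for a
second category only when the attempt looks risky (unknown device or country).
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set, Tuple


class Category(Enum):
    KNOWLEDGE = "knowledge"      # something you know: password, PIN
    POSSESSION = "possession"    # something you have: authenticator app, token
    INHERENCE = "inherence"      # something you are: fingerprint, face


# Constructed mapping of factor types to categories (not an exhaustive list).
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "totp": Category.POSSESSION,
    "hardware_token": Category.POSSESSION,
    "sms_code": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}


@dataclass
class LoginAttempt:
    user: str
    factors_verified: List[str]   # factor types already presented and verified
    device_known: bool            # device previously seen for this user
    country: str                  # country derived from the source address


@dataclass
class UserProfile:
    usual_countries: Set[str]     # where this user normally signs in from
    enrolled_factors: Set[str]    # factor types the user has registered


def distinct_categories(factors: List[str]) -> Set[Category]:
    """Categories represented by the given factors; unknown types are ignored."""
    return {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}


def is_multi_factor(factors: List[str]) -> bool:
    """True only when at least two different categories were presented.

    A password plus a security question is still single-factor: both are
    knowledge factors and fall together if the user is phished.
    """
    return len(distinct_categories(factors)) >= 2


def risk_score(attempt: LoginAttempt, profile: UserProfile) -> int:
    """Constructed risk heuristic: one point per suspicious signal."""
    score = 0
    if not attempt.device_known:
        score += 1
    if attempt.country not in profile.usual_countries:
        score += 1
    return score


def decide(attempt: LoginAttempt, profile: UserProfile,
           always_mfa: bool = False) -> Tuple[str, Optional[object]]:
    """Evaluate a login attempt against the adaptive policy.

    Returns one of:
      ("allow", None)               enough factors for the assessed risk
      ("step_up", [category, ...])  one more factor from any listed category
      ("deny", reason)              policy cannot be satisfied with enrolled factors
    """
    presented = distinct_categories(attempt.factors_verified)
    # A knowledge factor is the baseline in every case.
    if Category.KNOWLEDGE not in presented:
        return ("step_up", [Category.KNOWLEDGE.value])
    need_mfa = always_mfa or risk_score(attempt, profile) > 0
    if not need_mfa or is_multi_factor(attempt.factors_verified):
        return ("allow", None)
    # Ask only for a category not yet presented, limited to enrolled factors.
    candidates = [f for f in profile.enrolled_factors
                  if f in FACTOR_CATEGORY and FACTOR_CATEGORY[f] not in presented]
    categories = sorted({FACTOR_CATEGORY[f].value for f in candidates})
    if not categories:
        # Recovery is the weak point the article warns about: surface it explicitly
        # rather than silently falling back to password-only access.
        return ("deny", "no enrolled factor in a second category; use account recovery")
    return ("step_up", categories)


if __name__ == "__main__":
    alice = UserProfile(usual_countries={"US"},
                        enrolled_factors={"password", "totp", "security_question"})
    attempts = [
        LoginAttempt("alice", ["password"], device_known=True, country="US"),
        LoginAttempt("alice", ["password"], device_known=False, country="US"),
        LoginAttempt("alice", ["password", "security_question"], False, "FR"),
        LoginAttempt("alice", ["password", "totp"], False, "FR"),
    ]
    for a in attempts:
        print(a.factors_verified, a.device_known, a.country, "->", decide(a, alice))
```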

Common Mistakes in Implementing Multi-Factor Authentication

Although MFA is recognized to considerably improve security, organizations should avoid making the following mistakes:

  • Weak Recovery Processes: Employers must ensure secure access to user accounts even when one of the authentication factors is unavailable. Mechanisms for recovering lost or stolen accounts can expose a system to risk if they are not properly secured.
  • Inadequate or Lack of Training: A poorly implemented MFA rollout can cause user confusion and frustration. These difficulties can be avoided with proper user education; MFA program participants need clear rules and thorough training.
  • Limited Device Options: Organizations must offer a comprehensive range of MFA options to meet the diverse needs and preferences of their users. This requires several authentication methods, such as text message codes, mobile authenticator apps, biometrics, and hardware tokens.
  • Complexity of Implementation: Overly complicated MFA systems are likely to be less effective. Security and usability should coexist smoothly, and accessing an account should not impose additional costs on users.

Balancing Security and User Experience

MFA provides a strong security mechanism; nonetheless, organizations should remember the importance of addressing the user experience. Users are likely to be dissatisfied if MFA solutions prove difficult to use or involve an excessive number of steps. The ideal balance between user experience and data security is critical in the effective deployment of MFA.

Conclusion: The Power of Multi-Factor Authentication

MFA has evolved into a dependable protection for our digital identities as cyberattacks have grown more diverse, because it requires confirmation of multiple data elements. By requiring several authentication factors, MFA fortifies a system’s defenses and boosts its resilience against a wide range of attacks.

Although single-factor authentication is widely used, it cannot withstand the frequent and sophisticated attacks that are common today. Therefore, MFA should be part of every individual’s and organization’s security policy.


Leveraging Technology and AI Tools in Internal Audit: Enhancing Efficiency and Effectiveness

As colleges and universities continue to experience a changing operating environment and the world experiences political and economic challenges, higher education institutions are looking for ways to gain efficiencies within their processes and procedures. At the same time, in the past year, the world has been introduced to astounding technological advancements with the public launch of ChatGPT and the availability and improvement of similar Generative Pre-trained Transformer (GPT) models.

As institutions are identifying ways to leverage technology in many areas of operations, Internal Audit also has the opportunity to enhance the efficiency and effectiveness of its work. The use of technology and data analytics has transformed the internal audit function by enabling data-driven insights into new and emerging risks, productivity gains from the automation of labor-intensive audit tasks, increased risk coverage, and repeatable processes for continuous risk monitoring.

The Evolution of Internal Audit

Internal audit functions play a crucial role in ensuring the integrity, compliance, and effectiveness of an organization’s operations. However, Internal Audit is no longer tasked with simply performing evaluations and assessing the effectiveness of risk management, control, and governance processes. Internal auditors are now being asked to play a more active role in guiding executive decision-making, leveraging data to identify anomalies and vulnerabilities as well as opportunities to optimize operations across the organization. Further, the risks and activities that internal audit engagements address have become more dynamic and complex.

With the rapid advancements in technology and the rise of artificial intelligence (AI), internal auditors now have powerful tools at their disposal to enhance their work. Today’s technology and digital tools can be utilized throughout the internal audit lifecycle: information gathering and goal setting, development of risk assessments and audit plans, assessment of those plans, performing audits, and reporting results. Automated workflows and data visualizations have made the process more cost-effective and collaborative, allowing for more informed decisions.

Leveraging Technology for Internal Audit Effectiveness and Efficiency

When fully integrated, technology tools can be embedded into all elements of the audit lifecycle, providing valuable efficiencies and risk insights in the areas below:

Planning & Scoping

Auditors can use technology tools to provide a deeper view of risk when conducting annual audit planning or in scoping each individual audit:

  • Enterprise Risk Assessment and Audit Plan Creation: AI and GPT tools can be used to brainstorm risk areas or industry challenges or assist in creating questions to ask in risk assessment surveys or interviews. Data analytics can be leveraged to help institutions quickly gain insights into enterprise risks and controls, and to prioritize management’s actions by analyzing historical risk factors or identifying areas of lesser controls or ineffectiveness. Technology tools can also be leveraged to provide data visualization of key performance indicators (KPIs) that more readily identify outliers or target areas of greater performance challenges.
  • Audit Planning: Like the items noted above, technology tools can be leveraged for planning specific audits as well. Providing deeper insight into transactional information to better understand key operational activities and risks involved in the audit area allows auditors to prioritize and focus efforts. Further, GPT-style tools can help auditors to develop draft audit plans and identify work steps.

Fieldwork

Technology tools can deeply enhance and streamline fieldwork activities, primarily through leveraging data analysis. Examples below highlight how analytics can be used across a number of common audit areas to provide greater coverage and visibility, with the potential to leverage such actions either for building continuous monitoring programs or for completing distinct audits within the plan.

  • General Ledger Close and Financial Reporting: Analysis of journal entry data can assist institutions in quickly identifying unusual and unauthorized journal entries, automate completeness tests, and prioritize reviews based on risks.
  • Payroll: Payroll data can be visualized to obtain a high-level overview of payroll activity by employee, level, and location, including deductions, pay rates, and overtime payments. Testing can be automated to identify payments made before the hire date or after termination, excessive overtime per pay period, and off-cycle payments.
  • Travel and Entertainment Expense Process: Analytics on travel and expense data can help institutions perform a more targeted and automated review of employee expenses by reviewing data by employee, period, and expense type. Search functions and drill down capabilities can help identify excessive spending, inaccurate or duplicate submissions, and non-compliance with company policy. Results can also be used to select a more targeted sample for detailed testing.
  • Vendor Master Management: An analytic of vendor master data can provide insights into top vendors, inactive vendors, and vendor data integrity. Predetermined tests can identify vendors with missing, inaccurate, or duplicate data which may lead to an inefficient business process or potential fraudulent business activity. 
  • Accounts Payable Process: Data analytics enables institutions to quickly identify inaccurate or duplicate payments, invoice processing delays, segregation of duties conflicts, and distribution of invoices processed and paid for a scope period. These results allow management the ability to drill down to root cause and perform timely resolution of risk areas.
  • Research Expenditures: Expenses charged to sponsored research activities can be reviewed to identify cost allowability concerns or provide opportunities for stronger risk identification. Tools can be deployed to evaluate against common standards (such as the Uniform Guidance or institutional policies) as well as built to leverage system data to check against items like an award’s specific budget.
  • System Access: Data analytics can be leveraged to ensure user access to enterprise systems is accurate and adherence to corporate policy is managed correctly during employee terminations and transfers.
  • Fraud Detection: Machine learning algorithms can learn from historical data to detect new and emerging fraud patterns, enabling auditors to stay ahead of fraudsters. By leveraging AI for fraud detection, internal auditors can enhance their ability to identify and investigate potential fraud, ultimately safeguarding the organization’s assets and reputation. 
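An added example, not from the article, of how the payroll tests listed above can be automated over a pay-period extract. The employee master, the payment rows, the 20-hour overtime threshold and the 14-day final-paycheck grace period are all constructed assumptions for illustration:

```python
from datetime import date, timedelta

# Constructed employee master and payroll extract for illustration (not real data).
EMPLOYEES = {
    "E001": {"hire": date(2022, 3, 1), "term": None},
    "E002": {"hire": date(2023, 9, 15), "term": date(2024, 2, 29)},
    "E003": {"hire": date(2024, 1, 8), "term": None},
}
PAYMENTS = [
    # (employee_id, pay_date, gross_amount, overtime_hours, pay_cycle)
    ("E001", date(2024, 3, 15), 3200.00, 4.0, "regular"),
    ("E001", date(2024, 3, 22), 900.00, 0.0, "off-cycle"),
    ("E002", date(2024, 3, 15), 2800.00, 0.0, "regular"),   # after termination
    ("E003", date(2023, 12, 29), 1500.00, 0.0, "regular"),  # before hire date
    ("E003", date(2024, 3, 15), 2600.00, 31.5, "regular"),  # heavy overtime
    ("E999", date(2024, 3, 15), 1200.00, 0.0, "regular"),   # not in master
]

def run_payroll_tests(employees, payments, ot_limit_hours=20.0, grace_days=14):
    """Apply the tests to every payment and return (employee, pay_date, test)
    exceptions. ot_limit_hours and grace_days are assumed thresholds: a final
    paycheck issued within grace_days of the termination date is treated as normal."""
    findings = []
    for emp_id, pay_date, _gross, ot_hours, cycle in payments:
        emp = employees.get(emp_id)
        if emp is None:
            # A payment to an ID absent from the employee master is a ghost-employee red flag.
            findings.append((emp_id, pay_date, "no_employee_record"))
            continue
        if pay_date < emp["hire"]:
            findings.append((emp_id, pay_date, "paid_before_hire"))
        term = emp["term"]
        if term is not None and pay_date > term + timedelta(days=grace_days):
            findings.append((emp_id, pay_date, "paid_after_termination"))
        if ot_hours > ot_limit_hours:
            findings.append((emp_id, pay_date, "excessive_overtime"))
        if cycle != "regular":
            findings.append((emp_id, pay_date, "off_cycle_payment"))
    return findings

def summarize(findings):
    """Count exceptions per test so the auditor can prioritize follow-up."""
    counts = {}
    for _emp, _pay_date, test in findings:
        counts[test] = counts.get(test, 0) + 1
    return counts

if __name__ == "__main__":
    results = run_payroll_tests(EMPLOYEES, PAYMENTS)
    for row in results:
        print(row)
    print(summarize(results))
```

Each exception row carries the employee, pay date and test name, so the list can be exported directly as a sample for detailed testing.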

Reporting

  • Drafting Reports: GPT technology can be used to write first drafts of audit reports or details for specific findings and recommendations.
  • Action & Issues Tracking: Analytics can be leveraged to continuously monitor audit issues and action plans to drive behavioral change with how issues are remediated.
  • Executive Reporting: The use of technology can optimize Board and Audit Committee reporting on the status of the overall internal audit program to guide executive decision making.

The integration of technology and AI tools in Internal Audit has the potential to revolutionize the profession. Advancements in digital technology can empower institutions to conduct detailed self-audits at regular intervals and continuously monitor risk in a timely, cost-effective, and collaborative manner.

However, internal audit functions must carefully consider how and where they deploy technology tools, especially GPT-type assistance. Attending the recent AuditCon in Miami and hearing the Tuesday morning keynote session from Paul Roetzer made one thing clear: with great power comes great responsibility. Users of AI and other technology-aided audit processes must ensure proper governance is in place to support the use of such tools. Internal audit functions must consider any risks associated with the use of such tools, along with any policies or restrictions their organization has implemented, and always remember that GPT-style tools are merely another tool in the auditor’s toolkit, not a fully vetted answer. Challenges include the relevancy of data (most tools were last trained on comprehensive data sets from 2021) and the accuracy and verifiability of the results provided. Additionally, many data analytics technologies and machine learning models require specialized skillsets and knowledge to design and deploy appropriately.

While the rapidly evolving enhancements to technology capabilities present a bevy of opportunities to increase audit efficiency and effectiveness, they must be adopted in a thoughtful and intentional manner to best elevate your specific audit function.

Basic IT Tests for Departmental Audits

Audits tend to fall into two categories: process and departmental. Process audits focus on a single university process using a highly unique audit program. These often involve many clients and can take a lot of time. Departmental audits focus on a single client. These tend to be shorter engagements with repeatable processes, with the intent of systematically providing similar coverage for all departments. This article focuses on IT tests that can be applied at the departmental level by both IT and non-IT auditors.

Challenges in Creating a Departmental IT Program

The first challenge faced when creating an IT audit program for use in repeatable departmental audits is making assumptions about the computing environment. A typical office has numerous devices, including laptops, desktop computers, and potentially tablets. The environment may also involve remote work capabilities, employee-owned smartphones, one or more printers, workgroup storage, essential applications, a local network, internet access, and a source of technical support.

The next challenge is aligning information security goals to the environment. While our emphasis tends to focus on the disclosure of sensitive information, auditors should also consider the impact of disruptions to the availability of data and the computing environment. Auditors should be willing to look beyond cybersecurity to the physical world. Information on paper can be equally sensitive and unauthorized physical access to computers is undesirable.

Another challenge revolves around defining accountability for the state of the computing environment. Auditors may discover the business unit believes the IT department is responsible while the IT department believes it is the business unit’s responsibility. In reality, the responsibility is shared. The business unit establishes goals, manages day-to-day operations, and delegates technical issues to the IT department. The ultimate responsibility for securely handling sensitive information belongs to the business unit because they control the entire process.

Simplified IT Audit Tests

What follows is a brief discussion of several tests that can form part of an IT audit program for a departmental audit, structured so that an experienced IT auditor is not required.

Computer Inventories – A maxim posed by the Center for Internet Security is “you cannot manage what you don’t know you have.” Conducting an inventory can determine if the client is aware of their entire computing environment. There can be computers that were never registered with IT and do not receive periodic updates. There can be computers transferred between departments that still show on the original department’s inventory. There can be mothballed computers which still contain sensitive data sitting on shelves or forgotten in closets with weak physical security. By rigorously maintaining an up-to-date inventory, organizations can ensure every component of their computing environment is accounted for and secured.

Review Installed Software – Collaboration with the IT department is crucial to reviewing installed software. Once an accurate inventory of computers is established in systems such as Microsoft Endpoint Configuration Manager (MEMCM) and/or Jamf (for Mac/iOS devices), those systems can provide lists of installed software. You can compare installed versions of operating systems and software packages to what is currently supported by their vendors. You will have to select software packages to monitor. Packages of concern are usually browsers (Chrome, Edge, Firefox, Safari, etc.) and applications used to interact with Internet content, such as Adobe Acrobat and other PDF readers.

You may find there is no existing standard embodied in your University’s policies or in industry best practices. In such cases, auditors must establish their own criteria. For instance, you may wish to accept that 90% of the installed browsers must be either the most current version or a version that was supported within the last 60 days. Achieving 100% compliance is impractical due to inevitable exceptions and the volume of ongoing updates across a sizable computer population.
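As an added illustration of the 90%/60-day criterion above (example code, not from the article or any endpoint management product), the following takes a browser inventory export and a vendor release table, both constructed for the example, and reports whether the population meets the target. The rule that a version stays supported until its successor ships, and the audit date, are assumptions:

```python
from datetime import date, timedelta

# Constructed vendor release history for illustration: browser -> [(version, release_date)].
# Assumption: a version stops being supported on the day its successor ships.
RELEASES = {
    "chrome": [("v10", date(2023, 11, 1)), ("v11", date(2024, 1, 10)), ("v12", date(2024, 3, 5))],
    "firefox": [("v20", date(2023, 10, 15)), ("v21", date(2024, 2, 15)), ("v22", date(2024, 3, 20))],
}
# Constructed inventory export, e.g. from the endpoint management system: (host, browser, version).
INVENTORY = [
    ("h01", "chrome", "v12"), ("h02", "chrome", "v12"), ("h03", "chrome", "v11"),
    ("h04", "chrome", "v10"), ("h05", "chrome", "v11"), ("h06", "firefox", "v22"),
    ("h07", "firefox", "v20"), ("h08", "firefox", "v21"), ("h09", "firefox", "v22"),
    ("h10", "chrome", "v9"),  # version string absent from the vendor table
]
AS_OF = date(2024, 4, 1)  # assumed audit date

def support_end(browser, version, releases):
    """Date the version stopped being current (its successor's release date),
    or None if it is the current release. Raises KeyError for unknown versions."""
    history = sorted(releases[browser], key=lambda r: r[1])
    for i, (ver, _released) in enumerate(history):
        if ver == version:
            return None if i == len(history) - 1 else history[i + 1][1]
    raise KeyError(f"{browser} {version}")

def evaluate_browsers(inventory, releases, as_of, window_days=60, target=0.90):
    """Share of installs that are current or were supported within window_days of
    as_of, compared against the target share. Unknown versions count as exceptions."""
    cutoff = as_of - timedelta(days=window_days)
    acceptable, exceptions = 0, []
    for host, browser, version in inventory:
        try:
            ended = support_end(browser, version, releases)
        except KeyError:
            exceptions.append((host, browser, version, "not in vendor table"))
            continue
        if ended is None or ended >= cutoff:
            acceptable += 1
        else:
            exceptions.append((host, browser, version, f"unsupported since {ended}"))
    share = acceptable / len(inventory) if inventory else 0.0
    return {"share": share, "meets_target": share >= target, "exceptions": exceptions}

if __name__ == "__main__":
    result = evaluate_browsers(INVENTORY, RELEASES, AS_OF)
    print(f"{result['share']:.0%} acceptable; target met: {result['meets_target']}")
    for exc in result["exceptions"]:
        print("  exception:", exc)
```

Versions the vendor table does not know are counted as exceptions rather than silently accepted, which keeps an incomplete table from inflating the compliance figure.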

The best results from this test will be realized over many departmental audits, perhaps combined with a periodic University-wide IT General Controls audit. While a one-time cleanup is beneficial, a sustained and widespread series of audits yields more substantial long-term benefits.

Auditors may find it best to partner with an Information Security Office to interpret the results. It is important for non-IT auditors and client departments to recognize that automation is the key to applying updates at scale. Reliance on manual updates is untenable across large populations of computers due to the sheer volume of patches required.

Review Service Level Agreements and Contracts – Internal agreements and external contracts that apply to computing devices or services can indicate who is responsible for maintenance and how frequently the maintenance should take place. Maintenance is important in eliminating known vulnerabilities. The lack of internal agreements is not necessarily an issue by itself as many internal processes are informal. The lack of a contract with an external source would be unusual.

Websites – Departmental websites present two principal risks: unintentional disclosure of sensitive data and non-compliance with accessibility standards. In both cases, specialized tools are needed to make an assessment because of the volume of pages and documents to be reviewed. A tool like Spirion can crawl through websites looking for unprotected sensitive data.

An audit function can partner with an accessibility office that might have a tool to generate accessibility reports, producing a scorecard to compare against the Web Content Accessibility Guidelines (WCAG) and organizational goals. Auditors are likely to need assistance from an accessibility specialist to interpret the details of the report. Expect accessibility issues to be persistent, expensive, and dependent on tools and vendors.

Social Media – A department may manage numerous social media accounts across various platforms. Additionally, there may be old or forgotten accounts, which can pose challenges in terms of tracking and management. Sometimes, the credentials for these accounts may be lost, especially if the individual managing the account has left the organization. In such cases, the recovery of account access might require collaboration with the legal department.

To ensure proper use of social media accounts, it is beneficial to conduct regular audits comparing account activity to the standards set by the University’s communications team. This can help identify any discrepancies or areas of non-compliance.

However, departments must also be mindful of privacy and reputation management. Sharing sensitive or inappropriate content can lead to privacy breaches. Additionally, how a departmental account interacts with individuals, such as students, on social media can impact the department’s image. For instance, a departmental account following students and engaging with their personal content could raise concerns and should be approached with caution.

Public Computers – Departments often provide kiosks and public computers to enhance customer convenience. A frequent issue arises when all users share a common account, potentially leaving files, including those with sensitive data, accessible to subsequent users. Additionally, there is the risk of these public computers being used for unintended purposes.

Conducting an audit on public computers need not be a complex task. Simple checks, such as inspecting download folders for sensitive data and testing browser settings to assess access to potentially inappropriate content, can yield valuable insights into the security and proper use of these resources.
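A minimal version of the download-folder check, added here as an example and not taken from the article or any product: it scans files under a folder for SSN-formatted numbers and for 13 to 16 digit runs that pass the Luhn check, which filters out most order and reference numbers. The sample folder, its files and the patterns are constructed for illustration; the card numbers are widely published test values.

```python
import re
import tempfile
from pathlib import Path

# Constructed patterns for illustration: SSN-shaped strings and 13-16 digit runs.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
MAX_BYTES = 5 * 1024 * 1024  # skip very large files, which are unlikely to be plain text

def luhn_ok(number):
    """Luhn checksum; filters out most digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_text(text):
    """Count SSN-shaped and Luhn-valid card-shaped matches in one document."""
    ssn = len(SSN_RE.findall(text))
    cards = sum(1 for m in CARD_RE.findall(text) if luhn_ok(m))
    return {"ssn": ssn, "card": cards}

def scan_folder(folder):
    """Return {relative_path: counts} for each file under folder with at least one hit."""
    hits = {}
    folder = Path(folder)
    for path in folder.rglob("*"):
        if not path.is_file() or path.stat().st_size > MAX_BYTES:
            continue
        counts = scan_text(path.read_bytes().decode("utf-8", errors="ignore"))
        if any(counts.values()):
            hits[str(path.relative_to(folder))] = counts
    return hits

def build_sample_downloads():
    """Create a constructed Downloads folder; the card numbers are public test values."""
    root = Path(tempfile.mkdtemp(prefix="downloads_sample_"))
    (root / "w2_copy.txt").write_text("Employee SSN 123-45-6789, card on file 4111 1111 1111 1111\n")
    (root / "invoice.txt").write_text("Reference 4111 1111 1111 1112 fails the Luhn check\n")
    (root / "readme.txt").write_text("Nothing sensitive here, order #20240315.\n")
    return root

if __name__ == "__main__":
    for name, counts in scan_folder(build_sample_downloads()).items():
        print(f"{name}: {counts}")
```

Only file names and match counts are reported, so the auditor can locate files for cleanup without copying the sensitive values into the workpapers.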

Physical Security – The replacement cost of a computer may only be a few thousand dollars, but the value of sensitive data it holds could potentially lead to millions of dollars in damages if compromised. Additionally, the theft or vandalism of computing equipment can result in significant productivity losses due to the unavailability of essential tools.

Enhancing physical security doesn’t necessarily require advanced penetration testing skills. Simple tools such as traveler’s hooks, J-tools, and under-door tools, which can be acquired for around $100, can be used to assess the vulnerability of doors. Furthermore, conducting an after-hours walkthrough can reveal unlocked doors and windows, highlighting areas in need of improved security measures.

It’s also crucial to evaluate the management of physical keys, including maintaining an up-to-date inventory and records of issued keys, to ensure that only authorized individuals have access to secure areas.

Adding basic IT tests into departmental audits creates a repeatable process that increases your IT coverage across campus.