Should Audit Have Access to IT Systems?

I’ve been involved in a number of debates lately regarding whether auditors should have READ access to IT systems and data. Surprisingly, there appears to be very little middle ground: auditors either get READ access to whatever they request or they get no access at all.

At one company, I had READ access to help desk ticketing systems, financials, human resources, Bindview, the timecard system, and so on.

Having access to Bindview allowed me to run my own reports on Windows and Unix systems (user lists, hardware configuration, patch status, permissions on directories/folders/files, etc.). In the help desk system, I could locate my own tickets and determine whether the appropriate user account approvals were granted.

But having access to HR was most helpful, as I could look up employees and determine when they were hired, terminated, and the like. And since I had READ access to the ERP databases, I could write my own queries and pull whatever data I needed.

Begging Like a Dog

In other companies, I was forced to depend on IT for everything. I felt like a hungry dog begging for a dry bone.

This often results in extra time and wasted effort for auditors and IT, which are supposed to be on the same team.

In my opinion, having READ access is better. After all, the audit charter usually stipulates that auditors can access all the data and systems anyway. My challengers often say that I should not have access to any data unless I have a “need to know.”

I’ll admit that I don’t always have a need to know, as I don’t audit every system or database every month, and you can get the data from IT. However, I believe the benefits outlined below for giving auditors READ access make the decision much easier for management.

Why Auditors Need Access to Systems

Saves audit and IT time and effort, and speeds up the audit. A big money-saver and IT loves it!

Strengthens audit independence as IT is not relied on for the data, which IT can alter before providing it (Excel spreadsheet, anyone?).

Helps auditors better understand the IT environment and how IT handles the data, especially if auditors use the same tools that IT uses (like Bindview, Help Desk software, etc.).

Helps auditors discover data that IT would never have given them (heh, heh) or perhaps is not aware of!

Keeps investigations confidential. No one can tip off the dept/staff that are being investigated.

Allows auditors to do continuous auditing and monitoring. In this case, continued access is needed because data is obtained on a regular basis. Queries should be vetted by DBAs prior to implementation, and any changes to those queries should be vetted again before they are used. Where sensitive data is involved, the queries can run under a generic ID/system account for which the auditor does not have the password.

The one downside I ran into is that inexperienced auditors can accidentally overtax a system, for example by writing a SQL query that produces a Cartesian join (a join with no join predicate, so every row of one table is paired with every row of the other). That’s a case where even READ access can cause problems. DBAs usually take access away from such auditors or insist they get training. Overall, this type of issue is fairly rare.
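The two technical points above, a DBA-vetted query run on a schedule and the accidental Cartesian join, are easy to show side by side. The following is an added example written for this page; it is not code from the original post or from any product named in it. It uses an in-memory SQLite database with constructed, hypothetical employee and account rows, and the table and column names are assumptions. The “vetted” query is the kind of terminated-user check an auditor would run on a recurring basis; the other query is the same tables joined without a predicate. The read-only pragma and the row cap stand in for the guards a DBA might put around an auditor’s account.

```python
import sqlite3

# Constructed sample data (hypothetical, not from the original post).
# employees: id, login, hire date, termination date (NULL = still employed)
EMPLOYEES = [
    (1, "alice", "2019-03-01", None),
    (2, "bob",   "2020-06-15", "2023-01-31"),
    (3, "carol", "2021-09-10", None),
]
# accounts: login, system   ("dave" has an account but no HR record)
ACCOUNTS = [
    ("alice", "erp_prod"),
    ("bob",   "erp_prod"),
    ("bob",   "hr_db"),
    ("carol", "erp_prod"),
    ("dave",  "erp_prod"),
]

# The inexperienced query: two tables listed, no join predicate.
# Result size is len(employees) * len(accounts), i.e. a Cartesian product.
CARTESIAN_SQL = "SELECT e.login, a.system FROM employees e, accounts a"

# The DBA-vetted continuous-monitoring query: accounts whose owner has
# no HR record (orphans) or whose owner has been terminated.
VETTED_SQL = """
SELECT a.login, a.system, e.terminated
FROM accounts a
LEFT JOIN employees e ON e.login = a.login
WHERE e.login IS NULL OR e.terminated IS NOT NULL
ORDER BY a.login, a.system
"""


def build_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees(id INTEGER, login TEXT, hired TEXT, terminated TEXT);
        CREATE TABLE accounts(login TEXT, system TEXT);
    """)
    conn.executemany("INSERT INTO employees VALUES (?,?,?,?)", EMPLOYEES)
    conn.executemany("INSERT INTO accounts VALUES (?,?)", ACCOUNTS)
    conn.commit()
    return conn


def row_count(conn, sql):
    """Number of rows a query returns; used to compare the two queries."""
    return len(conn.execute(sql).fetchall())


def orphan_or_terminated_accounts(conn):
    """Run the vetted query and return (login, system, terminated) rows."""
    return conn.execute(VETTED_SQL).fetchall()


def run_capped(conn, sql, max_rows=10):
    """Fetch at most max_rows rows and report whether the query exceeded the cap.

    A DBA-side guard: a runaway query is cut off instead of being allowed to
    materialise its whole result set.
    """
    cur = conn.execute(sql)
    rows = cur.fetchmany(max_rows + 1)
    return rows[:max_rows], len(rows) > max_rows


def apply_readonly_guard(conn):
    """Make the connection read-only (SQLite's query_only pragma)."""
    conn.execute("PRAGMA query_only = ON")


def write_attempt_rejected(conn):
    """True if an attempted write is refused on this connection."""
    try:
        conn.execute("DELETE FROM accounts")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    print("cartesian rows:", row_count(db, CARTESIAN_SQL))
    print("vetted rows:", orphan_or_terminated_accounts(db))
    print("capped cartesian:", run_capped(db, CARTESIAN_SQL, 10)[1])
    apply_readonly_guard(db)
    print("write rejected:", write_attempt_rejected(db))
```

With three employees and five accounts the Cartesian query returns 15 rows; on production-sized tables the same mistake multiplies millions by millions, which is exactly how a read-only user can still bring a database to its knees. The vetted query returns only bob’s two accounts (terminated) and dave’s account (no HR record), which is the finding an auditor actually wants.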

What do you think? Leave me a Comment.



Filed under Audit

4 responses to “Should Audit Have Access to IT Systems?”

  1. Audit Monkey

    I’m always concerned or perturbed when Internal Audit haven’t got access to the firm’s IT systems. It begs the question ‘what on earth have the audit team been doing?’ in the past. Sure, it is sometimes easier for someone to show the relevant record or data in the system at their desk, but having access oneself allows time for greater review and to feel comfortable with the audit evidence.


    • ITaudit

      I agree. Too many auditors rely on questionable data. One place I worked, you could seldom tie the data back to a particular system. It was just “this is a listing from the GL database.” If auditors don’t have access, what they are doing is eating IT dog food.

      I’ve heard the argument more than once that the auditor might accidentally alter the data. Isn’t that one of the issues that SOX controls are designed to prevent? I believe it’s mostly an issue of transparency–IT and the business don’t want you to look in their underwear drawer for fear you’ll see their soiled processes.

      Giving auditors access to help desk ticketing systems can expose all kinds of things, like passwords, covered up problems, serious security issues, and plain incompetence. All the more reason to do it. And like I said, it saves all kinds of money in the process, especially when the external auditors come calling–it’s faster and more trustworthy for audit to pull that data for the externals than ask IT to do it.


  2. Patrick Fletcher

    I believe granting anyone open/unending access invites abuse. I don’t care if you are auditors or the President. Auditors should have access to the systems they are auditing for the reasons they are auditing. In my experience auditors are given access relevant to their audit purpose for the period of time specified. That authority is granted by the business owner of the data system. Typically, I would never allow auditors to open query a system. They may present any query they would like to the DBA and the DBA will run the query and return the resulting dataset to the auditor. I employ the Principle of Least Privilege; that applies to myself, all executives and yes, auditors.


    • Patrick,
      I’m not advocating granting anyone open/unending access; access needs to have a solid business case.

      While I agree with you from a pure security and availability standpoint, I have to disagree with you from a practicality standpoint.
      First, if you require everyone to go through a DBA, that will not be as efficient or reduce costs for your department or audit.

      No, I’m not suggesting you let any Yahoo query your systems. A person needs to prove they know what they are doing. If your DBA can make time to do this in a reasonable timeframe, then fine; I don’t fault you for wanting to protect your systems, assuming that my #2 reason is not in play.

      Second (my #2), this won’t work for continuous monitoring or auditing that audit departments are doing; to do this, they need continued access on a daily/weekly/etc. basis, depending on the objective. Typically a query that is already vetted by the DBA is used, and changes can be reviewed prior to making them.

      Workarounds may include building the controls/checks into the system, or exporting the data to a file that internal audit can automatically import into their analysis engine. However, auditors do not prefer this method because 1) it isn’t as efficient as a direct query, and 2) exporting to a file usually means you lose all the formatting, which then has to be redone when the auditor imports it.

      To me, the bottom line is that the world of data and audit has changed and will continue to do so; gatekeepers like yourself and DBAs need to work with auditors (and vice versa) to build the relationship, trust, procedures, etc., so that the amount of work and rework is minimized, and the overall risk of the process is reduced to a minimum. Auditors need to do their share and not be boneheads.

      Ultimately, both groups are on the same team, so reducing effort and costs while allowing you both to do your jobs is a win on both sides. The opposite is true when an adversarial relationship occurs.

      Regardless, thanks for your perspective. Based on our discussion, I updated the above post (see the last bolded point made).

