Should Audit Have Access to IT Systems?

I’ve been involved in a number of debates lately regarding whether auditors should have READ access to IT systems and data. Surprisingly, I’ve found that there appears to be very little middle ground – auditors either get READ access to whatever they request or get no access at all.

At one company, I had READ access to help desk ticketing systems, financials, human resources, Bindview, the timecard system, and so on.

Having access to Bindview allowed me to run my own reports on Windows and Unix systems (user lists, hardware configuration, patch status, permissions on directories/folders/files, etc.). In the help desk system, I could locate my own tickets and determine whether the appropriate user account approvals were granted.

But having access to HR was most helpful, as I could look up employees and determine when they were hired, terminated, and the like. And since I had READ access to the ERP databases, I could write my own queries and pull whatever data I needed.

Begging Like a Dog

In other companies, I was forced to depend on IT for everything. I felt like a hungry dog begging for a dry bone.

In my opinion, having READ access is better. After all, the audit charter usually stipulates that auditors can access all the data and systems anyway. My challengers often say that I should not have access to any data unless I have a “need to know.”

I’ll admit that I don’t always have a need to know, as I don’t audit every system or database every month, and you can get the data from IT. However, I believe the benefits outlined below for giving auditors READ access make the decision much easier for management.

Why Auditors Need Access to Systems

Saves audit and IT time and effort, and speeds up the audit. A big money-saver and IT loves it!

Strengthens audit independence as IT is not relied on for the data, which IT can alter before providing it (Excel spreadsheet, anyone?).

Helps auditors better understand the IT environment and how IT handles the data, especially if auditors use the same tools that IT uses (like Bindview, Help Desk software, etc.).

Helps auditors discover data that IT would never have given them (heh, heh) or perhaps is not aware of!

Keeps investigations confidential. No one can tip off the dept/staff that are being investigated.

The one downside I ran into is that auditors can accidentally overtax the system due to inexperience, such as creating  a Cartesian join in one of their SQL queries. That’s a case where even READ access can cause problems. DBAs usually take access away from such auditors or insist they get training. Overall, this type of issue is fairly rare.

What do you think? Leave me a Comment.



Filed under Audit

2 responses to “Should Audit Have Access to IT Systems?

  1. Audit Monkey

    I’m always concerned or perturbed when Internal Audit haven’t got access to the firm’s IT systems. It begs the question ‘what an earth have the audit team being doing?’ in the past. Sure, it is sometimes easier for someone to show the relevant record or data in the system at their desk but having access oneself allows time for greater review and feel comfortable with the audit evidence.


    • ITaudit

      I agree. Too many auditors rely on questionable data. Once place I worked, you could seldom tie the data back to a particular system. It was just “this is a listing from the GL database.” If auditors don’t have access, what they are doing is eating IT dog food.

      I’ve heard the argument more than once that the auditor might accidentally alter the data accidentally. Isn’t that one of the issues that SOX controls are designed to prevent? I believe it’s mostly an issue of transparency–IT and the business don’t want you look in their underwear drawer for fear you’ll see their soiled processes.

      Giving auditors access to help desk ticketing systems can expose all kinds of things, like passwords, covered up problems, serious security issues, and plain incompetence. All the more reason to do it. And like I said, it saves all kinds of money in the process, especially when the external auditors come calling–it’s faster and more trustworthy for audit to pull that data for the externals than ask IT to do it.


Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.