Too often, audits are performed on one process, one category, or one system: Earning Commissions, Windows Servers, or Wire Transfer. Each one of those is a separate silo (one for oats, one for corn, one for rice).
What you need to do is to review and combine the data from multiple silos so that you can make some multi-grain cereal (so to speak).
Say you have an audit of commissions paid to salespeople for selling insurance policies. You check whether the commissions were paid to the people who actually sold the policies, whether the commission payments were calculated correctly, etc. Commissions is one silo.
Now add other silos, combine the data, and compare the results of one silo against another. For example, look at whether salespeople are paying customers’ premiums themselves (you need incoming payment data), or selling one type of policy only to upgrade it 2 years later to earn additional commissions (you need sales data covering a longer period of time).
Generally, you need to gather at least a year’s data (sometimes several years) from all of these silos and combine them, so you need to use data analysis software.
Now let’s look at Windows Server…
Instead of just looking at how Windows servers are spun up, maintained, and decommissioned; how they are patched; how access is granted, etc., add some other silos like DNS, antivirus, and all the other consoles that servers are tracked on. Compare the lists against each other to find servers that are missing from a list where they should appear (e.g., antivirus is not installed) or that appear on a list where they shouldn’t (DNS contains entries for decommissioned servers). See this post for more details: Server Audit for the Dauntless.
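As an added example (not code from the original post), here is how that list comparison can be scripted once the exports are pulled: the hostnames, the corp.example domain suffix, and the three silo exports are all constructed for illustration.

```python
# Constructed sample exports, one per silo. Consoles rarely agree on how they
# write a hostname (casing, FQDN vs. short name), so names are normalized first.
INVENTORY = {                      # build/decommission records (name -> state)
    "web01.corp.example": "active",
    "web02.corp.example": "active",
    "db01.corp.example": "active",
    "old-app.corp.example": "decommissioned",
}
DNS_RECORDS = ["WEB01", "web02.corp.example", "db01",
               "old-app.corp.example", "shadow-box"]
AV_CONSOLE = ["web01.corp.example", "db01.corp.example",
              "shadow-box.corp.example"]

DOMAIN = "corp.example"            # assumed internal domain suffix


def normalize(name):
    """Lower-case, drop a trailing dot, and strip the internal domain so that
    'WEB01', 'web01.corp.example' and 'web01.corp.example.' all compare equal."""
    name = name.strip().lower().rstrip(".")
    suffix = "." + DOMAIN
    return name[:-len(suffix)] if name.endswith(suffix) else name


def reconcile(inventory, dns, av):
    """Cross the silos and return the three kinds of gaps the text describes."""
    active = {normalize(h) for h, s in inventory.items() if s == "active"}
    gone = {normalize(h) for h, s in inventory.items() if s == "decommissioned"}
    dns_set = {normalize(h) for h in dns}
    av_set = {normalize(h) for h in av}
    return {
        # active servers with no antivirus agent reporting in
        "missing_av": sorted(active - av_set),
        # DNS still resolves names the inventory says were decommissioned
        "stale_dns": sorted(dns_set & gone),
        # names known to DNS or AV that the inventory has never heard of
        "unknown_hosts": sorted((dns_set | av_set) - active - gone),
    }


if __name__ == "__main__":
    for finding, hosts in reconcile(INVENTORY, DNS_RECORDS, AV_CONSOLE).items():
        print(f"{finding}: {', '.join(hosts) or 'none'}")
```

Each bucket is a separate follow-up question for a different owner (endpoint team, DNS admins, asset management), which is what makes the cross-silo view more useful than any one list alone.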
A Slightly Different Tactic
When I was doing a General Ledger (GL) audit, I focused on all the data coming in and out of the system (another auditor did the usual financial/operational stuff), and another application that was used to extract, transfer, and load (ETL) all the data between the systems. I found some concerns there related to GL, and we actually scheduled a separate audit of the ETL system in the next audit cycle.
This last example is different from the first two in that it wasn’t really a separate silo; I just dug a little deeper on the IT side of the system and into the other systems connected to GL. But the point is to go further than the traditional audit, especially when no issues were found during the previous audit.
Combining data from several different silos is an excellent way to identify fraud.
Internal audit is one of the few departments that have potential access to all the data–which is why it’s important for auditors to watch the flow of data and all the additions and changes made to it (as well as the decisions made based on the state of the data at each point of the process) as it flows between multiple departments, through multiple applications, and multiple processes.
This kind of analysis helps identify control gaps that exist, as well as fraud scenarios no one had considered previously. It also provides a great amount of data to analyze.
So when you’re ready to take your audits and your data analytics to the next level, explore multiple silos at once–cross those typical audit boundaries.