“My work begins and ends before any of the year-end audit procedures commence. It’s called an IT Audit for good reason as it’s a detailed assessment of controls within the IT infrastructure as well as within the software systems clients use to execute their business processes,” says Christopher Hock, Assistant Manager, heading the IT Audit Department of Mazars in China.
It's like Triage - a quick expert assessment
An IT Auditor works hand-in-hand with both the financial auditors, to understand their requirements, and the client, to understand their business processes. The role therefore requires a thorough understanding of the Audit process and the client’s business processes, as well as in-depth knowledge of IT systems engineering and software.
The IT Audit is usually done quickly, depending on the size of the business and complexity of its IT systems. For medium-sized companies, the process is usually complete within 2-3 days. For large enterprises with advanced and integrated systems, 5-7 days or more may be needed, depending on the task.
An IT Audit can uncover and resolve issues and risks across the board for a business and gives advice for improving systems and processes. After finishing the on-site work, the client and the Audit team receive an IT Audit Report revealing findings and recommendations.
The value of an IT Audit
For the client, identifying risks within the IT environment, as well as ways to increase the reliability and integrity of IT operations, represents tangible value. Ideas to improve the efficiency of actual business processes can also surface.
For the financial audit team, knowing that all data comes from an effectively controlled IT environment means they can rely on the controls in place. This reduces the manual audit work required and improves the efficiency of a financial audit.
Hock recalls an example: “There are clients who process up to 100,000 invoices per day, each for a small amount. For these, manual audit procedures cannot provide the viability or assurance that a financial audit requires. The IT Audit gives a valuable systems review through the business, thereby giving the financial auditors the assurance they need to carry out their task of reviewing all financial data.”
Qualities of the IT Audit profession
Previously based in Munich, Germany, Christopher Hock is now located in China with Mazars and has a background that blends both IT and Auditing, equipping him well for the go-between role he plays.
“I’m a mix of both professions. I majored in Information Systems for business administration and have gained experience and certification as a Java software developer. But I started in the audit business, and have participated in financial audits large and small, so I know the process well.”
Christopher Hock is also a Certified Information Systems Auditor (CISA), a qualification acquired only through the international body of IT Auditors (ISACA) by formal examination and a proven track record.
The IT Audit profession remains a specialist arena, but an IT Audit has virtually become a standard procedure for every major audit assignment. Under International Standards on Auditing (ISA) and national audit standards in all major countries, considering the client’s IT is now mandatory for audits of major companies.
For Christopher Hock and Mazars, it’s a crucial first step that both clients and financial audit teams have come to rely on.
In addition to IT Audits as part of the Financial Audit assignment, Mazars’ IT Audit department also offers advice in the field of IT security, controls and processes, system implementation reviews, software selection support, and consulting services to help businesses fulfill global regulatory and contractual requirements such as SOX and SAS 70.
For Christopher Hock and Mazars, reliability in IT equates to reliability throughout a financial audit.
The author, Christopher Hock, is Assistant Manager, heading the IT Audit Department of Mazars China.