In the early 1990s auditors (internal or external) never really looked inside the IT infrastructure of a company and it was treated like a black box. During an audit transactions were audited as if the IT applications did not exist.
Then came the wave of specialised IT audits who could open the black box and identify numerous new risks associated with the complex workings inside the servers, computers and applications used. The financial/operational auditor could never really understand these risks and full reliance was placed the IT auditor.
However, in this day and age when the business processes are completely embedded into the IT applications, can we still have two specialists auditing within the company? One being the IT auditor who typically has ownership of risks arising from the IT infrastructure (i.e. your networks, applications, operating systems etc.) and the operational auditor who typically looks at risks in the business process and people managing the business process.
I don’t think so, its time we had non-IT auditors get into the IT infrastructure to audit it from a business risk point of view. This will ensure all risks associated with transactions as they weaves in and out of the IT infrastructure is well understood and audited holistically.
One would argue that there are some purely IT risks, where the operational auditor has no skill to audit and I agree there are some areas like that e.g. IT general controls, network security, database security etc. where specialised skills are required. However, in all the other aspects the operational auditors need to get deeper into the IT infrastructure, taking a simple example how do two applications interface and transfer data, can someone change the logic this stage or is the business management aware about points of failure in the interface and do they validate the transactions when a break occurs in the interface.
Further, even in highly technical areas working with operational auditors will help identify areas of high risk from a business perspective and may even identify risks which the IT team was not aware of. For example in one company while looking at the sales process we noticed a sales channel using a technology which the IT Audit team was not aware of being used in the company and in another audit we found out that the business was looking to implement a new software without even involving the IT team.
Also, there is the case of shadow IT, i.e. extensive use to excel and MS Access. However this is now being addressed atleast in financial services.
A business auditor having a basic understanding of IT concepts can help identify risks in the IT infrastructure which the IT may not focus on as those risks are not IT vulnerabilities but weakness in how a business process has been configured to run in the IT environment. This will help prevent risks related to company insiders taking advantage of weaknesses in the IT configuration.
To put it differently, a lot of IT audits right now focus on the external treats of hackers etc. but as its common knowledge companies suffer more because of insiders than outsiders. And increasing the level of involvement operational audits have in IT audits may help reduce that.