IT Audits; Today and in the Future
  • Matthew Abela

As the saying goes ‘the only constant is change’ and like most professions around the world, the accounting and audit professions are constantly evolving. Arguably, our profession has entered a phase of hyper-evolution with changes and other considerations being proposed both from within the profession and by external forces at a much quicker rate than in the last decades. The reasons are numerous, however chief among them we note that the profession is under considerable pressure from authorities as it tries to weather an extended negative news cycle locally and, more so, internationally.

Similarly, the pressures brought about by COVID-19 pandemic. Besides financial pressures and Going Concern considerations, audit teams around the world are facing complexities in running through their Audit procedures. As tends to happen in these situations, and simply because necessity is the mother of discovery, audit teams significantly increased their references towards IT Auditors, seen as a mitigating measure towards audit testing in ways that could not be done due to COVID-19 situations.

“SIMPLY STATED, IT AUDITORS HAVE BEEN INUNDATED WITH WORK AND GENERAL AUDIT TEAMS FOUND THAT THE PROCEDURES UNDERTAKEN BY THE IT AUDITORS WERE ALSO MORE COMPREHENSIVE AND MORE EFFICIENT.”

It was predictable that many audit teams concluded that in future periods more IT Audit involvement would be staggered throughout the audit process. The COVID-19 emergency may have shaved off a couple of years of conservative, inefficient audit methodology and shocked the system into accepting IT Audit into a generalised and instrumental tool in every audit engagement.

Internationally many setups within audit firms silo off IT Audit/Assurance as a separate service line, with a separate Partner heading these important resources. The reason for this is largely a historical one but, predominantly, also a practical one, arising from difficulties in finding personnel experienced in both Financial Audit and IT Audit. This walled-up approach is a hindrance to efficiency and may even reduce the audit quality while opening Audit engagements to miscommunication risks. Locally, empirical research on the setup of IT Audit teams is limited but the same deficiencies are likely to be present. Throughout this year, noticeable movements, especially in agile mid-tier entities have resulted in merging or part-merging the previously distinct Financial and IT Auditors.

Towards the Future: The Hybrid Auditor

Gone are the days when only a limited number of audits required IT Audit support. As mentioned, IT Audit procedures serve not only as stop-gap measures when other more traditional procedures cannot be performed, but offer a more efficient methodology. It is now customary to include an IT Auditor as part of the audit planning phase, in fact, not availing of these IT Audit procedures has become an exception not the rule.

The next obvious evolution of this approach shall again be borne out of necessity, this time the lack of resources in the current IT Audit teams. It takes more investment to train resources into good, professionally sceptic IT-centric auditors than training more traditional Financial Auditors. This sudden and plateaued spike in IT Audit resource requirement and the very limited supply, coupled with the change in mentality will likely mean that the distinction between IT Auditors and Financial Auditors will grey out, leading to the emergence of the Hybrid Auditor.

The Hybrid Auditor will be well versed in carrying out all audit procedures, both those traditionally carried out by a Financial Auditor and those carried out by an IT Auditor. The synergies involved in this change of mindset could be ground-shaking, potentially giving the profession important new tools and opportunities in tackling quality, ethics and other issues.

The auditor of the future will be better equipped, more adaptable, more profitable, and able to mitigate risk in a more optimal manner.

It is likely that a proactive move towards a Hybrid Auditor approach will still not lead to the full elimination of the other roles before another decade. One may even envision a happy medium int the short-term whereby audit procedures are guided by Hybrid-IT-centric Managers and Hybrid-Traditional-centric Managers.

Such a shift in mindset requires investment, time, and ample discussion within the profession. Education campaigns at firm level are needed until the initial seeding ideas are fostered and properly managed to ensure that the process does not shock professionals who are unsure or uncomfortable with new procedures.

Published

May 5, 2021