Internal IT auditors: We’re advocates, not adversaries
Audit is a scary word that, for many people, implies other scary words like investigation, errors, and penalties. Most often associated with the Internal Revenue Service, an audit suggests scrutiny and being “in trouble.” In actuality, that’s an outdated take on the service, said Hollie Andrus, chief audit executive (CAE) for the University of Utah’s Internal Audit department.
“Unfortunately, the word audit will always be associated with a sheriff, a person who’s super strict and wants to always follow the rules — which is true — but our main goal is to help people understand we’re their advocates, not their adversaries,” said Andrus, who was hired as the U’s new CAE in June and previously served in the Office of the State Auditor. A recent Humans of the U piece contains more information about Andrus and her career.
Andrus recommends thinking of IT audits in terms of risk management. With dual reporting responsibilities to Chief Financial Officer Cathy Anderson and the Board of Trustees Audit Committee, Andrus’ 11-person team, which includes a three-person IT audit division, is broadly responsible for independent and collaborative risk assessments and for helping colleges, departments, and organizations better align with the university’s strategic goals and core values. The IT audit division was formed less than a year ago and has supported offices on main campus and in health sciences through audit processes, with more to come.
“People at the university want to do their jobs well,” said IT Auditor Jose Bucaro. “As auditors and auditees, we share a common goal: We both want to help the organization achieve its objectives.”
At a high level, their job is to review internal IT and data controls and objectively determine if they:
- Are used economically and efficiently
- Comply with university policies, rules, and regulations, and state and federal requirements
- Adequately safeguard assets
- Meet operational goals and objectives
“I like to meet different people on campus and try to help them figure out a better way of doing things,” said IT Auditor Brad Zumbrunnen, who previously worked in UIT as a network engineer.
An electronic data processing (EDP) or IT audit, which evaluates the efficacy of computer systems and applications, is one of four categories of internal audits at the U. The others are financial, compliance, and operational. Audit activities run the gamut from asset management and inventory appraisals to consulting engagements and process reviews but, Andrus said, may also explore workplace culture or turnover and retention issues. For a closer look at internal audit functions and phases, check out the @theU article Beyond compliance: A look at the role of the U’s internal audit office.
When it comes to an IT audit’s scope, timeline, and report length, “the most common answer in audit is ‘it depends,’” Andrus said.
“It depends on the skill set of the person who’s auditing, the system that’s being evaluated, and how the client uses their system. It depends on what we’re looking at and what we need assistance with,” she said. “There isn’t a tried-and-true template. Every situation is different.”
Whatever is being looked at, IT Audit Manager Heidi Sieg said U auditors will ask specific questions, such as whether a unit’s staff has worked with Internal Audit before, if they know what auditors do, or if, for example, “they express concerns about, say, terminated employees who retain access [to IT systems]. They want to know how we’ve responded in the past and if they can replicate the process.”
Concerning data analysis, Sieg noted they seek the approval of data owners before gaining access to an IT system. She said Internal Audit employs the same tools used by other departments on campus, such as the Query Manager HR and payroll reporting tool, Caseware IDEA data analysis software used to comb through large data sets, and Tableau data visualization software, though Andrus would like to expand their data visualization resources in the future.
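The data-analysis step Sieg describes, reconciling an HR data set against IT account records to find terminated employees who still hold access, as an added illustration that is not from the article or the U’s Internal Audit office. The HR export, account directory, and field names below are constructed for the example; a real engagement would pull these from the tools named above.

```python
from datetime import date

# Constructed sample data (not real university records): an HR export with
# termination dates and an account-directory export. Field names are illustrative.
HR_EXPORT = [
    {"emp_id": "E001", "name": "A. Example", "terminated": date(2024, 3, 15)},
    {"emp_id": "E002", "name": "B. Example", "terminated": None},
    {"emp_id": "E003", "name": "C. Example", "terminated": date(2024, 1, 31)},
    {"emp_id": "E004", "name": "D. Example", "terminated": date(2024, 5, 1)},
]
ACCOUNTS = [
    {"emp_id": "E001", "enabled": True,  "last_login": date(2024, 4, 2)},
    {"emp_id": "E002", "enabled": True,  "last_login": date(2024, 6, 1)},
    {"emp_id": "E003", "enabled": False, "last_login": date(2024, 1, 20)},
    {"emp_id": "E004", "enabled": True,  "last_login": date(2024, 4, 28)},
    {"emp_id": "E999", "enabled": True,  "last_login": date(2024, 6, 3)},
]


def find_access_exceptions(hr_rows, account_rows, grace_days=0):
    """Return (emp_id, finding) pairs an auditor would follow up on:
    terminated staff whose accounts are still enabled, logins recorded after
    the termination date (beyond an optional grace period), and accounts
    with no matching HR record (orphans)."""
    hr_by_id = {r["emp_id"]: r for r in hr_rows}
    exceptions = []
    for acct in account_rows:
        hr = hr_by_id.get(acct["emp_id"])
        if hr is None:
            exceptions.append((acct["emp_id"], "orphan account: no matching HR record"))
            continue
        term = hr["terminated"]
        if term is None:
            continue  # active employee: nothing termination-related to report
        if acct["enabled"]:
            exceptions.append((acct["emp_id"], f"account still enabled, terminated {term}"))
        last = acct.get("last_login")
        if last is not None and (last - term).days > grace_days:
            exceptions.append((acct["emp_id"], f"login on {last} after termination {term}"))
    return sorted(exceptions)


if __name__ == "__main__":
    for emp_id, finding in find_access_exceptions(HR_EXPORT, ACCOUNTS):
        print(emp_id, "-", finding)
```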
The U’s IT audits are based on the Center for Internet Security’s 18 controls (CIS 18), a series of recommendations for preventing the most prevalent types of cyberattacks, as well as National Institute of Standards and Technology (NIST) regulations, as required. Her team also partners with the U’s Information Security Office (ISO), particularly the Governance, Risk & Compliance (GRC), Identity & Access Management (IAM), and Enterprise Security teams — if a security report or scheduled vulnerability scan adds value to analysis activities.
Decisions to pursue IT audits are informed by different sources, Sieg said, including surveys, concerns expressed by senior leadership, and news and industry reports.
“I’ve been asked, ‘What’s a way that we can be helpful to you?’ The primary thing is being available to us during audits,” Andrus said. “We fully recognize that we’re coming in on top of the regular job they have to do. The joke is, ‘What’s your favorite side of an auditor? The backside.’ We get that, you want to see an auditor leave as quickly as possible, and the more help and response we can get, the more timely and helpful the audit will be.”
“Engagement of the client, or the area being audited, is critical at every stage of the audit process,” she said. “An audit often results in a certain amount of time being diverted from your department’s usual routine so it’s helpful for a client to treat an audit like any other special project and allocate time for them and their staff to participate in the process. This minimizes the time necessary for the audit and avoids disrupting ongoing activities.”
If you have questions about how the Internal Audit department can serve you, please contact Andrus at Hollie.Andrus@admin.utah.edu.