Audit and Assurance

Expand all | Collapse all

Quantifying the complexity or size of an audit

  • 1.  Quantifying the complexity or size of an audit

    Posted 20 Mar, 2020 09:18

    Is there an accepted or standard way to quantify the complexity or size of the audit you performed? How do you express the complexity of the audit? By listing the number of testing steps or standards in the audit? Let the complexity of the system or organization speak for itself? All of the above and then some?

    I ask this because I'm new to the professional and am trying to develop the ability to appreciate and express the amount of work I'm doing compared to other audits, and or my peers. It'll help me appreciate how well I'm performing and growing, and if I'm on track, advancing, or lagging.

    Thank you.

    Rick Infusino
    IT Auditor

  • 2.  RE: Quantifying the complexity or size of an audit

    Posted 21 Mar, 2020 11:19
    Hi Rick,

    I can only suggest a framework as every audit is different.  As well as what you have identified, categories could be:
    • audit scope (e.g. from a complete end-to-end process to just one segment of the process);
    • level of technical complexity (e.g. internal aspect only; cloud; blockchain/AI/ML/IoT; firewalls/routers; software; access/change/security/incident management);
    • audit skills required (e.g.very technical; code knowledge; business understanding);
    • number and type of risks associated with the process (e.g. those identified from past audits; what the business areas/process owners have identified as risks);
    • risk appetite and tolerances (e.g. zero tolerance for some systems such as financial settlement processes); 
    • testing capability (manual sampling/testing; available audit tools);
    • amount of audit sampling needed (e.g. <10%, up to 100%, perhaps relating to risk tolerances);
    • relationship with auditees (e.g. good versus poor; risk and control appreciation; business knowledge); 
    • business capability to apply previous recommendations (e.g. complexity versus benefit; cost versus benefit; other conflicting or higher priorities).
    But I actually suggest you don't over engineer this.  You will gain a lot from each audit you do.  Use the points I've made above to have a useful discussion with the audit team members and then apply their and your ideas to your next audit.

    Sue Milton

  • 3.  RE: Quantifying the complexity or size of an audit

    Posted 24 Mar, 2020 10:38
    Very helpful suggestions, Sue! Thank you very much! I'll takes these and start crafting statements that speak to them, and use it to brainstorm additional categories.

    Rick Infusino
    IT Auditor

  • 4.  RE: Quantifying the complexity or size of an audit

    Posted 17 Apr, 2020 14:20

    I would echo what Sue said. Don't over-engineer your personal scorecard. First of all, as Sue said, it is quite difficult to make a one-size-fits-all that works for all projects. Second, you may spend a lot of hours wondering how well you are doing that you could use to make yourself even better regardless of whether you are on par with your peers, behind, or ahead.

    Complexity of an audit is nearly impossible to truly calculate and compare with others.
     - A large (scope) audit isn't necessarily more complex than a small (scope) audit.
     - Technical skills required could be different for different people. If you are a new IT Auditor straight out of business school, I would consider your first firewall audit quite technical for your skill-set, even if it is a rather simple, well controlled firewall.
     - If your job and career goals are to audit IT SOX systems, having a significant amount of coding knowledge may not make you better, having overall general knowledge about all aspects of your business may be better.
     - If your goal is to be an IT audit consultant, having knowledge about major systems (Checkpoint, SAP, Windows, UNIX, etc.) is likely a far better for your career than having a lot of business knowledge about a former client you may no longer serve.
     - Covering lots of risks or very high risk areas may be extremely easy. One of my IT controls is audited by a financial audit contractor because it is so straight forward and well performed, but it is one of the highest risk controls on our register. If you were my in-house IT Auditor, I would want your brain on messier controls even if they may be slightly lower risk.

    I think looking to improve and track progress is great! And, all the suggestions given by Sue are great starting points. Audit is just such a wide and evolving area it is very hard to create a good scoring system for complexity. My big suggestion would be assess how you feel after (or even during) a project or audit. Were there phrases or acronyms you didn't know? Look them up. Were there systems or tools referenced you didn't know how to use or use well? Learn to use them better. Everyone learns different aspects of the job at different speeds. If you assess yourself at a high, general level frequently and honestly, you will see where you can improve. Once you follow through on improving those areas, you will become great!

    Jake Davis
    IT Controls Analyst