Monday, 1 March 2010

The Campaign for Real Audit

Matt Hooper recently mentioned on one of the excellent ServiceSphere podcasts that he and I have been discussing the use and abuse of audit terminology in the ITSM world. It is something I've got used to over the years, but then around the same time Matt was raising his queries my hackles were raised by someone on LinkedIn claiming expertise in audit after completing just the ISO 20000 auditor's course, which actually presumes you should already be a qualified auditor. Then on my v3 Bridge Course the tutor made a throwaway comment that reminded me ITIL still doesn't seem to understand what audit is all about.

Why does this bother me? Have you ever noticed that the more familiar you are with a subject, the less accurate and more controversial the Wikipedia entry for it is? Well, as it says on the right somewhere, I was a professional internal auditor before I got drawn into the crazy world of ITIL.

I'm actually going to leave ISO audit to one side for now. Let us just say it does what it says on the can and nothing more.

I want to focus in particular on internal audit. In fact let me say that again, slightly differently. I want to focus in particular on Internal Audit. Notice the difference? No? Oh well, I guess that means you probably aren't cut out for a career as a stereotypical tick and turn auditor. You might still make it as a professional auditor though if, once you spot the difference, you can see the implications of it. Of course it isn't as easy as that. You'll need to do some exams, get some independently verified experience under your belt, and commit to adhere to your professional body's standards.*

If that sounds too much effort, what about reading a book?

Yes it is a little expensive, but then it does weigh in at 7.5 pounds and nearly 1500 pages.

Too busy huh?

A Brief Guide To Internal Audit

Well let me sum it up for you, though my apologies to any currently practising auditors if I'm a little out of date.

Let us begin with where audit should sit in the organization. Internal Audit should have no executive responsibilities and report to the board and/or the audit committee. In some organizations the Chief Internal Auditor can only be removed from post by a vote of the board. Why? Because internal audit needs to be, and to be seen to be, independent and objective in the assessments and recommendations it makes.

What does Internal Audit assess and make recommendations about? Systems of internal control.

In the words of Sawyer

"Control is a force, it gets things done"

A process without controls is, well, out of control.

So how do we assess the system of internal controls?
  • We need to understand the objective of the system.
  • From that we can derive the control objectives.
  • The control objectives allow us to identify appropriate control mechanisms.
  • We use techniques such as statistical sampling to check the controls are in place and working.

Just knowing about individual controls doesn't give us sufficient assurance. It might be there is a very good individual control but it can be circumvented, or is weakened because of a lack of control elsewhere. Alternatively it might be that a number of controls that are not individually effective work together to provide an acceptable level of control. That is why we look at systems of internal control.

In theory if all the controls are in place and working we can predict that the process they are controlling will be effective, efficient and economical, which has led to the concept of Value for Money (VfM) audits where we assess activity against those 3 criteria.

Some of this might be starting to sound familiar to you, especially if you use COBIT, because COBIT was first developed as a framework for auditors.

Audit and ITIL

So what are the implications for ITIL?

To go back to Matt's original question to me, I don't think we should use the term audit unless the element of independence and objectivity, backed up by organizational position, reporting lines and adherence to professional standards, is in place.

A review of your "ITIL maturity" carried out by a consulting firm with an interest in bidding to deliver your ITIL training and transformation programme is not an independent audit. Oh just sit bolt upright and smell that scent of freshly brewed Java with a double shot.

Neither is a review carried out by a function or an IT department to assess its own capability an audit. That doesn't mean you shouldn't do one, by the way.

I said I would leave ISO certification audits out of this discussion, but I will say that if I ever employed an ex-ISO auditor as an Internal Auditor I would expect them to go through the full professional training scheme. I make that point without meaning to undermine what they do, but I want an IS auditor who can do things ISO auditors don't do, such as a code review or recreating an interrogation of the service management tool.

One of the biggest shortfalls for me with how ITIL is currently understood is the willingness of professional advisors to say IT departments have total freedom to pick and choose which elements they implement. As an ex-auditor doing a review I would have to point out that leaving out certain elements of ITIL can effectively undermine the value of an entire process, and the processes that depend on that process. That in turn exposes the organization to enterprise-level risks. If I didn't point that out to a client as an auditor I would leave myself open to a charge of professional malpractice.


*To avoid any allegations of misrepresentation I've used the IIA standards as an example because I find them accessible and straightforward. I will point out though that although I taught students undertaking the IIA UK examinations for seven years, the professional standards I was bound by myself were those of the Chartered Institute of Public Finance and Accountancy and the UK Government Internal Audit Standards (GIAS). I am currently a member of ISACA and have passed their CISA examination, but since I do not practise I am not eligible to use the CISA designation.

For readers outside of the UK who might not be familiar with it, here is a link to the real CAMRA

1 comment:

  1. Jim,
    As always, thank you for the continued clarification. I first appreciate how your response is not self-serving. Research in this area is cluttered with consultant speak that is self-perpetuating.

    I am so glad you went to the V3 bridge course and felt first-hand what we "unauditacted" folk hear over and over. To the untrained ear, audit is a "review" and thus used this way in ITIL. However, when the auditor (internal or external) shows up at your desk, it's far from a casual review.

    I even just double checked and Service Strategy does not even have Audit in its index. Pages 154-155 on Governance - zero reference to auditing. It says in section 6.5.5 "Partnering with providers who are ISO/IEC 20000 compliant..."

    Ahhggg.. I hate the ambiguity.

    So I looked in Service Operations - Pg224 has definition. But again, not nearly as definitive or clear as yours.

    Thank you again and again for your clarity, experience and willingness to share with us.