The Internal Auditor's Role in MIS Developments
By: Larry E. Rittenberg Charles R. Purdy
The MIS manager in many organizations is encountering a new group concerned with the data processing function — the internal EDP auditor.' These auditors often have a broad role ranging from evaluating data processing controls to reviewing data security and new system developments. However, in many organizations, the auditor's role is not clear. This article integrates the results of our own survey with a review of recent literature in an attempt to explain more precisely the potential internal audit roles in the systems development process. After describing the sample, we review the rationale for audit involvement and the constraints upon such involvement as perceived by the internal auditor. This is followed by a report of our study of design phase auditing activities in 39 large organizations. The boundaries and role of the audit function are simultaneously reviewed in light of these activities. Finally, the, potential contribution to the MIS manager is noted, and recommendations are offered to the MIS manager interested in promoting a constructive working relationship with Internal auditors.'
The internal auditor's role during the design phase of an EDP application is unclear in many organizations. This article integrates recent literature with the authors' survey in an attempt to explain more precisely the potential role(s) of the internal auditor in the systems development process. In practice, four roles appear to exist. In the order of their importance, they are: (1) audit of control adequacy, (2) audit of design process, (3) auditor as a user of the application, and (4) auditor participant in the design process. The rank ordering of these roles in practice is explainable in terms of three constraints upon internal audit involvement during the design phase. The identified constraints are those of audit approach, audit independence, and management objectives. Although EDP manager reaction to internal audit involvement is generally favorable, it could be stronger. Upgrading of internal auditor expertise in EDP systems appears to be the key to improved acceptance. Finally, the potential contribution to the MIS manager of internal audit involvement is noted, and means of constructive interaction are suggested.
The authors identified 48 organizations with Internal audit departments which performed EDP audits. Within each organization the internal audit manager received a questionnaire on EDP audit techniques. Members of top management and data processing management received a questionnaire probing their attitudes toward the EDP audit function. A summary of the distribution of questionnaires and responses is shown in Table 1. Of the 39 responses from internal auditors, 31 (or 79%) indicated that they performed some design phase auditing. A further analysis indicated that over half of the data processing departments had monthly budgets exceeding $300,000 'Our focus is on the internal auditor who is a part of the organization. It is argued that such an auditor can deveiop sufficient familiarity with the data processing environment to be constructive whiie still providing an independent viewpoint. 'Sincethe reiationship invoives two parties; our recommendations clearly apply to both.
Keywords: Internal audit. Internal auditor, roles, involvement, MIS developments. MIS applications, design phase, rationale, constraints, practice, EDP manager, MIS manager Categories: 1.3, 2.2, 2.41, 2.42. 2.45, 2.49, 3.59
MIS Quarterly I December 1978 47
Internal Auditor's Role
Table 1. Questionnaire Distribution and Response Rates
Intemal Auditor Responses received Non-responses Total questionnaires mailed Response rate
39 9 46 81%
28 20 48 58%
25 23 48 52%
'Top management was defined as the person to whom the head of internal auditing...