A Survey of EDP-Audit Departments in Dutch Banking

Marcel Bongers and Edo Roos Lindgreen

Since EDP auditing became a recognized specialism in the Netherlands in the mid-seventies, EDP auditors have acquired a prominent position in banking. According to the membership roster of the Netherlands' Order of Register EDP Auditors (NOREA), Dutch banks employ over 22% of the total number of Register EDP auditors (REs). With the exception of the external audit firms, banking is the largest employer of EDP auditors in The Netherlands. Due to its nature, banking, based on solvability and liquidity, has always been audit-intensive. In 1988, the Dutch national bank (De Nederlandsche Bank, DNB), recognizing the impact of information technology (IT) on solvability and liquidity, issued a binding memorandum prescribing that the external auditor must address the reliability and continuity of information systems in his annual management letter, normally published with the annual financial statement [DNB88]. Reportedly, banks annually spend more on IT than any other sector, with the exception of computer-service companies. Still, the number of incidents related to IT management and security increases; see, for example, the December 1994 issue of Computer Audit Update presenting recent findings and conclusions by the United Kingdom's [...] [Hurf94].

These trends have created a need for top management: independent and unbiased assessments and recommendations, such as those performed by EDP auditors, are now essential IT-management instruments. EDP auditing may be defined as the independent and impartial assessment of and recommendation on the reliability, security, effectiveness and efficiency of automated systems, the organization of the information systems department, and the technical and organizational infrastructure of automated data processing.

This paper describes the results of a 1994 investigation into the size and tasks of EDP-audit departments in banking. The goal of the survey was to gain insight in and indicate norms for the size and tasks of EDP-audit departments. Seven major Dutch banks cooperated in the investigation: three large banks (ABN AMRO Bank, Rabobank and ING Bank) and four medium-sized banks (MeesPierson, Credit Lyonnais Bank Nederland, VSB Groep and SNS Bank). In addition to these banks, two other organizations joined in the survey: DNB and Sociale Verzekeringsbank (SVB), an organization effectuating part of the Dutch social security legislation.

The survey was conducted by the Postgraduate EDP-Audit Course of the Faculty of Economics and Econometry at Vrije Universiteit, Amsterdam, and the Faculty of Technical Mathematics and Informatics at Delft University of Technology. The survey was supported by ITACS (IT Audit, Control & Security), a foundation for scientific research and education in the field of IT management; ITACS is a joint venture of Free University, the IPO Management School at University of Antwerpen, and London University (Royal Holloway).

The contents of this report are as follows. We briefly explain the model underlying this survey and the methods used for it and present the results and the authors' interpretation.

Computer Audit Update • March 1997 © 1997, $17.00 Elsevier Science Ltd.

Underlying model

The survey was based on a simple model of the EDP-audit department as a producer of EDP-audit services consumed by management. In this model, the capacity of an EDP-audit department depends on endogenous and exogenous factors, both of which are discussed below.

Endogenous factors

Two classes of endogenous factors were distinguished: (A) the organizational characteristics of the EDP-audit department, and (B) the amount and nature of the services delivered by it.


A. Organizational characteristics of the EDP-audit department

The following characteristics of the EDP-audit department were identified as potentially relevant: the number of EDP auditors; the department's position within the organization; the department's internal structure; and the specialisation, experience and education of its EDP auditors.

B. Services of the EDP-audit department

For this survey, the services of each EDP-audit department were classified using a taxonomy based on audit type, audit aspect, audit object and audit principal.

Audit type

The audit type is determined by (i) the degree of independence from the audit object and (ii) the presence or absence of a formal assessment. The most formal and independent task of the EDP-audit department was defined as follows:

• AUDIT - all investigations performed by request of top management, concluded by a formal assessment and accompanied by a set of formal recommendations.

In addition, two derived activities were distinguished:

• ADVICE - all investigations and recommendations by request of top and middle management, or at the EDP-audit department's initiative, without a formal assessment;
• PARTICIPATION - all active contributions to policy development and to tactical and operational tasks related to systems development and exploitation, without a formal assessment, and with recommendations implied.

Audit aspect

The audit aspect was defined as the combination of quality aspects evaluated during an audit.

Audit object

The audit object was defined as the set of components of the organization, processes and/or systems audited. The audit object was described by two parameters:

• System phase: development versus exploitation. This parameter reflects whether the process audited is a change-oriented process, such as system or product development, or a continuity-oriented process, such as system exploitation or administrative transaction processing.

• Object level: technical versus application-oriented. This parameter reflects the level of the audit object in a layered information system model, and hence the level of expertise required for the audit. The distinction here is between technical systems, procedures and organization on the one hand, and application systems, procedures and organization on the other hand.

For a more detailed classification, the object level may be finer grained. Technical components may be subdivided into hardware, control software, data communication, programming environments, access control tools, packages for production planning and control, and so on. Applicative components may be subdivided into user functions and procedures for each distinct business process, e.g. treasury, credits, stocks, mortgages, and so on. With respect to the object level, specialisation has proven necessary and worthwhile; the corresponding established EDP-audit functions are Technical EDP audit (TA) and Information Systems Audit (ISA).

Lastly, audits were classified by their perspective, which depends on the party initiating the audit. In principle, an EDP audit is initiated by management; alternatively, an EDP audit may be initiated by the external auditor auditing the annual financial statement. Due to the binding DNB memorandum mentioned above, the external auditor must also report on the reliability and continuity of the organization's information systems. Audits commissioned by the external auditor are also relevant for management, but typically have very specific audit objects and audit aspects.

Based on the criteria listed above and inspired by discussions with Prof. M.E. van Biene-Hershey, we have defined the taxonomy shown in Figure 1. It does not pretend to be universally applicable, but is solely intended and used as an instrument for our survey.

[Figure 1: A taxonomy of EDP-audit services (labels: audit type, audit aspect, audit object, audit principal, technical object, applicative object)]

Exogenous factors

The following exogenous factors were identified as potentially relevant:

• The degree to which EDP-audit services are supplied by other parties, such as by the general and financial audit departments within the Internal Audit Department (IAD), by the specialised EDP-audit function within the computing centre, or by the external EDP auditor.
• The organization's degree of automation, assuming that it can be represented by the organization's IT costs in relation to its total costs.
• The degree to which the EDP-audit department is supported by the organization's internal control, information security and quality assurance related to IT and information management; this factor was represented by the total size of the corresponding departments.
• The total number of employees and the number of IS personnel, distinguished as system development staff and system exploitation staff.
• The degree of IT decentralisation.
• The use of data communication networks.
• The rate of strategic change, such as product innovation.
• The number of applications specifically developed for and proprietary to the bank.

(The last four variables were gauged using a subjective ordinal scale.)

Results

The above model served as the basis for a questionnaire, established after one trial interview, which was completed by conducting personal interviews with the managing directors of the EDP-audit departments of the cooperating banks. In two review cycles, the respondents were offered the opportunity to verify the results and to comment on the analysis and conclusions. The results are presented and explained below. The following remarks apply:

• The interviews were held in the period June 1994 to September 1994. Later changes are outside the scope of this survey.
• Dutch banking is highly dynamic. Mergers and reorganizations may disrupt the image sketched in this report.
• The significance of the results is not absolute, but relative. Any difference should only be considered significant if its relative magnitude is at least, say, root 2 [Hers95].

Size

The size of each EDP-audit department was measured in terms of full-time employees (FTEs). Included were all employees conducting EDP-audit activities from an independent position. In Figure 2, a distinction is made between EDP auditors employed within the EDP-audit department and EDP auditors conducting EDP audits from another organizational unit (for example, other IAD departments or the computing centre). The latter category will further be termed "additional EDP-audit capacity". Supporting personnel (e.g. secretaries, system managers) was not included. Figure 2 shows the average size for each of the following categories: (a) large banks, (b) medium-sized banks, including SVB, and DNB.

[Figure 2: Average number of FTEs EDP audit per category]

EDP-audit services

Based on the taxonomy defined above, we have attempted to investigate how many and which services the EDP-audit department delivers per annum, and how many man-hours are spent on each service. This has led to two preliminary conclusions:

• Since the methods and frequency of EDP audits are not standardized, it was difficult to compare the data obtained by measuring the number of audits. Consequently, EDP-audit services could only be expressed as a fraction of the total EDP-audit capacity in FTEs.
• Despite similarities among banking products, the EDP-audit services of the banks investigated showed a significant diversity, which may be explained by differences in the business processes, in the information systems, in management style, in their organization structure and in their organization culture. For this survey, only a general classification of services (by audit type, audit aspect, audit object and audit principal) was possible. Since EDP-audit services in the banking sector have risen ad hoc, no generic production norms for them can be given.

The notions audit, advice and participation are defined earlier. As stated, the main difference between a formal audit and an advice is the presence of a formal assessment on the audit object.

count. Audits make up the majority of total EDP-audit capacity, varying by category (see Figure 3). Advice takes up approximately 25% of total capacity. The remaining capacity is spent on participation. Figure 3 suggests that the EDP-audit processes of large banks are more formally structured than those of medium-sized banks. Moreover, the smaller EDP-audit departments [...] relatively [...] in operational, tactical and strategic management processes. This can be explained by the fact that the operational departments directly responsible for implementing the recommendations do not always possess the expertise and/or capacity required; apparently, within the medium-sized banks, top management considers the EDP auditor's added value more valuable than his impartiality.

[Figure 3: Average capacity dedicated to each audit type per category (legend: advice, audit)]

Audit aspect

A majority of respondents indicated that audits comprise all quality aspects, with the exception of specific continuity audits.

Audit object (technical/applicative)

All EDP-audit departments perform technical as well as applicative audits. The ratio between TA and ISA differs from bank to bank. The average per category is shown in Figure 4.

[Figure 4: Average capacity dedicated to Technical Audit (TA) and Information Systems Audit (ISA)]

Audit object (development/exploitation)

With one or two exceptions, the EDP-audit departments investigated spend more capacity on system development than on exploitation; see Figure 5.

A logical explanation for this is that preventive audits are preferred, since recommendations can be implemented more effectively and more efficiently during the development process than after a system has been taken into production. Additionally, the fact that methods and techniques for auditing system development projects have not yet fully matured may reduce the efficiency of such audits.

[Figure 5: Average capacity dedicated to system development and exploitation]

All banks report that audits are primarily initiated by management and targeted at operational business processes. Operational audits are reported to include audits in the context of the annual financial statement and the DNB memorandum. Many respondents indicate that the size of their EDP-audit department limits the package of EDP-audit services offered; within the limited available capacity, the most important audit aspects and audit objects are given highest priority.

Characteristics of the EDP-audit department

Position within the organization

With one or two exceptions, the EDP-audit department resorts under the Internal Audit Department (IAD). Within all banks, the EDP-audit function is largely independent of the operational function.

Structure

The larger departments are divided into groups, mostly by functional specialisation (TA/ISA) and, occasionally, by geographic and/or market-oriented criteria.

Specialisation

The distinction between technical auditors and information-systems auditors is common; the proportion between TAs and ISAs corresponds to the proportion between their respective activities (see Figure 4). Figure 6 shows the proportion between TAs, ISAs and generalists for the total population of EDP auditors investigated. Besides occasional specialisations for data communication, cryptography and end-user computing, no exotic specialisations were reported. Evidently, most EDP auditors appear to be generalists within their main specialisation, TA or ISA.

[Figure 6: Total number of TAs, ISAs and generalists per category (large, medium)]




proportion between experienced and relatively less experienced EDP auditors. The experience of EDP auditors within an EDP-audit department is not tightly coupled to its age or growth rate; some long-existing, established EDP-audit departments employ relatively many inexperienced EDP auditors. The EDP auditor’s noted career opportunities for internal as well as external positions (e.g. IT departments, information management or audit) and the resulting mobility of personnel offer a plausible explanation for this. Figure 7 shows the relative experience of the total population of EDP auditors employed within the EDP-audit departments.

Education

With rare exceptions, EDP auditors have completed high-school or university, meeting the requirements of the postgraduate courses and the NOREA. Majors vary from psychology via electronics to accountancy. Figure 8 shows the education of the total population of EDP auditors employed within the EDP-audit departments.

Postgraduate education

The EDP-audit departments are primarily occupied by Register EDP auditors (REs), and, to a lesser extent, by Register Accountants (RAs). [The RA is the Dutch equivalent of the Certified Public Accountant (CPA).] In our enumeration, we have also included REs and RAs still following the postgraduate courses in EDP auditing and accountancy. Figure 9 shows the postdoctoral education of the total of EDP auditors employed within the EDP-audit departments. From these results, we may conclude that those in charge of the EDP-audit department's employment and education policy do recognize the RE as an acknowledged expert.

[Figure 8: Education for the total number of EDP-auditors employed within EDP-audit departments]

Exogenous factors

In this paragraph, the exogenous factors observed (see paragraph 2) are shown in relation to the size of the EDP-audit department; additional capacity is included. Some of the exogenous factors (a) could not be unambiguously defined within the scope of this survey; (b) were absent or unavailable, or were not discriminating, i.e. identical for all banks investigated. A brief explanation is in order.

a. The degree of decentralisation of information systems could not be satisfactorily measured. Also, the number of applications could not be determined due to the impossibility of a clear and uniform definition of the notion 'application'.

b. We have not succeeded in obtaining reliable, let alone comparable data on (i) the annual IT costs; (ii) the number of FTEs dedicated to [...]

[Figure 7: Experience for all EDP-audit departments]

[Figure 9: Postgraduate education of EDP-auditors per category]

[Figure 10: Number of FTEs of EDP auditors per 1000 FTEs, related to the total number of employees (large, medium)]

and DNB. With more than 4 EDP auditors for each 1000 employees, DNB holds an exceptional position. For the medium-sized banks (including SVB), the number of EDP auditors and the total number of employees is only half as great: 2 EDP auditors for each 1000 employees. The large commercial banks employ approximately 1 EDP auditor for each 1000 employees. According to a recent informal survey by KPMG, the financial sector employs 1 EDP auditor for each 1363 employees; in rough magnitude, this ratio matches the results of our survey.

The observed differences can possibly be explained by economies of scale. DNB is a relatively small organization without a network of branch offices. The large banks have many branches and employ tens of thousands of employees, which facilitates a high degree of standardisation of products, technology and procedures. Under the assumption that EDP audit is concerned with functions, technology and procedures rather than with individual employees, this may lead to a lower demand for EDP-audit capacity. Moreover, existing differences may be amplified by the nature of a bank's transactions. A medium-sized commercial bank typically processes fewer transactions than a large bank with many individual customers, but the average amount for each transaction will be higher, and so will the associated risk. This specifically applies to DNB, characterised by a high concentration of substantial fund transfers, with their attendant financial and image-related risks.

Number of system-development staff

This variable was defined as "the number of employees centrally involved in system development"; see Figure 11. Since the degree of decentralised system development and the use of external system development capacity was unknown, this ratio could only be roughly estimated. According to our estimate, it is highest for DNB: 1 EDP auditor for each 10 system developers. Medium-sized banks employ 1 EDP auditor for each 20 system developers, whereas, for the large banks, this ratio is 1:30. According to recent heuristics presented by Moret, Ernst & Young, the ratio varies from 1:10 to 1:50, depending on the number of system development staff. The KPMG survey mentioned above states a ratio of 1:25 for the financial sector, the magnitude of which again matches results of our survey.

[Figure 11: Number of EDP auditors per 1000 system developers, related to the number of system developers]

Number of exploitation staff

This variable was defined as "the number of employees centrally involved in operations, preparation, system programming and change management". The numbers underlying Figure 12 are highly dependent on the presence and size of a computing centre and the associated degree of outsourcing, [...] "forced shopping". This issue falls outside the scope of this survey; in this context, we refer to recent qualitative research by Paans et al. [Paan94].

[Figure 12: Number of EDP auditors per 1000 FTEs exploitation staff, related to the number of FTEs exploitation staff]

Size of the department

This variable is defined as "the number of EDP auditors in relation to the size of the IAD, including the EDP-audit department itself". Only additional capacity residing within the IAD is included. For all banks investigated, the size of the EDP-audit department varies between 10% and 30% of the size of the IAD. For the commercial banks (including the SVB), the average is 15%-20%. For DNB, it is approximately [...] (see Figure 13).

[Figure 13: Number of EDP auditors per employee IAD]

If the percentage of 15%-20% is compared to the number of central IT staff as a percentage of the total number of employees, it appears that central IT staff is audited more thoroughly than non-IT staff. If, on the other hand, the percentage of 15%-20% is compared to IT costs as a percentage of total costs, the picture changes. As stated, we have not succeeded in obtaining reliable and comparable data on IT costs; obtaining and comparing cost data is hampered by hidden costs, the ubiquitousness of IT in banking, and the diversity in accounting and valuation systems. However, recent data by Nolan, Norton & Co. suggest that IT-related costs in banking are between 15% and [...] of the [...]

If these data are valid, it follows that, relatively, the audit of automated data processing is assigned roughly the same amount of capacity as the audit of non-automated data processing. This would justify the conclusion that automated and non-automated data processing are audited equally intensively, at best.

Subsequently, one might ask whether this is desirable. Some authors recognize that automation leads to the formalisation of business processes, which facilitates a better and more efficient audit strategy and reduces the number of vulnerabilities [Park91]. However, we feel that the advantages of IT (higher processing speed, storage and communication capacity) also have their drawbacks, in that incidents may have a higher impact on the organization's financial position and image than incidents in a non-automated environment. Since automated processes are usually more efficient, but have higher risks than manual processes, organizations should spend a higher proportion of resources on securing and auditing them.

We conclude by noting that involving the EDP-audit department in system development (see Figure 5) creates more opportunities to automate financial and general audits, so that the capacity for these activities (in other words: the relative size of the financial and general audit departments within the IAD) may further decrease.

Development of the EDP-audit department

During the past decade, the total number of EDP auditors employed by the banks investigated has increased from some 50 to some 130 EDP auditors (see Figure 14). According to the respondents, factors that influenced the size of their EDP-audit department were:

• The demand for services, notably for advice, has increased.
• Autonomous: The EDP-audit department grows and shrinks with the organization.
• Mergers: When two banks merge, the size of the EDP-audit department grows immediately, but then shrinks due to "fusion synergy".
• New top management may bring a new vision of the EDP-audit function and the way it should be performed.
• External auditor/DNB: The size of the EDP-audit department is strongly influenced by recommendations issued by the external auditor and issued by DNB.

Unfortunately, the scope of this survey did not allow us to relate the growth shown in Figure 14 to the development of the total number of [...] EDP-departments can serve as a "breeding house" for other [...]

[Figure 14: Development of the total population of EDP auditors (legend: Large banks, Other)]

Conclusions

We have [...] a taxonomy [...] EDP-audit services and used it for [...] survey of nine EDP-audit departments. The highlights of this survey are:

• [...] situations [...] are highly specific and requirements [...]
• The [...] EDP-audit departments mostly perform formal audits; within the medium-sized banks, EDP-audit departments [...] participation.
• Most capacity is dedicated to preventive audits, conducted during system development.
• [...] are primarily [...] management.
• All EDP-audit departments investigated reside under the Internal Audit Department, reporting directly to top management and largely independent of the operational functions.
• [...] between 10% and 30% of the [...] Internal Audit [...] Within broad margins, this percentage corresponds [...] IT [...] between [...] and [...], which suggests that the audit of automated processes and the audit of non-automated processes are assigned equal amounts of audit capacity.
• During the past decade, the number of EDP auditors within banks [...] than [...]
• For De Nederlandsche Bank, medium-sized banks and large banks, the number of EDP auditors related to the total number of employees is respectively 1:150, 1:500 and 1:1000. Similar differences were found for the ratio of the number of EDP auditors and the number of system development and exploitation staff. Economies of scale provide a plausible explanation.


The future

mergers, reorganizations and a more pronounced market orientation. These developments will not only lead to the migration and interconnection of existing information systems, but will also lead to changes in the design and architecture of IT resources. The effective use of IT, characterised by exponential growth and rapid development, is a critical success factor. Its impact on EDP auditing is threefold:

1. The EDP-audit profession must develop into true IT auditing. The added value of EDP audits will be determined by the degree to which the EDP auditor connects to the principal's management's perception of key items, opportunities and threats. Further research into management's appreciation of the EDP-audit function is desirable.

2. It will become increasingly important for the EDP auditor to assume an anticipatory rather than a suppressive role, to keep his technological expertise up-to-date, and further to standardise his professional methods and techniques. The centralisation of EDP-audit services will be essential for a firm development and extension of the EDP auditor's added value; decentralisation within the IAD will narrow and blur the EDP-audit function in the context of the auditor's functions, introducing the risk that IT processes and their associated risks and management issues receive insufficient attention.

3. It will be essential to find and maintain a balance between formal audits and derived activities (advice and participation). The EDP auditor's impartiality can only be guaranteed if the formal audit remains the essence of his role. However, the added value of advice and participation can contribute to the EDP-audit function obtaining and maintaining a progressively firmer foothold within the organization.


Given current IT developments and the associated business opportunities, for banking in particular, the importance of the EDP-audit function will inevitably grow. The number of EDP auditors will further increase, especially relative to the total number of employees and to the size of the IAD. In The Netherlands, the current trendsetting influence of DNB supports this expectation.

Acknowledgments

The authors wish to express their gratitude to Prof. M.E. van Biene-Hershey (Vrije Universiteit/Moret Ernst & Young), to Prof. dr I.S. Herschberg (Delft University of Technology) and to the respondents of the cooperating banks.

References

[DNB88]: De Nederlandsche Bank: Memorandum omtrent de betrouwbaarheid en continuïteit van geautomatiseerde gegevensverwerking in het bankwezen, 20 September 1988

[Hers95]: Prof. dr I.S. Herschberg: [...] communication

[Hurf94]: Chris Hurford: Opportunity Makes Thief A Report On Computer Abuse from the Audit Commission, Computer Audit Update, Elsevier Science Ltd, ISSN 0960-2593

[Paan94]: Prof. dr ir R. Paans RE and M.H.E. Gianotten: Data Center Management: getting order out of chaos, Giarte Publishing, Amsterdam/Minneapolis, 1994

[Park91]: Donn B. Parker: 17 Information Security Myths Debunked, Proceedings ISSA Security



Edo Roos Lindgreen is a Ph.D. student at Delft University of Technology. His research interests are information security and network security.

Marcel Bongers is Managing Director of the Internal Audit Department at Kas-Associatie NV, Amsterdam, associate professor at Vrije Universiteit, Amsterdam, and a Member of the Board of the Dutch Order of EDP Auditors (NOREA).