Aaron Kerr


Innovations in IT Audit: Micro-Audits Versus Traditional IT Audits

Depending on the organization, micro-audits can increase flexibility, save valuable time and streamline the reporting process. Clearview Group partners with clients to evaluate their environment and provide real solutions to assist the IT department in strengthening controls through successful audits.

In today’s rapidly evolving IT environment, every organization needs to balance its users’ technology needs (speed, ease of use and convenience) against the critical need to keep information safe and secure from a variety of sophisticated threats and potential liability. Clearview Group, a consulting firm based in Baltimore, helps those organizations identify opportunities for improvement in their IT processes and controls through comprehensive audits and assessments. As part of this service, Clearview Group can help clients determine whether micro-audits will best suit their needs. Unlike traditional, full-scope IT audits, micro-audits are narrowly focused on specific risk areas, which means they can potentially lead to more efficient and relevant results, shorter turnaround, and more successful reporting.

Pre-Audit Readiness and Risk Assessment

An IT audit engagement typically starts with a risk assessment and the formulation of an audit plan delineating the scope and objectives of the audit. Clearview Group has extensive knowledge of the regulatory frameworks, best practices and required controls clients have to consider based on their size and position in the market. This includes determining whether certain risk areas would benefit from a micro-audit as opposed to a traditional audit.

“While you’ve always had to be nimble with assessing risk, one thing that has become very apparent in the last few years is the paramount importance of agility,” said Aaron Kerr, Clearview Group’s Director of Advisory Services. “You often hear that word when it comes to software development and processes, but it really applies to IT audits as well. Companies don’t want to be too beholden to an annualized audit plan or traditional segmentation of auditable areas — you need to be able to adapt if something changes in the industry or within the company. You need to have that flexibility in the plan to address those risks even if it wasn’t a high risk at the start of the year. The good news is that if you have solid risk assessment processes within your IT department, it isn’t too hard to make them flexible, as long as they aren’t huge, multi-month projects. There are projects that you can take on over a couple of weeks, which makes it easier to adapt prior to the audit.”

Clearview Group helps clients identify and remediate risks so they’re ready to tackle their next audit without wasting time or resources. For example, if the city of Baltimore has had multiple ransomware attacks, Kerr says clients in that area may ask how susceptible they are to similar attacks. With a micro-audit, small- or medium-sized businesses can answer that question quickly by just assessing that particular threat vector as a risk scenario.

The Difference Between a Micro Audit and Traditional IT Audit Projects

Following the risk assessment, auditors collect and analyze audit evidence and form opinions pertaining to internal controls as well as reliability of the information provided by management. As opposed to the traditional IT audit process, which can take multiple weeks or months, micro-audits can be as short as 80 hours, Kerr says. This is because, while organizations will always have a universe of potential auditable areas, micro-audits break traditionally complex items down into a sum of their parts.

“For example, with the topic of networking, the two primary areas could be security and operations, but under those there will be additional risk scenarios,” said Kerr. “A micro-audit is about carving up that universe into areas you can get done in 80 to 100 hours for a small or medium-sized business. There is a way to add value in a short amount of time if the scope is correct. This forces you to think more about specific risk scenarios underneath larger, traditional auditable areas and structure the programming and frequency around those sub-areas.”

Kerr points to one client he had a few weeks ago who was looking for a consulting partner. “It is a pretty sizable organization, and they’ve always structured audits as multi-month processes,” he said. “Now, they prefer to divide their audits, in this case networking, into separate micro-audits — one on security, one on administration and one on operations. This means each IT audit can be separately risk assessed for priority and take only six weeks instead of six months, and clients aren’t fishing around looking for implausible risk areas trying to tie it to prior interpretations of the area. These micro-audits really benefit smaller organizations, because they typically have more flexibility in terms of execution.”

Additionally, with today’s virtual tools, Kerr says the ability to successfully implement a micro-audit has never been easier. “There can be a lot of overlap when it comes to evaluating certain areas — in the past, there were specific point solutions and vendors, but now with today’s more integrated platforms like AWS and Microsoft 365, there are services that you can pay for just by clicking a button,” he said. “With micro-audits, you can be very targeted in identifying risks quickly. The virtual environment has been a big catalyst for us in terms of how we evaluate certain areas. We do our research beforehand so we can be streamlined, point to a specific screen, evaluate a specific risk area and bring results.”

Micro-Audit Results Compared to Traditional Audit Reports

Once the audit is complete and it is time to formally report on the findings, Kerr says he’s always tried to fight against the robust audit report, and micro-audits are a perfect solution.

“Traditionally, long audit findings often require an interpreter to cover everything, which can change the way the message resonates with an audit committee and board,” said Kerr. “But with micro-audits, you can reduce that report to a page or two, boil it down to the elevator pitch with graphics or visuals. Why not make the report a little less text heavy, so it is not so cumbersome? That way you will have a more captive audience and can be very present in describing potential risk scenarios and where they stand in response. There may be an issue, but is it really a big risk? With a micro-audit, you can target a specific subject that is top of mind: here is what we found, the risks involved and where clients need to take immediate action.”

While there are certain high-risk IT areas that are going to be looked at each year, Kerr says Clearview Group understands that certain areas like cybersecurity can only be mitigated so far and will adapt audit reporting to reflect that.

“Do you perform the same audit every year, or do you have the flexibility to audit specific aspects of cybersecurity depending on changes in organizations, new markets, industry trends and recent events? We’ve been carving that up into smaller pieces for years now and finding out what makes sense when working through an annual plan every quarter,” Kerr said. “Whatever we look at, there is a reason. We don’t want to have to explain why we looked at this but not that. Many organizations we work with may ask how susceptible they are to malware, for example, and there are a number of ways we can tackle that question in an audit. You can come up with a plan to specifically address that question without reporting on every risk area related to cybersecurity.”

Kerr added that this streamlined reporting allows organizations to report on risks in a more timely manner. “You should be able to get an answer in a few weeks, as opposed to by the end of the audit year,” he said. “Clients don’t want to tie themselves to an approach that used to make sense, but is now taking too long to get answers for the audit committee or board. These risks come to fruition so fast, so it doesn’t make sense to wait.”

Overall, Kerr says Clearview Group acts as a true partner with its clients and understands that there isn’t a specific definition of what an IT micro-audit has to be. “It is about targeting risk scenarios, building an audit plan with a quicker time frame from scoping to result,” he said. “That is really the key — finding a way to adapt is essential in order to keep up with the fluidity of technology.”

For more information, contact Clearview Group’s Director of Advisory Services, Aaron Kerr at akerr@www.piitasdrums.com or visit: http://www.piitasdrums.com/