By: Marilize van Schalkwyk, Information Systems Auditor: Internal Audit
I officially became a Certified Internal Auditor (CIA) during January 2020. The CIA is a globally recognized flagship designation by the Institute of Internal Auditors (IIA). The work of an internal auditor is guided by IIA standards. These standards are mandatory requirements and provide a framework for performing and promoting internal auditing.
Before I joined GIPF’s Internal Audit Department in January 2018, I worked as a developer, systems analyst, database administrator and project manager for over 27 years. The 27 years include working as a developer in the Information Systems Department of GIPF for 10 years. The projects I worked on, apart from those at the GIPF, include vehicle tracking; municipal infrastructure; document management solutions; and bridge, road, water and toll road management solutions.
The experiences I gained through the years, working at different companies and in different countries, have greatly added value to my newly established career as an IS Auditor in our Internal Audit Department.
Internal audit is an independent, objective assurance and consulting activity, designed to add value and to improve an organisation’s operations. As a CIA, I add value by assessing the internal controls, governance and risk processes. During an audit, I review the effectiveness and efficiency of the applicable controls and processes in place. Where needed, I indicate control weaknesses, and/or point to areas for improvement.
As members of the IIA, internal auditors are expected to apply and uphold the following principles from the IIA’s Code of Ethics: Integrity, Objectivity, Confidentiality and Competency. Adhering to these principles is essential to establishing trust and to providing the basis for reliance on our professional judgment.
As a Certified Information Systems Auditor (CISA), my focus is on the information systems (IS) environment. During an IS audit, the effectiveness and efficiency of controls relating to the objectives and scope, as identified in the audit plan, are tested. To clarify:
- Effectiveness means a control is working as intended, and it is fulfilling its purpose.
- Efficiency indicates how well the control is working, and how it relates output to input.
The purpose of controls within the IS environment is to protect the confidentiality, integrity and availability of data. These controls come in two main categories, namely general IT controls (GITC) and application controls.
General IT controls include controls over data centre physical security, backups and recovery, software development life cycle, change management, and logical access controls over infrastructure, applications and data.
The application controls include batch controls, input controls, processing controls, output controls and integrity controls.
The specific controls being tested during an IS audit or any normal audit activity are based on the audit objectives.
An important part of internal audit is proficiency and continuous development. For this, you need to obtain a certain number of continuing professional education credits (CPE) annually to maintain your certification. This can be achieved by attending formal training, watching webinars and by doing volunteer work. As a member of ISACA, I enjoy doing volunteer work to add to my annual CPEs. The volunteer work includes being a social media advocate, a SheLeadsTech ambassador, and providing input as a member of the ISACA Member Advantage Program Task Force. The aim of this task force is to support the development of new savings opportunities to be added to the Member Advantage portfolio. I was also part of the 2020 Software Development Study Guide SME Reviewers. This included reviewing the draft study guide for IT Associates Software Development Certificate for technical accuracy and depth of knowledge appropriate for those new to Software Development.
Advice that I would give to people is to continue learning. You are never too old to learn something new. It is never too late to start a new dream.