Gone are the days of check list auditing (Tick and bash audit). To add value to business auditors need to go beyond check listing.
Be it an application control review (ACR), IT General Controls Review (ITGCR), A project review or an integrated audit, it is imperative for any auditor business or IT to understand the business environment (macro and micro), underlying business environment, business processes before narrowing down to the underlying software and hardware architecture.
Even IT auditors also need to have an adequate understanding of an organisation’s financials including IT budgets if they are to do value add and perform a risk based audit (RBA).
Auditors need to have a better understanding of the macro environment and micro environment in which the entity they are providing assurance or consulting service operates if they are to add any value. Even an IT security auditor needs to understand the underlying business environment to position issues arising appropriately and to ensure a RBA
Failure to understand the business environment will lead to identification of issues that do not add value to the entity under review and loss of relevance of an auditor.
A good understanding of the business will enable an auditor to raise issues that will add value and improve organisation operations. Auditors need to raise their profile beyond identifying controls that are not adequate and effective to articulating process and controls that add value to and improve revenue to the business under review.