The following descriptions highlight several matters involving I.T. Auditing Services for which Vestige was retained. Each of these cases is a real matter that we have worked, but for privacy and confidentiality purposes, any identifying information has been sanitized.
Publicly Listed Professional Services Firm
Our client, a public company subject to SEC regulation, had both a robust Internal Audit Department and its outside audit firm (one of the Big 4). While the Internal Audit Department had financial auditors on staff and a handful of individuals who dabbled in I.T. reviews, it became evident that the level of expertise needed for such a complex environment exceeded its internal resources. Over the years the organization has had to deal with a number of regulatory requirements, including Sarbanes-Oxley (SOX) compliance, HIPAA, PCI, and FINRA, to name a few. Vestige became involved as an extension of this organization’s Internal Audit Department, providing a wide range of I.T. audits and assessments for a number of the organization’s divisions and separate business entities. Reporting through the Internal Audit Department, we were able to closely coordinate our efforts with the financial auditors to provide the organization with an even better overall assessment of its risks. Beyond that, we gave our client confidence in moving forward with its external audits, knowing that issues were identified and addressed internally in ample time to remediate the controls and show that they had been in place and working over a period of time. It was even reported to us that the external auditor was able to rely upon much of our work product due to its completeness, accuracy and quality of findings, thereby saving our client the substantial fees of additional scrutiny and testing by the external audit firm.
Institute of Higher Education
Vestige has complemented the Internal Audit Department of a four-year college that caters to more than 30,000 students and has several campuses. The Internal Audit Department is on the smaller side (2-4 auditors) and has no one who specializes in I.T. Auditing. While it lacks this important function within its internal resources, one of its financial auditors has shown an interest. As a result, not only has Vestige partnered with the University to conduct the I.T. component of its audits, but we have also provided some ancillary services to assist with the training of this individual. For example, as part of our engagement we have created the audit programs for some of the areas of concentration, as determined by the organization’s risk assessment. Vestige initially conducted an audit of one of these areas, completed our documentation and also created add-on audit programs, custom-tailored to the University, and provided these along with training to the internal resource to conduct on their own. In this manner, the University is not only gaining Vestige’s expertise in identifying risks and conducting the I.T. audits, it is also gaining important knowledge and resources to build up its own internal expertise.
For more than 12 years, Vestige has provided outsourced I.T. Auditing to a large ($1B+ revenue) conglomerate. Throughout the years, this organization has maintained its own Internal Audit Department of 8-10 financial auditors. They had previously attempted to recruit, hire and retain I.T. Auditors, but were never successful at keeping these individuals long enough to gain any of the efficiencies and insight that someone gains by being in the environment for an extended period of time. Frustrated with this approach, the conglomerate originally sought out our services to augment the internal I.T. auditors’ experience, to act as a reviewer and to mentor the individuals on the I.T. Auditing side, since the balance of the Internal Audit Department was financially focused. Eventually it became evident that the organization was in a vicious cycle of recruiting, hiring, training and then losing these individuals, and it turned to Vestige as an outsourced solution providing full I.T. Auditing services as part of its Internal Audit Department and its 20+ individual portfolio companies.
Outside Accounting Firm
As a Public Accounting firm, our client provides external audit functions to thousands of clients. Like so many other regional and local accounting firms, our client has financial auditing expertise, but does not have internal resources with an I.T. Auditing focus. Since the introduction of the AICPA’s Statement of Audit Standards 94 (SAS.94) in May 2001, reliance upon auditing “around” the technology involved in a financial system is no longer acceptable, and auditing firms have had to develop, and rely upon, expertise in auditing the actual technology. As most auditors are financially focused, there is a dearth of expertise in the I.T. Auditing component. Vestige has complemented these firms’ needs by partnering with them to jointly provide comprehensive audits that focus on both the financial and the I.T. components. This has included routine financial audits, but has also included specialized I.T. audits such as SAS70s (deprecated) and SSAE16/SOC-type compliance reports.