Interviewing as an Audit Tool in IT Audits

IT Audit Interviews
Author: Henry Bottjer, CISA, CRISC
Date Published: 1 July 2016

Conducting onsite interviews is a critical part of any IT audit and can lead to the gathering of information not readily apparent through reading documentation and examining physical evidence. A number of articles have been written on this topic, although they are primarily focused on financial audits.1, 2 This article outlines the steps for successfully interviewing IT staff about their processes and discusses the use of diagramming techniques to help document and facilitate these interviews.

Interviews of key personnel during the course of an IT audit are no less important than interviews conducted during financial and business audits. In fact, interviews and process walk-throughs during IT audits are necessary to gain a deep understanding of the actual procedures followed and to identify possible control weaknesses in these procedures that may not be evident in a review of documentation and evidence.

Preparation

Defining and narrowing the scope of the discussion are also important, as these steps will help structure the questions to be asked in the interview. In preparing for the interview, a review of the organization and process to be discussed is critical. An understanding of the documented procedures, and of the identified controls associated with the process and procedures, is necessary to be able to formulate questions and follow along with interviewees as they describe their job responsibilities. There may be occasions when existing controls are not well documented, if at all; it is in these cases that a process walk-through can be useful in identifying control points. If the area has been audited previously, a review of the report and possibly the related work papers can be helpful, but they should not influence the current audit, since they reflect a prior point in time.

The questions used in the interview can be formulated through a combination of reviewing procedural documentation, past experience in the area being audited and experience with similar audits of other audited entities. In general, it may be useful to have a general set of questions (topics) that outline what is to be covered during the interview. These questions and topics are based on the audit test objective, and the degree of detail depends on the level of the interviewee: the higher the level, the less detail is expected during the interview. Specific questions should not be provided prior to the interview, even if requested, because the auditee may then choose to simply provide written responses to the questions rather than go through the interview. Providing an outline of the topics to be covered, rather than specific questions, should give the auditee the information needed before the actual interview takes place. The questions asked must be open-ended, resulting in a conversation and eliciting a detailed response, not a simple "yes" or "no" answer.

The identification of staff to be interviewed is also important. Because newly hired staff are likely to know less about actual operations and may be involved with less-critical operations, they should be avoided where possible. Although it is harder to get time with experienced staff (because the organization has a greater need for them), they will know more about the actual operations performed. This is another reason why it is critical to be very clear about the scope of the interview when scheduling the meeting.

When preparing for interviews of staff related to change management, it is important not to assume everyone agrees on the definition being used. Will the discussion include controls around source code changes, migration of application changes through development environments, changes to infrastructure components or emergency changes? Often, these items will be managed by different staff and, in large organizations with many platforms, conducted differently depending on the platform in question.

The Interview

There are many opinions on where to conduct the actual interview. Some advocate having the interview conducted in the interviewee's workspace for reasons that include having possibly needed information nearby.3 However, to reduce distractions, it may be a good idea to conduct the interview away from the interviewee's work area, unless an actual demonstration, walk-through or screen capture is needed for inclusion in the work paper documentation. The information that needs to be on hand for a process-related walk-through during an interview is minimal. Using a conference room with a whiteboard may help when mapping out processes.

It is helpful to begin the interview with a review of the purpose and objective of the interview to ensure that there is agreement on the purpose and that the right people are present to accomplish the objective. In addition, confirmation of the agreed-upon time constraints specified when scheduling the interview is likely to assure all participants that their time will be used wisely. It is useful to communicate to the interviewee that notes will be taken and that there may be some follow-up items to complete after reviewing the notes taken during the interview. Taking a moment to talk about the auditor's background may be helpful in getting the conversation started.

Depending on the size of the audit staff, it may be a good idea to have another auditor attend the interview as an observer, but prior to the audit that individual should be requested to refrain from asking questions unless he/she feels something critical is being missed. The addition of an extra observer helps clarify questions when reviewing notes taken postinterview and establishing follow-up items. Lead auditors may consider attending interviews that will be conducted by more junior audit staff or by audit staff who may not be familiar with the entity being audited. The goal is not to outnumber the auditee through a show of force, but to ensure accuracy (in the case of having more than one auditor present) and to reduce any contention and the possibility of the interview getting off track (in the case of a junior auditor conducting the interview).

The next item is applicable to any type of interview, whether a job interview, a TV/radio interview conducted to gather information or any other speaking occasion. It is critical to listen to the full response to the questions asked, not cutting off the person responding or completing their response for them. Another important point is to avoid questioning the interviewee about their skills or abilities; such questions are likely to cause the interviewee to close up, and the interview will quickly end. Many IT auditors have an IT background, so the temptation is great to question others about their skills or prowess. This temptation should be resisted, but the interviewer should feel free to ask about areas where controls may be weak or missing. This is where the auditor's expertise should come into play, and it will not be seen as an insult. During the discussion, topics may arise that are interesting to talk about but not in line with the objective of the meeting or the audit overall. It is important not to get sidetracked into such discussions.

Those with an IT background may be familiar with many diagramming techniques. If, during the interview, auditors feel they have established rapport with the interviewee, diagramming specific processes can be an incredibly effective tool for identifying control weaknesses and establishing where actual procedures do not match those provided in written documents. Depending on what is being reviewed, there are many diagramming techniques available. This does not have to be very formal; it can function as a way to help map processes and identify control points. The Basics of Process Mapping provides descriptions of some very useful diagramming methods, including relationship maps, cross-functional process maps (swim-lane diagrams) and flowcharts.4 Another good resource is Workflow Modeling: Tools for Process Improvement and Application Development.5 The older, out-of-print book Diagramming Techniques for Analysts and Programmers is also a useful resource for diagramming.6

Regardless of the type of diagram used, the auditor has a variety of tools with which to create these diagrams. Microsoft Visio is an excellent tool; however, some work paper systems may not allow the attachment of Visio files. MS Word (2007 and later) has a feature called "smart art," which provides some process-related diagrams. MS PowerPoint can also be used. That said, do not use these tools during the interview; too much time may be spent trying to use the tool rather than focusing on the process being discussed. Paper and pen or the aforementioned whiteboard is generally sufficient.

During the interview, auditors should be aware that while they are closely watching the interviewees' reactions, the interviewees will be watching the auditors as well. Physical posture, facial expressions and hand gestures will be observed. In fact, in one case an auditor was conducting an interview and taking notes, and one of the people being interviewed remarked, with concern, that the auditor was reaching for the red pen. This was in response to the auditor's habit of taking notes in red ink to flag items for later follow-up, but it was clearly misinterpreted by the interviewee. After that, the auditor made sure to use only one pen for note taking, replacing the red pen with an asterisk in the margin.

Closing the Interview

At the end of the interview, it is helpful for the auditor to review the items covered and highlight any areas of potential concern. The auditor should take care not to worry the interviewee by stating that there are major breakdowns or issues; instead, the message should be that certain areas will require additional follow-up or that there appear to be possible control gaps. If the items discussed require physical evidence/documentation (e.g., change tickets, project documentation), the auditor should review that evidence and clarify the process used to obtain all audit evidence. The interview should end with a statement thanking the interviewee for his/her time.

Post-Interview

After the interview, the auditor must closely review any notes taken during the interview and construct a list of follow-up questions and physical evidence that may be needed. If the interview was conducted with another member of the audit team, the two auditors should review and compare notes together to ensure a common understanding of the discussion.

Using Diagrams

In process-oriented interviews, the use of a diagram can enhance the conversation by helping to clarify control points and ensure mutual understanding. Simple processes can benefit from the use of a flowchart. The intent is not to create a detailed model of the entire process but to break the process down into small pieces and focus on areas identified as possibly lacking controls, as determined during a review of the documentation or during the discussion.

For example, in a review of the change management process, the documentation mentions the use of a source code management system; however, it does not go into much detail. The system documentation that came with the product could be reviewed, and this would be a good time to diagram the process. The simplified diagram (figure 1) shows a Visio diagram of a mock process in which multiple people can check out the same source code, resulting in two versions of the source code that could be considered current: v3.2.3 and v3.3.1. The installation of the source code tool was performed by the organization's technical support group. Knowing only that the tool works in the computing environment, the group installed the tool using the default settings. The development team did not specify or change the settings to include a control that would prevent the simultaneous checkout of code, which results in multiple code streams. This may be the desired effect, or it may result in rework needed later to merge the streams. By diagramming the process interactively with the auditee during the interview (on a whiteboard or blank sheet of paper), the possible control weakness can be easily identified.
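The follow-up to the diagram above is usually an evidence request: a checkout/check-in history from the tool, which the auditor can test for the exact condition the diagram exposed. The script below is an added example, not part of the article and not taken from any particular source code management product; the log format, field order and the sample records are constructed for illustration. It pairs each checkout with the developer's later check-in of the same file, then flags any two developers whose checkouts of the same file overlapped in time, which is what produced the two "current" versions v3.2.3 and v3.3.1 in the example. Sequential checkouts and a checkout that is still open are handled so that only true overlaps are reported.

```python
# Added example (not from the article): an audit test over a constructed
# checkout/check-in log from a hypothetical source code management tool.
# It flags every case in which two developers had the same file checked
# out at the same time, the condition that yields multiple code streams.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample log. The CSV layout (timestamp, user, path, version,
# action) is an assumption for this example; a real export will differ.
SAMPLE_LOG = """\
2016-05-02T09:10,alice,src/main.c,v3.2.2,checkout
2016-05-02T10:40,bob,src/main.c,v3.2.2,checkout
2016-05-02T16:05,alice,src/main.c,v3.2.3,checkin
2016-05-03T11:30,bob,src/main.c,v3.3.1,checkin
2016-05-03T12:00,carol,src/util.c,v1.0.4,checkout
2016-05-03T13:00,carol,src/util.c,v1.0.5,checkin
2016-05-03T13:30,dave,src/util.c,v1.0.5,checkout
"""


@dataclass
class Checkout:
    user: str
    path: str
    base_version: str                       # version the developer started from
    out: datetime
    checkin: Optional[datetime] = None      # None: file is still checked out
    result_version: Optional[str] = None    # version produced at check-in


def parse_log(text: str) -> list:
    """Pair each checkout with the same user's next check-in of that path."""
    pending = {}      # (user, path) -> Checkout not yet checked in
    records = []
    for line in text.strip().splitlines():
        ts, user, path, version, action = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M")
        key = (user, path)
        if action == "checkout":
            pending[key] = Checkout(user, path, version, when)
        elif action == "checkin":
            rec = pending.pop(key)
            rec.checkin = when
            rec.result_version = version
            records.append(rec)
    records.extend(pending.values())   # files still checked out at log end
    return records


def overlapping_checkouts(records) -> list:
    """Return (path, user_a, user_b, version_a, version_b) for every pair of
    different users whose checkouts of the same file overlapped in time."""
    by_path = defaultdict(list)
    for rec in records:
        by_path[rec.path].append(rec)
    findings = []
    for path, recs in by_path.items():
        recs.sort(key=lambda r: r.out)
        for i, a in enumerate(recs):
            a_end = a.checkin or datetime.max     # an open checkout never ends
            for b in recs[i + 1:]:
                if b.user != a.user and b.out < a_end:
                    findings.append((path, a.user, b.user,
                                     a.result_version, b.result_version))
    return findings


def exclusive_checkout_enforced(log_text: str) -> bool:
    """True when the log shows no overlapping checkouts, i.e. the evidence is
    consistent with an exclusive-checkout control being in place."""
    return not overlapping_checkouts(parse_log(log_text))


if __name__ == "__main__":
    for finding in overlapping_checkouts(parse_log(SAMPLE_LOG)):
        print("overlap:", finding)
    print("control enforced:", exclusive_checkout_enforced(SAMPLE_LOG))
```

Run against the sample, the test reports one overlap on src/main.c (alice and bob, yielding v3.2.3 and v3.3.1) and none on src/util.c, where the second checkout began only after the first was checked in. A clean result over a full period is evidence for the control; a single finding is enough to confirm the gap the diagram suggested and to justify asking whether the tool's exclusive-checkout setting was ever enabled.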

The previous example demonstrated the use of a simplified flowchart to help guide the conversation and map out a picture of the code management process. More complex processes involving more individuals or teams will benefit from a swim-lane diagram. A swim-lane diagram provides a high-level view of the process and identifies the people or groups associated with it. Figure 2 shows a swim-lane diagram of the application change management process. This is a greatly simplified flow of the change management process; however, unlike the flowchart, the swim-lane diagram shows the various groups involved and how they interact. Each box on the swim-lane diagram can be further expanded using a flowchart.

The creation of a swim-lane diagram should be done after the procedural documentation has been read and the necessary interview(s) have been conducted. It is a more complex diagram than a simple flowchart, and creating one during the interview could take valuable time away from the interview itself. In fact, while the audit is being conducted, any diagrams created are best done on a whiteboard or blank sheet of paper, and the use of tools should be left for later. Once created, the diagram can be reviewed with the auditee for accuracy and offered to the auditee to use in his/her department's documentation. Providing the diagram to the auditee may help demonstrate that the goal of the audit is to be a partner rather than an adversary.

Conclusion

Many times, an interview can help auditors identify possible control breakdowns in an IT environment or people performing their job in a way that does not follow the documented procedures. While some things identified in an interview are easily countered (e.g., "No, I misspoke. We do it this way."), this may lead the auditor to request evidence to support some of the things mentioned in the interview. While there is little formal training offered on this skill, it is definitely a skill worth learning. Learning how to develop and ask questions, establish rapport and obtain information can only really be learned with practice. Confidence is built over time, and it can lead to more effective interviews. Using diagramming tools, such as flowcharts, can greatly improve the quality of the conversation and the understanding of key process flows and controls.

Endnotes

1 Leincke, L.; J. Ostrosky; M. Rexroad; J. Baker; S. Beckman; "Interviewing as an Auditing Tool," The CPA Journal, February 2005
2 Seipp, E.; D. Lindberg; "A Guide to Effective Audit Interviews," The CPA Journal, April 2012
3 Ibid.
4 Damelio, R.; The Basics of Process Mapping, 2nd Edition, Productivity Press, USA, 2011
5 Sharp, A.; P. McDermott; Workflow Modeling: Tools for Process Improvement and Application Development, 2nd Edition, Artech House, USA, 2009
6 Martin, J.; K. McClure; Diagramming Techniques for Analysts and Programmers, Prentice Hall, USA, 1985

Henry Bottjer, CISA, CRISC
Is an IT audit and risk control consultant who specializes in IT general controls, application audits, and pre- and post-implementation reviews. Bottjer has worked in this field for 15 years, predominantly in the financial services industry. Before working in IT audit and controls, he had 15 years of experience in IT program and project management, network management and other IT functions in support of business needs.