Re: Quis auditdiet ipsos Auditores?
Generally, auditors do not work alone, for reasons that should be obvious, but it seems are not.
Audit teams descend upon you partly because no single member should have access to data without someone else in the team of equal or greater authority signing off on that access. Usually, a senior (internal) auditor (which is what Andrew Skelton was) will be signing off on access to, and collection of, data by junior members of the team, and will be unlikely to be 'at the coal-face', as the senior auditor's actions will need to be signed off by the Head of Internal Audit, or some similar entity.
Now, if he instructs a junior member to grab a copy of the payroll database, he can't then sign off the access - that is an obvious deficient control. What happens is that an Audit Plan is made, in which taking a copy of the database is a part (but see later about normal practice), and it is signed off by the Head of Internal Audit (or possibly another, independent, Senior Internal Auditor). He should not be able to waltz in on his own authority and grab a copy of whatever he likes. 'Fishing' expeditions are possible, but everything accessed or taken needs to be recorded and counter-signed, with the log audited by someone else. Audit is all about following a process in painful detail.
External Auditors come and review Internal Audit's working practices every so often.
Obviously, once a copy of data is (legitimately) on Internal Audit's computer(s)*, you pretty much have to trust that it is not being misused - I would not be surprised to learn that in this case a Payroll Audit had just taken place, although I would understand normal practice would be not to take a copy of the payroll database, but to take a (sufficiently large to be representative) random sample of records to check for problems (for reasons that should be obvious).
Being an internal auditor should not give you 'the keys to the kingdom'. It should give you monitored and audited access to a representative sample of parts of the kingdom, precisely to prevent a disgruntled auditor causing great damage - which is what happened in this case.
I would expect one of the audit findings on the Payroll Audit would have been a deficiency in access controls, unless there was a Very Good Reason that the audit department needed a full copy of the database. Audits generally proceed on a representative sample of data.
Audit departments have to be 'squeaky clean' with regard to their own process controls, as they are the ones telling the rest of the company what best practice should be. It doesn't mean you avoid all risk - but deficiencies need to be recorded and agreed as allowable by the board of directors who have the legal responsibility for the proper running of the company. There is nowhere to hide.
Sorry if I've gone on a bit. My years in Internal Audit are coming back to haunt me and I'm getting flashbacks, even though I was never formally certified.
*Computers used for data analysis by internal audit would generally not have Internet access, and follow the rule that client data can be imported or destroyed, but never exported. The only data that comes off those machines are the results, with the exception of secure backups, which are retained so that the audit can be reviewed, either by a separate internal audit team or by the external auditors.