I compare notes with internal audit (IA) colleagues in other companies from time to time, and whenever the topic turns to adapting the internal audit function to the digital era, I hear a consistent theme: “This is such a big challenge. Where do we even begin?”
The fear of getting started is understandable. Transformation is a significant challenge. There are a lot of moving parts, and they are all in motion at the same time. IA professionals who are used to predictability, precision and process are naturally going to be a bit unnerved by a change effort that can, at times, appear to be messy and even chaotic. The good news is that if you have the courage not just to get your feet wet but to dive in, you will discover that the water is fine.
IS and IT auditors, assurance professionals and assessors undertake audits, assurance work or assessments of IT processes (the assignment) and, in addition to the final objective, have common tasks to complete, e.g., planning and performing activities and reporting results.
The work entails evaluating processes owned by others. But who is looking at the work processes of the auditor, assurance professional or assessor? How capable are the work processes with regard to complying with different professional standards and meeting the assignment objective defined by the employer, executive manager, board of directors (BoD), client, sponsor or external reviewer?
I recently conducted an internal auditor training program for a major firm in India. One of the questions asked during the course of the training was regarding audit checklists. The participant wanted to know if an IS auditor really needed a checklist during the course of a systems audit. He also said that some auditors in the past sent him the checklist to obtain his responses, and some only asked the questions mentioned in the checklist. He felt that auditing was a bit boring as it was just about checking a few things, filling out a checklist and submitting a report. Here I had a participant who was not at all happy about the state of audit.
How does one assess the risk of a fast-moving technology landscape, and more importantly, the speed at which business strategy changes? It all boils down to the methodological approach of risk assessment to quantify how potential events can impact business objectives.
In order for the IT risk assessment process to be a successful driver for creating the audit plan, it is important to define the audit universe. The audit universe is, first and foremost, a living document that has to be updated on a periodic basis. It should capture all of the businesses, regions and functions that make up the organization. There has to be collaboration between key business stakeholders and internal audit to come up with this audit universe, but it should be primarily driven by the audit function. Once the audit universe has been created, it provides the means to perform the risk assessment, which is primarily an enterprise risk-level activity. Depending on your organization’s structure, this responsibility can be shared between the chief risk officer and the chief audit executive. This responsibility could also belong to the chief information security officer, who then works with the internal IT audit function to come up with a risk assessment process.
Do you have any artistic skills? Despite the fact that my mother was an extraordinary painter, I did not inherit her artistic genes. But I took the subject of visualization as a challenge, and the more I researched it, the more I came to the realization that it is not a gift or a gene. The skills required for most effectively displaying information are not intuitive and rely largely on principles that can be learned. Anyone can learn data visualization.
Data analytics alone is not all that is needed. While some may think of it as cosmetic, strong visualization can help convey messages more effectively. There is a big difference in acceptance and understanding when analytics results are delivered as visual dashboards rather than in spreadsheets. Additionally, there is just as much science supporting data visualization as there is behind analytics.