Linda Kostic began her career in accounting performing many functions, including accounts receivable, accounts payable, cost accounting, payroll and financial reporting. She then switched careers somewhat, moving into auditing—first in financial and then information technology. One IT audit role expanded into information security and quality assurance functions. Later, Kostic became a full-time information security manager, overseeing both the analysis of new systems and administration of established corporate systems. Then, she switched back into IT auditing, building an IT audit program with her current employer, before moving into enterprise risk management, where she has been involved in development, enhancement and training initiatives.
She recently began focusing on risk management disciplines, taking various related courses and working toward a professional risk management certification.
Kostic is a firm believer in getting involved in professional organizations. She is on the board of the ISACA National Capital Area Chapter, which she believes was instrumental in building both her leadership skills and a network of professional contacts at the local and international level.
Outside of her career and association with various organizations, Kostic enjoys the outdoors, taking long bicycle trips and, in recent years, running 10-milers and half marathons, primarily to raise money for various charities.
Question
Regarding enterprise risk management, what do you believe is the single largest IT-related risk for businesses today? How do you see them meeting or not meeting this challenge?
Answer
A combined security and fraud risk is the single largest IT-related risk for businesses today. Corporate networks have far-reaching boundaries and often include remote employees as well as outsourced and contracted resources. This expanded environment touching every area of the business has led to system and network complexities, exposure to ever-changing external vulnerabilities (organized exploits), competing priorities, and resource constraints increasing the risk of internal fraud. Unlike other risks, the overall success of a security program is dependent on all employees, contractors and outsourced/third-party providers complying with security policies and procedures. The various security disciplines required to identify, analyze, assess, implement and monitor security risks and related programs can be costly, resulting in competition for corporate capital to implement cost-effective programs.
Overall, I see the financial services industry meeting these challenges through ongoing networking with professional organizations, peers and various government agencies. Security awareness programs along with ongoing compliance monitoring minimize the risk of internal security vulnerabilities.
Question
Could you describe the impact of the increasingly strict regulatory environment on the IT auditor?
Answer
The positive impact includes strict guidance on technology-associated requirements, which typically follow best practices. This provides a tool to convince management that these best practices should be implemented. From a negative perspective, the IT auditor must remain current on the regulatory requirements and may be required to interpret them for management. More than one regulatory agency may govern a particular industry, requiring the IT auditor to evaluate the various regulatory requirements and identify the most stringent to be applied across the enterprise. This often requires the auditor to maintain key sources of information to stay current.
Question
How do you think the role of the IT auditor/professional is changing? What would be your best piece of advice for IT auditors as they plan their career path and look at the future of IT auditing?
Answer
In the beginning, computer systems and networks were not complex, resulting in less training and understanding of technology concepts, and minimizing the audit preparation and execution time. Now, an IT auditor must have the skills to evaluate complex systems and networks, and identify potential compensating controls in areas outside of the scope of the audit. And, since technology merely automates the business processes, it is important for IT auditors to expand their background to include financial and business processes specific to their organization as well as potential external factors, in order to fully understand the risk exposure.
New auditors should be diverse and open to new disciplines, including managerial, financial and risk concepts, as part of their development goals. They need to be a partner with management to ensure that the most efficient and cost-effective recommendations addressing risks are reported. Last, as the business environment continues to change and resources become scarcer, IT auditors must be creative in the way they approach assignments and look for ways to add value back to the organization as part of and outside of scheduled audits.
Question
How do you believe utilizing social networking sites has helped you in your career and can help IT professionals in general?
Answer
Social networking sites provide a great forum for information sharing, especially in newer technologies or addressing general managerial challenges in today’s business environment. This provides me with ideas when implementing various risk management initiatives. It also serves as a think tank forum for developing and sharing best practices. The only caution I would offer is that the source should be trustworthy; therefore, I recommend using those provided through established organizations. And, the users should be cautious not to share information that could be deemed corporate confidential or against corporate policies to reveal.
Question
What has been your biggest workplace challenge and how did you face it?
Answer
My biggest workplace challenge has been working with difficult individuals, which also turned out to be a great learning opportunity. In this experience, it was not sufficient to reference best practices or regulatory requirements as part of an audit recommendation; I had to “sell” the benefits as well. This forced me to analyze the risks in greater detail and consider potential compensating controls (system and manual).
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2010 ISACA. All rights reserved.