Have you ever audited a computer system’s migration plan when transferring it from on site to the cloud? Here are some recommendations to keep in mind based on lessons learned from migration practices:
- Clarify the work burden mitigation effort. Once cloud migration is complete, it is important to clarify what burden has been mitigated by moving from on site to the cloud; for example, automatic scalability. If the company’s computer infrastructure meets the requirements for an automatic scaling service, it can enjoy not only the service but also cost savings. An environment built from many individual physical servers and only a few virtual systems must explicitly address how the migration mitigates the operational burden of maintaining them.
- Verify there is no loss of security functions. A cloud vendor provides various security services; however, when transferring to a cloud environment, companies should examine whether any security services and conditions that were addressed on site have been lost or downgraded. For instance, if a company currently runs a lab-grade anti-virus sandboxing system, an AI-based filtering system or an industry-specific scoring system as a firewall, it should check whether that system can be transferred onto the cloud vendor’s service, as well as how it is priced.
- Find out the current application’s operating system and the infrastructure underneath it, and determine whether it is possible to migrate them directly to a cloud environment. If the target application the enterprise is seeking to shift runs on a specialized legacy OS that the cloud vendor does not support, the legacy OS may need to be migrated first.
- Finally, look at the risk mitigation procedure that will lead to the systems going live on the cloud. There are many existing layers, such as the internet connection layer, the OS infrastructure, middleware, application infrastructure, application server and application schema. A company cannot address them without upgrading them, and each layer requires its own upgrading activities and tests. It is therefore important to plan a step-by-step migration schedule; migrating everything at once is not always the best solution. In addition, when considering risk mitigation, the rollout and rollback procedures should be designed by the user. The most risk-sensitive party is the user, and the user should be responsible for mitigating hazards.
Every organization has data that is vital for its organizational growth. Typically, most organizations build security around infrastructure, network and applications. But with data leakage becoming more prevalent, organizations are now considering data to be their crown jewel.
Data can be classified as structured or unstructured. Structured data is mostly stored in a database, but usually more than 80 percent of data is unstructured.
Enterprises need to protect data from unauthorized access not only by external users but also by internal users, so virtually all organizations are building security controls around data-centric security. Data-centric security embeds controls into the data itself so that these controls stay attached to the data whether it is at rest, in motion or in use within an application. In data-centric security, the protection of the data is independent of the security of the infrastructure, be it the device, application, network or method of transport.
Data leaks not only have a negative impact on the reputation of the enterprise but also can lead to penalties/legal action from regulators. New regulations require the organization to build controls around the security and privacy of the data regardless of whether the data is intended to be used internally or intended to go outside the organization’s boundaries.
At its core, data-centric security can be considered in terms of the following categories:
- Data Classification – Data Classification is a process of identifying, labeling and classifying the information/data, preferably according to the sensitivity or criticality of the data. Most of the classification tools have elements of machine learning based on content and context. The classification of the data increases the effectiveness of DLP, CASB and EDRM tools.
- Data Leakage/Loss Prevention (DLP) – DLP is a system that performs real-time scanning of data at rest and in motion, evaluates that data against existing policy definitions, identifies policy violations and automatically enforces some type of pre-defined remediation actions such as alerting users and administrators, quarantining suspicious files, encrypting data or blocking traffic outright. DLP takes time to mature and requires participation from the entire organization, especially in setting the policy.
- Cloud Access Security Broker (CASB) – Since most enterprise data now resides in the cloud, be it private, public or hybrid, CASB helps in identifying, monitoring and controlling enterprise data in cloud infrastructure (including applications hosted in the cloud), and extends controls to the cloud applications. In data-centric security terms this is also often referred to as Cloud DLP.
- Digital/Information Rights Management (IRM, DRM, ERM, EDRM) – DRM enforces the rights of the data owner or custodian by embedding the security controls into the data itself. The controls remain active while the data is in use and while it is being moved. This gives the enterprise control over the data even after it has left the enterprise boundary. Some popular DRM controls are self-destruction of data and disallowing copy, paste or printing of a document.
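The relationship between the classification and DLP categories above, as an added example that is not part of the original post: a small Python scanner with content detectors (an email-address pattern, a Luhn-validated card-number pattern and a keyword for board notes), a label taken from the most sensitive hit, and a channel-by-label policy table that maps to the remediation actions the post lists (alert, encrypt, quarantine, block). The detectors, labels, channel names and sample texts are all constructed for illustration; a product’s own policy language will differ.

```python
import re
from enum import Enum

# Sensitivity labels in ascending order (constructed for this example).
class Label(str, Enum):
    PUBLIC = "public"
    INTERNAL = "internal"
    CONFIDENTIAL = "confidential"
    RESTRICTED = "restricted"

ORDER = [Label.PUBLIC, Label.INTERNAL, Label.CONFIDENTIAL, Label.RESTRICTED]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used so that arbitrary 13-19 digit runs (order numbers,
    tracking ids) are not flagged as payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# (name, pattern, validator on the matched text, label assigned on a hit)
DETECTORS = [
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
     lambda m: True, Label.INTERNAL),
    ("card_number", re.compile(r"\b(?:\d[ -]?){13,19}\b"),
     lambda m: luhn_ok(re.sub(r"[ -]", "", m)), Label.RESTRICTED),
    ("board_note", re.compile(r"\bBOARD NOTE\b", re.I),
     lambda m: True, Label.CONFIDENTIAL),
]

def classify(text: str):
    """Content-based classification: the document gets the most sensitive
    label among all validated detector hits (PUBLIC when nothing matches)."""
    label, hits = Label.PUBLIC, []
    for name, pattern, valid, lbl in DETECTORS:
        for m in pattern.finditer(text):
            if valid(m.group(0)):
                hits.append(name)
                if ORDER.index(lbl) > ORDER.index(label):
                    label = lbl
    return label, hits

# DLP policy: (channel, label) -> remediation action; anything unlisted is allowed.
POLICY = {
    ("external_email", Label.RESTRICTED): "block",
    ("external_email", Label.CONFIDENTIAL): "quarantine",
    ("external_email", Label.INTERNAL): "alert",
    ("internal_share", Label.RESTRICTED): "encrypt",
    ("internal_share", Label.CONFIDENTIAL): "alert",
}

def evaluate(channel: str, text: str) -> dict:
    """Scan one piece of content leaving via `channel` and return the label,
    the detectors that fired and the action the policy prescribes."""
    label, hits = classify(text)
    return {"label": label.value, "hits": hits,
            "action": POLICY.get((channel, label), "allow")}

if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known test PAN.
    samples = [
        ("external_email", "Card on file: 4111 1111 1111 1111"),
        ("external_email", "Please reach bob@example.com for the invoice"),
        ("external_email", "Order 1234567890123 shipped"),
        ("internal_share", "BOARD NOTE: Q3 results, do not distribute"),
    ]
    for channel, text in samples:
        print(channel, evaluate(channel, text))
```

The validator step is the part worth copying: the same regex that finds a real card number also matches the constructed order number, and only the Luhn check keeps the latter from being blocked. That false-positive tuning is why the post says DLP takes time to mature and needs the business involved in setting policy.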
Data-centric Security Scenario
Suppose one of the directors of the enterprise is on leave and has no access to corporate emails or applications. An urgent board note (confidential document) needs to be vetted by him. Now the director asks his office to send the message to his personal email for review. His office sends him the board note to his personal email.
How can the security of the document be ensured?
Can we assume that after reviewing the note, he has deleted the data from his device or email inbox? Can the enterprise be 100 percent sure that the data would not be misused in future? No!
But if we enforce DRM on the document, we can set the access period to the life of the document itself. We can even recall or revoke access to information that we have shared with anybody. DRM maps the policy so that the document is protected automatically whenever it is discovered, detected, downloaded or shared.
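The scenario above, as an added example (not the post’s own or any vendor’s code): a minimal IRM-style policy server in Python that keeps the per-document key and usage policy server-side, so the copy of the board note sitting in the director’s personal mailbox is only ever an opaque wrapper. Every open asks the server for the key, and the server refuses when the document has expired, has been revoked, or is being opened by anyone other than the named recipient. The cipher is a standard-library stand-in (SHA-256 keystream with HMAC-SHA256, encrypt-then-MAC) and is labelled as such in the code; document ids, recipients and timestamps are constructed.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, Set

# NOTE: this keystream + HMAC construction is a stand-in so the example runs
# on the standard library alone; a real IRM product uses a vetted AEAD
# (e.g. AES-GCM) from a crypto library. The point demonstrated is the policy
# gate, not the cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

@dataclass
class Policy:
    recipients: Set[str]
    expires_at: float      # epoch seconds; the "life of the document"

@dataclass
class ProtectedDoc:
    doc_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes             # HMAC over doc_id, nonce and ciphertext

class PolicyServer:
    """Holds keys, policies and the revocation list. The wrapper that travels
    (by personal email or otherwise) never contains the key."""
    def __init__(self):
        self._keys: Dict[str, bytes] = {}
        self._policies: Dict[str, Policy] = {}
        self._revoked: Set[str] = set()

    def protect(self, doc_id, plaintext: bytes, recipients, ttl_seconds, now=None):
        now = time.time() if now is None else now
        key, nonce = os.urandom(32), os.urandom(16)
        ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
        tag = hmac.new(key, doc_id.encode() + nonce + ct, hashlib.sha256).digest()
        self._keys[doc_id] = key
        self._policies[doc_id] = Policy(set(recipients), now + ttl_seconds)
        return ProtectedDoc(doc_id, nonce, ct, tag)

    def revoke(self, doc_id):
        """Recall: every later open of any copy is refused."""
        self._revoked.add(doc_id)

    def request_key(self, doc_id, principal, now=None):
        now = time.time() if now is None else now
        if doc_id not in self._policies:
            raise PermissionError("unknown")
        if doc_id in self._revoked:
            raise PermissionError("revoked")
        policy = self._policies[doc_id]
        if now > policy.expires_at:
            raise PermissionError("expired")
        if principal not in policy.recipients:
            raise PermissionError("not-authorized")
        # A real server would also log this request as the audit trail.
        return self._keys[doc_id]

def open_document(doc: ProtectedDoc, principal, server, now=None) -> bytes:
    key = server.request_key(doc.doc_id, principal, now)
    expected = hmac.new(key, doc.doc_id.encode() + doc.nonce + doc.ciphertext,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, doc.tag):
        raise ValueError("tampered")
    return _xor(doc.ciphertext, _keystream(key, doc.nonce, len(doc.ciphertext)))

def try_open(doc, principal, server, now=None):
    """Returns (status, plaintext-or-None) so the outcome can be inspected."""
    try:
        return "ok", open_document(doc, principal, server, now)
    except (PermissionError, ValueError) as e:
        return str(e), None

if __name__ == "__main__":
    srv = PolicyServer()   # constructed ids, recipient and times
    note = srv.protect("board-note-7", b"Q3 figures", ["director@example.com"], 3600, now=1000)
    print(try_open(note, "director@example.com", srv, now=1500))
    print(try_open(note, "assistant@example.com", srv, now=1500))
    print(try_open(note, "director@example.com", srv, now=5000))
    srv.revoke("board-note-7")
    print(try_open(note, "director@example.com", srv, now=1500))
```

Because the only thing a personal inbox retains is the wrapper, deleting it (or failing to) no longer decides the question the post asks: once the validity period has passed or the owner has revoked the document, the retained copy cannot be opened, and the server’s request log shows who tried.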
Emergence of Data Privacy and Protection Laws
The year 2018 was significant for privacy and data protection laws in the world, with new measures such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Bahrain also passed a new, comprehensive data protection law, making it the first Middle East country to adopt a comprehensive privacy law.
One of the most significant privacy law developments of 2019 is expected from India. India’s draft bill introduces specific rights for individuals as well as requirements that processing entities have to meet. For example, businesses will need to implement organizational and technical safeguards regarding the processing of personal data, including for cross-border data transfers. The law also calls for the establishment of a Data Protection Authority for overseeing data processing activities.
An individual would be hard-pressed to debate that behaviors and habits individuals exercise in their personal lives have no bearing or effects on their professional career. To that end, the ability to visualize, establish and pursue goals is a useful tool to realizing our personal desires, both personally and professionally. This blog post will provide some insight on basic, but useful, practices that individuals may adopt to help them start setting and achieving relevant goals, as well as explore common problems individuals run into with setting goals, with examples of how to overcome those problems and achieve what they desire.
As individuals, we typically find ourselves strictly focusing on the end result we’d like without really assessing the actions, outcomes, time and effort necessary to achieve the desired result. This leads us to having eyes bigger than our stomachs and is likely to result in failure to achieve our goals. Whether the goal involves obtaining a new security certification, a desired job promotion or paying the mortgage off early, these goals require adequate thought and planning on the challenges to be faced. As Abraham Lincoln is quoted as having said, “Give me six hours to chop down a tree, and I’ll spend the first four sharpening the axe.” Focusing on the journey and preparation necessary to achieve our goals and not the final destination puts us on a track to action and allows us to shed wasted energy on wishful thinking.
My own approach to setting personal and professional goals always uses the SMART method. Goals should be Specific, Measurable, Achievable, Relevant and Time bound. Most organizations adopt the SMART goal method for employee goal-setting, but they are useful for setting personal goals, as well. For example, a SMART personal goal related to achieving the CISA certification could be as follows (assuming a 30 June start date):
- Schedule the CISA exam for 1 October
- Finish reading the CISA exam preparation guide by 31 July
- Complete all CISA practice exam questions with a passing score of 85 percent by 31 August
Each element is specific to CISA exam preparation, is measurable with dates on each item included, is achievable (as three months of preparation are provided), is relevant to passing the certification exam and is time-bound because the first step of scheduling the exam is driving completion of the following steps. This example shows how achieving small steps can lead us to our larger desired end result. Obviously, there is no guarantee of a pass on the exam, but by setting necessary preparatory goals, there is an increased likelihood of success.
A useful tool for ensuring the continued pursuit of goals is a printed list, either written or typed and printed. The list should be hung somewhere where it serves as constant reminder to fulfill the actions written on it. The medium is not too important as long as the list stares you in the face every day and burns a hole in your brain to get it done! I personally aim to write down and achieve approximately 12 goals every quarter that fulfill a mix of professional and personal accomplishments. Some are easy, such as attend a volunteer event, and some are more difficult goals, such as finish my first Cybrary course.
Revisit your overall personal goals at least quarterly and set new goals on a non-stressful schedule. Make it fun and enjoyable, but ensure goals are meaningful to move you in the direction you desire. Slowly, you’ll start seeing the results and stronger habits will be formed to achieve loftier goals. By leveraging this mindset in my professional life, I have found that I start setting and achieving mini-goals at work when conducting audit engagements. I often use lists to drive my daily work activities and sometimes rework the daily list several times. I usually keep no more than six items on my list, then as I achieve 50 percent or more, I create a new list starting with what’s left over from the previous list.
Our goals will not achieve themselves. Getting what we want typically will require some patience, grit, experimentation and the desire to see things through to the bitter (or hopefully pleasant) end. We are the drivers of our destiny, so again, let’s focus on the journey, and soon enough we will arrive at our intended destination.
Have you thought about cost analysis in the era of cloud operation, combined with other emerging technologies? There is an orthodox way of considering cost analysis: Costs can be fixed, variable or some combination of the two. However, when it comes to analyzing IT costs, traditional cost analysis in the era of emerging technologies is inadequate.
The entire cost element must be taken into account, from where the cost arises to what the cost is consumed by. An enterprise not only has to consider emerging technologies, but also has to consider the current legacy system. An inevitable, necessary cost exists in the file services required to produce what an enterprise needs.
There are also the groupware functions supporting workplace and project activities, the firewall functions that block malicious access and protect data, and the update plans for each of them.
On the other side, a for-profit enterprise has to earn a profit. A company may have to restructure its home pages and adopt new systems, possibly built on newly emerging technologies such as RPA and AI.
The whole cost consists of three categories:
- The first category involves the fixed costs to maintain the current computer system. There are costs for the hardware and software, middleware, network facility and applications to communicate with employees and outside partners (using, for example, Office 365® and its automatic updating systems), and maintenance of a cloud subscription.
- The second category includes the inevitable costs to earn profit, such as restructuring a new site where customers access and select goods to purchase in order to gain an advantage against competitors. Here, a cost will vary depending on how much development and re-structuring is needed. A certain company may decide to invest huge amounts in RPA to reduce future cost. Another company may migrate the current on-premise environment to the cloud to pursue reduced costs. These are neither fixed costs nor variable costs, but the costs should be planned for in the budget. It is crucial to analyze the gap between the planned budget and costs consumed.
- The third category deals with contingency and risk response costs. I have seen many companies and projects budget for contingencies. For example, 10 percent of the fixed costs is often planned as a contingency cost or risk response cost. In a sense, this is a semi-fixed cost, not a true fixed cost.
I’ve reviewed many social media implementations across a large variety of companies and, among the many concerns from a security perspective, the most striking is the total lack of due diligence in their selection.
It’s a puzzle really. Why would any competent CIO approve an initiative set up on a cloud-based platform that does not really know who its users are, has no audit certification, is demonstrably insecure, and is subject to rampant fraud and impersonation? But that is exactly what is happening when marketing and digital media people launch sites on providers such as Facebook and Twitter.
We are quite used to cloud providers not letting us audit them directly, so our next port of call is to check their certification. Not only does no one do this standard check when setting up on social media, but in fact there isn’t any certification to review. Interestingly, if you look at associated cloud products such as Social Studio (Salesforce.com) and Workplace (Facebook), these corporate-focused systems do have certifications such as SOC 2 and ISO 27001. But this is not the case for any of the main social media sites such as Facebook, Twitter, Instagram or WhatsApp. This should be a warning sign that all is not well in the world of security on these systems. Regardless, the marketing team will insist on using them anyway.
Even a cursory look at known vulnerabilities would inform you that these sites have exploitable vulnerabilities; just check them out in any CVE security vulnerability database. Did anyone in your organization do this very simple and quick review?
It’s not as if there are no consequences; look at the recent Facebook photo API bug that exposed 6.8 million users’ images. A bug in the API granted developers access to Facebook users’ images even if those images had been uploaded but not published to the user’s timeline. Similarly, WhatsApp had a recent security issue when a buffer overflow vulnerability in the WhatsApp VoIP stack allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number. The upshot was that the attackers were able to infect your phone without you actually doing anything. If it weren’t social media, ask yourself, would you use these products?
There are countless other security concerns with social media: they are hoovering up your data (did your team check the privacy statements before they signed up?); some are completely open to their own employees exploiting your sites (remember the Donald Trump Twitter deletion by a Twitter employee?); and good luck enforcing your password policy on the site.
You can pretty much assume, therefore, that all the sites are insecure, your digital media team didn’t review or risk-assess any of them, and you have no idea who the people are interacting with you on the sites. The time for you to launch that audit is long overdue.
Editor’s note: Robert Findlay will be presenting on “Social Media and its Cyber Threats” at the GRC conference, to take place 12-14 August in Ft. Lauderdale, Florida, USA.
In the same manner that the adoption of ERP applications and the use of offshore labor arbitrage and outsourcing previously transformed the workplace, robotic process automation (RPA) and intelligent automation are demonstrating the potential to be the next megatrends to help organizations improve the efficiencies and performance of back-office operations. As many organizations are just beginning their journeys to implement RPA technologies, this presents an opportunity for internal audit groups to work with their stakeholders to ensure appropriate governance and controls are built into the design of their RPA programs.
There are several risks in establishing an RPA program that internal audit should assess before organizations look to begin deploying bots into production.
- First and foremost, ensure the organization has established guidelines for the development of RPA capabilities and clear ownership for the ongoing run and maintenance of activities associated with managing this technology.
- Secondly, tried and true IT general controls that internal audit assesses in just about every review should be designed into RPA operations. Access to bots, change management, data integrity and disaster recovery/business continuity – all are critical operational procedures that should be defined prior to utilizing any bots in production.
- Finally, internal audit can assist management with defining appropriate key performance indicators (KPIs) and benefits realization processes to monitor and measure the success of an RPA program.
As internal auditors, we should also evaluate the potential efficiencies that can be gained through adopting RPA capabilities ourselves.
- At a time where we find ourselves in an increasing struggle to attract and retain top talent, utilizing RPA capabilities to automate highly manual, repetitive tasks that require little judgment could help provide opportunities to free our staff to focus on more interesting activities, improving their engagement.
- Any audit testing that internal audit performs involving calculations, variance analysis, and reconciliations are prime candidates to be automated. Additionally, operational procedures that all internal audit departments perform, including the distribution of audit documentation requests and issue follow-up, can also be performed by RPA capabilities.
My department recently conducted a successful pilot where we automated the evidence gathering and testing of several SOX IT general controls. This is very straightforward testing that my team has been doing for years and, to be honest, no one really enjoys performing. We are now looking for additional ways we can leverage RPA to provide more real-time insights to our stakeholders and enable our team to focus on higher-value activities.
RPA is quickly moving from an emerging technology to an integral component of organizations’ operational capabilities. It is critical for internal audit to understand the associated risks that come with the adoption of RPA and provide assurance that their organization has designed effective controls as part of their RPA program. Additionally, internal audit should not ignore the value that can be gained by adopting RPA itself and the efficiency opportunities RPA can provide the department. As security and IT audit practitioners, we all have roles to play in ensuring our organizations deploy this new technology in a controlled manner.
Editor’s note: For more resources related to this topic, view ISACA’s new Audit Outlook video series.
“Victory awaits him who has everything in order – luck, people call it. Defeat is certain for him who has neglected to take necessary precautions in time. This is called bad luck.” –Roald Amundsen, The South Pole
The title and the quote above say it all – and fit the essence of the 2019 Global IT Audit Benchmarking Study, conducted by ISACA and Protiviti.
An executive summary of the 2019 IT Audit Benchmarking Study, which will be released in full later this year, found that the biggest challenges for IT auditors are:
Let us discuss in detail every challenge and the ways to get ahead of them:
IT security and privacy/cybersecurity
Cybersecurity is the chief risk for any organization that has a virtual presence. With the staggering numbers being quoted for Internet of Things (IoT) devices being connected together, and with more than 56 percent of the global populace – almost 4 billion users – connecting to the internet, the volume of cybercrimes and threats is going to accelerate at an unrelenting pace, posing formidable challenges for the IT audit community as well as business leadership.
Establishing a strong cybersecurity culture would help IT auditors in tackling this menace, although this alone may not suffice. Business needs to move with the advancements in technology to remain competitive. IT audit, as often pointed out by ISACA, needs to play an enabling role, meaning rendering its assurance functions in a manner that helps organizations to conduct their operations in a seamless and secure way, while also remaining compliant with various regulations.
To achieve this, IT auditors have to always be on top of new technologies, such as cloud, virtualization, big data analytics, AI and robotics, their associated threats, and evolving new threats, as well as being aware of how to remediate them in a timely and cost-effective way. In addition to having to perform these difficult tasks, they also need to be able to have strong communications skills so that leaders and business stakeholders are aware of the risk and, in turn, help the IT auditors to perform their task.
Data management and governance
Data management, sometimes referred to today as big data management, is synonymous with big innovation management, big opportunities management and, eventually, big money management. For an IT auditor it is a twin challenge: first, to assess how the organization uses big data for its decision-making, where it stores the data, and how it achieves the CIA triad; second, in the case of fraud detection, how to harness big data analytics or big data forensics to capture the audit trail and nab the culprit. Naturally this calls for skills in data science and analytics and, as these are evolving technologies, the skillsets are difficult to find in the market.
Emerging technology and infrastructure changes – transformation, innovation, disruption
“Technology is a vector,” wrote Kevin Kelly in his excellent book, What Technology Wants. Kelly stresses the point that technology will move ahead regardless of people supporting it. In other words, technological advancement is imminent, and people are not the driving factor. To quote business executive Mark Cuban, “Artificial Intelligence, deep learning, machine learning – whatever you are doing, if you don’t understand it, learn it. Because otherwise, you are going to be a dinosaur within three years.”
Because global enterprises are embracing big data analytics, AI, and cloud computing in a huge way, audit professionals need to be familiar with these technologies so that they can perform their assurance function effectively.
In view of the above discussions, it is very clear that the audit function is going to face challenges in finding the right mix of resources. We need experienced auditors who have an understanding of emerging technologies, with special emphasis on data science. Although artificial intelligence cannot replace the audit function, it has the potential to complement the audit discipline by performing routine activities and highlighting exceptions for the attention of the auditors to make an informed judgement. The new-age technology will help to raise the standard of auditing, provided auditors make the effort to acquire the latest technical knowledge and upskill themselves from an audit perspective.
This is necessitated by the digital transformation that enterprises around the world are pursuing. As a result, organizations increasingly resort to cloud and/or third-party service management, which leads to third-party or vendor risk. Auditors need to help businesses mitigate this risk and achieve their strategic objectives in a cost-effective fashion. Effective handling of cybersecurity risk requires auditors to be thoroughly updated on the latest threats and also to possess the counter-intelligence to prevent and contain cybercrimes.
IT audit exists to assist organizations in strategic technological management – that is, efficient and effective use of technology, combined with robust risk management. Technology is advancing at a rapid pace, thereby influencing and changing the way business is conducted. Business requires the help of IT audit to thrive and navigate through this stormy digital transformation period. Therefore, it is imperative for IT audit teams to equip themselves and stay relevant so that they can be of great value and play a key role in this fast-moving digital world.
Author’s note: The views expressed in this article are the author’s and do not represent that of the organization or of the professional bodies to which he is associated.
Building automation systems (BAS) have many characteristics that differ from traditional information processing systems, including different risks and priorities. Furthermore, these types of automation systems are subject to different performance and reliability requirements, and often employ operating systems, applications and configurations that may be considered unusual IT practices.
BAS frequently encompass any electrical component or device that is used to control a building by managing security, safety and utility services, such as physical access, HVAC, heating, alarms, and lighting, among other electrical and mechanical controllers that automate the buildings.
These services are crucial to any organization; therefore, BAS should be considered, managed, and protected as part of the critical infrastructure, whereby security is an essential factor in the ongoing care and maintenance of these systems. Security-critical services like these demand the underlying control system be reliable and robust against security threats.
In order to identify the appropriate security controls for the protection of these critical systems, it is necessary to know the current status of the building automation infrastructure. Consequently, a security assessment will help any organization to accomplish this task and boost its risk management strategy. A tailored security assessment for BAS will significantly improve situational awareness by providing highly valuable insights and identifying threats and vulnerabilities that are usually off the organizations' radar.
An initial tailored approach should, at a minimum, include the evaluation, analysis, and review of the following security control groups:
Security architecture. An effective assessment must review and evaluate the architectural design of the automation control environment. Network segmentation and segregation, boundary protection controls, remote access, and firewall rules effectiveness, among other critical security controls, should be considered.
Policies, plans, procedures and baselines. Policies and procedures must be well-defined and documented. BAS systems need to be appropriately configured to maintain optimal operation by following a security strategy in a security plan with a strong foundation on documented configuration baselines. This security plan must be aligned with the enterprise architecture and the information security policy framework.
Systems and services acquisition. An adequate security assessment should cover the contracting and acquiring of automation control system components, software, and services from third parties. Since organizations must include security requirements as part of the acquisition process to ensure that the products and services received fit into the enterprise security program, assessment findings will identify existing gaps in BAS implementations, especially those associated with contracting third-party services.
Disaster recovery. The business continuity strategy should be reviewed to evaluate the effectiveness of the continuity of operation plans. Any security assessment should consider that a solid plan addresses roles and responsibilities, assigned personnel and their contact information, and detailed activities associated with responding and restoring system operations after a disruption or failure.
Other control groups, such as account management, audit and accountability, configuration management, and maintenance, should be part of a more comprehensive assessment. Designing a security assessment that is too wide in scope involves the review and evaluation of a very large number of security controls. This approach will most likely overwhelm any team; more importantly, the resulting findings will not provide meaningful value to the different leadership levels of the organization.
Therefore, an effective strategy for designing and executing security assessments for BAS should be founded on a tailored plan of action that encompasses performance, availability, risk, operations, resources, systems communications, change management, components’ lifetimes, and location as key differentiators from traditional IT systems.
Editor’s note: Mario Navarro Palos will present further insights on this topic during his “Designing Security Assessments for Building Automation Systems” session at ISACA’s 2019 North America CACS conference, to take place 13-15 May in Anaheim, California, USA.
Back in 2008, I placed a talented senior IT auditor who was one of the first I had seen with excellent data analytics skills, an ACL certification, and a vision for how to apply data analytics to a broader suite of audits. Our Fortune 500 client seemed very keen to capitalize on his skills. However, in the end, our client couldn’t clearly articulate a vision for Audit’s use of data analytics. The senior IT auditor moved to another company where Internal Audit had fully embraced this. Today, he is a senior IT audit & data analytics manager for a Fortune 100 company.
I’ve seen this story unfold more than once over the years. The takeaway: even with great people evangelizing the power that data analytics can bring, data analytics has taken a long time to take root within Internal Audit. With the seeds long planted, the garden is finally burgeoning forth.
Now is the time to embrace data analytics, people! But this isn’t the data analytics of even five years ago. The real power play today is coming from Python, R, and SQL. These are the tools IT audit professionals need to embrace and learn to use. Alteryx is on the horizon but doesn’t seem to have made big inroads into Internal Audit yet.
In the course of doing the research for this piece, I spoke with more than a dozen Internal Audit data analytics leaders and senior practitioners, at companies ranging from a major airline to a behemoth in the search engine and innovation space, to get their views on where things stand now, and what proactive IT auditors can do to hang ten on the data wave.
The current Internal Audit data analytics landscape
You might be wondering how embedded data analytics are at this point. Good question. My research shows that, in terms of the percentage of audits that use data analytics, the range goes from 25-30 percent to 50 percent, with at least two very large companies looking to be at 100 percent by this year.
How to get into the game
Build skills. How do you do that? The consensus among the leaders I spoke with is that online courses are a fantastic way to start. Check out Coursera, Udacity and Datacamp. Take this first step and dip your toes into the water with their free course offerings on Python, SQL and more. Boot camps are another way to go if you have the time. Once you have some skills, take on a project at work – a small one that you can drive to an early win. Do you need some sort of analytics certification? The answer across the board was no. What you need is curiosity, fearlessness, some skills and a growing portfolio of projects to build a solid use case.
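As an added illustration of the kind of small first project described above (example code added here, not from the original article or from any of the practitioners quoted), here is a user access review analytic written with nothing but Python's standard library. It joins a constructed HR roster export against a constructed identity-store export and flags the account-management exceptions an IT auditor would typically test for: terminated employees whose accounts are still enabled, accounts with no owner in HR, and enabled accounts that have gone unused. The column names, the sample data and the 90-day dormancy threshold are all assumptions, not any vendor's export format.

```python
"""Constructed example: a small user-access-review analytic of the kind an
IT auditor might build as a first data-analytics project. All data is made
up; the column names are assumptions, not any vendor's export format."""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster export (assumed columns).
HR_ROSTER_CSV = """employee_id,name,status,termination_date
E100,Ana Ruiz,active,
E101,Ben Oduya,terminated,2019-01-15
E102,Chen Wei,active,
E103,Dana Kim,terminated,2019-03-02
"""

# Constructed identity-store export (assumed columns). svc_backup has no
# employee_id on purpose: it stands in for a service account.
ACCOUNTS_CSV = """username,employee_id,enabled,last_logon,privileged
aruiz,E100,true,2019-04-28,false
boduya,E101,true,2019-01-14,true
cwei,E102,true,2018-11-02,false
dkim,E103,false,2019-03-01,false
svc_backup,,true,2019-04-29,true
"""


def parse_csv(text):
    """Parse a CSV export into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(s):
    """Return a date for an ISO string, or None when the field is blank."""
    return date.fromisoformat(s) if s else None


def terminated_with_enabled_account(roster, accounts):
    """Control test: every terminated employee's account must be disabled.
    Returns usernames still enabled for an employee HR marks terminated."""
    terminated = {r["employee_id"] for r in roster if r["status"] == "terminated"}
    return sorted(a["username"] for a in accounts
                  if a["enabled"] == "true" and a["employee_id"] in terminated)


def orphaned_accounts(roster, accounts):
    """Accounts with no matching employee in HR (service or shared accounts).
    These are not failures by themselves, but each needs a recorded owner."""
    known = {r["employee_id"] for r in roster}
    return sorted(a["username"] for a in accounts if a["employee_id"] not in known)


def dormant_enabled_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts with no logon within max_idle_days of the review
    date. An account that has never logged on (blank last_logon) counts as
    dormant rather than crashing the comparison."""
    cutoff = as_of - timedelta(days=max_idle_days)
    findings = []
    for a in accounts:
        last = parse_date(a["last_logon"])
        if a["enabled"] == "true" and (last is None or last < cutoff):
            findings.append(a["username"])
    return sorted(findings)


def run_review(roster_csv=HR_ROSTER_CSV, accounts_csv=ACCOUNTS_CSV,
               as_of=date(2019, 4, 30)):
    """Run all three tests and return the exceptions per test."""
    roster = parse_csv(roster_csv)
    accounts = parse_csv(accounts_csv)
    return {
        "terminated_still_enabled": terminated_with_enabled_account(roster, accounts),
        "orphaned": orphaned_accounts(roster, accounts),
        "dormant": dormant_enabled_accounts(accounts, as_of),
    }


if __name__ == "__main__":
    for finding, users in run_review().items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```

The same three tests translate almost line for line into SQL joins against the two exports, which is why the two languages tend to be learned together. The value for an audit is in the join between independent sources, HR and the identity store: neither system alone can show that a leaver still has access.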
Other tools that are ancillary but useful to start getting your arms around: Power BI, Tableau, QlikView and Spotfire. What’s in the works: Robotic Process Automation, AI, Neural Nets.
Now’s the time to start reading up. Who makes the best data analysts for Internal Audit? IT audit professionals. Why? Because being an adept and successful IT auditor requires the ability to translate complex technical topics for non-techies. Business acumen and business process knowledge come with the territory, as does experience working directly with business customers. What problem are you trying to solve? What data do you think will help you find an answer? IT auditors know the audit process and the evidentiary requirements for solid audit findings and recommendations. They also know how to write for a variety of audiences, which every expert I spoke with identified as a critical skill.
Sure, data scientists know the tools inside and out, but they don’t have these other pieces, many of which are part of the intangible art of auditing.
Editor’s note: For more resources on what’s next in audit, visit ISACA’s future of IT audit page.
Enterprises are exploring opportunities driven by digital transformation, identifying technology-driven paths to deliver more value, more quickly, while also benefiting from new process efficiencies. IT auditors must do the same to ensure they remain valued partners to the organizations for which they work.
As enterprises increasingly harness technologies such as artificial intelligence and data analytics – and deploy methodologies such as Agile and DevOps – the IT audit teams of the future would be well-served to mirror this approach if they wish to thrive amid the business technology landscape of the future.
Traditional auditing methods need to be revisited to more directly align with how businesses are operating, so audit teams are living what they are auditing instead of operating in parallel universes from their business partners. If auditors are going to audit areas like DevOps or Agile, it stands to reason that they should have direct familiarity with those methodologies. Not only would that background allow auditors to deliver deeper, more meaningful audits by better understanding the practitioner view, but auditors also would realize many of the same business benefits that motivated their colleagues to adopt the methodologies in the first place. For example, one of the main benefits the business is realizing is faster development of key capabilities. Auditors could realize that same benefit of quicker development and release in areas that have long been challenges in the audit field, such as faster development of audit programs and reporting, and more comprehensive, automated audit testing procedures.
While IT auditors have a proud, longstanding tradition of making strong contributions to their organizations, auditors are seldom known for being on the leading edge of pursuing new technical capabilities or finding innovative approaches to performing their work. That will need to change, at least to some extent, if IT auditors are going to remain indispensable in a future in which automation, artificial intelligence and other emerging tech trends will dictate changing roles for auditors and, in some cases, potentially put auditors’ roles in jeopardy.
New ISACA research on the future of IT audit highlights several compelling data points that provide perspective on how auditors and their organizations need to prepare for the changing nature of the IT audit profession. Among the notable data points:
- Two-thirds of survey respondents (67 percent) observe difficulty recruiting auditors with the required technical skills
- Nearly half (47 percent) expect that IT auditors will be significantly more involved in major tech projects in the next 3-5 years
- An overwhelming majority (92 percent) express optimism when considering how technology will impact them professionally over the next five years
Organizations might not always be able to find auditors with the technical skills they seek immediately, which makes it even more important that they prioritize investing in education and skills-building as part of an ongoing strategy. That strategy needs to account not only for the conceptual, but also for the specific technologies and methodologies their audit teams need to understand. Given the rise of cybersecurity as a business imperative across all industries, auditors would be especially wise to deepen their cybersecurity audit knowledge so they can better assess data protection and the controls around key business processes. There is much work to do on the training front; the ISACA research shows that more respondents consider funding for training and professional development to be inadequate than consider it adequate. If organizations fail to remedy that in this evolving technology environment, their audit teams are likely to fall behind.
Traditionally, audit training has focused mostly on learning about emerging technology topics just prior to planning and performing an audit. While still important, this will not address the needs of the future. Like the IT business partners they assess, auditors should also develop skills such as coding and testing, and knowledge of areas such as AI and data analytics. These are the skills and capabilities audit teams will need to carry out their charter effectively in the future. If current auditors cannot acquire these new skills, audit teams will have to find people who have them. That could mean drawing on other talent pools, such as developers, co-sourcing or even complete outsourcing, which our research has also identified as trends.
Generally, respondents to the survey are right to be enthused about the future of IT audit. The coming years hold great promise for IT auditors, as an ever-expanding array of technology projects will benefit from auditors’ conscientiousness and unique ability to identify the process improvements and capability gaps that can make or break a project’s success. The more progressive audit teams, and the ones that will be best positioned to thrive in the future, are those that will proactively adopt the technologies and methodologies that their business partners are deploying, and those that commit to executing on a vision for continual training and education. Just as the digital transformation era is poised to enable organizations to better serve their customers and business partners, the same can hold true for the audit function.