Other Blogs
There are no items in this list.
Knowledge & Insights > ISACA Now > Categories
What I Wish I Knew When I Started in IT Audit

Mais BarouqaWho among us does not sometimes reflect on our journey and certain days that remain nailed to our memory, either because they were too tough to forget or too good to be true? We experience those flashbacks in certain situations, wishing that they were either handled differently, or wishing we knew something extra at the time to have had an edge. Today, I am going through one of those times, where I want to share what I wish I knew about IT audit before I became an IT auditor.

Before I get into detail about my wishes, I have to throw out a disclaimer. I am not against making mistakes. On the contrary, I am a strong believer that mistakes are crucial for the molding process of anyone’s skills and career. The lessons learned from mistakes are valuable. However, do we all agree that sometimes life can be a bit easier if we had those cheat sheets to avoid those mistakes in the first place?

To share my wishes, I have to share a bit of my story, as each wish comes with a very interesting background. To start with, let’s go back six years ago, when I was still a university student trying to figure out what I wanted, while being anxious about where I would end up. At that time, I had to go out and try several companies, hop into different positions, and try to figure out where I fit (while feeling that I might not fit into anything!). By luck, I applied to an IT auditor position at a consulting and accounting firm. At that time, I wished I actually knew about the existence of the IT audit field throughout my university studies, during which I could have directed my efforts into examining this field further and attempting to get into it earlier.

As I moved forward with my IT audit career, I was faced with daily challenges – some were basic and easily handled, but others felt impossible to overcome. Many times, I wished I had a magic wand that I could wave to solve my problems, whether that problem was due to a lack of knowledge in a certain area or an inability to understand a complex environment. Little did I know that this magical wand actually existed in the form of people. So, for my second wish, I wish I knew how important it is to have a proper professional network. You see, networking is not only limited to social and personal talks – its value can expand into a pool of skills and problem-solving techniques that can help you in any situations through brainstorming and sharing experiences.

When you hear the term “IT audit,” your first instinct might be that the field is all about technology. Well, that’s what I had in mind, too. I had this assumption that I would only be involved in technical matters. However, as an IT auditor, we are required to examine the systems and infrastructure, but our involvement does not stop there. As technology is playing a crucial part of business success these days, IT audit is required to get involved in examining the impact of technology on business processes, where a major linkage between business risk and technology risk is becoming stronger. Back in my early days as an IT auditor, I wish I had better literacy on business processes and other business areas that can assist in my IT audit work and deliverables.

Let’s step aside for a bit from the technicalities of IT audit, and talk about a time when I wish I had known the benefits of having a mentor to help take your career to the next level. There are occasions that require an “oracle” of some sort who you can reach out to – this oracle is called a mentor. A mentor is someone you can shadow and someone you can learn from on topics such as communication, negotiation and other skills that cannot be found in books. This person is someone who has been in your shoes and walked the same path you are going through, and who can help you out in avoiding certain pitfalls. Therefore, for me, back in my early IT audit years, I wish I knew how important it is to have a mentor.

By now, if you did not already relate to any of my wishes above, you might have started to focus on your own, so I will be leaving you with my last wish. Throughout my career, I came across several colleagues and made new friends. Each one brought a different experience, and with each experience, I learned a lesson. Accordingly, for my final wish, I wish that I knew when to let go of bad experiences at an early stage and cling to the good ones for a bit longer.

Editor’s note: For more career insights for newcomers to the IT audit, governance, risk and security fields, visit ISACA’s Young Professionals page.

Senior IT Audit Leaders Discuss Cybersecurity, Data Analytics

Paul PhillipsSenior IT audit leaders met to discuss a wide variety of topics, including audit analytics, IT audit’s role in cybersecurity and incident management, and agile/DevOps shops, at the recent IT Audit Leaders Summit in Geneva, Switzerland, as part of EuroCACS/CSX 2019. Participants shared opinions and best practices, and strategized on the path forward with new technologies and business practices.

The Summit kicked off with a session on Audit Analytics in a World of Change. Moderator Dietmar Hinkel noted the benefits of using analytics in audit, including:

  • More transactions are reviewed/monitored in less time
  • Added assurance is taken from the work performed
  • Fraudulent transactions are identified more quickly

In turn, this:

  • Creates value
  • Increases insights
  • Reduces costs
  • Mitigates risk
  • Enhances efficiency and effectiveness

Regardless if the data came from sampling or from automation, Hinkel noted that at the core, the auditor is looking at data and synthesizing it. And, this synthesis of data is where the auditor really adds value.

Ira Winkler presented a session on “Advanced Persistent Security” with much discussion on what exactly constitutes a “sophisticated attack.” Winkler said that attackers are successful not because they are advanced or sophisticated, but because they are adaptive and persistent.

In preparing to combat the adaptive and persistent attackers, Winkler noted that IT audit has a role to play – specifically, to “stop cyber hygiene failings” and mitigate security failures.

Following up on Winkler’s session, Andrew Neal led a discussion on IT audit’s role in cyberattack investigations. Neal noted that often urgency tends to override risk management in the face of a cyberattack. Neal suggested taking a philosophical approach in incident planning through understanding an enterprise’s risk tolerance, its culture, and what its goals should be at the end of an incident (e.g., internal communications, timing to resolve an incident, etc.). Enterprises can then apply various scenarios within the backdrop of the philosophy to provide more robust and flexible incident plans. When an actual incident happens, the enterprise can take that philosophical approach and pivot to the incident at hand.

Neal also noted that IT audit plays an important role in incident management. Audit can translate the incident in business terms to senior management. Audit’s organizational familiarity, involvement in IT and security, understanding of processes and maturation and its objectivity are particularly germane in performing this role.

Vilius Benetis spoke next on the importance of security operation centers (SOCs) as part of a larger presentation on what IT auditors should know about cybersecurity. He walked through the most successful SOCs; it isn’t the technology, but the creative, energetic teams that monitor and mitigate cyber risk. As cybersecurity is human vs. human, not human vs. machine, building a team that understands core business objectives while also performing cybersecurity strategy is key. “We must convert risk into value,” he said.

Closing out the Summit, Guy Herbert led a discussion on agile, DevOps and continuous integration/continuous development. “Saying no is easier than suggesting a better way,” said Herbert, who believes that utilizing continuous development processes is the future of work.

In lieu of “agile,” Herbert prefers the term “agility” and says that means small, frequent and fast change to gain feedback and make adjustments, allowing for being adaptive and course correction before you have invested time and resources into a failed path. “When work is open, we unleash the full potential of all teams,” he said. Open work means a shared context, direct feedback and access to information.

Internal audit can change to adopt this work model by focusing on outcomes, not output. Security must be part of the design and control objectives.

Editor’s note: For more insights and IT audit industry trends see the 2019 IT Audit Global Benchmarking Study from ISACA and Protiviti.

Establishing Credibility with More Experienced Clients and Business Partners

Alicja FoksinskaI graduated college with all the confidence in the world. However, I then entered Corporate America, and I had a rude awakening. My college studies equipped me with knowledge and skills to achieve tasks thrown at me, but what I had to do next is establish my credibility.

I felt like the puppy in this picture. I was handed an oversized K-9 Unit vest that I had to grow into as I was again starting from the bottom. In the audit profession, building rapport is key. When I entered meetings, I knew people were probably thinking, “She looks like a student, what does she know?” They were correct – I looked like any recent graduate, and I didn’t have the experience to provide feedback to well-experienced process owners who have been in their position for 25-plus years. To overcome that, I had to start building credibility.

My manager taught me an important lesson right away: it is OK to ask questions. He explained that a textbook only taught me the definitions and uses of systems, but it did not teach me the processes that my company has in place. To my surprise, process owners were very happy to explain their processes from beginning to end, provide me with flow charts, or even draw the processes out. I thought asking questions would erode my credibility – however, my questions did the opposite and allowed me to build better relationships with the process owners. My questions showed the process-owners that I am a good listener, diligent note-taker and a fast learner. By taking the time to listen to the process-owners explain their processes and ask good questions throughout, I was able to not only gain a stronger understanding of the process, but I was able to start relationships with the process owners that would be beneficial in my career.

Another lesson I found helpful was preparing for meetings ahead of time. Reading white papers and diving deeper on certain topics allowed me to pre-load myself with the information, so I could speak the same language the process-owners used during the meeting. For an IT term to exist, it must be an acronym! There were so many of those to learn that I even made myself a cheat-sheet to remember, for example, that “UPS” does not mean United Parcel Service, but rather Uninterrupted Power Supply.

Furthermore, by reading white papers, I can gain insight into the current state of the industry and/or the future predictions. This allows me to compare the current processes and systems at my company and provide the business with insights that I was able to find and potentially identify ways to create efficiencies. Curiosity has fueled my success at building credibility and rapport with the business, as I’m always trying to find a better way to perform a task or give insight into potentially maturing the current process. Reading old audit reports is always a great way to dive into the area one is about to audit again. Going through the business descriptions, the testing that occurred and findings that were discovered is always a great way to start the research and prepare for a meeting with the business.

Lastly, time – give it time. You will not be an expert in every business field, even if you are an auditor for life. The old adage, “Rome wasn’t built in a day,” is highly applicable here. You need time to create great things and you should always have questions, as you will be learning for the duration of your career.

After a few years in this profession, I’m still learning, and won’t ever stop learning. I’m lucky to work with so many talented and knowledgeable people in my company that enjoy sharing their skills with me. Every time I meet with someone who has devoted his or her career to a certain topic, I feel incredibly humbled as I get to learn from the best teacher around: the expert.

Editor’s note: For more career insights for newcomers to the IT audit, governance, risk and security fields, visit ISACA’s Young Professionals page.

A Seat at the Table: Internal Auditors as Operational Partners and Organizational Strategists

Robin LyonsIT auditors new to the profession may hear references to a time when the internal audit function was viewed as the “police.” Years ago, it was not uncommon for organizations to perceive internal audit’s responsibilities of assessment and evaluation as being similar to that of a policing function. Operational errors or deficiencies identified and reported were analogous to crimes in the world of law enforcement. To be fair, there were some personality types within the internal audit profession who didn’t object to that characterization. If the characterization were true, however, most auditors did not favor that characterization and probably all of the IT function and management wished for it to go away. So, auditors worked to counter that perception and management continued to provide feedback on what it wanted from internal auditors. One big ask from management was “If internal audit surfaces issues that are either already known or that could be easily corrected, what value does internal audit provide?”

The answer to that question was delivered when auditors created opportunities through compliance initiatives, business process documentation and other operational areas to work with the IT function outside of the audit process. More frequent involvement between auditors and the IT function offered the benefit of a better working relationship than when the auditors were perceived as the police. But, in reality, whether internal audit is adding value is a dynamic perception. As organizations are characterized as engaging in disruptive innovation, continuous development, or digitalization, the audit function must complement its operational partnership with a strategic partnership to keep pace with the organization and to add value. (Just to be clear, the auditors are not creating strategy; rather, they are mindful of strategic impacts in all of their work and they communicate those impacts with senior management and the board).

The path to strategic partnership may be more easily stated than achieved, though. In the 2019 Global IT Audit Benchmarking Study from ISACA and Protiviti, 81 percent of respondents from Africa indicate that IT audit directors (or equivalent) regularly attend audit committee meetings, but respondents from other regions provided less encouraging results, with that data point ranging between 46 and 64 percent. A Chief Audit Executive (CAE) may attend audit committee meetings in place of an IT audit director; however, of the two positions, the IT audit director generally has more comprehensive involvement with IT audit assessments and evaluations. Without being part of the these and other meetings where strategic discussions take place, it is a challenge for the audit profession to assume the role of strategists.

To earn a seat at the table where strategic discussions are taking place, IT audit directors and their teams should embrace the role of strategist by emphasizing their work through the lens of the organization. For example, once the organizational impact of a risk has been identified, a strategist will extend the discussion to what the organizational impact means for the overall strategy and mission of the organization. Framing this communication in financial terms is often appreciated by senior management and is fairly easy to do. On the more challenging end of the spectrum for the strategist (and most valuable to the organization) are communications that are forward-thinking. Without being clairvoyant, the internal audit strategist can share with senior management and the board what trends their industry is experiencing or solutions for known concerns before those concerns turn into problems. This is much more valuable than an after-the-fact summary of where things went wrong.

In self-assessing how much value they are creating, internal auditors should evaluate the state of their strategic partnerships and acknowledge the interdependency of operational and strategic partnerships, but focus on the forward-looking benefits that being strategic offers. When the transition to organizational strategist has been socialized and accepted by the organization, perhaps the coveted seat at the table will be earned.

Tips for the Novice IT Auditor

Amy DiestlerNorman Ralph Augustine once said, “Two-thirds of the Earth’s surface is covered with water. The other third is covered with auditors from headquarters.” This highlights the rise of the auditing profession and the importance that more and more companies are placing on internal and external audits due to increasing regulatory requirements. This reliance, coupled with the ever increasing dependency on technology, requires a special skill set: the IT auditor. If you have just started down this career path, these tips, and ISACA’s CISA certification, can help you navigate the IT auditor track.

Ask Questions
The majority of the time you will be working with people who are more experienced than you. Take advantage of their knowledge, especially when it comes to IT. Because auditing requires so much on-the-job training, one of the best ways to learn is to ask questions of the people around you, over and over again. Ask them to tell you where they think the company could improve when it comes to IT, where the company is headed in terms of technology, or how they ended up in their current role. Asking a question may seem simple, but there will definitely be times when you aren’t sure who or which question to ask. Try asking your manager or coworker to talk it out with you, create a visual, or walk them through your thinking process so far. With the emergence of new technologies at a rapid pace, inquiring minds will always want to know.

Communicate
An audit requires a lot of information to flow between various people, and all parties involved want it completed in the most efficient and effective manner. Whether you are communicating to a manager, a client, or a coworker, being able to relay a message accurately and effectively will help manage that flow of information. Clients want to be able to give you what you need the first time you ask. Precisely describing what item you are requesting and why helps ensure unnecessary time isn’t spent going back and forth for clarification. Managers always want to know where things are at and how the audit is progressing. Regularly updating them on your progress better informs them on where additional help may be needed and how the strategy moves forward to meet the audit deadline. Effective communication helps build relationships and makes you an effective person to work with in the future.

Technical Versus Non-Technical
Because you will interact with various people at all levels and departments of an organization, each person’s level of IT knowledge will differ. One of the best skills you can work on is being able to “translate” IT technical terms into terms or examples that anyone can understand. For example, simply explaining what acronyms stand for can ensure everyone is on the same page. Practice this on family, friends, coworkers, etc. Be sure to know your audience when using technical terms, as IT personnel will understand without an explanation while executives may not. This is especially helpful when conveying IT findings to higher-level management and helping them understand the severity of the finding and how to mitigate this risk in the future. This skill is often developed over time and with experience, so don’t get frustrated if there is some miscommunication at the beginning.

The biggest takeaway is to be open to learning everything you can and striving to improve your skills. There is a demand for certified IT auditors, which makes this career path a great starting point.

Editor’s note: For more career insights for newcomers to the IT audit, governance, risk and security fields, visit ISACA’s Young Professionals page.

How 20 Minutes Can Lead to a More Inclusive Tech Workforce

Barbara N. WabwireIf perceptions were always reality, why would a company that has hired professionals after conducting reasonable background checks be wary of internally orchestrated fraud and other white-collar crime? Why would an IT auditor obsess about the consistent integrity of systems and compliance?

Many in the audit industry would argue that regular audits will provide objective insights, uncover problems, ensure efficiency, assess risk of material misstatement, assess controls, promote accountability and compliance, and instill a sense of confidence in management that the business is doing “well” (assurance). If organizations are willing to go an extra mile to ensure optimal health of IT systems and are willing to invest in the necessary redundancy at all levels of infrastructure to reduce likelihood of unplanned system downtime, is a 20-minute time investment at recruitment and promotion interviews something we can consider as a worthwhile tradeoff to achieve gender inclusiveness in the technology industry?

Is it time for a gender audit in the technology industry? When we are told that men are more likely to be perceived as leaders than women, we might need to listen harder, understand the perception, dig deeper and try to appreciate this line of thinking. Is this much more a perception than a reality?

The reality: Gartner revealed that although women make up almost half of the workforce worldwide, only 31 percent of IT employees are women. This number falls further at leadership level to just 22 percent, and only 13 percent of CIOs are female.

Perception: In the absence of any other reasonable explanation, the statistical reality might explain, but not excuse, the photoshopping misadventure by Brunello Cucinelli’s “representative.” By trying to smuggle two top women executives into a picture of a male gathering of Silicon Valley executives in Italy, the “artist’s” crude and dismal attempt at gender mainstreaming the photograph (through Photoshop) was frustrated by technical pixel scrutiny. The glaring gender disparity reared its ugly head, and this time journalists’ credibility and professional integrity were put under microscopic scrutiny. 

Perception or reality? From the above statistics and scenario, we can infer a strong probability that a majority of the interview panelists for top executive positions are most likely to be male. We may, therefore, need to concern ourselves with the qualities and competences that most male top executives look for in prospective female leaders, if we are going to give equal representation a chance.

Backed by evidence: Matthew Biddle from the University at Buffalo contends that “Men are still more likely than women to be perceived as leaders. … Men tend to be more assertive and dominant, whereas women tend to be more communal, cooperative and nurturing. As a result, men are more likely to participate and voice their opinions during group discussions, and be perceived by others as leaderlike.” The article goes on to indicate that “the gender gap was strongest during the first 20 minutes people were together, similar to an initial job interview, but weakened after more than one interaction.”

The 20-minute finding is significant in demonstrating the effect of time lag between each gender’s effective responsiveness during such interactions; perhaps a longer lapse might be needed by some female interviewees to rid themselves of any reticence or inhibitions and fully engage to enable effective communication. Simply put, if women were afforded those 20 minutes, the perceptions and speculation about gender and leadership would blur, and women may begin to get an equal chance at qualifying for top positions. A top executive team with diversity in skills, gender and culture often leads to better performance and may attract more investment as well, as ensuring a strong business reputation and enhanced shareholder value maximization.

As a leader in your own right, would you consider giving female interviewees a 20-minute head start to level the playing field?

Editor’s note: For more resources on empowering women in the tech workforce, visit ISACA’s SheLeadsTech website.

Auditing a Migration Plan When Transferring from On Site to the Cloud

Katsumi SakagawaHave you ever audited a computer system’s migration plan when transferring it from on site to the cloud? Here are some recommendations to keep in mind based on lessons learned from migration practices:

Clarify the work burden mitigation effort. Once cloud migration is complete, it is important to clarify what burden has been mitigated by the migration from on site to the cloud; for example, automatic scalability. If the company’s computer infrastructure system meets the requirements for automatic scaling service, it can enjoy not only the service, but also cost savings. A computer system, like many single physical servers and few virtual system environments, has to address mitigating the operational burden and full treatment.

Verify there is no loss of security functions. A cloud vendor provides various security services; however, when transferring to a cloud environment, companies should examine whether any security services and circumstances that were addressed on site were lost or downgraded. For instance, if a company currently runs a laboratory-typed anti-virus sand boxing system, AI-based filtering system or industry-needed scoring system as a firewall, it should check whether the system can transfer onto the cloud vender’s service, as well as how it is priced.

Find out the current application’s operation system and the infrastructure for the system, and determine whether it is possible to migrate them directly to a cloud environment. If the target application the enterprise is seeking to shift is a specialized legacy OS for which the cloud vendor doesn’t support service, it may need to migrate the legacy OS first.

Finally, look at the risk mitigation procedure that will lead to the systems going live on the cloud. There are many existing layers, such as the internet connection layer, the OS infrastructure, middleware, application infrastructure, application server and application scheme. A company can’t help addressing them without upgrading them. Each layer requires its own upgrading activities and tests. It might be important to plan a step-by-step migration schedule. To migrate all at once is not always the best solution. In addition, when considering risk mitigation, Rollout and Rollback procedure should be designed by the user. The most risk-sensitive person is the user, and the user should be responsible to mitigate hazards.

Securing Your Data: The Crown Jewels of Your Enterprise

Prakash Kumar RanjanEvery organization has data that is vital for its organizational growth. Typically, most organizations build security around infrastructure, network and applications. But with data leakage becoming more prevalent, organizations are now considering data to be their crown jewel.

Data can be classified as structured data or unstructured data. Structured data is mostly stored in a database, but usually more than 80 percent of data are unstructured.

Enterprises need to protect the data from unauthorized access not only from external users but also from internal users, so virtually all organizations are building security controls around data-centric security. Data-centric security embeds controls into the data itself so that these controls are intact to the data even when the data is at rest or in motion, or while the data is being utilized in an application. In data-centric security, data is independent of the security of the infrastructure, be it device, application, network or the method of transport of data.

Data leaks not only have a negative impact on the reputation of the enterprise but also can lead to penalties/legal action from regulators. New regulations require the organization to build controls around the security and privacy of the data regardless of whether the data is intended to be used internally or intended to go outside the organization’s boundaries.

At its core, data-centric security can be considered among the following categories:

  • Data Classification – Data Classification is a process of identifying, labeling and classifying the information/data, preferably according to the sensitivity or criticality of the data. Most of the classification tools have elements of machine learning based on content and context. The classification of the data increases the effectiveness of DLP, CASB and EDRM tools.
  • Data Leakage/Loss Prevention (DLP) – DLP is a system that performs real-time scanning of data at rest and in motion, evaluates that data against existing policy definitions, identifies policy violations and automatically enforces some type of pre-defined remediation actions such as alerting users and administrators, quarantining suspicious files, encrypting data or blocking traffic outright. DLP takes time to mature and requires participation from the entire organization, especially in setting the policy.
  • Cloud Access Security Broker (CASB) – Since now most of our data is residing in the cloud, be it private, public or hybrid cloud, CASB helps in identifying, monitoring and controlling enterprise data in cloud infrastructure (including applications hosted on cloud), and extends controls to the cloud applications.This also often is referred to as Cloud DLP in terms of data-centric security.
  • Digital/Information Rights Management (IRM, DRM, ERM, EDRM) – DRM is basically the rights of the data owner/custodian of the data. It embeds the security controls into the data itself. The controls remain active even if the data is in use, and also remain active during the movement of data. This helps the enterprise to have control over the data, even if the data has left the boundary of the enterprise. Some popular controls for DRM are self-destruction of data or disallowing copy/paste/print of the document.

Data-centric Security Scenario
Suppose one of the directors of the enterprise is on leave and has no access to corporate emails or applications. An urgent board note (confidential document) needs to be vetted by him. Now the director asks his office to send the message to his personal email for review. His office sends him the board note to his personal email.

How can the security of the document be ensured?

Can we assume that after reviewing the note, he has deleted the data from his device or email inbox? Can the enterprise be 100 percent sure that the data would not be misused in future? No!

But if we enforce DRM on the document, we can set the period to the life of the document itself. We can even recall or revoke access to information that we have shared to anybody. DRM maps the policy so that the document can be protected automatically whenever it is discovered, detected, downloaded or shared.

Emergence of Data Privacy and Protection Laws
The year 2018 was significant for privacy and data protection laws in the world, with new measures such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Bahrain also passed a new, comprehensive data protection law, making it the first Middle East country to adopt a comprehensive privacy law.

One of the most significant privacy law developments of 2019 is expected from India. India’s draft bill introduces specific rights for individuals as well as requirements that processing entities have to meet. For example, businesses will need to implement organizational and technical safeguards regarding the processing of personal data, including for cross-border data transfers. The law also calls for the establishment of a Data Protection Authority for overseeing data processing activities.

Drive Your Own Destiny in Achieving Goals

Adam KohnkeAn individual would be hard-pressed to debate that behaviors and habits individuals exercise in their personal lives have no bearing or effects on their professional career. To that end, the ability to visualize, establish and pursue goals is a useful tool to realizing our personal desires, both personally and professionally. This blog post will provide some insight on basic, but useful, practices that individuals may adopt to help them start setting and achieving relevant goals, as well as explore common problems individuals run into with setting goals, with examples of how to overcome those problems and achieve what they desire.

As individuals, we typically find ourselves strictly focusing on the end result we’d like without really assessing the actions, outcomes, time and effort necessary to achieve the desired result. This leads us to having eyes bigger than our stomachs and is likely to result in failure to achieve our goals. Whether the goal involves obtaining a new security certification, a desired job promotion or paying the mortgage off early, these goals require adequate thought and planning on the challenges to be faced. As Abraham Lincoln is quoted as having said, “Give me six hours to chop down a tree, and I’ll spend the first four sharpening the axe.” Focusing on the journey and preparation necessary to achieve our goals and not the final destination puts us on a track to action and allows us to shed wasted energy on wishful thinking.

My own approach to setting personal and professional goals always uses the SMART method. Goals should be Specific, Measurable, Achievable, Relevant and Time bound. Most organizations adopt the SMART goal method for employee goal-setting, but they are useful for setting personal goals, as well. For example, a SMART personal goal related to achieving the CISA certification could be as follows (assuming a 30 June start date):

  1. Schedule the CISA exam for 1 October
  2. Finish reading the CISA exam preparation guide by 31 July
  3. Complete all CISA practice exam questions with a passing scope of 85 percent by 31 August

Each element is specific to CISA exam preparation, is measurable with dates on each item included, is achievable (as three months of preparation are provided), is relevant to passing the certification exam and is time-bound because the first step of scheduling the exam is driving completion of the following steps. This example shows how achieving small steps can lead us to our larger desired end result. Obviously, there is no guarantee of a pass on the exam, but by setting necessary preparatory goals, there is an increased likelihood of success.

A useful tool for ensuring the continued pursuit of goals is a printed list, either written or typed and printed. The list should be hung somewhere where it serves as constant reminder to fulfill the actions written on it. The medium is not too important as long as the list stares you in the face every day and burns a hole in your brain to get it done! I personally aim to write down and achieve approximately 12 goals every quarter that fulfill a mix of professional and personal accomplishments. Some are easy, such as attend a volunteer event, and some are more difficult goals, such as finish my first Cybrary course.

Revisit your overall personal goals at least quarterly and set new goals on a non-stressful schedule. Make it fun and enjoyable, but ensure goals are meaningful to move you in the direction you desire. Slowly, you’ll start seeing the results and stronger habits will be formed to achieve loftier goals. By leveraging this mindset in my professional life, I have found that I start setting and achieving mini-goals at work when conducting audit engagements. I often use lists to drive my daily work activities and sometimes rework the daily list several times. I usually keep no more than six items on my list, then as I achieve 50 percent or more, I create a new list starting with what’s left over from the previous list.

Our goals will not achieve themselves. Getting what we want typically will require some patience, grit, experimentation and the desire to see things through to the bitter (or hopefully pleasant) end. We are the drivers of our destiny, so again, let’s focus on the journey, and soon enough we will arrive at our intended destination.

Rethinking Cost Analysis in the Era of Cloud Computing and Emerging Tech

Katsumi SakagawaHave you thought about cost analysis in the era of cloud operation, combined with other emerging technologies? There is an orthodox way of considering cost analysis: Costs can be fixed, variable or some combination of the two. However, when it comes to analyzing IT costs, traditional cost analysis in the era of emerging technologies is inadequate.

The entire cost element must be taken into account: from where the cost occurs to what the cost consumes. An enterprise not only has to consider emerging technologies, but also has to consider the current legacy system. An inevitable, necessary cost exists in the file service required to produce what an enterprise needs.

You have the groupware function relating to the workplace and project activities, and the firewall function to avoid malicious access and protect data, and their updated plans.

On the other side, a for-profit-enterprise has to earn a profit. A company may have to restructure its home pages and address new systems, possibly with newly emerging technologies like RPA, AI and so on.

The whole cost consists of three categories:

  • The first category involves the fixed costs to maintain the current computer system. There are costs for the hardware and software, middleware, network facility and applications to communicate with employees and outside partners (using, for example, Office 365® and its automatic updating systems), and maintenance of a cloud subscription.
  • The second category includes the inevitable costs to earn profit, such as restructuring a new site where customers access and select goods to purchase in order to gain an advantage against competitors. Here, a cost will vary depending on how much development and re-structuring is needed. A certain company may decide to invest huge amounts in RPA to reduce future cost. Another company may migrate the current on-premise environment to the cloud to pursue reduced costs. These are neither fixed costs nor variable costs, but the costs should be planned for in the budget. It is crucial to analyze the gap between the planned budget and costs consumed.
  • The third category deals with a contingency and risk response costs. I have seen many companies and projects budget for contingencies. For example, 10 percent of the fixed costs often is planned as a contingency cost or the risk response cost. In a sense, this is a semi-fixed cost, not a true fixed cost.
1 - 10 Next