A Seat at the Table: Internal Auditors as Operational Partners and Organizational Strategists

Robin Lyons
IT auditors new to the profession may hear references to a time when the internal audit function was viewed as the “police.” Years ago, it was not uncommon for organizations to perceive internal audit’s responsibilities of assessment and evaluation as being similar to a policing function. Operational errors or deficiencies identified and reported were analogous to crimes in the world of law enforcement. To be fair, there were some personality types within the internal audit profession who didn’t object to that characterization. Even where the characterization was accurate, however, most auditors did not favor it, and probably all of the IT function and management wished for it to go away. So, auditors worked to counter that perception and management continued to provide feedback on what it wanted from internal auditors. One big ask from management was “If internal audit surfaces issues that are either already known or that could be easily corrected, what value does internal audit provide?”

The answer to that question was delivered when auditors created opportunities through compliance initiatives, business process documentation and other operational areas to work with the IT function outside of the audit process. More frequent involvement between auditors and the IT function offered the benefit of a better working relationship than when the auditors were perceived as the police. But, in reality, whether internal audit is adding value is a dynamic perception. As organizations are characterized as engaging in disruptive innovation, continuous development, or digitalization, the audit function must complement its operational partnership with a strategic partnership to keep pace with the organization and to add value. (Just to be clear, the auditors are not creating strategy; rather, they are mindful of strategic impacts in all of their work and they communicate those impacts with senior management and the board).

The path to strategic partnership may be more easily stated than achieved, though. In the 2019 Global IT Audit Benchmarking Study from ISACA and Protiviti, 81 percent of respondents from Africa indicate that IT audit directors (or equivalent) regularly attend audit committee meetings, but respondents from other regions provided less encouraging results, with that data point ranging between 46 and 64 percent. A Chief Audit Executive (CAE) may attend audit committee meetings in place of an IT audit director; however, of the two positions, the IT audit director generally has more comprehensive involvement with IT audit assessments and evaluations. Without being part of these and other meetings where strategic discussions take place, it is a challenge for the audit profession to assume the role of strategist.

To earn a seat at the table where strategic discussions are taking place, IT audit directors and their teams should embrace the role of strategist by emphasizing their work through the lens of the organization. For example, once the organizational impact of a risk has been identified, a strategist will extend the discussion to what the organizational impact means for the overall strategy and mission of the organization. Framing this communication in financial terms is often appreciated by senior management and is fairly easy to do. On the more challenging end of the spectrum for the strategist (and most valuable to the organization) are communications that are forward-thinking. Without being clairvoyant, the internal audit strategist can share with senior management and the board what trends their industry is experiencing or solutions for known concerns before those concerns turn into problems. This is much more valuable than an after-the-fact summary of where things went wrong.

In self-assessing how much value they are creating, internal auditors should evaluate the state of their strategic partnerships and acknowledge the interdependency of operational and strategic partnerships, but focus on the forward-looking benefits that being strategic offers. When the transition to organizational strategist has been socialized and accepted by the organization, perhaps the coveted seat at the table will be earned.

Tips for the Novice IT Auditor

Amy Diestler
Norman Ralph Augustine once said, “Two-thirds of the Earth’s surface is covered with water. The other third is covered with auditors from headquarters.” This highlights the rise of the auditing profession and the importance that more and more companies are placing on internal and external audits due to increasing regulatory requirements. This reliance, coupled with the ever-increasing dependency on technology, requires a special skill set: the IT auditor. If you have just started down this career path, these tips, and ISACA’s CISA certification, can help you navigate the IT auditor track.

Ask Questions
The majority of the time you will be working with people who are more experienced than you. Take advantage of their knowledge, especially when it comes to IT. Because auditing requires so much on-the-job training, one of the best ways to learn is to ask questions of the people around you, over and over again. Ask them to tell you where they think the company could improve when it comes to IT, where the company is headed in terms of technology, or how they ended up in their current role. Asking a question may seem simple, but there will definitely be times when you aren’t sure who or which question to ask. Try asking your manager or coworker to talk it out with you, create a visual, or walk them through your thinking process so far. With the emergence of new technologies at a rapid pace, inquiring minds will always want to know.

An audit requires a lot of information to flow between various people, and all parties involved want it completed in the most efficient and effective manner. Whether you are communicating to a manager, a client, or a coworker, being able to relay a message accurately and effectively will help manage that flow of information. Clients want to be able to give you what you need the first time you ask. Precisely describing what item you are requesting and why helps ensure unnecessary time isn’t spent going back and forth for clarification. Managers always want to know where things are at and how the audit is progressing. Regularly updating them on your progress better informs them on where additional help may be needed and how the strategy moves forward to meet the audit deadline. Effective communication helps build relationships and makes you an effective person to work with in the future.

Technical Versus Non-Technical
Because you will interact with various people at all levels and departments of an organization, each person’s level of IT knowledge will differ. One of the best skills you can work on is being able to “translate” IT technical terms into terms or examples that anyone can understand. For example, simply explaining what acronyms stand for can ensure everyone is on the same page. Practice this on family, friends, coworkers, etc. Be sure to know your audience when using technical terms, as IT personnel will understand without an explanation while executives may not. This is especially helpful when conveying IT findings to higher-level management and helping them understand the severity of the finding and how to mitigate this risk in the future. This skill is often developed over time and with experience, so don’t get frustrated if there is some miscommunication at the beginning.

The biggest takeaway is to be open to learning everything you can and striving to improve your skills. There is a demand for certified IT auditors, which makes this career path a great starting point.

Editor’s note: For more career insights for newcomers to the IT audit, governance, risk and security fields, visit ISACA’s Young Professionals page.

How 20 Minutes Can Lead to a More Inclusive Tech Workforce

Barbara N. Wabwire
If perceptions were always reality, why would a company that has hired professionals after conducting reasonable background checks be wary of internally orchestrated fraud and other white-collar crime? Why would an IT auditor obsess about the consistent integrity of systems and compliance?

Many in the audit industry would argue that regular audits will provide objective insights, uncover problems, ensure efficiency, assess risk of material misstatement, assess controls, promote accountability and compliance, and instill a sense of confidence in management that the business is doing “well” (assurance). If organizations are willing to go an extra mile to ensure optimal health of IT systems and are willing to invest in the necessary redundancy at all levels of infrastructure to reduce likelihood of unplanned system downtime, is a 20-minute time investment at recruitment and promotion interviews something we can consider as a worthwhile tradeoff to achieve gender inclusiveness in the technology industry?

Is it time for a gender audit in the technology industry? When we are told that men are more likely to be perceived as leaders than women, we might need to listen harder, understand the perception, dig deeper and try to appreciate this line of thinking. Is this much more a perception than a reality?

The reality: Gartner revealed that although women make up almost half of the workforce worldwide, only 31 percent of IT employees are women. This number falls further at leadership level to just 22 percent, and only 13 percent of CIOs are female.

Perception: In the absence of any other reasonable explanation, the statistical reality might explain, but not excuse, the photoshopping misadventure by Brunello Cucinelli’s “representative.” By trying to smuggle two top women executives into a picture of a male gathering of Silicon Valley executives in Italy, the “artist’s” crude and dismal attempt at gender mainstreaming the photograph (through Photoshop) was frustrated by technical pixel scrutiny. The glaring gender disparity reared its ugly head, and this time journalists’ credibility and professional integrity were put under microscopic scrutiny. 

Perception or reality? From the above statistics and scenario, we can infer a strong probability that a majority of the interview panelists for top executive positions are most likely to be male. We may, therefore, need to concern ourselves with the qualities and competences that most male top executives look for in prospective female leaders, if we are going to give equal representation a chance.

Backed by evidence: Matthew Biddle from the University at Buffalo contends that “Men are still more likely than women to be perceived as leaders. … Men tend to be more assertive and dominant, whereas women tend to be more communal, cooperative and nurturing. As a result, men are more likely to participate and voice their opinions during group discussions, and be perceived by others as leaderlike.” The article goes on to indicate that “the gender gap was strongest during the first 20 minutes people were together, similar to an initial job interview, but weakened after more than one interaction.”

The 20-minute finding is significant in demonstrating the effect of time lag between each gender’s effective responsiveness during such interactions; perhaps a longer lapse might be needed by some female interviewees to rid themselves of any reticence or inhibitions and fully engage to enable effective communication. Simply put, if women were afforded those 20 minutes, the perceptions and speculation about gender and leadership would blur, and women may begin to get an equal chance at qualifying for top positions. A top executive team with diversity in skills, gender and culture often leads to better performance and may attract more investment as well, as ensuring a strong business reputation and enhanced shareholder value maximization.

As a leader in your own right, would you consider giving female interviewees a 20-minute head start to level the playing field?

Editor’s note: For more resources on empowering women in the tech workforce, visit ISACA’s SheLeadsTech website.

Auditing a Migration Plan When Transferring from On Site to the Cloud

Katsumi Sakagawa
Have you ever audited a computer system’s migration plan when transferring it from on site to the cloud? Here are some recommendations to keep in mind based on lessons learned from migration practices:

Clarify the work burden mitigation effort. Once cloud migration is complete, it is important to clarify what burden has been mitigated by the migration from on site to the cloud; for example, automatic scalability. If the company’s computer infrastructure system meets the requirements for an automatic scaling service, it can enjoy not only the service, but also cost savings. A computer system made up of many individual physical servers and few virtualized environments must also address how, and how completely, the operational burden is mitigated.

Verify there is no loss of security functions. A cloud vendor provides various security services; however, when transferring to a cloud environment, companies should examine whether any security services and circumstances that were addressed on site were lost or downgraded. For instance, if a company currently runs a laboratory-type anti-virus sandboxing system, an AI-based filtering system or an industry-specific scoring system as a firewall, it should check whether the system can transfer onto the cloud vendor’s service, as well as how it is priced.

Find out the current application’s operating system and the infrastructure for the system, and determine whether it is possible to migrate them directly to a cloud environment. If the target application the enterprise is seeking to shift runs on a specialized legacy OS that the cloud vendor doesn’t support, it may need to migrate the legacy OS first.

Finally, look at the risk mitigation procedure that will lead to the systems going live on the cloud. There are many existing layers, such as the internet connection layer, the OS infrastructure, middleware, application infrastructure, application server and application scheme. A company cannot address them without upgrading them. Each layer requires its own upgrading activities and tests. It might be important to plan a step-by-step migration schedule; migrating all at once is not always the best solution. In addition, when considering risk mitigation, the rollout and rollback procedures should be designed by the user. The most risk-sensitive person is the user, and the user should be responsible for mitigating hazards.

Securing Your Data: The Crown Jewels of Your Enterprise

Prakash Kumar Ranjan
Every organization has data that is vital for its organizational growth. Typically, most organizations build security around infrastructure, network and applications. But with data leakage becoming more prevalent, organizations are now considering data to be their crown jewel.

Data can be classified as structured data or unstructured data. Structured data is mostly stored in a database, but usually more than 80 percent of data are unstructured.

Enterprises need to protect the data from unauthorized access not only from external users but also from internal users, so virtually all organizations are building security controls around data-centric security. Data-centric security embeds controls into the data itself so that these controls are intact to the data even when the data is at rest or in motion, or while the data is being utilized in an application. In data-centric security, data is independent of the security of the infrastructure, be it device, application, network or the method of transport of data.

Data leaks not only have a negative impact on the reputation of the enterprise but also can lead to penalties/legal action from regulators. New regulations require the organization to build controls around the security and privacy of the data regardless of whether the data is intended to be used internally or intended to go outside the organization’s boundaries.

At its core, data-centric security can be considered among the following categories:

  • Data Classification – Data Classification is a process of identifying, labeling and classifying the information/data, preferably according to the sensitivity or criticality of the data. Most of the classification tools have elements of machine learning based on content and context. The classification of the data increases the effectiveness of DLP, CASB and EDRM tools.
  • Data Leakage/Loss Prevention (DLP) – DLP is a system that performs real-time scanning of data at rest and in motion, evaluates that data against existing policy definitions, identifies policy violations and automatically enforces some type of pre-defined remediation actions such as alerting users and administrators, quarantining suspicious files, encrypting data or blocking traffic outright. DLP takes time to mature and requires participation from the entire organization, especially in setting the policy.
  • Cloud Access Security Broker (CASB) – Since now most of our data is residing in the cloud, be it private, public or hybrid cloud, CASB helps in identifying, monitoring and controlling enterprise data in cloud infrastructure (including applications hosted on cloud), and extends controls to the cloud applications. This also often is referred to as Cloud DLP in terms of data-centric security.
  • Digital/Information Rights Management (IRM, DRM, ERM, EDRM) – DRM is basically the rights of the data owner/custodian of the data. It embeds the security controls into the data itself. The controls remain active even if the data is in use, and also remain active during the movement of data. This helps the enterprise to have control over the data, even if the data has left the boundary of the enterprise. Some popular controls for DRM are self-destruction of data or disallowing copy/paste/print of the document.
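The classification and DLP bullets above describe a pipeline: label data by content, evaluate the label against a policy for the channel the data is moving over, and apply a pre-defined remediation. The following is an added illustration of that pipeline, written for this page; it is not the article’s code nor any vendor’s DLP engine. The rule names, channel names, policy table and sample records are all constructed for the example, and the Luhn check is included to show how a content rule avoids flagging every 16-digit number as a payment card.

```python
import re
from dataclasses import dataclass, field
from enum import Enum


class Sensitivity(Enum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Content rules (constructed): (name, pattern, label, optional validator on the match text)
RULES = [
    ("payment_card", re.compile(r"\b(?:\d[ -]?){13,16}\b"), Sensitivity.RESTRICTED,
     lambda m: luhn_ok(re.sub(r"\D", "", m))),
    ("ssn_like", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), Sensitivity.RESTRICTED, None),
    ("confidential_marker", re.compile(r"\bCONFIDENTIAL\b", re.I), Sensitivity.CONFIDENTIAL, None),
    ("internal_marker", re.compile(r"\bINTERNAL USE ONLY\b", re.I), Sensitivity.INTERNAL, None),
]

# Policy (constructed): (label, channel) -> remediation; anything unlisted is allowed.
POLICY = {
    (Sensitivity.RESTRICTED, "external_email"): "block",
    (Sensitivity.RESTRICTED, "cloud_share"): "quarantine",
    (Sensitivity.RESTRICTED, "internal_email"): "alert",
    (Sensitivity.CONFIDENTIAL, "external_email"): "encrypt",
    (Sensitivity.CONFIDENTIAL, "cloud_share"): "alert",
}


@dataclass
class Finding:
    record_id: str
    channel: str
    label: Sensitivity
    matched: list = field(default_factory=list)
    action: str = "allow"


def classify(text: str):
    """Return the highest sensitivity label found and the names of the rules that fired."""
    label, fired = Sensitivity.PUBLIC, []
    for name, pattern, rule_label, validate in RULES:
        for m in pattern.finditer(text):
            if validate is None or validate(m.group(0)):
                fired.append(name)
                if rule_label.value > label.value:
                    label = rule_label
                break  # one hit per rule is enough to set the label
    return label, fired


def evaluate(record: dict) -> Finding:
    """Classify one record and look up the remediation for its label and channel."""
    label, fired = classify(record["text"])
    action = POLICY.get((label, record["channel"]), "allow")
    return Finding(record["id"], record["channel"], label, fired, action)


def scan(records):
    return [evaluate(r) for r in records]


# Sample records, constructed for this example (4111... is the standard Luhn-valid test number).
SAMPLE_RECORDS = [
    {"id": "r1", "channel": "external_email", "text": "Invoice attached. Card 4111 1111 1111 1111 charged."},
    {"id": "r2", "channel": "cloud_share", "text": "Board pack - CONFIDENTIAL - Q3 forecast"},
    {"id": "r3", "channel": "internal_email", "text": "Lunch menu for Friday"},
    {"id": "r4", "channel": "external_email", "text": "Ref 1234 5678 9012 3456 is a ticket number"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f.record_id, f.channel, f.label.name, f.matched, "->", f.action)
```

Record r4 is the instructive one: the regex matches its 16 digits, but the Luhn validator rejects them, so it stays PUBLIC and is allowed, while r1 on the same channel is blocked. Tuning that validator layer is where most of the policy-setting effort the bullet mentions actually goes.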

Data-centric Security Scenario
Suppose one of the directors of the enterprise is on leave and has no access to corporate emails or applications. An urgent board note (confidential document) needs to be vetted by him. Now the director asks his office to send the message to his personal email for review. His office sends him the board note to his personal email.

How can the security of the document be ensured?

Can we assume that after reviewing the note, he has deleted the data from his device or email inbox? Can the enterprise be 100 percent sure that the data would not be misused in future? No!

But if we enforce DRM on the document, we can set the period to the life of the document itself. We can even recall or revoke access to information that we have shared to anybody. DRM maps the policy so that the document can be protected automatically whenever it is discovered, detected, downloaded or shared.
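The scenario above turns on one idea: the board note that leaves for a personal inbox must carry its own controls, so the enterprise can still enforce a recipient list, an expiry and a recall after the file is out of its hands. The following is an added sketch of that mechanism for this page; it is not the article’s code nor any rights-management product’s protocol. The document body is encrypted and the key is held by a policy service that releases it only after a live check, so revoking or expiring the policy makes every copy unreadable. The class and field names are invented for the example, and the HMAC-SHA256 counter-mode keystream is an illustrative stand-in for a real AEAD cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # HMAC-SHA256 output length, used as the keystream block size


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (illustrative; never reuse a key/nonce pair)."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], block))
    return bytes(out)


def _tag(key: bytes, doc_id: str, nonce: bytes, body: bytes) -> bytes:
    """Integrity tag over everything in the envelope, so edits to a copy are detected."""
    return hmac.new(key, doc_id.encode() + nonce + body, hashlib.sha256).digest()


class PolicyServer:
    """Hypothetical rights service: keeps keys and rights; the envelope carries only ciphertext."""

    def __init__(self):
        self._rights = {}  # doc_id -> {"key", "recipients", "expires_at", "revoked"}

    def protect(self, doc_id, plaintext, recipients, ttl_seconds, now):
        """Wrap a document; the policy lives here, the envelope can travel anywhere."""
        key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        self._rights[doc_id] = {
            "key": key,
            "recipients": set(recipients),
            "expires_at": now + ttl_seconds,
            "revoked": False,
        }
        body = _keystream_xor(key, nonce, plaintext)
        return {"doc_id": doc_id, "nonce": nonce, "body": body,
                "tag": _tag(key, doc_id, nonce, body)}

    def revoke(self, doc_id):
        """Recall: every copy of the envelope stops opening from this point on."""
        self._rights[doc_id]["revoked"] = True

    def check_access(self, doc_id, principal, now):
        rights = self._rights.get(doc_id)
        if rights is None:
            return "unknown-document"
        if rights["revoked"]:
            return "revoked"
        if now > rights["expires_at"]:
            return "expired"
        if principal not in rights["recipients"]:
            return "not-a-recipient"
        return "ok"

    def open(self, envelope, principal, now):
        """Release plaintext only if policy passes and the envelope is untampered."""
        verdict = self.check_access(envelope["doc_id"], principal, now)
        if verdict != "ok":
            raise PermissionError(verdict)
        key = self._rights[envelope["doc_id"]]["key"]
        expected = _tag(key, envelope["doc_id"], envelope["nonce"], envelope["body"])
        if not hmac.compare_digest(expected, envelope["tag"]):
            raise ValueError("integrity check failed")
        return _keystream_xor(key, envelope["nonce"], envelope["body"])


def try_open(server, envelope, principal, now):
    """Convenience wrapper: return (plaintext or None, verdict) instead of raising."""
    try:
        return server.open(envelope, principal, now), "ok"
    except (PermissionError, ValueError) as exc:
        return None, str(exc)


if __name__ == "__main__":
    srv = PolicyServer()
    env = srv.protect("board-note-42", b"Q3 board note", {"director@corp.example"}, 3600, now=1_000_000)
    print(try_open(srv, env, "director@corp.example", 1_000_100))
    srv.revoke("board-note-42")
    print(try_open(srv, env, "director@corp.example", 1_000_100))
```

In the director scenario the envelope can sit in a personal inbox indefinitely without disclosing anything: opening it requires the policy service to agree on the principal and the time, and a later revoke closes it everywhere at once. A production system would replace the toy keystream with an authenticated cipher and bind the principal to an authenticated identity rather than a string.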

Emergence of Data Privacy and Protection Laws
The year 2018 was significant for privacy and data protection laws in the world, with new measures such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Bahrain also passed a new, comprehensive data protection law, making it the first Middle East country to adopt a comprehensive privacy law.

One of the most significant privacy law developments of 2019 is expected from India. India’s draft bill introduces specific rights for individuals as well as requirements that processing entities have to meet. For example, businesses will need to implement organizational and technical safeguards regarding the processing of personal data, including for cross-border data transfers. The law also calls for the establishment of a Data Protection Authority for overseeing data processing activities.

Drive Your Own Destiny in Achieving Goals

Adam Kohnke
An individual would be hard-pressed to debate that behaviors and habits individuals exercise in their personal lives have no bearing or effects on their professional career. To that end, the ability to visualize, establish and pursue goals is a useful tool to realizing our personal desires, both personally and professionally. This blog post will provide some insight on basic, but useful, practices that individuals may adopt to help them start setting and achieving relevant goals, as well as explore common problems individuals run into with setting goals, with examples of how to overcome those problems and achieve what they desire.

As individuals, we typically find ourselves strictly focusing on the end result we’d like without really assessing the actions, outcomes, time and effort necessary to achieve the desired result. This leads us to having eyes bigger than our stomachs and is likely to result in failure to achieve our goals. Whether the goal involves obtaining a new security certification, a desired job promotion or paying the mortgage off early, these goals require adequate thought and planning on the challenges to be faced. As Abraham Lincoln is quoted as having said, “Give me six hours to chop down a tree, and I’ll spend the first four sharpening the axe.” Focusing on the journey and preparation necessary to achieve our goals and not the final destination puts us on a track to action and allows us to shed wasted energy on wishful thinking.

My own approach to setting personal and professional goals always uses the SMART method. Goals should be Specific, Measurable, Achievable, Relevant and Time bound. Most organizations adopt the SMART goal method for employee goal-setting, but they are useful for setting personal goals, as well. For example, a SMART personal goal related to achieving the CISA certification could be as follows (assuming a 30 June start date):

  1. Schedule the CISA exam for 1 October
  2. Finish reading the CISA exam preparation guide by 31 July
  3. Complete all CISA practice exam questions with a passing score of 85 percent by 31 August

Each element is specific to CISA exam preparation, is measurable with dates on each item included, is achievable (as three months of preparation are provided), is relevant to passing the certification exam and is time-bound because the first step of scheduling the exam is driving completion of the following steps. This example shows how achieving small steps can lead us to our larger desired end result. Obviously, there is no guarantee of a pass on the exam, but by setting necessary preparatory goals, there is an increased likelihood of success.

A useful tool for ensuring the continued pursuit of goals is a printed list, either handwritten or typed and printed. The list should be hung somewhere where it serves as a constant reminder to fulfill the actions written on it. The medium is not too important as long as the list stares you in the face every day and burns a hole in your brain to get it done! I personally aim to write down and achieve approximately 12 goals every quarter that fulfill a mix of professional and personal accomplishments. Some are easy, such as attending a volunteer event, and some are more difficult goals, such as finishing my first Cybrary course.

Revisit your overall personal goals at least quarterly and set new goals on a non-stressful schedule. Make it fun and enjoyable, but ensure goals are meaningful to move you in the direction you desire. Slowly, you’ll start seeing the results and stronger habits will be formed to achieve loftier goals. By leveraging this mindset in my professional life, I have found that I start setting and achieving mini-goals at work when conducting audit engagements. I often use lists to drive my daily work activities and sometimes rework the daily list several times. I usually keep no more than six items on my list, then as I achieve 50 percent or more, I create a new list starting with what’s left over from the previous list.

Our goals will not achieve themselves. Getting what we want typically will require some patience, grit, experimentation and the desire to see things through to the bitter (or hopefully pleasant) end. We are the drivers of our destiny, so again, let’s focus on the journey, and soon enough we will arrive at our intended destination.

Rethinking Cost Analysis in the Era of Cloud Computing and Emerging Tech

Katsumi Sakagawa
Have you thought about cost analysis in the era of cloud operation, combined with other emerging technologies? There is an orthodox way of considering cost analysis: Costs can be fixed, variable or some combination of the two. However, when it comes to analyzing IT costs, traditional cost analysis in the era of emerging technologies is inadequate.

The entire cost element must be taken into account: from where the cost occurs to what the cost consumes. An enterprise not only has to consider emerging technologies, but also has to consider the current legacy system. An inevitable, necessary cost exists in the file service required to produce what an enterprise needs.

You have the groupware function relating to the workplace and project activities, and the firewall function to avoid malicious access and protect data, and their updated plans.

On the other side, a for-profit-enterprise has to earn a profit. A company may have to restructure its home pages and address new systems, possibly with newly emerging technologies like RPA, AI and so on.

The whole cost consists of three categories:

  • The first category involves the fixed costs to maintain the current computer system. There are costs for the hardware and software, middleware, network facility and applications to communicate with employees and outside partners (using, for example, Office 365® and its automatic updating systems), and maintenance of a cloud subscription.
  • The second category includes the inevitable costs to earn profit, such as restructuring a new site where customers access and select goods to purchase in order to gain an advantage against competitors. Here, a cost will vary depending on how much development and re-structuring is needed. A certain company may decide to invest huge amounts in RPA to reduce future cost. Another company may migrate the current on-premise environment to the cloud to pursue reduced costs. These are neither fixed costs nor variable costs, but the costs should be planned for in the budget. It is crucial to analyze the gap between the planned budget and costs consumed.
  • The third category deals with a contingency and risk response costs. I have seen many companies and projects budget for contingencies. For example, 10 percent of the fixed costs often is planned as a contingency cost or the risk response cost. In a sense, this is a semi-fixed cost, not a true fixed cost.

Why Don’t We Apply Due Diligence in Selecting Social Media Providers?

Robert Findlay
I’ve reviewed many social media implementations across a large variety of companies and, among the many concerns from a security perspective, is the total lack of due diligence over their selection.

It’s a puzzle really. Why would any competent CIO approve an initiative that is set up on a cloud-based platform that does not really know who its users are, has no audit certification, is demonstrably insecure, and is subject to rampant fraud and impersonation? But that is exactly what is happening when marketing and digital media people launch sites on providers such as Facebook and Twitter.

We are quite used to cloud providers not letting us audit them directly so our next port of call is to check their certification; not only does no one do this standard check when setting up on social media, but in fact there isn’t any certification to review. Interestingly, if you look at associated cloud products such as social studio (Salesforce.com) and workplace (Facebook), these corporate-focused systems do have certification such as SOC 2 and ISO27001. But this is not the case for any of the main social media sites such as Facebook, Twitter, Instagram or WhatsApp. This should be a warning sign that all is not well in the world of security on these systems. Regardless, the marketing team will insist on using them anyway.

Even a cursory look at known vulnerabilities would inform you that these sites have exploitable vulnerabilities; just check them out in any CVE security vulnerability database. Did anyone in your organization do this very simple and quick review?

It’s not as if there are no consequences; look at the recent Facebook photo API bug that exposed 6.8 million users’ images. A bug in the API granted developers access to Facebook users’ images even if those images had been uploaded but not published to the user’s timeline. Similarly, WhatsApp had a recent security issue when a buffer overflow vulnerability in the WhatsApp VoIP stack allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number. The upshot was that the hackers were able to infect your phone without you actually doing anything. If it weren’t social media, ask yourself, would you use these products?

There are countless other security concerns with social media: they are hosing up your data; did your team check the privacy statements before they signed up?; some are completely open to their employees to exploit your sites (remember the Donald Trump Twitter deletion by a Twitter employee?); and good luck enforcing your password policy on the site.

You can pretty much assume, therefore, that all the sites are insecure, your digital media team didn’t review or risk-assess any of them, and you have no idea who the people are interacting with you on the sites. The time for you to launch that audit is long overdue.

Editor’s note: Robert Findlay will be presenting on “Social Media and its Cyber Threats” at the GRC conference, to take place 12-14 August in Ft. Lauderdale, Florida, USA.

Internal Audit Should Take Multifaceted Approach to Robotic Process Automation

David Malcom
In the same manner that the adoption of ERP applications and the use of offshore labor arbitrage and outsourcing previously transformed the workplace, robotic process automation (RPA) and intelligent automation are demonstrating the potential to be the next megatrends to help organizations improve the efficiencies and performance of back-office operations. As many organizations are just beginning their journeys to implement RPA technologies, this presents an opportunity for internal audit groups to work with their stakeholders to ensure appropriate governance and controls are built into the design of their RPA programs.

There are several risks in establishing an RPA program that internal audit should assess before organizations look to begin deploying bots into production.

  • First and foremost, ensure the organization has established guidelines for the development of RPA capabilities and clear ownership for the ongoing run and maintenance of activities associated with managing this technology.
  • Secondly, tried and true IT general controls that internal audit assesses in just about every review should be designed into RPA operations. Access to bots, change management, data integrity and disaster recovery/business continuity: all are critical operational procedures that should be defined prior to utilizing any bots in production.
  • Finally, internal audit can assist management with defining appropriate key performance indicators (KPIs) and benefits realization processes to monitor and measure the success of an RPA program.

As internal auditors, we should also evaluate the potential efficiencies that can be gained through adopting RPA capabilities ourselves.

  • At a time where we find ourselves in an increasing struggle to attract and retain top talent, utilizing RPA capabilities to automate highly manual, repetitive tasks that require little judgment could help provide opportunities to free our staff to focus on more interesting activities, improving their engagement.
  • Any audit testing that internal audit performs involving calculations, variance analysis and reconciliations is a prime candidate to be automated. Additionally, operational procedures that all internal audit departments perform, including the distribution of audit documentation requests and issue follow-up, can also be performed by RPA capabilities.
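As an added illustration of the kind of reconciliation test that lends itself to automation (this is example code written for this page, not the author's or his department's pilot), the script below tests one SOX IT general control, timely removal of access on termination, by reconciling a constructed HR termination feed against a constructed identity-system export. The record layouts, account names and one-day grace period are all assumptions.

```python
from datetime import date, timedelta

# Constructed HR feed: employee id -> termination date (None = still employed)
HR_RECORDS = {
    "e1001": None,
    "e1002": date(2019, 6, 3),
    "e1003": date(2019, 6, 20),
    "e1004": None,
}

# Constructed identity-system export, one record per account
ACCOUNTS = [
    {"user": "e1001", "status": "active", "last_login": date(2019, 7, 1)},
    {"user": "e1002", "status": "active", "last_login": date(2019, 6, 28)},
    {"user": "e1003", "status": "disabled", "last_login": date(2019, 6, 19)},
    {"user": "e1004", "status": "active", "last_login": date(2019, 6, 30)},
    {"user": "svc_bot01", "status": "active", "last_login": date(2019, 7, 1)},
]


def reconcile_terminations(hr, accounts, grace_days=1):
    """Test the 'access removed on termination' control.

    Every account must map to an HR record (so unowned service accounts,
    including the bots themselves, surface as exceptions); a terminated
    user's account must be disabled and must show no login after the
    termination date plus the grace period. The returned dict doubles as
    the evidence package for the workpaper: population, exceptions, result.
    """
    grace = timedelta(days=grace_days)
    exceptions = []
    for acct in accounts:
        user = acct["user"]
        if user not in hr:
            exceptions.append((user, "no matching HR record"))
            continue
        term = hr[user]
        if term is None:
            continue  # still employed, nothing to check for this control
        if acct["status"] == "active":
            exceptions.append((user, f"still active, terminated {term}"))
        elif acct["last_login"] and acct["last_login"] > term + grace:
            exceptions.append((user, f"login after termination {term}"))
    return {"population": len(accounts), "exceptions": exceptions,
            "passed": not exceptions}


if __name__ == "__main__":
    print(reconcile_terminations(HR_RECORDS, ACCOUNTS))
    # -> exceptions for e1002 and svc_bot01, passed=False
```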

My department recently conducted a successful pilot where we automated the evidence gathering and testing of several SOX IT general controls. This is very straightforward testing that my team has been doing for years and, to be honest, no one really enjoys performing. We are now looking for additional ways we can leverage RPA to provide more real-time insights to our stakeholders and enable our team to focus on higher-value activities.

RPA is quickly moving from an emerging technology to an integral component of organizations’ operational capabilities. It is critical for internal audit to understand the associated risks that come with the adoption of RPA and provide assurance that their organization has designed effective controls as part of their RPA program. Additionally, internal audit should not ignore the value that can be gained by adopting RPA itself and the efficiency opportunities RPA can provide the department. As security and IT audit practitioners, we all have roles to play in ensuring our organizations deploy this new technology in a controlled manner.

Editor’s note: For more resources related to this topic, view ISACA’s new Audit Outlook video series.

IT Audit: Stay Relevant or Perish

Ravikumar Ramachandran

“Victory awaits him who has everything in order – luck, people call it. Defeat is certain for him who has neglected to take necessary precautions in time. This is called bad luck.” –Roald Amundsen, The South Pole

The title and the quote above say it all – and fit the essence of the 2019 Global IT Audit Benchmarking Study, conducted by ISACA and Protiviti.

An executive summary of the 2019 IT Audit Benchmarking Study, which will be released in full later this year, found that the biggest challenges for IT auditors are:

  • IT security and privacy/cybersecurity
  • Data management and governance
  • Emerging technology and infrastructure changes—transformation, innovation, disruption
  • Resource/staffing/skills challenges
  • Third-party/vendor management

Let us discuss in detail every challenge and the ways to get ahead of them:

IT security and privacy/cybersecurity
Cybersecurity is the chief risk for any organization that has a virtual presence. With the staggering numbers being quoted for Internet of Things (IoT) devices being connected together, and with more than 56 percent of the global populace – almost 4 billion users – connecting to the internet, the volume of cybercrimes and threats is going to accelerate at an unrelenting pace, posing formidable challenges for the IT audit community as well as business leadership.

Establishing a strong cybersecurity culture would help IT auditors in tackling this menace, although this alone may not suffice. Business needs to move with the advancements in technologies to remain competitive. IT audit, as often pointed out by ISACA, needs to play an enabling role, meaning rendering its assurance functions in a manner that helps organizations conduct their operations in a seamless and secure way, and also remain compliant with various regulations.

To achieve this, IT auditors have to always be on top of new technologies, such as cloud, virtualization, big data analytics, AI and robotics, their associated threats, and evolving new threats, as well as being aware of how to remediate them in a timely and cost-effective way. In addition to performing these difficult tasks, they also need strong communication skills so that leaders and business stakeholders are aware of the risk and, in turn, help the IT auditors to perform their task.

Data management and governance
Data management, sometimes referred to today as big data management, is synonymous with big innovation management, big opportunities management and, eventually, big money management. For an IT auditor it is a twin challenge: first, to assess how the organization uses big data for its decision-making, where it stores the data, and how it achieves the CIA triad (confidentiality, integrity and availability); secondly, in the case of fraud detection, how to harness big data analytics or big data forensics to capture the audit trail and nab the culprit. Naturally, this calls for skills in data science and analytics to handle these tasks and, as these are evolving technologies, the skillsets are difficult to find in the market.

Emerging technology and infrastructure changes – transformation, innovation, disruption
“Technology is a vector,” wrote Kevin Kelly in his excellent book, What Technology Wants. Kelly stresses the point that technology will move ahead regardless of people supporting it. In other words, technological advancement is imminent, and people are not the driving factor. To quote business executive Mark Cuban, “Artificial Intelligence, deep learning, machine learning – whatever you are doing, if you don’t understand it, learn it. Because otherwise, you are going to be a dinosaur within three years.”

Because global enterprises are embracing big data analytics, AI, and cloud computing in a huge way, audit professionals need to be familiar with these technologies so that they can perform their assurance function effectively.

Resource/staffing/skills challenges
In view of the above discussions, it is very clear that the audit function is going to face challenges in finding the right mix of resources. We need experienced auditors who have an understanding of emerging technologies, with special emphasis on data science. Although artificial intelligence cannot replace the audit function, it has the potential to complement the audit discipline by performing routine activities and highlighting exceptions for the attention of the auditors to make an informed judgement. The new-age technology will help to raise the standard of auditing, provided auditors make the effort to acquire the latest technical knowledge and upskill themselves from an audit perspective.

Third-party/vendor management
This challenge arises from the digital transformation that enterprises around the world are pursuing. As a result, organizations increasingly resort to cloud and/or third-party service management, which leads to third-party or vendor risk. Auditors need to help businesses mitigate this risk and help achieve their strategic objectives in a cost-effective fashion. Effective handling of cybersecurity risk requires auditors to be thoroughly updated on the latest threats and also possess the counter-intelligence to prevent and contain cybercrimes.

IT audit exists to assist organizations in strategic technological management – that is, efficient and effective use of technology, combined with robust risk management. Technology is advancing at a rapid pace, thereby influencing and changing the way business is conducted. Business requires the help of IT audit to thrive and navigate through this stormy digital transformation period. Therefore, it is imperative for IT audit teams to equip themselves and stay relevant so that they can be of great value and play a key role in this fast-moving digital world.

Author’s note: The views expressed in this article are the author’s and do not represent that of the organization or of the professional bodies to which he is associated.
