Other Blogs
There are no items in this list.
Knowledge & Insights > ISACA Now > Categories
Drive Your Own Destiny in Achieving Goals

Adam KohnkeAn individual would be hard-pressed to debate that behaviors and habits individuals exercise in their personal lives have no bearing or effects on their professional career. To that end, the ability to visualize, establish and pursue goals is a useful tool to realizing our personal desires, both personally and professionally. This blog post will provide some insight on basic, but useful, practices that individuals may adopt to help them start setting and achieving relevant goals, as well as explore common problems individuals run into with setting goals, with examples of how to overcome those problems and achieve what they desire.

As individuals, we typically find ourselves strictly focusing on the end result we’d like without really assessing the actions, outcomes, time and effort necessary to achieve the desired result. This leads us to having eyes bigger than our stomachs and is likely to result in failure to achieve our goals. Whether the goal involves obtaining a new security certification, a desired job promotion or paying the mortgage off early, these goals require adequate thought and planning on the challenges to be faced. As Abraham Lincoln is quoted as having said, “Give me six hours to chop down a tree, and I’ll spend the first four sharpening the axe.” Focusing on the journey and preparation necessary to achieve our goals and not the final destination puts us on a track to action and allows us to shed wasted energy on wishful thinking.

My own approach to setting personal and professional goals always uses the SMART method. Goals should be Specific, Measurable, Achievable, Relevant and Time bound. Most organizations adopt the SMART goal method for employee goal-setting, but they are useful for setting personal goals, as well. For example, a SMART personal goal related to achieving the CISA certification could be as follows (assuming a 30 June start date):

  1. Schedule the CISA exam for 1 October
  2. Finish reading the CISA exam preparation guide by 31 July
  3. Complete all CISA practice exam questions with a passing scope of 85 percent by 31 August

Each element is specific to CISA exam preparation, is measurable with dates on each item included, is achievable (as three months of preparation are provided), is relevant to passing the certification exam and is time-bound because the first step of scheduling the exam is driving completion of the following steps. This example shows how achieving small steps can lead us to our larger desired end result. Obviously, there is no guarantee of a pass on the exam, but by setting necessary preparatory goals, there is an increased likelihood of success.

A useful tool for ensuring the continued pursuit of goals is a printed list, either written or typed and printed. The list should be hung somewhere where it serves as constant reminder to fulfill the actions written on it. The medium is not too important as long as the list stares you in the face every day and burns a hole in your brain to get it done! I personally aim to write down and achieve approximately 12 goals every quarter that fulfill a mix of professional and personal accomplishments. Some are easy, such as attend a volunteer event, and some are more difficult goals, such as finish my first Cybrary course.

Revisit your overall personal goals at least quarterly and set new goals on a non-stressful schedule. Make it fun and enjoyable, but ensure goals are meaningful to move you in the direction you desire. Slowly, you’ll start seeing the results and stronger habits will be formed to achieve loftier goals. By leveraging this mindset in my professional life, I have found that I start setting and achieving mini-goals at work when conducting audit engagements. I often use lists to drive my daily work activities and sometimes rework the daily list several times. I usually keep no more than six items on my list, then as I achieve 50 percent or more, I create a new list starting with what’s left over from the previous list.

Our goals will not achieve themselves. Getting what we want typically will require some patience, grit, experimentation and the desire to see things through to the bitter (or hopefully pleasant) end. We are the drivers of our destiny, so again, let’s focus on the journey, and soon enough we will arrive at our intended destination.

Rethinking Cost Analysis in the Era of Cloud Computing and Emerging Tech

Katsumi SakagawaHave you thought about cost analysis in the era of cloud operation, combined with other emerging technologies? There is an orthodox way of considering cost analysis: Costs can be fixed, variable or some combination of the two. However, when it comes to analyzing IT costs, traditional cost analysis in the era of emerging technologies is inadequate.

The entire cost element must be taken into account: from where the cost occurs to what the cost consumes. An enterprise not only has to consider emerging technologies, but also has to consider the current legacy system. An inevitable, necessary cost exists in the file service required to produce what an enterprise needs.

You have the groupware function relating to the workplace and project activities, and the firewall function to avoid malicious access and protect data, and their updated plans.

On the other side, a for-profit-enterprise has to earn a profit. A company may have to restructure its home pages and address new systems, possibly with newly emerging technologies like RPA, AI and so on.

The whole cost consists of three categories:

  • The first category involves the fixed costs to maintain the current computer system. There are costs for the hardware and software, middleware, network facility and applications to communicate with employees and outside partners (using, for example, Office 365® and its automatic updating systems), and maintenance of a cloud subscription.
  • The second category includes the inevitable costs to earn profit, such as restructuring a new site where customers access and select goods to purchase in order to gain an advantage against competitors. Here, a cost will vary depending on how much development and re-structuring is needed. A certain company may decide to invest huge amounts in RPA to reduce future cost. Another company may migrate the current on-premise environment to the cloud to pursue reduced costs. These are neither fixed costs nor variable costs, but the costs should be planned for in the budget. It is crucial to analyze the gap between the planned budget and costs consumed.
  • The third category deals with a contingency and risk response costs. I have seen many companies and projects budget for contingencies. For example, 10 percent of the fixed costs often is planned as a contingency cost or the risk response cost. In a sense, this is a semi-fixed cost, not a true fixed cost.
Why Don’t We Apply Due Diligence in Selecting Social Media Providers?

Robert FindlayI’ve reviewed many social media implementations across a large variety of companies and, among the many concerns from a security perspective, is the total lack of due diligence over their selection.

It’s a puzzle really. Why would any competent CIO approve an initiative that is set up on a cloud-based platform that does not really know who its users are, has no audit certification, is demonstrably insecure, and is subject to rampant fraud and impersonation. But that is exactly what is happening when marketing and digital media people launch sites on providers such as Facebook and Twitter.

We are quite used to cloud providers not letting us audit them directly so our next port of call is to check their certification; not only does no one do this standard check when setting up on social media, but in fact there isn’t any certification to review. Interestingly, if you look at associated cloud products such as social studio (Salesforce.com) and workplace (Facebook), these corporate-focused systems do have certification such as SOC 2 and ISO27001. But this is not the case for any of the main social media sites such as Facebook, Twitter, Instagram or WhatsApp. This should be a warning sign that all is not well in the world of security on these systems. Regardless, the marketing team will insist on using them anyway.

Even a cursory look at known vulnerabilities would inform you that these sites have exploitable vulnerabilities; just check them out in any CVE security vulnerability database. Did anyone in your organization do this very simple and quick review?

It’s not as if there are no consequences; look at the recent Facebook photo API bug that exposed 6.8 million users’ images. A bug in API granted developers access to Facebook users’ images even if those images had been uploaded but not published to the user’s timeline. Similarly, WhatsApp had a recent security issue when a buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number. The upshot was that the hackers were able to infect your phone without you actually doing anything. If it weren’t social media, ask yourself, would you use these products?

There are countless other security concerns with social media: they are hosing up your data; did your team check the privacy statements before they signed up?; some are completely open to their employees to exploit your sites (remember the Donald Trump Twitter deletion by a Twitter employee?); and good luck enforcing your password policy on the site.

You can pretty much assume, therefore, that all the sites are insecure, your digital media team didn’t review or risk-assess any of them, and you have no idea who the people are interacting with you on the sites. The time for you to launch that audit is long overdue.

Editor’s note: Robert Findlay will be presenting on “Social Media and its Cyber Threats” at the GRC conference, to take place 12-14 August in Ft. Lauderdale, Florida, USA.

Internal Audit Should Take Multifaceted Approach to Robotic Process Automation

David MalcomIn the same manner that the adoption of ERP applications and the use of offshore labor arbitrage and outsourcing previously transformed the workplace, robotic process automation (RPA) and intelligent automation are demonstrating the potential to be the next megatrends to help organizations improve the efficiencies and performance of back-office operations. As many organizations are just beginning their journeys to implement RPA technologies, this presents an opportunity for internal audit groups to work with their stakeholders to ensure appropriate governance and controls are built into the design of their RPA programs.

There are several risks in establishing an RPA program that internal audit should assess before organizations look to begin deploying bots into production.

  • First and foremost, ensure the organization has established guidelines for the development of RPA capabilities and clear ownership for the ongoing run and maintenance of activities associated with managing this technology.
  • Secondly, tried and true IT general controls that internal audit assesses in just about every review should be designed into RPA operations. Access to bots, change management, data integrity and disaster recovery/business continuity–all are critical operational procedures that should be defined prior to utilizing any bots in production.
  • Finally, internal audit can assist management with defining appropriate key performance indicators (KPIs) and benefits realization processes to monitor and measure the success of an RPA program.

As internal auditors, we should also evaluate the potential efficiencies that can be gained through adopting RPA capabilities ourselves.

  • At a time where we find ourselves in an increasing struggle to attract and retain top talent, utilizing RPA capabilities to automate highly manual, repetitive tasks that require little judgment could help provide opportunities to free our staff to focus on more interesting activities, improving their engagement.
  • Any audit testing that internal audit performs involving calculations, variance analysis, and reconciliations are prime candidates to be automated. Additionally, operational procedures that all internal audit departments perform, including the distribution of audit documentation requests and issue follow-up, can also be performed by RPA capabilities.

My department recently conducted a successful pilot where we automated the evidence gathering and testing of several SOX IT general controls. This is very straightforward testing that my team has been doing for years and, to be honest, no one really enjoys performing. We are now looking for additional ways we can leverage RPA to provide more real-time insights to our stakeholders and enable our team to focus on higher-value activities.

RPA is quickly moving from an emerging technology to an integral component of organizations’ operational capabilities. It is critical for internal audit to understand the associated risks that come with the adoption of RPA and provide assurance that their organization has designed effective controls as part of their RPA program. Additionally, internal audit should not ignore the value that can be gained by adopting RPA itself and the efficiency opportunities RPA can provide the department. As security and IT audit practitioners, we all have roles to play in ensuring our organizations deploy this new technology in a controlled manner.

Editor’s note: For more resources related to this topic, view ISACA’s new Audit Outlook video series.

IT Audit: Stay Relevant or Perish

Ravikumar Ramachandran“Victory awaits him who has everything in order – luck, people call it. Defeat is certain for him who has neglected to take necessary precautions in time. This is called bad luck.” –Roald Amundsen, The South Pole

The title and the quote above says it all – and fits the essence of the 2019 Global IT Audit Benchmarking Study, conducted by ISACA and Protiviti.

An executive summary of the 2019 IT Audit Benchmarking Study, which will be released in full later this year, found that the biggest challenges for IT auditors are:

  • IT security and privacy/cybersecurity
  • Data management and governance
  • Emerging technology and infrastructure changes—transformation, innovation, disruption
  • Resource/staffing/skills challenges
  • Third-party/vendor management

Let us discuss in detail every challenge and the ways to get ahead of them:

IT security and privacy/cybersecurity
Cybersecurity is the chief risk for any organization that has a virtual presence. With the staggering numbers being quoted for Internet of things (IoT) devices being connected together and with more than 56 percent of the global populace – almost 4 billion users – connecting to the internet, the volume of cybercrimes and threats are going to accelerate in an unrelenting pace, posing formidable challenges for the IT audit community as well as business leadership.

Establishing a strong cybersecurity culture would help the IT auditors in tacking this menace, although this alone may not suffice. Business needs to move with the advancements in technologies to remain competitive. IT audit, as often pointed out by ISACA, needs to play an enabling role, meaning rendering their assurance functions in a manner that helps organizations to conduct their operations in a seamless and secure way, and also be compliant to various regulations.

To achieve this, IT auditors have to always be on top of new technologies, such as cloud, virtualization, big data analytics, AI and robotics, their associated threats, and evolving new threats, as well as being aware of how to remediate them in a timely and cost-effective way. In addition to having to perform these difficult tasks, they also need to be able to have strong communications skills so that leaders and business stakeholders are aware of the risk and, in turn, help the IT auditors to perform their task.

Data management and governance
Data management, sometimes referred to today as big data management, is synonymous with big innovation management, big opportunities management and, eventually, big money management. For an IT Auditor it is a twin challenge, first to assess how the organization uses the big data for its decision-making, where it stores the data, and how it achieves the CIA triad. Secondly, in the case of fraud detection, the challenge becomes how to harness the big data analytics or big data forensics to capture the audit trail and nab the culprit. Naturally it calls for skills in data science and analytics to handle these tasks and, as these are evolving technologies, the skillsets are difficult to find in the market.

Emerging technology and infrastructure changes – transformation, innovation, disruption
“Technology is a vector,” wrote Kevin Kelly in his excellent book, What Technology Wants. Kelly stresses the point that technology will move ahead regardless of people supporting it. In other words, technological advancement is imminent, and people are not the driving factor. To quote business executive Mark Cuban, “Artificial Intelligence, deep learning, machine learning – whatever you are doing, if you don’t understand it, learn it. Because otherwise, you are going to be a dinosaur within three years.”

Because global enterprises are embracing big data analytics, AI, and cloud computing in a huge way, audit professionals need to be familiar with these technologies so that they can perform their assurance function effectively.

Resource/staffing/skills challenges
In view of the above discussions, it is very clear that the audit function is going to face challenges in finding the right mix of resources. We need experienced auditors who have an understanding of emerging technologies, with special emphasis on data science. Although artificial intelligence cannot replace the audit function, it has the potential to complement the audit discipline by performing routine activities and highlighting exceptions for the attention of the auditors to make an informed judgement. The new-age technology will help to raise the standard of auditing, provided auditors make the effort to acquire the latest technical knowledge and upskill themselves from an audit perspective.

Third-party/vendor management
This is necessitated because of digital transformation, which enterprises around the world are pursuing. As a result, organizations increasingly resort to cloud and/or third-party service management, which leads to third party or vendor risk. Auditors need to help businesses mitigate this risk and help achieve their strategic objectives in cost-effective fashion. Effective handling of cybersecurity risk requires auditors to be thoroughly updated on the latest threats and also possess the counter-intelligence to prevent and contain cybercrimes.

Summary
IT audit exists to assist organizations in strategic technological management – that is, efficient and effective use of technology, combined with robust risk management. Technology is advancing at a rapid pace, thereby influencing and changing the way business is conducted. Business requires the help of IT audit to thrive and navigate through this stormy digital transformation period. Therefore, it is imperative for IT audit teams to equip themselves and stay relevant so that they can be of great value and play a key role in this fast-moving digital world.

Author’s note: The views expressed in this article are the author’s and do not represent that of the organization or of the professional bodies to which he is associated.

The Challenge of Assessing Security for Building Automation Systems

Mario Navarro PalosBuilding automation systems (BAS) have many characteristics that differ from traditional information processing systems, including different risks and priorities. Furthermore, these types of automation systems are subject to different performance and reliability requirements, and often employ operating systems, applications and configurations that may be considered unusual IT practices.

BAS frequently encompass any electrical component or device that is used to control a building by managing security, safety and utility services, such as physical access, HVAC, heating, alarms, and lighting, among other electrical and mechanical controllers that automate the buildings.

These services are crucial to any organization; therefore, BAS should be considered, managed, and protected as part of the critical infrastructure, whereby security is an essential factor in the ongoing care and maintenance of these systems. Security-critical services like these demand the underlying control system be reliable and robust against security threats.

In order to identify the appropriate security controls for the protection of these critical systems, it is necessary to know the current status of the building automation infrastructure. Consequently, a security assessment will help any organization to accomplish this task and boost its risk management strategy. A tailored security assessment for BAS will significantly improve situational awareness by providing highly valuable insights and identifying threats and vulnerabilities that are usually off the organizations' radar.

An initial tailored approach should, at a minimum, include the evaluation, analysis, and review of the following security control groups:

Security architecture. An effective assessment must review and evaluate the architectural design of the automation control environment. Network segmentation and segregation, boundary protection controls, remote access, and firewall rules effectiveness, among other critical security controls, should be considered.

Policies, plans, procedures and baselines. Policies and procedures must be well-defined and documented. BAS systems need to be appropriately configured to maintain optimal operation by following a security strategy in a security plan with a strong foundation on documented configuration baselines. This security plan must be aligned with the enterprise architecture and the information security policy framework.

Systems and services acquisition. An adequate security assessment should cover the contracting and acquiring of automation control system components, software, and services from third parties. Since organizations must include security requirements as part of the acquisition process to ensure that the products and services received fit into the enterprise security program, assessment findings will identify existing gaps in BAS implementations, especially those associated with contracting third-party services.

Disaster recovery. The business continuity strategy should be reviewed to evaluate the effectiveness of the continuity of operation plans. Any security assessment should consider that a solid plan addresses roles and responsibilities, assigned personnel and their contact information, and detailed activities associated with responding and restoring system operations after a disruption or failure.

Other control groups such as account management, audit and accountability, configuration management, and maintenance, should be part of a more comprehensive assessment. Designing a security assessment that is too wide in scope involves the review and evaluation of tons of security controls. This approach will most likely overwhelm any team; more importantly, the resulting findings will not provide a resonant value to the different leadership levels of the organization.

Therefore, an effective strategy for designing and executing security assessments for BAS should be founded on a tailored plan of action that encompasses performance, availability, risk, operations, resources, systems communications, change management, components’ lifetimes, and location as key differentiators from traditional IT systems.

Editor’s note: Mario Navarro Palos will present further insights on this topic during his “Designing Security Assessments for Building Automation Systems” session at ISACA’s 2019 North America CACS conference, to take place 13-15 May in Anaheim, California, USA.

Data Analytics in Internal Audit: State of the Data, 2019

Caitlin McGawBack in 2008, I placed a talented senior IT auditor who was one of the first I had seen with excellent data analytics skills, an ACL certification, and a vision for how to apply data analytics to a broader suite of audits. Our Fortune 500 client seemed very keen to capitalize on his skills. However, in the end, our client couldn’t clearly articulate a vision for Audit’s use of data analytics. The senior IT auditor moved to another company where Internal Audit had fully embraced this. Today, he is a senior IT audit & data analytics manager for a Fortune 100 company.

I’ve seen this story unfold more than once over the years. The takeaway: even with great people evangelizing the power that data analytics can bring, data analytics has taken a long time to take root within Internal Audit. With the seeds long planted, the garden is finally burgeoning forth.

Now is the time to embrace data analytics, people! But this isn’t the data analytics of even five years ago. The real power play today is coming from Python, R, and SQL. These are the tools IT audit professionals need to embrace and learn to use. Alteryx is on the horizon but doesn’t seem to have made big inroads into Internal Audit yet.

In the course of doing the research for this piece, I spoke with more than a dozen Internal Audit data analytics leaders and senior practitioners, at companies ranging from a major airline to a behemoth in the search engine and innovation space, to get their views on where things stand now, and what proactive IT auditors can do to hang ten on the data wave.

The current Internal Audit data analytics landscape
You might be wondering how embedded data analytics are at this point. Good question. My research shows that, in terms of the percentage of audits that use data analytics, the range goes from 25-30 percent to 50 percent, with at least two very large companies looking to be at 100 percent by this year.

How to get into the game
Build skills. How do you do that? The consensus among the leaders I spoke with is that online courses are a fantastic way to start. Check out Coursera, Udacity and Datacamp. Take this first step and dip your toes into the water with their free course offerings on Python, SQL and more. Boot camps are another way to go if you have the time. Once you have some skills, take on a project at work – a small one that you can drive to an early win. Do you need some sort of analytics certification? The answer across the board was no. What you need is curiosity, fearlessness, some skills and a growing portfolio of projects to build a solid use case.

Other tools that are ancillary but useful to start getting your arms around: Power BI, Tableau, QlikView and Spotfire. What’s in the works: Robotic Process Automation, AI, Neural Nets.

Now’s the time to start reading up. Who makes the best data analysts for Internal Audit? IT audit professionals. Why? Because being an adept and successful IT auditor requires that one is able to translate complex technical topics for non-techies. Business acumen and business process knowledge come with the territory, as does customer-facing concern and interface. What problem are you trying to solve? What data do you think will help you find an answer? IT auditors know the audit process and the evidentiary requirements for solid audit findings and recommendations. They also know how to write for a variety of audiences, which was identified by all the experts I spoke with as a critical skill.

Sure, data scientists know the tools inside and out, but they don’t have these other pieces, many of which are part of the intangible art of auditing.

Editor’s note: For more resources on what’s next in audit, visit ISACA’s future of IT audit page.

Shifting Technology Landscape Positions Auditors for Greater Impact

Brennan P. BaybeckEnterprises are exploring opportunities driven by digital transformation, identifying technology-driven paths to deliver more value, more quickly, while also benefiting from new process efficiencies. IT auditors must do the same to ensure they remain valued partners by the organizations for which they work.

As enterprises increasingly harness technologies such as artificial intelligence and data analytics – and deploy methodologies such as Agile and DevOps – the IT audit teams of the future would be well-served to mirror this approach if they wish to thrive amid the business technology landscape of the future.

Traditional auditing methods need to be revisited to more directly align with how businesses are operating, so audit teams are living what they are auditing instead of operating in parallel universes from their business partners. If auditors are going to audit areas like DevOps or Agile, it stands to reason that they should have direct familiarity with those methodologies. Not only would that background allow auditors to deliver deeper, more meaningful audits by better understanding the practitioner view, but auditors also would realize many of the same business benefits that motivated their colleagues to adopt the methodologies in the first place. For example, one of the main benefits the business is realizing is faster development of key capabilities. Auditors could realize that same benefit of quicker development and release in areas that have long been challenges in the audit field, such as faster development of audit programs and reporting, and more comprehensive, automated audit testing procedures.

While IT auditors have a proud, longstanding tradition of making strong contributions to their organizations, auditors are seldom known for being on the leading edge of pursuing new technical capabilities or finding innovative approaches to performing their work. That will need to change, at least to some extent, if IT auditors are going to remain indispensable in a future in which automation, artificial intelligence and other emerging tech trends will dictate changing roles for auditors and, in some cases, potentially put auditors’ roles in jeopardy.

New ISACA research on the future of IT audit highlights several compelling data points that provide perspective on how auditors and their organizations need to prepare for the changing nature of the IT audit profession. Among the notable data points:

  • Two-thirds of survey respondents (67 percent) observe difficulty recruiting auditors with the required technical skills
  • Nearly half (47 percent) expect that IT auditors will be significantly more involved in major tech projects in the next 3-5 years
  • An overwhelming majority (92 percent) express optimism when considering how technology will impact them professionally over the next five years

Organizations might not always be able to find the auditors with the technical skills they’re seeking immediately, which makes it even more important that they prioritize investing in education and skills-building capabilities as part of an ongoing strategy. That strategy needs to not only account for the conceptual, but also focus on the specific technologies and methodologies their audit teams need to understand. Given the rise of cybersecurity as a business imperative across all industries, auditors would be especially wise to pursue additional auditing cyber knowledge for how to better assess data protection and controls around key business processes. There is much work to do on the training front; the ISACA research shows that more respondents consider funding for training and professional development to be inadequate than those who say it is adequate. If organizations fail to remedy that in this evolving technology environment, their audit teams are likely to fall behind.

Traditionally, audit training has focused mostly on learning about emerging technology topics just prior to planning and performing an audit. While still important, this will not address the needs of the future. Similar to the IT business partners that auditors assess, the audit field should also focus on developing skills such as coding and testing, and areas such as AI and data analytics. These are skills and capabilities that audit teams will require in order to effectively perform their charter in the future. If the current auditor is not capable of adapting with these new skills, then the audit team will be required to find the person with those skills. This could be accomplished by seeking these capabilities from other talent pools, such as developers, co-sourcing or even complete outsourcing, which our research also has identified as trends.

Generally, respondents to the survey are right to be enthused about the future of IT audit. The coming years hold great promise for IT auditors, as an ever-expanding array of technology projects will benefit from auditors’ conscientiousness and unique ability to identify the process improvements and capability gaps that can make or break a project’s success. The more progressive audit teams, and the ones that will be best positioned to thrive in the future, are those that will proactively adopt the technologies and methodologies that their business partners are deploying, and those that commit to executing on a vision for continual training and education. Just as the digital transformation era is poised to enable organizations to better serve their customers and business partners, the same can hold true for the audit function.

How to Approach Blockchain Deployment While Mitigating Risk

Varun EbenezerBlockchain has emerged as one of the most promising technological developments of the past decade. Originating from the digital currency Bitcoin, blockchain employs use of a distributed ledger to provide consensus through its decentralized participants, eliminating the need for a central authority. This advancement has the potential to transform several key industries, much like the rise of the internet did in the 1990s.

Blockchain technology has a multitude of benefits, such as enabling peer-to-peer transactions, transparency, cost reduction, speed, fraud mitigation, and security by design. However, as is the case with any emerging technology, there are several risks with blockchain that should be considered by organizations that plan to use it. There are currently no universally accepted standards in place for blockchain, nor is there clear guidance available from a regulatory perspective. Due to these conditions, caution must be used when deploying blockchain technology at an enterprise level.

ISACA has developed a Blockchain Preparation Audit Program to provide organizations with a framework to manage blockchain. The program covers six key areas: pre-implementation, governance, development, security, transactions and consensus.

These areas touch upon the primary risks that are associated with use of blockchain, and aim to achieve the following objectives:

  • Assess an organization’s blockchain solution to determine whether it is adequately designed and operationally effective
  • Identify blockchain risks which could result in reputational and/or material impact
  • Provide organizations with a holistic perspective on blockchain technology, with consideration for both technical and non-technical factors

When properly deployed, blockchain can provide substantial benefits. However, blockchain is not practical for every organization, and management must ensure that its use supports business objectives accordingly. The following are examples of adverse impacts that can occur when a blockchain solution does not align with business objectives:

  • Impractical use cases that are in misalignment with organizational strategy
  • Inadequate deployment that results in wasted time and resources
  • A blockchain solution that does not function properly
  • Potential for noncompliance with industry regulators
  • Vulnerabilities that could impact source code, endpoints, and sensitive data

In addition to the risks discussed above, the blockchain audit/assurance preparation program also will allow organizations to consider other relevant questions. Some of these questions include:

  • Was there a business case assessment created for the use of blockchain? Was it approved by key stakeholders?
  • What were some practical use cases that the organization was looking to use blockchain for?
  • What type of blockchain (permissioned vs. permission-less) is the organization using?
  • Are blockchain wallet private keys being managed by a clearly identified custody approach?
  • How is the organization acquiring the required development expertise to support the blockchain solution?
  • How were vendors selected to support the organization’s blockchain solution? What due diligence processes were followed?
  • Does management adequately understand blockchain technology, and are they providing effective oversight?
  • What is the approach being used to manage applicable regulatory risks?

Editor’s note: The Blockchain Preparation Audit Program is complimentary for ISACA members.

IT Audit in 2019: Hot Topics and Trends

Todd WeinmanThe turn of the calendar to a new year is always a great time to take pause and reflect. Now that 2019 is in full swing, I wanted to take a quick snapshot of hot topics and trends for the IT audit field in 2019.  And just to make sure I wasn’t completely winging it, I checked in with a couple valued industry contacts.

1) Security and availability remain atop nearly all IT (and by association IT audit) departments’ list of top priorities. As John Steensen, a senior director of technology audit for Visa noted, “At Visa, Job #1 is security and Job #2 is systems availability.” This is echoed daily in conversations with heads of IT audit from around the country. IT auditors can continue to expect a steady diet of: firewalls and routers; internet, intranet and web services; remote access systems; telecommunications (data and voice); threat intelligence; systems security (penetration testing, vulnerability management, malware protection); activity and event monitoring; cyber defense and incident response, Dev-Ops, and AWS and cloud infrastructure.

2) Heightened focus on data and data governance. Dan DerGarabedian, the head of information technology and data audit (a title that is in itself telling) for BNP Paribas USA, noted that “Data governance, management and quality has been a very hot topic in the banking industry, and the trend is continuing.” As a result, they value candidates with “hands-on experience in enterprise data management.” Ronnie Dinfotan, VP of information technology internal audit for First Republic Bank in San Francisco, echoed that sentiment, noting that “These days, data savvy resonates more in the world of technology as opposed to only having network savvy.”

3) Increased focus on data analytics. In part related to the above, we continue to see increase focus on the use of data analytics for more efficient and effective auditing. As DerGarabedian noted, “Ten years ago, data analytics were a ‘nice to have.’ Today, it is an absolute and necessary (and expected) skill set to have within your audit department.” Among the desired skillsets, DerGarabedian further noted, are Python, SQL, and the use of visualization tools such as Tableau.

4) Return of the technical IT auditor. Over the past several years, in an effort to address more complex IT environments and heightened technology-related risks, we have witnessed an unmistakable trend to add more technical muscle to IT audit departments. Steensen noted that “at Visa, over the past year we have been transitioning to more of a ‘practitioner hiring model,’ where we seek out experienced technology practitioners with audit experience … and the payback has been great – our audits are deeper, more insightful, and address technical issues at a deeper level than ever before.” (For a more detailed examination of this trend and its challenges see my blog post, “Return of the Technical IT Auditor”).

5) New areas of focus. Continued movement to the cloud, big data, and other technology advancements have continued to bring new areas for IT auditors to focus. Steensen noted some of these new areas of focus for technology audit at Visa: Robotic Process Automation (RPA), machine learning and artificial intelligence, textual analysis, and blockchain, while continuous monitoring/auditing continues to evolve.

Ronnie Dinfotan sees value in an IT auditor with a forensic skill set. “I think the cybercriminals have figured out a long time ago that vulnerability tools were going to detect their backdoor services, and that an IT auditor with a forensic skillset and malware detection experience is what is needed to match some of today’s cybersecurity issues.”

Finally, increasing movement to the cloud requires IT audit to take into account consideration of the legal and contractual perspective. Thierry Dessange, an SVP and audit director with Wells Fargo, notes that, “Everyone is moving to the cloud. As an IT auditor, what should you consider when your organization is confronted with the complexity, and often inflexibility, of a third-party cloud computing contract? Ensure you’ve got the right skills at the table (i.e., legal, information security, finance, IT, operations, sourcing, etc.). You also should be clear about what types of compensating processes, and associated costs, need to be in place where the contract doesn’t provide you with all of the elements that you would want from the third-party cloud service provider.”

1 - 10 Next