This Q and A is based on ISACA member Ross Wescott’s interview with CIOTalkRadio.com. Ross Wescott, CISA, CIA, is chief IT auditor at Portland General Electric (USA).
Q: Do companies that conduct IT audits demonstrate a significant improvement in IT efficiency, effectiveness, or overall value creation?
A: Overall, I think that companies that have regular IT audits do gain value. Some gain value through a level of comfort that they are doing everything right. Others gain value because the independent audit looks at their operation and sees and fixes real flaws. Yet others gain value because they embrace the audit function and use it for their analytical skill sets outside of regular audits. Value is very subjective.
On the other hand, I’d also have to say that it depends. Off the top of my head, a successful IT audit that brings value to IT really depends on the auditor:
- Understanding the influences on and within the IT group—Understanding why an IT group does what it does goes a long way to determine how to improve it, if at all.
- Using the right benchmarks and standards to measure IT—Using military-level security in a small, non-profit organization would be an incorrect use of a set of standards. Philosophically, each of those organizations needs to protect its information assets but how it is done and the tools used are completely different.
- Focusing the audit on risk impact and likelihood—No matter what I think or what the standards or general governance guidelines say, if the risk is not high enough or if it falls within the organization’s risk appetite, I might as well save my breath.
Q: How open are IT leaders and their crews to seeing themselves reflected in an IT audit and on a regular basis?
A: Most IT departments that I have audited have no problem with being reflected if it is honest and free of distortions. It does rest, however, on my relationship with IT and their trust that I have their best interests at heart.
Not many people embrace being evaluated. A few months ago, I was talking to my CIO about my general approach to IT auditing, and I said to him, “I want you to understand that I do not wake up in the morning thinking of ways to make you fail. I want you to succeed. I want you to have as few issues as possible because it means you are doing the right things and doing things right. And to the extent that I can help you succeed within my experience and knowledge, I will help you succeed. Your failure does not equal my success.” I think the CIO finally understood where I was coming from.
Now, I will point out the flaws as they come during my work, and I will put those into a report for correction. However, because the CIO trusts me, we are fine with having these conversations.
Not all organizations embrace audits because they do not have this kind of relationship or do not see the need. Mandated audits are less successful, even if they find the flaws, because their focus is short-term success.
For more of Ross’s interview, visit CIOTalkRadio.com. Check back here in upcoming weeks for parts three and four of his interview series.