Internal auditors are under increasing pressure to add value to what is valued while, at the same time, helping to protect their enterprises from risk such as cyberattacks. In addition, an internal audit will likely tie up key IT resources that should also be creating value for the enterprise. It is, therefore, becoming ever more vital to plan what will be audited, when it will be audited and by whom. Indeed, a plan should be a detailed formulation of a program of action.
Former US President Abraham Lincoln once famously said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” He was, of course, discussing the need to spend time planning. In internal audit, an important part of this planning should go into developing the IT audit plan.
In December 2018, ISACA published the COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution. It includes some new concepts to help enterprises design a tailored governance system. In my recent Journal column “Developing the IT Audit Plan Using COBIT 2019,” I propose repurposing these new concepts and marrying them to a more familiar concept—portfolio management—to develop an IT audit plan that should be closely aligned with the business strategy and direction.
Read Ian Cooke’s recent Journal article:
“Developing the IT Audit Plan Using COBIT 2019,” ISACA Journal, volume 3, 2019.
When I produced my auditing Amazon Web Services (AWS) Journal article for volume 3, I was just wrapping up my very first audit against an AWS environment. During the planning stages of my audit engagements, I do as much research as possible to determine how the in-scope technology works, how to find the configurations and if others before me have documented their findings on key risk factors, controls and areas that I can leverage as I complete audit planning. Sadly, AWS had the most readily available documentation that discussed how to go about performing a basic audit of their products and what to focus on, but nothing further existed, at least as far as my Internet searches led me.
Because a previously documented audit program for AWS was difficult to find and there was not unlimited time to keep looking, one had to be developed from scratch. The backbone of the audit program and the article was inspired by the specific areas in the AWS Auditing Security Checklist (Governance, Network Configuration, etc.). When it came to selecting and discussing the particular controls to focus on in the article and audit program, there was the glaring challenge that not everyone uses AWS in the same way or uses the same services, such as Cognito or Glacier, so the focus of both the article and the audit program was kept as basic as possible and around its core services, including S3 and IAM.
As I further produced the article, I wanted to very briefly touch on what I felt were the fundamental pieces of information for a given focus area and then elaborate on any tricky items that could be easily overlooked and why they are important. A prime example is the IAM root account. Without doing some research, or if questions are not asked in a certain way, auditors may be unaware that this superuser account exists and of the limitations that presently exist to secure it.
Find the companion to my Journal article, the AWS Audit Program, on the ISACA website.
Read Adam Kohnke’s recent Journal article:
“Auditing Amazon Web Services,” ISACA Journal, volume 3, 2019.
When looking at innovation, it may seem daunting to involve audit properly to protect the organization. With any new effort, there are a lot of unknowns. In traditional project processes, there should be enough time to discover major issues and handle the risk revealed. Innovation, though, wants to move more quickly. As a result, the increased speed can mean risk is not properly identified and reviewed. Therefore, it is important for audit to proactively become involved in innovation efforts as the organization attempts to improve its ability to compete.
Be Engaged With the Effort
Innovation is proactive and, in some respects, aggressive. Therefore, audit cannot take a passive approach to innovation. Rather, it needs to be an active participant, whether we are talking about an innovation team or an overall, organizationwide effort. Let us look at 2 ways audit can engage proactively.
Serve as a Mentor
Too often, audit is seen as the opposition, especially within IT. Most of us do not like when someone is watching over our shoulders, and that is effectively what audit is asked to do. However, audit can also serve to guide a team in risk identification and mitigation, as well as ensure that regulatory and compliance requirements are met during the project process and not afterwards, when it is significantly more expensive.
In other words, an auditor serves as a mentor to innovation efforts so that any work that is done takes into account the controls and requirements with which the organization must comply. This reduces the possibility of rework to retrofit solutions, which can result in unexpected cost and delayed realization of proposed solutions. Since innovation often seeks to find the product or optimization before a competitor does, delays can invalidate the effort altogether.
Leverage Knowledge and Experience to Provide Solutions
Generally speaking, a broad range of subject matter expertise is critical for innovation efforts. Audit brings its own set of skills and knowledge, often in areas that other team members do not have a strong competency in. As a result, it is important for audit to help the efforts by providing solutions based on that knowledge and experience. For instance, if a team is starting down a track that will result in cumbersome controls (such as manual ones) when an alternate path would still move the team forward and protect the organization, an auditor can guide the team to the second path.
This Is Not Thinking Outside the Box
Neither of these is a new competency within audit. Rather, they are existing competencies that any auditor assigned to a project should already have. We are simply applying them to an innovation effort within an organization. Generally speaking, this is a good approach. Look at what audit’s role is in the project cycle, and apply that role appropriately to the innovation work. However, it is important for audit to be more active (proactive) than in a traditional project. In this way, audit will be able to meet its goal of protecting the organization while also being seen as a partner, not an obstacle, in the innovation effort.
Read K. Brian Kelley’s recent Journal article:
“Innovation Governance: What Is Innovation?,” ISACA Journal, volume 2, 2019.
Like in many professions, the new year is traditionally a time for planning for IT auditors. This year, I am willing to wager that many of your resulting IT audit plans include something to do with the EU General Data Protection Regulation (GDPR).
A question naturally follows from this: How do you go about performing the audit? A Google search for the term “GDPR audit” produces about 34,800,000 results (as of 15 January 2019). So how do you separate the wheat from the chaff?
This very topic was recently discussed on ISACA’s Engage Audit and Assurance Online Forum. Excellent suggestions were made, including using the International Association of Privacy Professionals (IAPP) Certified Information Privacy Manager (CIPM) Body of Knowledge and the self-assessment tools defined by the United Kingdom’s Information Commissioner’s Office.
My own suggestion was to use annex 1 of the ISACA guide Implementing the General Data Protection Regulation. This defines 9 core GDPR processes in a COBIT-like process model to form a Data Protection Management System (DPMS) that could be reviewed from an assurance perspective. This idea went on to inspire my recent IS Audit Basics ISACA Journal column, “Assurance Considerations for Ongoing GDPR Conformance.”
Imagine my surprise when I learned that ISACA was developing a GDPR audit program using the same concept. I know “fools seldom differ,” but in this instance, I like to think that “great minds think alike”!
If there really are 34,800,000 ways to audit GDPR, may I strongly suggest that you consult each of these ISACA documents before you start.
Read Ian Cooke’s recent Journal column:
“IS Audit Basics: Assurance Considerations for Ongoing GDPR Conformance,” ISACA Journal, volume 1, 2019.
I have been fortunate in my career to have attended many excellent ISACA conferences where the keynote speakers have excelled in delivering their message in very clear and pragmatic ways. One such speaker was futurist Mark Stevenson about whom I wrote in my recent Journal article, coauthored with Ian Cooke, in which we discuss the 8 principles of successful optimists and their relevance to the IT audit profession.
Personally, I found Stevenson’s closing keynote talk at the ISACA EuroCACS in Dublin in 2016 very inspiring, and it has motivated me to increase my level of participation with ISACA. Since this talk, I have spoken at an ISACA EuroCACS event, joined the ISACA Ireland Chapter board, spoken at an ISACA risk management talk, participated as a subject matter expert for ISACA webinars and am now evidently contributing to writing ISACA Journal articles and blogs.
Martin Cullen and Mark Stevenson at ISACA EuroCACS, National Convention Centre, Dublin, Ireland, 1 June 2016
If you consider optimism and the audit profession, you might think that the two are incompatible: auditors tend to focus on risk, and the resultant perception slants toward a pessimistic outlook (risk aversion) rather than an optimistic one. Indeed, audit and an optimistic outlook may appear contradictory, since a large part of the audit job requires a risk-averse mindset (e.g., identifying and reporting on the bad things that may happen to your organization). While I believe there is no single trait that defines a successful auditor, optimism is an important one.
The Institute of Internal Auditors' (IIA) definition of internal auditing in its International Professional Practices Framework (IPPF) states that internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. To my mind, these words can be interpreted to mean that audit is, ultimately, striving to help the organization improve and work better.
Similarly, the definition of optimism in the Oxford English Dictionary is “hopefulness and confidence about the future or the success of something.” Ultimately, we as auditors strive to help positively shape the success of our respective organizations by assessing the controls that mitigate the pertinent risk factors to our organizations. In our roles as auditors, we are concerned with the future success of our organizations. The purpose of internal audit reports is to bring about positive change.
Additionally, in our audit roles, we surface and report on gaps in controls to mitigate risk factors and ensure that these are not ignored, but, instead, addressed in a timely manner. We as auditors can often be thought of as representing the “conscience” of an organization. Sometimes, we even write recommendations to help our organizations address risk with the ultimate goal of increasing the chances of our organizations succeeding in the future. In other words, this is helping the people in our organizations to control and shape the future of the organization. And believing that you can help control and shape the future is the definition of an optimist, is it not?
As Winston Churchill once famously said, “A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty,” and we as auditors must continue to strive to see the opportunity in every difficulty and not the difficulty in every opportunity.
Read Ian Cooke and Martin Cullen’s recent Journal article:
“IS Audit Basics: Affect What Is Next Now,” ISACA Journal, volume 6, 2018.
The business case for diversity is well-established. Research studies clearly indicate that diverse and inclusive organizations benefit from increased productivity, enhanced problem solving and heightened levels of employee engagement over their more homogenous peers. But how does an organization successfully attract and retain the best and brightest IT audit talent in an increasingly competitive market? Sure, you could try to compete with the Silicon Valley (California, USA) firms by upgrading your employee perks to include on-site spas, car washes and free gourmet meals. But there is a more effective strategy, one that is often overlooked, and it does not involve offering free frittatas. Employee resource groups (ERGs) can be a very valuable tool to recruit new talent and ensure that existing employees feel welcomed and valued.
Role of ERGs in Employee Recruitment and Retention
ERGs can assist with both recruitment and retention. Employees from diverse backgrounds may be reluctant to join or stay with an organization if nobody “looks like them.” RELX Group has been working to leverage relationships with its African Ancestry Network (AAN) and historically black colleges and universities such as Morehouse College (Atlanta, Georgia, USA), with a goal of expanding its recruiting process for IT audit and other technical positions to diverse candidates. In turn, Morehouse students will gain exposure to RELX professionals who may be able to serve as mentors and provide guidance to students in the technology and IT audit fields.
Dispelling the Myth of ERG Boundaries
Many employees feel that just because they are not part of a specific demographic group, an ERG may not embrace them or they cannot or should not attend particular events. That is simply not the case. RELX’s AAN, for example, has expansive programming that goes beyond the US observance of Black History Month celebrations and is intended to benefit employees at large. The AAN sponsors events around breast cancer awareness, financial planning, project management 101 and how to effectively use LinkedIn to expand and maintain your professional network, among others. As a result, many AAN events are attended by employees who are not of African ancestry.
Our recent Journal article discusses the value of leveraging ERGs as one of several practical strategies for creating and maintaining a diverse and inclusive IT audit team.
Read Asim Fareeduddin and Femi Richards’ recent Journal article:
“Effective Strategies for Creating and Maintaining a Diverse and Inclusive IT Audit Team,” ISACA Journal, volume 6, 2018.
Blockchain is a distributed transactional database in which transactions and related details are recorded and verified through consensus algorithms. Once a transaction is recorded and confirmed, it cannot practically be changed or canceled: each block carries a cryptographic hash of its predecessor, so altering history means rewriting every later block and having the network's consensus accept the rewrite. Thus, blockchain offers features (transparency, security, immutability, accuracy and traceability) that are also key features in auditing. Its use will have several kinds of impacts on the auditing profession.
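What "immutability" and "traceability" mean in practice, and what an auditor can and cannot conclude from recomputing a ledger's hashes, is easier to see on a minimal hash chain. The code below is an added example, not from the original article; the transactions are constructed, and the chain is deliberately simplified (no signatures, no consensus, SHA-256 over canonical JSON) to isolate the linking property. The hypothetical helper names are mine.

```python
"""Minimal hash chain: tamper detection and its limit.

Added example, not from the original article. Blocks are linked by the
SHA-256 of their predecessor; there is no signing or consensus here.
"""
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64

# Constructed sample ledger: three batches of transactions.
CONSTRUCTED_BATCHES = [
    [{"from": "treasury", "to": "supplierA", "amount": 1200}],
    [{"from": "supplierA", "to": "supplierB", "amount": 300},
     {"from": "treasury", "to": "payroll", "amount": 5000}],
    [{"from": "payroll", "to": "employee42", "amount": 2100}],
]


def block_hash(index, prev_hash, transactions):
    """Hash the block's position, its link to the predecessor, and its contents."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "transactions": transactions},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(batches):
    """Build a chain from transaction batches; copies input so callers can't alias it."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(copy.deepcopy(batches)):
        h = block_hash(i, prev, txs)
        chain.append({"index": i, "prev_hash": prev, "transactions": txs, "hash": h})
        prev = h
    return chain


def first_invalid_block(chain):
    """Return the index of the first block whose hash or link fails, or None if all verify."""
    prev = GENESIS_PREV
    for i, blk in enumerate(chain):
        if blk["index"] != i or blk["prev_hash"] != prev:
            return i
        if block_hash(i, prev, blk["transactions"]) != blk["hash"]:
            return i
        prev = blk["hash"]
    return None


def head_hash(chain):
    """The last block's hash commits to the entire history."""
    return chain[-1]["hash"]


def tamper_in_place():
    """Edit one recorded transaction without recomputing hashes; returns first failing index."""
    chain = build_chain(CONSTRUCTED_BATCHES)
    chain[1]["transactions"][0]["amount"] = 9000
    return first_invalid_block(chain)


def consistent_rewrite():
    """Rewrite history and recompute every hash: internally consistent, but a different head."""
    batches = copy.deepcopy(CONSTRUCTED_BATCHES)
    batches[1][0]["amount"] = 9000
    return build_chain(batches)


if __name__ == "__main__":
    original = build_chain(CONSTRUCTED_BATCHES)
    print("valid chain:", first_invalid_block(original))          # None
    print("in-place edit breaks at block:", tamper_in_place())    # 1
    rewritten = consistent_rewrite()
    print("rewritten chain self-consistent:", first_invalid_block(rewritten) is None)
    print("head hashes match:", head_hash(rewritten) == head_hash(original))  # False
```

The second case is the one that matters for assurance: a single copy of a ledger can always be rewritten so that it verifies internally, so recomputing hashes only proves consistency with whatever head hash you compare against. That head hash therefore has to come from outside the copy under test (other nodes, the consensus protocol, a published checkpoint), which is exactly where the auditor's reliance on the platform's deployment and governance comes in.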
The audit profession will be more IT-oriented, and its main objective might no longer be to ensure the regularity and sincerity of an organization’s financial statements, but instead to review the information systems and, in particular, to ensure that blockchain technology is properly deployed. Auditors might even have to certify the blockchain itself.
Thus, financial and IT auditors will need more in-depth technical and technological knowledge and, at the same time, auditing firms will have to hire more IT auditors and other types of profiles to fully benefit from the various technologies that are currently being developed (e.g., blockchain, big data capabilities, data visualization).
At the same time, the auditing standards will have to evolve since, currently, there are no audit standards describing how to conduct an audit of blockchain, whereas some financial auditors already face the challenge of auditing enterprises active on blockchain or organizations that have set up blockchain platforms to execute some of their business processes.
Finally, these characteristics make it possible for blockchain to automate audit tests, or at least to facilitate them, thus reducing the length and cost of audits. Some audit-related tasks that are time consuming, do not require specific technical expertise and are currently performed by junior auditors will disappear. As such, audit firms will hire fewer junior auditors in favor of more experienced professionals. Those experienced professionals will use new technologies such as blockchain and their professional judgment to go beyond the pass/fail evaluation of the traditional financial audit report to make more sophisticated analyses, provide better insights and forward-looking recommendations to their clients and, thus, become their strategic business partners. This situation might, however, represent an ethical challenge for the profession, as Certified Public Accountants (CPAs) are currently restricted by the US Public Company Accounting Oversight Board (PCAOB), and limited by other national bodies, in the kind of advisory services they can provide to their audit clients.
Read Nathalie Brender and Marion Gauthier’s recent Journal article:
“Impacts of Blockchain on the Auditing Profession,” ISACA Journal, volume 5, 2018.
British science fiction writer Arthur C. Clarke famously said, "Any sufficiently advanced technology is indistinguishable from magic.” This seems to apply today like never before, especially with the rise of the Internet of Things (IoT). The day is not far off when your appliances are talking to your automobile, and your car is picking up your groceries after it has dropped off your kids at school and you at the office. While this may sound like science fiction (probably something Clarke might have written) or something you see on the silver screen, the underlying technology referred to as the Internet of Things has been around for a while and is already being used by a variety of players across industry sectors, with scores of startups and established players betting big on this technology. Research predicts that there will be 31 billion connected devices by 2020, with spending on IoT expected to be close to US $3 trillion. Economic impacts are expected to be in the trillions, with benefits, opportunities, threats and disruption galore.
Enterprises are betting big on IoT, with use cases expected to deliver value across the supply chain and to customers like never before. This large-scale investment is not without its downsides, with experts predicting Himalayan challenges in securing devices, apart from powering the billions of sensors and handling the resulting e-waste. Forrester Research found that IoT security will remain a top issue, and we should expect to see more attacks like the Mirai botnet attack, which looks like it came straight out of a B-grade Hollywood flick, “Attack of the Killer Camera” or something like that. Data from a Symantec survey points to a 600% increase in IoT attacks in 2017 over the previous year. One way to evaluate and possibly secure IoT could be to carry out robust audits, and I was fortunate enough to collaborate with Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt, who authors a great column on IS audit basics for ISACA. In our volume 5 column, we apply ISACA’s IT audit framework to auditing IoT.
Read R. V. Raghu’s recent Journal article:
“IS Auditing Basics: Auditing the IoT,” ISACA Journal, volume 5, 2018.
One of my favorite, if not my favorite, novels is Let the Great World Spin by Colum McCann. The book is centered around Philippe Petit's 1974 high-wire walk between the Twin Towers of the World Trade Center. There is a poignant scene in the book when a mother who has just lost her son, a soldier, looks out her window, sees the walk in progress and reacts with disgust: how dare he risk his life in that manner when my son is dead! However, from Petit’s point of view, this is what makes him feel alive (as his TED Talk demonstrates). This is his passion, this is what he values. Value means different things to different people, depending on their perspective.
Similarly, according to James Roth, the definition of "value added" can vary considerably from one audit department to the next. For many practitioners, this phrase describes audit work that helps management improve the business, rather than assignments that simply verify compliance with policies and procedures. For others, the opposite meaning may apply.
However, despite the significant diversity in their specific practices, Roth has observed remarkable similarities in certain key areas among best practice audit departments. These audit shops form a collective profile with the following 5 value-adding characteristics:
- Extensive staff expertise
- A challenging work environment (for audit staff)
- Organizational alignment
- Participative, qualitative, real-time risk assessment
- An array of audit services (including process audits)
I discuss 2 of these characteristics in my recent IS Audit Basics column in the ISACA Journal, “Add Value to What Is Valued”: (a) achieving organizational alignment by following the COBIT 5 goals cascade or, where this is not in place, mapping upward from processes to generic IT and enterprise goals that the organization can then review from a value perspective, and (b) auditing the processes that add this value horizontally across the enterprise using the generic COBIT 5-based assurance engagement approach.
Read Ian Cooke’s recent Journal article:
“Add Value to What Is Valued,” ISACA Journal, volume 4, 2018.
In our recent Journal article about merging internal audit departments, we discussed a practical approach to taking a skills inventory and then using that skills inventory as one of the primary inputs in making staffing decisions following a merger or acquisition.
In taking a skills inventory, however, it is important for audit management to not overlook critical skills that do not often show up on an auditor’s resume. Many of these can be just as important to the overall success of the department as subject matter expertise and technical skills.
The audit manager should understand which people on his or her team fill these vital, often unofficial roles. For example, who is comfortable talking with external stakeholders? Who can deliver bad news? Who is good at writing and editing and making reports look good? Who loves teaching and coaching? Who has a knack for networking and connecting people? Who champions team building, employee morale and recognition?
For most of us, the idea that personality, communication and compatibility (i.e., teamwork) play as important a role in team success as skill and expertise is old knowledge. But what is less clear is how many audit managers have gone through the process of defining what their critical “soft” roles are clearly enough to be able to ensure those roles remain filled.
What would you add to this list? What are those unofficial/undefined roles that are critical to the success of your organization?
Read Kevin Alvero, Randy Pierson and Wade Cassels’ recent Journal article:
“Merging Internal Audit Departments,” ISACA Journal, volume 3, 2018.