Edie Brickell (incidentally the wife of singer/songwriter Paul Simon) had a modest 1988 hit titled “What I Am.” The opening lines of the song contain the lyrics “I'm not aware of too many things. I know what I know if you know what I mean.”
Besides being a nice play on words, the lyrics are quite prophetic; in reality, we all are somewhat restricted by what we know and understand. We, as ISACA members and IT specialists, all know a lot about IT risk and its 3 main categories. Specifically:
• IT benefit/value enablement risk—Associated with missed opportunities to use technology to improve efficiency or effectiveness of business processes or as an enabler for new business initiatives
• IT program and project delivery risk—Associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programs as part of investment portfolios
• IT operations and service delivery risk—Associated with all aspects of the business-as-usual performance of IT systems and services, which can bring destruction or reduction of value to the enterprise
However, the audiences for IT audit reports, most notably, the audit committee, tend to be generalists and, well, they know what they know if you know what I mean. I believe it is therefore incumbent on IT audit to educate or a least to offer to educate committee members in this regard.
We can do this by bringing together our understanding and that of our audit committees. This can be done by drawing a line between the 3 main risk categories, the IT risk to the business objectives and the assurance provided. We need to help the committee understand the significance if the report in front of them states that a key, in-scope application is not in compliance with the information security management system (e.g., International Organization for Standardization [ISO] 27001). We want them to know what we know, if you know what I mean.
Read Ian Cooke’s recent Journal article:
“Providing Audit Committee Guidance,” ISACA Journal, volume 5, 2019.