Five Questions With... 

Download Article

Charan Kumar began his career in programming in various roles, including systems analysis, design and development. Appreciating the need for an in-depth understanding of business operations by IT professionals, Kumar pursued the Chartered Accountant certification. While in the CA program he experienced firsthand the increased reliance of organizations on information technology and foresaw the changing role of financial audit, with information systems (IS) audit as an area of expertise. He then earned his Certified Information Systems Auditor™ (CISA®) designation. Based on various cases investigated by Kumar, he was conferred the Certified Fraud Examiner designation in 1996. Subsequently, he earned the Certified Internal Auditor (CIA) and Certified in the Governance of Enterprise IT® (CGEIT®).

With the intent to increase the awareness of ISACA in India, he—together with his colleagues at the New Delhi Chapter— organized the first ISACA international event in India in 1996. This event in New Delhi was succeeded by the formal launch of the Mumbai Chapter, and many other chapters in India were soon to follow. Kumar was instrumental in the formation of the New Delhi Chapter of ISACA of which he is the founding president.

Kumar spent 18-plus years in the profession, at Coopers & Lybrand, Ernst & Young and KPMG, among others, and more than five years in the industry with a leading shipping line in the Middle East. He regularly speaks at various conferences and has served on ISACA’s Education Board and various program committees. He currently serves on the ISACA Toronto Chapter’s Research and Academic Relations Committee.

Outside of his career and association with various organizations, Kumar enjoys the outdoors and trekking. When away from work, he can be spotted flying a Cessna through the eastern Toronto skies. He can be reached at


What do you see as the biggest risks being addressed by IS auditors? How can businesses protect themselves?


An organization’s ability to understand IS/IT risks influences its initiative to mitigate them. Given the complexity and pace of change in technology, IS/IT risks and exposures are constantly evolving. There is always a large risk that leadership within business may not be able to comprehend the urgency and complexity of IS/IT risks. IS auditors address this risk via their audits and reports by bringing to the business leadership’s attention the IS/IT risks, as well as recommendations to mitigate them.

Businesses can shield themselves by recruiting resources with the appropriate blend of skills within their team, for example, CISA- or CISM-certified auditors. The collective skill set supports a quality audit, and management can expect a fair degree of assurance that IS/IT risks are identified and appropriate risk mitigation recommendations are made.


How do you think the role of the IT auditor/ professional is changing or has changed? What would be your best piece of advice for IT auditors as they plan their career paths and look at the future of IT auditing?


In essence, the role has not changed much over the past many decades. That is, IT auditors are still identifying IS/IT risks and providing recommendations to mitigate them. What has changed is the IS/IT knowledge domain.

An auditor’s understanding of the role of technology in business is very important. This can assist in appreciating IS/IT risks from a business perspective, i.e., identifying the impact of each risk by responding to the “so what?” question for every risk identified. This can also help in articulating the business impact of IS/IT risks and can contribute to the “value add” while also facilitating buy-in from senior leadership.


How do you believe the certifications you’ve attained have advanced or enhanced your career? What certifications do you look for when hiring new members of your team?


Absolutely, they have had a tremendous positive influence. CISA was my first. Certification is granted by a professional institution when a candidate demonstrates adequate understanding of the subject via the exams, and obtains minimum practical experience. Certifications provide assurance that a candidate has the minimum professional expertise expected in the field. This opens doors as employers or clients know what to expect.

When hiring, CISA of course is the minimum for IT auditors. As auditors, we constantly face challenges; hence, the attitude of the candidate is very important. If potential candidates do not have the CISA certification, I typically encourage them to work toward their designation, and I provide the required support to help them accomplish this.


How do you see the role of IT governance changing in the next five years?


There is increased awareness and appreciation of IT governance compared to a few years ago. I expect organizations that have implemented IT governance and best practices to realize economic benefit due to their adoption. As a result, this economic success will likely stimulate further industrywide acceptance of IT governance.


What has been your biggest workplace challenge, and how did you face it?


Auditors are seen, more often than not, in a policing role. This makes the auditee very defensive, challenging findings and resisting recommendations.

I have found upfront articulation of expectations and categorical expression of an auditor’s role to clients very helpful. It is also important for auditors to demonstrate objectivity and fairness in attitude and appearance in their dealings with clients. This brings significant respect for auditors. They are then seen as doctors who diagnose the patient, identify problems and prescribe recommendations that may not always contain “good news.” At the same time, the patient appreciates the value-add provided by the doctor.

Enjoying this article? To read the most current ISACA® Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2010 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.