Robert Findlay, CISA
Robert Findlay has had a 30-year career in a variety of IT roles, including computer operations, programming, project management, IT audit and emergency project management, and has held positions such as information security manager and chief information officer (CIO).
He has worked in both the public and private sectors, for a cooperative, a partnership and a conglomerate, across a wide range of industries. His career has taken him to most continents, while working largely in the United Kingdom, Ireland and the United States.
He has taken some time off to travel extensively around the world. Part of this travel involved six months researching forts and castles across all the Caribbean Islands and in Central America. On this trip he was shot on two occasions and involved in half a dozen knife fights. Now, he sticks to calmer hobbies such as marathon running, long-distance hill walking and studying for a degree in international studies.
How do you see cloud computing changing the way we do business? What are your thoughts on auditing cloud computing?
People are very reluctant to commit to cloud computing because of data security risk, a lack of trust in third parties to hold personal data securely and to be responsive to incidents, and concerns over moving to new providers if a change is necessary.
Personally, I see these concerns as an anchor on cloud computing, and I can see only slow progress in niche areas for this service in the short term. Longer term, cloud computing could grow massively if location-of-data issues are resolved.
Consequently, these issues should be the focus for auditing. I like to investigate the contracts and the security of the third party. If they do not let me in, then I am suspicious of the control environment.
What do you see as the biggest risk being addressed by IT auditors and/or security professionals? How can businesses protect themselves?
External technical risks are most often discussed, but my experience is that the biggest threats to organizations are IT-related, but internal and often nontechnical. I see a lot of internal fraud through a lack of application controls, caused by developers of applications who are not pressed into applying strong validation, segregation of duties or good security reports to allow managers to review patterns of behavior.
Even less technical are the threats from poor governance. It is rare that I come across any IT management team that has read contracts, never mind applied them; in most cases, contracts do not exist. Similarly, management—of all kinds, not just IT management—does not pay attention to laws, regulations and agreements that apply to their businesses.
For companies to protect themselves, a good start is to read all regulations and contracts and set up compliance projects. Similarly, they should review their data and set up a robust reporting system to monitor exceptions to policy and a compliance framework. Too many managers do not understand their own data.
How do you think the role of the IT auditor/professional is changing or has changed? What would be your best advice for IT auditors as they plan their career paths and look at the future of IT auditing?
The role of the IT auditor is far more risk-based than it was when I started; then, technical operating system reviews and database audits were the order of the day. As a result of this evolution, IT auditors must understand it all: IT, finance, business and environmental risk. At the same time, they must have enough technical knowledge to warrant a specialist position. My advice is to keep abreast of the issues and keep skills current.
A large portion of your career has been in IT audit, but recently you worked as an IT security manager for four years. How did you transition to this field, and what brought you back to IT audit?
My transition from IT auditor to IT security manager was driven by my own IT audit findings. The organization had no one to fix the issues that I had found, so I had to get into the technical arena to resolve a host of issues, from cleaning up the virtual private network (VPN) solution to setting up security in the SAP system. However, due to business pressures and the importance of the SAP project to the entire group, the role became too specialized and the risk became SAP-focused. Consequently, I needed to broaden my skills or else become typecast in the SAP security space.
What has been your biggest workplace or career challenge, and how did you face it?
The biggest challenge I faced was a specific postimplementation review (PIR) of a major human resources (HR) and payroll system project. In general, I have found PIRs to be the most politically volatile reviews in each place I have worked; management always makes great claims to savings from new IT systems—savings that, in fact, do not exist.
In this case, the PIR uncovered an incredible set of findings regarding the project that led to the dismissal of the chief information officer (CIO) and a two-year series of audits into every aspect of the project.
The challenge was the scale and complexity of the review, and the auditees fighting every finding and delivering personal attacks on a daily basis for two years. Finally, the reports that I issued were all accepted and new projects were launched.
Sticking to the facts and being professional, courteous and, most of all, resilient led to great results for me and the business.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2012 ISACA. All rights reserved.