Five Questions With... 

 
Download Article Article in Digital Form

Robby B. SebopengRobby B. Sebopeng, CISA

Robby B. Sebopeng was appointed the auditor general of Botswana in 2010. He had been the acting auditor general since 2008 and the deputy auditor general from 2003-2008. His career began with the Botswana Government in 1983 as an assistant auditor in the Office of the Auditor General.

During his career in the Office of the Auditor General, he introduced the application of monetary unit sampling, general audit objectives, and the concepts of risk and materiality. He pioneered the establishment of email, Internet access and an automatic computer backup system as part of the Office’s disaster recovery plan. He introduced COBIT in Botswana’s public sector to ensure that business objectives are achieved and that undesired events are prevented or detected and corrected.

In his personal time, Sebopeng enjoys spending time with his family, listening to music, reading, gardening and traveling.


Question

You have had a long history in the Office of the Auditor General of Botswana, culminating in your appointment as Auditor General in 2010. To what do you attribute your successful growth in the office? What advice would you give to others looking for similar growth within their own career path?

Answer

Within the first six months after joining the office in 1983, I had already completed several complicated audits such as audits of revenue collection and construction projects. My reports were immediately recognized by management. This recognition motivated me to research and keep on producing even better results. The best reports are included in the Auditor General’s Annual Report, which goes to the National Assembly.

I took advantage of on-the-job training, which led me to specialize in value-for-money audits and, later, information systems (IS) support and IS audits. I always made sure that I possessed the relevant knowledge and skills needed for my job—these were scarce skills then and still are today.

My advice to my colleagues is that employees who progress to the top are those who derive satisfaction from their work, develop themselves, are willing to take new challenges and are not afraid of change. I strive to excel in my work and I am patient and loyal to the public service. Furthermore, I always take advantage of the opportunities provided to me.

Question

What do you see as the biggest risk factors being addressed by IS audit professionals? How can businesses protect themselves?

Answer

More often than not we have come across many government departments that have questionable governance practices. With the pervasive use of information technology in business processes across government has come the critical need for strategic leadership to ensure that the organization’s IT sustains and extends the organization’s strategies and objectives. The absence of leadership and organizational structures from which to drive IT investments leads to a high risk of failure. Despite the many developments in governance there are still many leaders that fail to see IT governance as an integral part of overall enterprise (corporate) governance. As a result, many IT units within organizations are left to direct their activities leading to poor strategic alignment. Another prominent risk factor is poor management of IT projects. Many government departments do not have the technical expertise to develop IT solutions for their business needs. This often results in the department outsourcing the system development process and, as a result, introducing such risk factors as vendor failure to deliver, poor quality, lack of documentation and missing functionality. Lack of a system development life cycle (SDLC) has been shown to lead to more errors and cost overruns. Even more worrying is the loss of business knowledge or ability to take over responsibility from the vendor. The outcome of this is that the new system is often abandoned or the organization is tied to a perpetual support contract with the supplier.

These risk factors can be mitigated by adopting best practices in governance. IT governance is the responsibility of executive management, and it should be borne in mind at all times that IT investments are meant to help the organization attain its strategic goals (mandate). It then follows that organizational structures and processes (policies and standards) are introduced to guide operations that will align all efforts toward the ultimate goal. A third party or contractor engaged by the entity is expected to live up to the standards set out by the entity, thus ensuring that there is no deviation from management guidance.

Question

How do you think the role of the IS auditor is changing or has changed? What would be your best piece of advice for IS auditors as they plan their career path and look at the future of IT auditing?

Answer

IS audit has not only become an integral part of regulatory audit, in terms of the requirements to gain an understanding of and review internal controls, but has become a key source of audit evidence. Over the years, the involvement of IT auditors on engagements has grown and continues to grow to a point where the IS audit function is no longer an option. In the advent of computerization or automation of accounting systems, complex IT environments have been introduced that require a specialized skill set: IS audit. An effective and efficient audit is dependent on the collection of adequate audit evidence to support assertions. Hence, the collection of such evidence rests on the auditor’s ability to navigate and interrogate the system as one, if not the only, repository of the accounting records/information.

With the reliance that audit engagements or financial auditors place on IS auditors, it is inevitable that the IS auditor’s competence is questioned from time to time (area of concern). There is a need for IS auditors to demonstrate that they have the required skills and knowledge to carry out the task at hand. The Certified Information Systems Auditor (CISA) designation is a globally accepted certification that demonstrates these competencies. My advice to IS auditors, thus, is to work toward obtaining and maintaining CISA certification.

Question

How do you believe the certifications you’ve attained have advanced or enhanced your career? What certifications do you look for when hiring new members of your team?

Answer

Having been one of the first CISA professionals in a country with scarce IS auditors, it is obvious to me how marketable CISA holders are, especially when CISA is coupled with accounting and business courses and later strategic management courses.

It is obvious that there can be no audit without information technology diagnostics and performance audit (value-for-money studies) and forensic audit to meet the modern customer’s needs.

My office not only looks for professional accountants, but also hires IS auditors and other qualifications. Unfortunately, IT qualifications are very scarce in Botswana and throughout the region.

Question

What has been your biggest workplace or career challenge and how did you face it?

Answer

Having qualified with accounting degrees through the post-graduate level, industry professionals often considered me an academic. To do the accounting and auditing work in practice, the law demanded that I be professionally qualified. This is why professional recognition is critical. CISA and hard work are what helped me to succeed and overcome these roadblocks


Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2013 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.