ISACA Journal
Volume 1, 2,016 

Features 

Transforming the IT Audit Function—Taking the Digital Journey 

Robert (Bob) E. Kress 

Today’s digital revolution is disrupting every corner of the business world and every function across the business enterprise, including IT audit. Where does IT audit need to go when the mantra is “better, faster, cheaper?” The relentless transformational impact of IT is redefining the IT audit function itself, forcing auditors to question long-established practices, rethink fundamental processes and recalibrate their function for the digital era.

Defining the Digital Destination

As with so many enterprises, particularly well-established global players, digital disruption was the major challenge facing Accenture two years ago. At that time, work was largely siloed by risk category and retrospective. Digital disruption was sweeping aside established companies and reshaping markets and industries, and these pressures were felt acutely. So the organization pondered what implications all this digital change held for IT audit. The internal audit (IA) function knew that it needed to be better integrated across the entire risk spectrum, so that a holistic approach could be taken. With markets, the business environment, competition and client needs changing so rapidly, there was also a sense that purely retrospective audits would be increasingly inadequate going forward. Lastly, while the digital revolution was driving much of this change, it was also understood that digital technologies provided the tools needed to respond and adapt to the disruptive forces buffeting the organization, assuming the knowledge of how to use them effectively.

So the team began by reexamining the fundamental mission and strategy, asking: What is the digital destination, and what kind of capabilities are needed to audit the IT of tomorrow? For Accenture, a global giant in technology services with more than 358,000 professionals, this question went to the very core of the business. But the same issues of mission, strategy and long-term goals are relevant for every IT audit group embarking on this transformational journey. While IT will have different capabilities and maturities from one company to the next, envisioning the future state of an organization’s IT operation is the first and surest prerequisite for setting off on a transformational journey with the confidence of knowing that successfully arriving at that destination can be achieved.

Accenture knew that IT audit had to support the high-performance business strategy by identifying, evaluating and reporting the fullest possible range of client-facing and internal risk factors in the digital age. Accenture’s audit team also aimed to be a value-add partner to the business by providing objective and relevant IT assurance and contributing to the effectiveness and efficiency of governance, risk management and control processes.

Less obvious were two strategic conclusions to which the group came. Given the speed with which business changes today, the IT audit team felt that it would be necessary to shed the traditional stance of IT audit as an “outsider” coming in to measure after the fact. Rather, continuous alignment with the business and its evolving strategy would be essential to measure whether IT audit was advancing the company’s business strategy. Similarly, the audit team believed that it could be more effective if it shed IT audit’s historic cost-center mentality in favor of running IT audit “like a business,” which meant using a managed services approach and treating the organizations it served as customers.

Leveraging Digital Technology

The audit team’s strategy depended on value, flexibility and efficiency—qualities not always associated with audit functions in the past—and it sensed that leveraging new and powerful technologies would be essential for executing that strategy effectively. Accenture’s audit team set about evaluating, selecting and integrating new technologies that were aligned with the strategy and would allow a step-function improvement in the capability.

The group began by looking at how to enhance audit management through the use of end-to-end audit life cycle management tools. There are several powerful platforms available in the marketplace. The team systematically assessed the capabilities and costs of each before selecting the solution that best matched Accenture’s requirements. Implementing a robust governance, risk and compliance (GRC) capability is critical for IA. GRC would provide the platform to automate the audit work and improve productivity, ensure consistency across global teams, enhance risk coverage and assessment, and improve the ability to manage the audit process.

The group then sought to leverage analytics to support continuous audit, continuous monitoring and value identification. Once again, the digital revolution has made sophisticated analytics software available for this purpose. Analytics software enables auditors to increase risk coverage across an entire universe of data (versus using sampling) and focus on outliers in higher-risk areas. Analytics also allow auditors to identify trends and predict areas of higher risk, while creating a clear line of sight on cost-saving opportunities for the business.

The third item on the digital shopping list was a tool for enabling a continuous risk assessment approach. Previously, the group had focused on an annual risk assessment, but the pace of change in the business and the associated risk is accelerating, rendering strictly annual assessments potentially anachronistic. By moving to a continuous risk assessment approach, the audit group was able to stay current with the business, anticipate risk and proactively offer services to help manage risk, and implement appropriate controls before issues occur.

The challenge was in deciding how to automate and manage a risk assessment effort that interviews more than 400 top leaders to identify risk themes and then sharing this information across a global IA group. The team decided to take an innovative approach and leverage customer relationship management (CRM) technology to manage the interview process, capturing risk notes and themes and making this information available on a real-time basis to the global team.

The audit group knew, from innovations in other parts of Accenture, that collaboration and communication tools had become immense force multipliers capable of increasing the productivity of a relatively small audit staff. So the group set out to leverage these new technologies, using videoconferencing to eliminate travel wherever possible and using internal social media channels to accelerate IT audit collaboration throughout the enterprise. Leveraging collaboration technology enhanced the auditors’ ability to share knowledge across global teams, improved their ability to work virtually, and strengthened the relationships between the enterprise’s people, teams and customers.

Results

What results was the team able to achieve with these moves? In Accenture’s case, the team increased the number of IT audits provided by more than 250 percent (from 16 to 45 annually) between 2012 and 2015 (see figure 1).

Accenture’s digitization of IT audit has helped it manage risk better, faster and more cost effectively. By moving into the digital realm, Accenture has been able to increase productivity, add new services and be far more proactive in monitoring the changing risk profiles of the enterprise’s rapidly growing global businesses. Leadership can now reach out to the audit team to assess risk before making strategic decisions, rather than calculating costs afterward. The group’s experience can be instructive for every IT audit leader who is evaluating how and where digital technologies fit into their scope of work.

The success of the team’s transformation also established a model for the broader evolution of the entire IA function at Accenture (figure 2). Having brought the IT audit team into the digital era, the group followed the same road map for the rest of IA.

Lessons Learned

It is important to note that while digital technology enabled many of the performance improvements that were realized at Accenture, these tools alone do not get the job done. Just as critical are the changes in mind-set that were made throughout the process.

Here are the most important lessons learned during Accenture’s IT audit transformation:

  • Align IT audit strategy with business strategy—In today’s business environment, corporate strategies can change frequently in response to market pressures, competitive challenges or emerging technologies. IT capabilities and the IT audit function need to be just as nimble in adjusting to the changing needs of the business and new technologies.
  • Clarify governance—It is critical to have senior business leadership input on new and changing risk factors resulting from changes in business strategy, IT audit’s assessment of risk, and high-level IA plans. This demands a more robust governance regimen in which input is solicited from business leads on a near-continuous basis, rather than once a year.
  • Run IT audit like a business—Operate the IT audit function like a business, and treat the people and organizations served as true customers. Provide these customers with a set of defined service offerings in a ‘managed service’ approach, so they can request the services they want based on the changing needs of the business. Focus relentlessly on value-add to the business, and measure customer satisfaction.
  • Manage performance metrics—Measure critical success factors, benchmark progress, and use the overall metrics to drive change. The role of IT audit leadership is critical here, intervening where necessary to rectify deficiencies and capitalize on achievements.
  • Transform people—An integral part of transforming the function may involve transforming the people and the internal culture in which they are working. An audit function that historically has been retrospective needs to undergo a radical shift when moving to a proactive stance. Strong leadership is required to drive culture and process change, so be sure to have the right people in senior management positions. Work to instill new ways of thinking and working throughout the function.
  • Go big—Make bold decisions to drive step-function increases in the enterprise’s capabilities, and apply rigor and discipline in executing the changes. Be just as tough on the internal business processes of IT audit as on the business areas tasked with auditing.
  • Communicate success—This, along with benchmarking, is helpful to demonstrate the value IT audit adds and the progress being made to senior leadership as well as the IA team. Do not be embarrassed to speak highly of the IT audit function when meaningful and measurable progress are achieved.

How applicable are these lessons to IT audit teams at other organizations? After all, one could argue that the circumstances at Accenture were not representative, since internal audit is part of a company that lives and breathes IT every minute of every business day.

Conclusion

Looking back over the digital journey at Accenture, it is likely that, if anything, this transformation stands as a hyper-example of what IT audit transformation can achieve for all IA organizations. Stakeholders are viewed as true customers, and the IT audit role is focused on providing a variety of valuable services to meet the needs of the audit committee and the company. These transformation results demonstrate the potential prize that every IT audit team committed to digital transformation can pursue and win.

Robert (Bob) E. Kress is the managing director of global IT audit in Accenture’s internal audit organization, which supports the US $31 billion company and its 358,000 employees working in more than 120 countries. He has overall responsibility for identifying, evaluating and reporting on the full range of client-facing and internal technology risk.

 

Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.