ISACA Journal
Volume 6, 2,018 


IS Audit Basics: Affect What Is Next Now 

Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt, and Martin Cullen, CISA, CGEIT, CRISC, COBIT Foundation, COBIT Assessor and Implementer, ISO 27001 LA 

To celebrate its 15th birthday, LinkedIn asked its members to share what they wanted to be when they were 15. Now, I do not know about you, but an auditor was not on my list, nor did I, or any of my friends, take turns at playing auditor and auditee! And yet, we became IT auditors. How did this happen? I certainly do not believe (at least, not entirely) that life is what happens to you when you are busy making other plans.1 We are where we are because of a series of conscious decisions. The question now becomes how do we make conscious decisions to create, grow, improve and add value to our lives, our enterprises and the profession?

At EuroCACS 2016 in Dublin, Ireland, the closing keynote speech was given by futurist Mark Stevenson.2 It was described by a colleague sitting next to me as the best talk he had ever heard. The talk centered on eight principles that Stevenson derived from traveling and working with successful optimists.3 That colleague, Martin Cullen, went on to read Stevenson’s book, so I tasked him to collaborate with me in reviewing the principles and their relevance to IT auditors.

Have an Unashamed Optimism of Ambition

Stevenson recommends not feeling embarrassed to say that things can be better. People should have no qualms about imagining an improved world and advocating for it, no matter how much derision they may receive at the hands of the cynical.4

This is not about the next promotion. This is about seeing that things in audit are not as they should be and they could be better. Those who believe this is the case should advocate for it in their enterprise. And those who are not sure how things can be better can reach out to their peers in the ISACA Online Forums.5

Engage in Projects That Are Bigger Than You

Philosopher Daniel Dennett6 says that an occupational hazard of his profession is being asked, “What is happiness?” The best definition he has come up with is to “find something more important than you are and dedicate your life to it.”7

There are many issues directly related to the adoption of new and innovative technologies in the world today. Examples range from the erosion of privacy to the lack of female representation in the industry. ISACA is a leading advocate in these areas with the introduction of its privacy principles,8 several documents around the EU General Data Protection Regulation (GDPR)9 and its SheLeadsTech10 program. Auditors who are passionate about these topics can do something about them by getting involved.

ISACA is always looking for volunteers,11 and any ISACA employee will agree that it is the volunteers who make the organization what it is.

Ideas Are for Sharing, Not Protecting

Every new idea is, as Matt Ridley12 suggests, the result of the joining together of two other ideas. Pragmatic optimists happily let their ideas meet and mingle with others.13

Back in my very first column in this space,14 I asked why, when we live in a world where it is very much a viable option to run a business using open-source software, we, as an ISACA community, do not develop open-source audit/assurance programs? To me, this is an idea waiting to meet someone else’s idea. Would it be possible, for example, to use GitHub15, Slack16 or ISACA’s Online Forums.17 I am not certain, but I believe it needs others’ ideas to help push it over the line.

I am also sure that everyone reading this column has ideas of their own. I would like to hear them. Only together can we truly move the IT audit profession forward.

Making Mistakes Is Okay, but Not Trying Is Irresponsible

As Ken Robinson18 pithily told the TED conference, “Being wrong is not the same as being creative, but if you’re not prepared to do anything wrong you’ll never do anything original.”19

We have all made mistakes during our careers and in audits. The key is to learn from them and not be afraid to try again. After every audit, each auditor should take some time to sit back and consider how it went. What went well? What mistakes were made? How could it be done better the next time? Audit-specific items should be documented and added to the audit file as there is every chance the auditor may be requested to audit this item again.

You Are Defined by What You Do, Not by What You Intend to Do

Pragmatic optimists are not interested in what others might do if they had more time or if their manager was more understanding or if they were the manager or if it was next week. People are what they do. That is it. Get on with it.20

LinkedIn is full of conversations about the unimportance of certifications when compared to experience and, yes, there is no doubt that experience really counts. However, if people are defined by what they do, does not the fact that they have put in the effort to attain that certification say something about them? Lack of time is no excuse. Make time! Those who believe they have all the certifications they need can translate, write21 or review items.22 Exam Item Development Working Groups are composed based on geographical representation. Those who participate learn so much.

Be an Engineer

Engineers do not build bridges from a left-wing or right-wing perspective. They build bridges from an evidence-based perspective and, over time, bridge building gets better. Politicians make their decisions from an ideological perspective and, (in the opinion of many), over time, politics gets worse. No one should ignore politics, but those who choose engineering will do more.23

This is key. Audit recommendations should be based on agreed criteria24 and have the required evidence to back them up. If the evidence was obtained in an interview, it should be documented and the auditee sent a copy or a draft report produced in which the auditee is asked to confirm the auditor’s understanding.

As for politics, the auditor should remain sufficiently neutral to maintain independence while still being aware of how decisions are reached. That is, the auditor must understand who has the ability to make, ignore and overturn decisions; whether these are taken unilaterally or by consensus; and the degree to which they represent a compromise. Without such knowledge, the recommendations in the audit report may not be followed and the audit function could, consequentially, be discredited.25

Be Prepared to Lose Nine Battles Out of 10

No one can win them all, but anyone is likely to win one battle out of 10. In “round two,” the auditor may win one battle out of nine and, by round three, one out of eight. By that time, the auditor will have created enough of a shift for the rest to follow. Those who worry about losing nine out of 10 will likely never enter the fray. It is useful to concentrate on winning the one. Overnight success is for the movies.26

This is about winning the war, not the battle. All IT auditors have been here. They have identified a significant issue and, being conscientious and aware of the politics, they have reported the finding to management early only to be told at the exit interview that there is no issue or the issue has been resolved and should no longer be in the audit report.

My advice? If there is no compelling reason not to and it is possible to confirm that the risk has been addressed, the item should be removed. The auditor has done his or her job. The job is to help mitigate risk, not to have findings. Not only that, it has been accepted that the auditor’s recommended course of action was the correct one; this will work in his or her favor the next time a similar issue is found in another application. Furthermore, the auditor is building a relationship of trust with the auditee. This will be helpful the next time there is a finding that cannot be removed.

Kick Out Cynicism

Cynicism has become embedded in society and it is often seen as wisdom. yet there is nothing wise or even likeable about cynicism. For the cynic, everything is just a little too hard to imagine or do. As such, cynicism is both a recipe and an excuse for laziness. Auditors should have no time for it.27

It can be very easy to become cynical and even have a sense of futility when working as an IT auditor. This is especially the case when finding the same issues across different applications and nothing ever seems to change. I urge IT auditors to avoid this and try to think differently. Could the applications be audited horizontally?28 Could the issues be tackled from another angle? Remember culture, ethics and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.29 Peers in ISACA’s Online Forums may be a good source of help in this area.30


At the end of the day, if there is one guiding principle that encapsulates all these principles, it is, “Judge your worth not by what you own, but by what you create.”31 ISACA is the vehicle that allows IT auditors to learn and create. When I was 15, I was torn between IT and journalism. ISACA has enabled me to do both. Along the way, I feel I have created, I have grown and I have improved. This, in turn, has brought value to my enterprise. As it approaches its 50th anniversary, ISACA can allow anyone reading this article to do more, too. Members can affect what is next, now. Pragmatic optimism tells us that the future is still a game worth playing and all players can make a difference.32


1 Lennon, J.; Beautiful Boy (Darling Boy), USA, 1980
2 Stevenson, M.; “‘Reluctant Futurist’ Mark Stevenson Is an Author, Broadcaster and Expert on Global Trends and Innovation,”
3 Stevenson, M.; An Optimist’s Tour of the Future, Avery, USA, 2011,
4 Stevenson, M.; “Eight Principles of Successful Optimists,” The Wall Street Journal, 20 March 2012,
5 ISACA Online Forums, Audit and Assurance,
6 Encyclopaedia Britannica, Daniel C. Dennett,
7 Op cit Stevenson 2012
8 ISACA, Privacy Principles and Program Management Guide, USA, 2016,
9 ISACA, “General Data Protection Regulation (GDPR) Readiness, Assessment and Compliance,”
10 ISACA, SheLeadsTech,
11 ISACA, Volunteer Opportunities,
12 Ridley, M.; “When Ideas Have Sex,” TEDGlobal 2010, ridley_when_ideas_have_sex
13 Op cit Stevenson 2012
14 Cooke, I.; “Audit Programs,” ISACA Journal, vol. 4, 2017,
15 GitHub,
16 Slack,
17 ISACA Online Forums,
18 Robinson, K.; “Do Schools Kill Creativity?” TED2006,
19 Op cit Stevenson 2012
20 Ibid.
21 Op cit ISACA, Volunteer Opportunities
22 ISACA, Committees, Working Groups, Advisory Councils and Other Volunteering Opportunities,
23 Op cit Stevenson 2012
24 “Criteria” is defined as the standards and benchmarks used to measure and present the subject matter and against which an IS auditor evaluates the subject matter. ISACA, “ITAF: Information Technology Assurance Framework,”
25 Gelbstein, E.; “The Soft Skills Challenge, Part 2,” ISACA Journal, vol. 3, 2015,
26 Op cit Stevenson 2012
27 Ibid.
28 Cooke, I.; “Innovation in the IT Audit Process,” ISACA Journal, vol. 2, 2018,, figure 2
29 ISACA, COBIT 5, USA, 2012,
30 Op cit ISACA, Audit and Assurance
31 Op cit Stevenson 2012
32 Ibid.

Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt
Is the group IT audit manager with An Post (the Irish Post Office based in Dublin, Ireland) and has 30 years of experience in all aspects of information systems. Cooke has served on several ISACA committees and is a current member of ISACA’s CGEIT® Exam Item Development Working Group. He is the topic leader for the Audit and Assurance discussions in the ISACA Online Forums. Cooke supported the update of the CISA Review Manual for the 2016 job practices and was a subject matter expert for ISACA’s CISA and CRISC Online Review Courses. He is the recipient of the 2017 John W. Lainhart IV Common Body of Knowledge Award for contributions to the development and enhancement of ISACA publications and certification training modules. He welcomes comments or suggestions for articles via email (, Twitter (@COOKEI), or on the Audit and Assurance Online Forum. Opinions expressed are his own and do not necessarily represent the views of An Post.

Martin Cullen, CISA, CGEIT, CRISC, COBIT Assessor and Implementer, ISO 27001 LA
Is an experienced IT audit senior manager with more than 10 years of experience across different industries. His previous roles were of a technical nature and included IT software engineering, project management, business intelligence development and database administrator. He has previously presented at ISACA EuroCACS, ISACA Ireland Chapter events and in webinars. He is a Gold member of ISACA and is currently serving on the ISACA Ireland Chapter board as certification director.


Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.