Strong Ties from the Beginning: ISACA and the “Big Four”

Strong Ties from the Beginning: ISACA and the "Big Four"

From day one as the Electronic Data Processing Auditors Association (EDPAA), the professional association now known as ISACA has provided benefits to members who hold diverse roles in information systems governance, security, audit and assurance, across a wide range of industries and organizations, large to small. Also, from the beginning, the association has had a special connection with the “Big Four” professional services firms—Deloitte, Ernst & Young (EY), KPMG and PricewaterhouseCoopers (PWC)—which have also evolved over the years.

“When I joined EY, the person I was working for told me I had to join ISACA. So that was really my introduction, and the same time I got involved in the world of IT auditing,” said Ken Vander Wal, CISA, now Chief Compliance Officer at HITRUST. His boss at the time happened to be John Kuyers, who had served as EDPAA international president for two years.

For Vander Wal, part of the appeal of the ISACA membership to him and EY was expanding his professional network beyond his company and gaining experience and connections through volunteering.

“Working for an organization like EY, you already have an international network. But what was really neat was being able to extend that international network to non-EY professionals,” remembered Vander Wal. “And it became even more meaningful when I had the chance to serve as international ISACA president myself and being able to do some visiting of chapters at an international level and meeting professionals at the chapter meetings.”

Un-Kiat Khor, who is responsible for technology risk management for a bank in Singapore, found the ISACA membership to be immensely helpful in providing her with best practices and support from other peers in the industry, including from the Big Four, when she found herself in need of guidance upon taking on larger responsibility in a new role.

“Four years into my role in the organization as the information system auditor, my boss decided to appoint me as the head of information systems audit, without really a mentor or someone to look up to,” she explained. “I was part of ISACA—EDPAA at that time— and I was able to find mentors and role models from the Big Four colleagues that I had met at the association. I was able to benefit very much from EDPAA as they were able to serve as role models early in my career. And obviously, many of these are friends today.”

Khor noted that even now, she looks to her Big Four connections within ISACA for their professional opinion when working on projects.

“Today if I need a job to be done I could call up a Big Four partner and share with them the frames of reference and assignment I have on hand and be able to get a quick professional proposal so that I can size the role and actually go out with the review I was planning to conduct.”

Vander Wal also noted that it was valuable to be able to work with ISACA products and frameworks that were used widely across the industry.

“With COBIT, the product was clearly recognized for the contribution it made to organizations. You can really tell that it did have an impact, because they were very adamant about complying with it and meeting the requirements that were contained in the COBIT framework.”

The support of EY during his time there stood out to Vander Wal, speaking to the value of ISACA not only to himself personally, but to the firm.

“The fact that it has been so relevant to organizations and they see the benefit of it as well as to members and members’ commitment to take their personal time on weekends in support of ISACA—that’s what is so amazing,” said Vander Wal. “From my perspective, it’s only a win-win for them and for the organizations they work for.”

This is a theme that also rang true for Terry Grafenstine, ISCACA Chairman (2017- 2018), member of ISACA’s international board (2013-2020), and Risk and Financial Advisory Managing Director at Deloitte, particularly in regards to seeking job candidates.

“IT Auditing is an incredibly competitive market, which makes it very difficult to recruit and retain top talent. Through my relationships at ISACA, I have been able to connect with fellow professionals and to either recruit people into various organizations in which I’ve worked—and to help others in the industry connect independent of me as well,” Grafenstine noted. “Having a certification, such as the CISA, is an independent measure of your technical knowledge, but it also shows your commitment to the profession and to lifelong learning. In the marketplace, having certifications can also be a differentiator in selecting one candidate or firm over another.”

In addition to Deloitte’s connection to ISACA through its prospective and current employees, the company has also collaborated with ISACA in other ways over the years.

“Although I only joined Deloitte in 2017, Deloitte has a long history of collaborating with professional associations like ISACA in sponsoring educational events and thought leadership papers to enhance the profession,” Grafenstine said. “For example, Deloitte recently sponsored ISACA’s 2018 State of Cybersecurity Survey. The survey highlighted challenges that the entire industry faces in finding qualified cyber talent, an uptick in the cyber threats that companies are facing, and an increased focus in the CSuite on cyber as a strategic business threat.”

Whether through professional development, career opportunities, or collaboration on events and research, the longtime relationships with these four companies will continue to play a role in ISACA’s future for years to come.

“Big Four” conference booths at ISACA conferences