

In a rapidly changing business environment driven by technological advancements and evolving risk, the role of IT audit practitioners has undergone a significant transformation. Gone are the days of static, one-size-fits-all approaches to auditing. Today's IT auditors are agile, curious, and committed to continuous learning, ensuring that they remain effective and relevant in the face of new challenges. Several key attributes define next-generation IT audit practitioners and how they are reshaping the landscape of IT auditing. These attributes breathe new life into audit practice and shape how organizations approach audit work in today's rapidly evolving technological landscape. Today’s IT auditors should consider key drivers for innovative audit approaches to succeed in a dynamically evolving digital landscape and secure organizational data.
Agile and Iterative Approaches
Next-generation IT audit practitioners are no longer confined to rigid audit plans that cannot be adapted to changing circumstances. Instead, they embrace agile principles in planning and executing audits. This flexibility allows them to adapt quickly to shifting business and technology risk. By applying iterative methods, IT auditors can continuously refine their processes, ensuring that they remain aligned with the latest developments and emerging threats.
Agile methodologies enable IT auditors to break down complex audit tasks into smaller, manageable segments that can be assessed and adjusted in real time. This approach not only enhances the accuracy and relevance of audit findings but also fosters a culture of continuous improvement. Agile principles, such as “responding to change over following a plan,” empower audit teams to realign priorities swiftly when new areas of risk surface, ensuring that audit activities remain relevant and timely. For instance, adopting iterative cycles enables auditors to deliver incremental insights, leading to quicker risk mitigation. Additionally, the principle of “customer collaboration over contract negotiation” ensures that audit teams maintain open communication with stakeholders, fostering a dynamic exchange of information to identify and respond to potential vulnerabilities effectively. By adopting these agile principles, IT auditors can respond effectively to unexpected challenges and capitalize on emergent opportunities.¹
Problem-Solving Mindset
The current problem-solving mindset of an IT auditor is rooted in the identification of control issues and the formulation of actionable recommendations to address their remediation. This approach ensures compliance and mitigates risk effectively; however, it often focuses on the symptoms rather than the causes. To achieve truly sustainable solutions, IT auditors must delve deeper into the root causes of these control issues, discerning the underlying factors that give rise to such vulnerabilities. By addressing these foundational problems, they can not only resolve immediate concerns but also fortify the organization's systems against future risk.
For instance, consider an IT audit finding related to user access reviews for an application. Using the 5 whys method of root cause analysis,² the IT auditors may proceed with several questions and responses:
- Q: Why was user access review not performed?
A: Because the responsible team was not aware of the requirement.
- Q: Why was the team not aware of the requirement?
A: Because the requirement was not communicated clearly.
- Q: Why was the requirement not communicated clearly?
A: Because there was a lack of formal documentation and training.
- Q: Why was there a lack of formal documentation and training?
A: Because the organization had not established a robust process for disseminating policy changes.
- Q: Why had the organization not established a robust process?
A: Because there was insufficient leadership oversight on policy management.
By identifying and addressing these root causes, the organization can implement comprehensive training programs, improve communication channels, and establish effective oversight mechanisms, ultimately strengthening user access management and reducing the severity of future audit findings.
Curiosity and a solution-oriented approach are essential traits for today's IT auditors. Auditors with this mindset are not merely focused on identifying control failures; they strive to propose pragmatic, tech-enabled improvements. This proactive attitude ensures that audits contribute to the enhancement of business processes and risk management practices. By leveraging their problem-solving skills, IT auditors drive meaningful changes and add value to their organizations.
A problem-solving mindset requires IT auditors to think critically and creatively about the issues they encounter. They must be adept at analyzing data, identifying patterns, and developing innovative solutions that address the root causes of problems. This approach helps organizations mitigate risk more effectively and promotes a culture of innovation and continuous improvement.
Experimentation and Innovation
IT auditors must be willing to challenge the status quo and push the boundaries of traditional auditing practices. One way to accomplish this is to be open to experimentation. Experimentation involves calculated risk and exploring new ideas. By embracing experimentation and innovation, IT auditors can uncover new insights and develop more effective strategies for managing risk. Modern IT audit practitioners are experimenters at heart. They are open to piloting new tools and methods, such as personas or tree of thoughts analysis, to uncover deeper insights. Personas and tree of thoughts analysis are designed to map decision-making processes. Personas represent archetypal users or stakeholders, while the tree of thoughts organizes sequential or branching reasoning paths, facilitating structured analysis and strategic planning.
Creating detailed and realistic representations of different user groups within an organization allows IT auditors insight into the various ways systems and controls are used and potentially exploited. This helps in tailoring the audit approach to address specific risk and behaviors associated with each persona. For example, in a cybersecurity controls review, desired personas might include a network administrator, a regular employee, and an external contractor.
Each persona would have unique access levels, responsibilities, and potential vulnerabilities. The network administrator persona might focus on the technical configurations and access controls, ensuring that only authorized personnel have elevated privileges. The regular employee persona would highlight the need for strong user authentication and training on phishing awareness, while the external contractor persona would emphasize the importance of secure remote access and data protection measures. By considering these personas, IT auditors can ensure a comprehensive review of cybersecurity controls, addressing the different perspectives and risk associated with each user group.
Beyond experimentation, innovation in IT auditing involves leveraging emerging technologies such as artificial intelligence (AI), machine learning (ML), and data analytics to enhance audit processes. These tools provide deeper insights into organizational risk and assist auditors in identifying potential issues before they become significant problems. To this end, prompt engineering with generative AI tools is revolutionizing IT auditing by enabling auditors to streamline complex analyses through dynamic, multilayered prompts, often referred to as prompt chaining.³ For example, auditors can craft a sequence of prompts to dissect system and organizational controls (SOC) reports, uncovering nuanced insights into compliance and operational risk. Additionally, these tools allow for the comparison of organizational security policies and standards, highlighting similarities and discrepancies with remarkable accuracy and efficiency. This adaptive approach not only enhances precision but also accelerates the audit process. Auditors who use the tools and technologies of the future can expect deeper, more actionable findings in less time.
Enterprise and Stakeholder Orientation
Effective communication is a cornerstone of modern IT auditing. IT auditors are skilled communicators who translate technical findings into business impact. To accomplish this, they use visual storytelling, personas, or dashboards to convey complex information in an accessible and engaging manner. This ability to communicate clearly and persuasively helps IT auditors build strong relationships with stakeholders and ensures that their recommendations are understood and implemented.
Collaboration is another key aspect of business and stakeholder orientation. IT auditors act as connectors across multiple groups, bridging the gap between technical and operational teams to ensure a cohesive understanding and approach to risk. They actively participate in steering committees and working groups during transformation projects or the adoption of emerging technologies such as AI, providing critical insights that help align organizational goals with risk mitigation strategies.
Moreover, storytelling abilities and analytical insights elevate IT auditors beyond the confines of traditional audit reporting and presentations by transforming raw data into compelling narratives that resonate with business leaders. Instead of merely presenting technical information or risk statistics, these practitioners weave insights into stories that illuminate the broader context and implications of their findings. A generic example from one of the authors’ audit findings demonstrates the effectiveness of storytelling:
“During our latest IT audit, we discovered a crucial issue regarding user access reviews for a vital application, which is used by over 10,000 users and contains highly sensitive client data. This oversight means our systems could be accessible by unauthorized individuals, posing a high risk of data breaches and security compromises. The core problem was traced back to the responsible team’s lack of awareness about this requirement, which originated from ineffective communication and insufficient documentation within the organization.
Further investigation revealed that these issues stem from a broader organizational failure to establish robust processes for policy dissemination and management oversight. This finding underscores the need for immediate action to improve documentation protocols, enhance training programs, and implement effective communication strategies for policy changes. The financial implications of this oversight are severe, as unauthorized access to sensitive data could lead to substantial losses, including significant regulatory penalties. By addressing these root causes, we can significantly reduce risk and better safeguard our organization's assets and reputation.”
When information is presented through dynamic narrative framing, auditors can masterfully articulate audit findings, driving real organizational change. Through such narratives, IT auditors foster emotional and intellectual connections, helping leaders visualize potential outcomes and understand the strategic importance of their decisions.
Coupled with precise analytical skills, storytelling ensures that recommendations are not just heard but internalized, empowering leaders to make more informed, confident choices in navigating risk and opportunities within the complex business landscape. The ability to influence decision making is critical for IT auditors, as it ensures that their findings lead to tangible improvements in organizational practices. By building trust and credibility with stakeholders, IT auditors can drive meaningful changes that enhance risk management and promote long-term success.
Commitment to Continuous Learning
In a world where technological advancements are happening at an unprecedented pace, IT audit practitioners must be committed to continuous learning. Adopting a growth mindset is essential for staying relevant and effective. Next-generation IT auditors actively pursue specialized certifications in emerging technologies, such as AI and data science, to complement their foundational IT audit credentials. Programs such as ISACA’s® Advanced in AI Audit (AAIA) equip auditors with cutting-edge skills to assess AI systems effectively.⁴ These certifications ensure that auditors remain proficient in evaluating complex technological landscapes. This commitment to professional development ensures that IT auditors are equipped with the knowledge and expertise needed to address emerging challenges.
Continuous learning involves staying current with the latest developments in technology, risk management, and auditing practices. IT auditors must be proactive in seeking out new information and training opportunities that can enhance their skills and knowledge. A commitment to lifelong learning empowers auditors to move beyond traditional methods and practices. By continuously expanding their knowledge, they remain agile and effective, ready to meet the demands of an ever-evolving business landscape.
Cross-disciplinary learning is another crucial aspect of continuous learning. By exploring concepts in behavioral science, change management, and innovation, IT auditors can evolve their practices and stay ahead of the curve. To this end, exploring behavioral science helps next-generation IT auditors understand how human behavior impacts risk and decision making, enabling more effective audits. Change management equips them to navigate and guide organizations through rapid technological and operational shifts, while innovation fosters the ability to adapt audit techniques to emerging technologies and challenges, ensuring that audits remain relevant and insightful. This holistic approach to learning enables IT auditors to design more effective audit strategies by addressing both the depth of technology within specific areas (vertical domains) and the breadth of interconnected themes and systems across audit domains (horizontal views). By integrating these perspectives, auditors can uncover nuanced risk and opportunities, ensuring a comprehensive evaluation of technological environments.
The commitment to continuous learning, collaboration, and innovation is vital for IT auditors in navigating the complexities of today's dynamic business environment.
Conclusion
The role of IT audit practitioners has evolved significantly in response to the dynamic business environment. Next-generation IT auditors are agile, curious, and committed to continuous learning. By cultivating these attributes, IT auditors ensure that their work remains impactful and relevant. As organizations face new challenges and opportunities, the role of agile and innovative IT auditors in driving meaningful change and managing risk effectively becomes increasingly crucial. By staying ahead of emerging risk and driving meaningful change, these forward-thinking professionals play a critical role in shaping the future of IT auditing.
Endnotes
1 Agile Alliance, “What is the Agile Manifesto?”
2 Tulip, “What are the Five Whys? A Tool for Root Cause Analysis”
3 Gadesha, V.; Kavlakoglu, E.; “What is Prompt Chaining?,” IBM
4 ISACA®, “The World’s First Advanced AI Audit Certification,” 2025
Michael Podemski, AAIA, CISA, CISM, CRISC, CDPSE, CCAK, CSX-A, CCAK
Is a senior IT audit director at Aon. Podemski leads global audit initiatives, focusing on technology risk, IT governance, and cybersecurity. He is dedicated to transforming IT audit into a center of excellence by leveraging automation, analytics, and innovation to enhance audit execution, increase agility, and drive continuous improvement. He also serves on the Board of ISACA® Chicago Chapter, contributing to event planning, academic relations, mentoring, and certification review courses.