There is no doubt the audit profession has benefited from technological innovation and adoption, resulting in great career paths not only for IT auditors, but across the ecosystem of technology careers in audit. However, the role of auditors in the technology realm has grown increasingly challenging over the past few decades.
As companies adopt new-age technology, such as connected devices (Internet of Things) and now artificial intelligence, with regulatory and privacy risks baked in, one must constantly retool and redeploy new skill sets. As I will explore in my session at ISACA Conference North America 2026 in May, unlike quality auditors, financial auditors or many of our other audit “cousins,” we do not have the benefit of simply waiting to see; rather, we have to be at the forefront of these technologies, and their related risks, to continue to provide value to our organizations.
Enhancing AI Knowledge and Assessing Risk
AI continues to be one of the top challenges in terms of security and risks impacting all organizations. According to the National Cyber Security Centre, an authoritative voice on cyber threat to the UK, “Artificial intelligence (AI) will almost certainly continue to make elements of cyber intrusion operations more effective and efficient, leading to an increase in frequency and intensity of cyber threats. Proliferation of AI-enabled cyber tools will highly likely expand access to AI-enabled intrusion capability to an expanded range of state and non-state actors.”
IT auditors can further their knowledge through added skills, including understanding the different types of AI risk frameworks available in the market. Some of the key frameworks include the NIST AI Risk Management Framework (RMF), the Cloud Security Alliance (CSA) AI Controls Matrix (AICM) and ISO 42001 for AI Management Systems. Additionally, it is important to gain knowledge of the various large language models and to understand how to evaluate AI systems through the lens of technology controls, cyber risks and privacy, as well as misuse and resilience concepts.
Understanding and Auditing the IoT
The layer of device security across the IoT space is vast: think of smart cars, appliances, industrial control systems in manufacturing, medical products and smart consumer devices. All of these can be applicable outside of the immediate industry in which IT audit professionals work. There is a strong need to understand how products and their services operate at the security layer as well as from a network/data flow perspective. Focus on how cyber risks can be impacted through the vulnerabilities that can be found in firmware, and it quickly becomes obvious that auditors need foundational knowledge of IoT as well as an understanding of how to assess these risks.
IoT deployments face escalating security threats, yet systematic methods for auditing the defensive posture of IoT device networks remain underdeveloped. IoT concepts such as edge computing, enhanced interoperability across technology ecosystems, predictive maintenance and AI integration all require significant upskilling for future IT auditors to be trusted advisors for their respective companies. It is imperative to develop knowledge of specialized cloud platforms such as AWS and Azure, to learn key languages such as Python and C++, and to enhance knowledge of the IoT technology stack and the hardware components of the IoT space.
Building on Traditional Privacy Principles
The privacy world has developed exponentially over the past two decades due to technological advancements and vast data proliferation. There are certainly age-old foundational privacy principles across the globe that IT professionals remain knowledgeable about. However, there is a growing need to correlate privacy risks and knowledge across multi-dimensional use of data and cyber risks, along with understanding the processes required to develop a robust IT audit skillset in this space.
Developing skills in handling data breaches, proactively assessing how ethical hacking works and understanding how AI impacts privacy is crucial. One sure way is to pursue certifications such as ISACA’s Certified Data Privacy Solutions Engineer (CDPSE), which validates the technical skills and knowledge it takes to assess, build and implement comprehensive data privacy measures.
Auditors Must Keep Pace with Digital Risk
Building trust as a technology internal audit function with business leadership requires focus across key areas. Technology investment continues to increase, and quick adoption and understanding of how technically complex areas of the IT world overlap with business continues to grow. It is important to keep pace with the demands of cyber evolution and stay relevant so that IT auditors can provide real value to businesses that are dealing with emerging challenges.
Developing skills across privacy, IoT and AI is not a one-stop journey, but a continuous demand. In order to be confident in navigating the next era of digital risk, audit professionals need to have a strategy in place for their team to find a path forward to meet the emerging needs of our customers.