2019 NACACS IT Audit Leaders Summit Recap

During the 2019 North America CACS IT Audit Leaders Summit, senior audit leaders gathered to discuss emerging technology, innovation of audit departments, cybersecurity and other topics organized around the summit’s theme, “Leading in a World of Change.” A recap of the summit has been released which highlights major discussion points, captures real-world examples and practical solutions, distills professional advice to help middle managers advance their careers, and socializes leadership insights for the broader community of IT audit professionals.

The summit is convened annually for senior IT audit leaders to exchange ideas and share best practices. While many attendees came from financial services, fields as diverse as technology, entertainment, healthcare, education, wine, and internet and telecommunications were also represented.

The topics covered during the summit included: audit innovation; the state of IT audit, particularly with respect to the challenge of finding candidates with the talent and skill necessary to meet an enterprise’s needs; IT audit’s role in cybersecurity investigations; agile, DevOps and continuous delivery; and cybersecurity culture and accountability.

During a discussion entitled “Audit Innovation in a World of Change—A Practitioner’s View,” facilitators Chris Wiseman, senior vice president, IT audit, SunTrust, and John Caragher, vice president, global IT audit, Aon, highlighted the pace of technology change and its impact on audit plan development and execution. They cited statistics that confirm sweeping transformations related to emerging technology including blockchain, artificial intelligence (AI) and cloud resources.

IT audit leaders also discussed their respective enterprises’ cyberincident response readiness for the kind of event whose scale or magnitude jeopardizes institutional survival. Preparation for such events involves broad organizational challenges. It also touches on charter and governance, privacy, team roles and responsibilities, and the ability to integrate with other enterprise resilience programs.

With respect to DevSecOps, audit leaders acknowledged the difficulty of finding sufficiently qualified professionals who are able to help their enterprises build security into the continuous delivery system development life cycle. Audit leaders and staff must be able to strike the right balance between their roles as enablers of innovation and stewards of control.

Andrew Struthers-Kennedy, managing director and leader, IT audit practice, Protiviti, presented an executive summary of the 2019 Global IT Audit Benchmarking study, which analyzed responses to the 2019 annual survey. Responses indicated that a single cybersecurity incident can disrupt operations and result in the loss of revenue, as well as the loss of reputation. The study also found that enterprises aspire to leverage technologies, including continuous auditing and monitoring.

The study also revealed that enterprises are in search of candidates who are well versed in advanced and enabling technologies. Critical thinking and experience in data science are other top skills that companies seek. Data scientists are particularly difficult to find, but some audit leaders have partnered with other departments to supplement their talent pools in this regard.

ISACA board member Mario Damianides and Patrick Hynes, principal, Ernst & Young Cybersecurity & Privacy practice, discussed the importance of understanding the advanced persistent threat (APT) life cycle and how it impacts regulatory disclosures.

Meanwhile, Mike Wolf, managing director, KPMG CIO Advisory practice, and Lavin Chainani, director, KPMG Risk Assurance practice, facilitated a discussion of agile software development, DevOps and continuous delivery. They noted that DevOps is about tearing down silos between teams and instilling a culture that integrates development, operations, security, internal audit, risk and the business—so they all collaborate toward a common goal of faster, reliable and more frequent deployments to production.

The summit’s final session, “Cybersecurity on the Front Lines: A Call to Action,” was facilitated by Carlos Amaya, principal, and Chad Murphy, managing director, Deloitte Risk and Financial Advisory. The panel focused on relationships between boards of directors and chief information security officers (CISOs) or chief information officers (CIOs).