IT Audit Stay Relevant or Perish“Victory awaits him who has everything in order – luck, people call it. Defeat is certain for him who has neglected to take necessary precautions in time. This is called bad luck.” –Roald Amundsen, The South Pole
The title and the quote above says it all – and fits the essence of the 2019 Global IT Audit Benchmarking Study, conducted by ISACA and Protiviti.
An executive summary of the 2019 IT Audit Benchmarking Study, which will be released in full later this year, found that the biggest challenges for IT auditors are:
- IT security and privacy/cybersecurity
- Data management and governance
- Emerging technology and infrastructure changes—transformation, innovation, disruption
- Resource/staffing/skills challenges
- Third-party/vendor management
Let us discuss in detail every challenge and the ways to get ahead of them:
IT security and privacy/cybersecurity
Cybersecurity is the chief risk for any organization that has a virtual presence. With the staggering numbers being quoted for Internet of things (IoT) devices being connected together and with more than 56 percent of the global populace – almost 4 billion users – connecting to the internet, the volume of cybercrimes and threats are going to accelerate in an unrelenting pace, posing formidable challenges for the IT audit community as well as business leadership.
Establishing a strong cybersecurity culture would help the IT auditors in tacking this menace, although this alone may not suffice. Business needs to move with the advancements in technologies to remain competitive. IT audit, as often pointed out by ISACA, needs to play an enabling role, meaning rendering their assurance functions in a manner that helps organizations to conduct their operations in a seamless and secure way, and also be compliant to various regulations.
To achieve this, IT auditors have to always be on top of new technologies, such as cloud, virtualization, big data analytics, AI and robotics, their associated threats, and evolving new threats, as well as being aware of how to remediate them in a timely and cost-effective way. In addition to having to perform these difficult tasks, they also need to be able to have strong communications skills so that leaders and business stakeholders are aware of the risk and, in turn, help the IT auditors to perform their task.
Data management and governance
Data management, sometimes referred to today as big data management, is synonymous with big innovation management, big opportunities management and, eventually, big money management. For an IT Auditor it is a twin challenge, first to assess how the organization uses the big data for its decision-making, where it stores the data, and how it achieves the CIA triad. Secondly, in the case of fraud detection, the challenge becomes how to harness the big data analytics or big data forensics to capture the audit trail and nab the culprit. Naturally it calls for skills in data science and analytics to handle these tasks and, as these are evolving technologies, the skillsets are difficult to find in the market.
Emerging technology and infrastructure changes – transformation, innovation, disruption
“Technology is a vector,” wrote Kevin Kelly in his excellent book, What Technology Wants. Kelly stresses the point that technology will move ahead regardless of people supporting it. In other words, technological advancement is imminent, and people are not the driving factor. To quote business executive Mark Cuban, “Artificial Intelligence, deep learning, machine learning – whatever you are doing, if you don’t understand it, learn it. Because otherwise, you are going to be a dinosaur within three years.”
Because global enterprises are embracing big data analytics, AI, and cloud computing in a huge way, audit professionals need to be familiar with these technologies so that they can perform their assurance function effectively.
In view of the above discussions, it is very clear that the audit function is going to face challenges in finding the right mix of resources. We need experienced auditors who have an understanding of emerging technologies, with special emphasis on data science. Although artificial intelligence cannot replace the audit function, it has the potential to complement the audit discipline by performing routine activities and highlighting exceptions for the attention of the auditors to make an informed judgement. The new-age technology will help to raise the standard of auditing, provided auditors make the effort to acquire the latest technical knowledge and upskill themselves from an audit perspective.
This is necessitated because of digital transformation, which enterprises around the world are pursuing. As a result, organizations increasingly resort to cloud and/or third-party service management, which leads to third party or vendor risk. Auditors need to help businesses mitigate this risk and help achieve their strategic objectives in cost-effective fashion. Effective handling of cybersecurity risk requires auditors to be thoroughly updated on the latest threats and also possess the counter-intelligence to prevent and contain cybercrimes.
IT audit exists to assist organizations in strategic technological management – that is, efficient and effective use of technology, combined with robust risk management. Technology is advancing at a rapid pace, thereby influencing and changing the way business is conducted. Business requires the help of IT audit to thrive and navigate through this stormy digital transformation period. Therefore, it is imperative for IT audit teams to equip themselves and stay relevant so that they can be of great value and play a key role in this fast-moving digital world.
Author’s note: The views expressed in this article are the author’s and do not represent that of the organization or of the professional bodies to which he is associated.
Written by Ravikumar Ramachandran, CISA, CISM, CGEIT, CRISC, CISSP-ISSAP, SSCP, CAP, PMP, CIA, CRMA, CFE, FCMA, CFA, CEH, ECSA, CHFI, MS (Fin), MBA (IT), COBIT-5 Implementer, Certified COBIT Assessor, ITIL-Expert & Practitioner, Account Security Officer, DXC Technology, India; excerpted from the ISACA Now Blog