Some of you may not know this, but earlier in my career I was an IT auditor (starting with Coopers & Lybrand). In fact, I was a bit of a techie and trailblazer when it came to understanding how the operating and related systems could affect the operation of applications and, thereby, business operations.
I had some fun with this when the IT audit leaders in France contradicted me. I wrote a simple RPG II program, then compiled and ran it twice. I changed a couple of lines in the Linkage Editor so that the results were different.
Anyway, IT audit has been a passion of mine for many years.
Here are some excerpts with my comments:
- In a world where everything from automotive to banking relies upon technology, IT audit methodology needs to change. The future of IT audit should align itself with IT’s new strategic role and to act as an adviser, not solely an auditor.
Comment: being an auditor is being an adviser. That should not be a change.
Comment: what may need to change is that a larger percentage of the audit plan and staffing should be on technology-related risks and opportunities.
- As boards are recognizing a paradigm shift wherein IA takes on a strategic role, they expect IT not just to keep pace, but also to think critically about IT audit risks.
Comment: again, this should not be a change. Internal audit should already have a strategic focus. There’s little value in auditing the past when the future is what matters.
Comment: IT audit should be concerned with the success of the organization as a whole and the risks to that business as well as the opportunities to take advantage of change – with a focus on those that relate to technology. See Making Business Sense of Technology Risk. It’s not about IT risk, it’s about business risk.
Comment: the greatest risk may be taking too little risk.
- Increasingly, boards are shifting their focus to understand how technology can also be leveraged offensively to create new opportunities, business models, and revenue.
Comment: nothing new here.
- Directly engage with IT leadership in evaluating the risks, skills, and capabilities required to assist the organization in mitigating IT execution risk, which today can represent an existential threat to the business.
Comment: this sounds good but is misdirected. Focus on the business, not technology out of context.
- Become highly conversant on the strategic plan and consider IA’s role in evaluating management’s monitoring of IT execution risk.
Comment: there is so much more, as I will explain.
- Today, internal audit professionals need to be technically savvy in the context of the IT-driven enterprise and the IT-driven business strategy.
Comment: this sounds good, but what does it mean?
So what is my advice for IT auditors? What is the future of IT audit?
- The goal should be to perform auditing that matters. Address the issues (risks and opportunities) that are important to the success of the organization as a whole. Work, even in specialist teams such as IT audit, should be designed to address the business risks and opportunities that matter to the success of the organization.
- Don’t have a separate IT risk assessment and plan. Remember to focus where reliance is placed on technology – and a failure would be serious from a business, not just an IT perspective.
- Audit any IT risk assessment (see the guidance in Making Business Sense of Technology Risk). It should help leaders understand how the achievement of enterprise objectives may be affected by technology failures or successes; a risk-prioritized list of information assets simply doesn’t cut it.
- Don’t underestimate the need to participate and advise on development and major maintenance projects.
- Don’t do work where the results wouldn’t matter to leadership.
- Recognize the need to take the right level of risk. Being late to roll out a new technology because of concerns about risk can be more damaging than accepting a higher level of risk so you can be first to market.
- Provide the insight, advice, and assurance that leaders need if they are to manage the organization for success.
- Don’t be afraid to call out IT management when they fail to be sufficiently visionary.
- Don’t ‘audit what you can’ – audit what you should because it matters. Get extra resources if there’s a gap.
- The future for internal audit and IT audit is bright, but only if we put our significant talents to work providing leaders with the assurance, advice, and insight that matter to them: information that helps them to achieve their objectives.
What do you think?
 Deloitte has done something crazy, at least in a Windows environment. If you cannot see the article because of their advertising, move your mouse over to the left and it should disappear.
He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.