I have to admit, I was a halfway decent senior financial auditor with (what is now) PwC. I was no star. But my life as a recently qualified chartered accountant changed when I was given a couple of career choices.
The first was to follow my heart and relocate to the Paris office. I loved France (and French women, let alone the food), having spent multiple summers there with French families or working in a warehouse in the East of Paris.
The second was to follow my head.
I had been a guinea pig in an experiment involving flowcharting and evaluating the controls over a client’s computer systems. It was weird: I had done my best with the new purple Internal Control Questionnaires (ICQs), but both they and the flowcharts could hardly be seen under the barrage of critical review comments and corrections by the Computer Audit Group (CAG). When I met with the CAG Supervisor to hear in person what he had to say about my pitiful attempt, I have to admit being more than a little upset by his harsh words. He asked if I had listened to a word of the training – and I replied that I had not received any training at all! He went from my greatest critic to an admirer, saying that while I had messed everything up it was a great job for somebody with zero experience or training.
Shortly after that strange episode, I met with my manager and he told me that in addition to the opportunity to move to France, I also had an offer to join CAG as a senior computer auditor.
It was a tough decision but CAG was a life-changing experience.
The trainers at the introductory training (CAG College) saw something in me. Even though I had no programming background and was learning COBOL for the first time, they asked me to become the technical expert. In addition to helping others with their COBOL programs, I was to research new developments in technology and interpret how they might affect our clients and our audits.
I fell in love with technology and it changed my life. I was promoted to manager and then senior manager very quickly (I believe I was the youngest manager in the firm at that time).
After I left PwC, it didn’t take long before I was able to move from IT audit to a VP position in IT with responsibility for multiple areas including information security. I hoped to become a CIO. But life intervened and the company I was with outsourced IT and I moved to a new company as CAE.
As CAE, as much as 25% of my team were IT auditors!
I am sharing this to explain why technology, its management and audit, has always been dear to my heart. I am no longer the techie that I was; I now have more of a business executive perspective.
So when I see interesting articles on IT risk and IT audit, my passion resurfaces.
I have known Matt Kelly for many years from when he ran Compliance Week. He is now the Editor and CEO of Radical Compliance, a newsletter I enjoy.
He has penned a piece for Galvanize, a “GRC” software vendor. The article is A better approach to managing IT risk.
Unfortunately, I cannot recommend the article. It has far too much of a compliance focus for me (understandable, since that is Matt’s professional focus and background).
I will just pick out a few statements for comment.
The article starts with this assumption and following statement:
IT security is fundamental to achieving business objectives—which means that understanding and managing IT risk is also fundamental to achieving business objectives.
This is because IT risk evolves across two fronts:
- The constantly growing number of regulations that govern issues like privacy or system integrity
- The always-shifting design of IT systems themselves.
What is wrong with that?
- IT security’s potential effect on business objectives varies from organization to organization. Unfortunately, most do not assess how a breach could affect those business objectives (which I why I wrote a book about it). For some, it is huge; for others, not so much.
- IT risk is far broader than IT security. It includes any failure in the use (or misuse) of technology, including such issues as:
- The availability of the systems and so on relied on to support business operations
- The availability of the systems relied on for delivery of services to customers
- The quality of both, including providing the functionality needed by the business
- The reliability of those systems to deliver what is needed when it is needed, etc.
- The ability to support an agile organization
- Few perform the quality assessment of technology-related risk and opportunity sufficient to make informed and intelligent business decisions. They assess risk to information assets instead of risk to business objectives.
- There is no such thing as “IT risk”, only business risk (to quote Jay Taylor, former head of IT audit and then CRO at GM).
- Sometimes, taking more IT-related risk (because of the opportunities) is the right business decision.
- There are many other factors that can change IT-related business risk, such as a change in the business or an acquisition, a desire for new software by the business, an increase in software purchased or subscribed to directly by the user, an increase in the volume of network traffic that threatens reliability, the loss of maintenance support by a vendor, rapid testing of application changes, operating system changes, the delay of a major systems project, and so on.
Matt doubles down with (emphasis added):
One way a company ends up with too much IT risk is to let those IT systems fall out of compliance with regulatory obligations. Even worse: as we look at the business landscape today, it’s also painfully clear that this is becoming the primary way a company ends up with too much IT risk, too.
Compliance is probably the least concern for CIOs outside financial institutions.
If you want to understand “IT risk” it starts with understanding the reliance placed on technology by the business. Ask:
- What needs to go right (when it comes to the use of technology) if we are to achieve our objectives?
- What could go wrong in such a way that it imperils the achievement of objectives?
But management should be the one understanding and assessing risk, including risk related to technology.
While internal audit needs to understand technology-related risk (a far better term than IT risk, since technology is not managed only by the IT function), that is for audit planning purposes. It shouldn’t be for reliance by operating management – even though that is what Matt is saying in his article.
In fact, internal audit should be assessing how well management understands and addresses business risk, including but not limited to technology-related risks and opportunities.
IT audit and the understanding and management of technology-related risks and opportunities are very important (and dear to my heart).
But please, start with understanding the business and how it relies on technology.
Then ask those two questions:
- What needs to go right (when it comes to the use of technology) if we are to achieve our objectives?
- What could go wrong in such a way that it imperils the achievement of objectives?
Obtain answers that are ‘valued’ based on how they might affect the achievement of business objectives.
IT auditors: the best ones are those who not only have technology skills but have a deep understanding of the business.
Above all, there is far more to technology-related risk than information security.
I welcome your thoughts.
- What is quality internal auditing? - April 17, 2024
- Conflicting research and thoughts on ESG - March 20, 2024
- Useful ethics training for internal auditors - February 21, 2024