Mitigating Cybersecurity Risks: The Importance of IT Audit for Your Organization
Ini, thanks for talking with me today. You have a huge breadth and depth of knowledge! Can you distill the main challenges you see in IT audit right now?
There are a few main issues that come to mind in IT audit right now: cybersecurity, data management and governance, emerging technology and infrastructure changes that come with adopting it, third-party and vendor management, as well as the global workforce issues of staffing, resources and skills shortages.
That’s quite a list! Given the fast-paced nature of emerging technology, what best practice do you recommend for auditors as they partner with cross-functional teams, specifically in the IT arena?
IT professionals and auditors must work together to ensure controls are properly designed and working effectively. Think of the IT professionals as a professional footballer, and your cybersecurity IT auditor as the referee – both roles are necessary to run a fair and organized game.
When IT systems are built, they should be built into controls, but IT auditors understand that errors may occur in the process. With that in mind, IT auditors are responsible for examining the system closely to detect any flaws in controls or risks of external threats such as stolen credentials and phishing attacks.
Audits sit in a unique position in an organization – they must be able to understand and explain to senior or executive management cyberthreats and more importantly, the tools to combat the threats.
Just like referees do, IT audits make sure that everybody understands what the rules of the game are and how you play it.
I see IT security and privacy topped your list of concerns. Can we delve more into that?
Cyber risk has become one of the top challenges for any business to handle. A single cybersecurity incident can significantly disrupt operations, inflict long-term financial damage, cause regulatory and legal actions, and damage an organization’s reputation as well as the trust of its customers.
Finance leaders view cybersecurity as a top technology challenge largely because their organizations are experiencing and changing amid a digital transformation. Digitizing company operations – such as moving data and processes to the cloud, virtualization, using artificial intelligence (AI) and robotics – also changes the risk and control environment of a company.
While many internal audit organizations outsource large portions of their general IT audit processes, there is a growing trend of migrating these capabilities in-house. As internal audit departments begin to develop capabilities surrounding cybersecurity in coming years, many of the challenges they face will be similar to those addressed when absorbing IT audit functions.
Bottom line, IT auditors cannot let their guards down. They do not have the luxury of conducting high-level “check-the-box” audits of areas like information security, controls, and overall privacy. Security issues are among the greatest concerns for auditors because, if an emergency arises (e.g., data loss, security breach), it often jeopardizes other operations and processes in the organization. Reducing that risk requires effective controls to be maintained and updated.
Let’s talk about data management and governance. What are your thoughts on that topic?
Organizations have great aspirations when it comes to leveraging technologies to streamline their workflow, such as integrating RPA, AI, machine learning, deep learning, and continuous auditing and monitoring. And those are just the tip of the iceberg!
These technologies hold great promise to fuel long-term growth for organizations; but underlying that promise — and potentially hindering it — is the need for strong and sound data. As noted in Protiviti’s recent global study on the use of AI, because few companies perceive their data to be a valuable asset, they do not devote sufficient attention to how it is collected. Companies should begin by looking at the source of their data and make sure there are clear rules and policies in place that ensure it is clean and usable, before making the switch to intricate technologies.
The ability to leverage advanced technologies is highly dependent on the quality of data in an organization. Moreover, IT audit must be able to access and govern the data being used to ensure various control and compliance requirements are being met as different functions in the organization begin to employ these technologies.
The Bay Area is the world leader in embracing emerging technology and infrastructure change. How should the IT audit function approach transformation, innovation, and disruption?
Enterprises are adopting emerging technologies at a rapid pace to create synergies and harness the latest technologies – they rightly expect auditors to be forward-looking technology consultants who can contribute ideas that add value to the organization during IT projects. Boards and C-level management use the audit as the primary tool in assessing strategic risk, so audit chiefs are always engaged in updating the technology-related skills of their audit workforce.
Audit professionals need to gear up to face the challenge of auditing emerging technologies. Auditors need to learn and understand new skills and acquire knowledge related to predictive analytics, robotic process automation (RPA), blockchain, machine learning and artificial intelligence (AI).
Committee of Sponsoring Organizations of the Treadway Commission (COSO) guidance explains that although the use of emerging technology has resulted in a large number of automated procedures, “traditional” internal controls remain relevant. Organizations must maintain their risk management practices and control structures while undergoing various digital transformations. This places a significant burden on IT audit functions to keep pace with changes and ensure that audit plans address these transformations appropriately.
My “recruitment” ears picked up on another of your key points: resources, staffing & skills challenges. We’ve been hearing for several months now about the “war for talent” and “upskilling” needs. How should finance leaders approach their resourcing efforts?
Both from an IT audit and a broader IT perspective, resource needs are changing, and organizations are challenged to bring in and retain the resources they require.
Unquestionably, there is a shortage of skills and talent today in IT audit; they face growing demands to recruit new expertise and in the case of many current staff members, retrain in new skills.
Results from recent IT Audit Benchmarking Studies have shown that more than any other skills, IT audit functions are looking to hire professionals with expertise in advanced and enabling technologies.
In its research brief, The Future of IT Audit, ISACA explored the demand for new technical skills among IT auditors and how technology changes will affect the profession.
- Most auditors indicated they had a significant (44%) or moderate (38%) impact on technology projects within their organization. There is room for improvement on when auditors are brought into projects, with 28% of respondents reporting they were not brought into technology projects until post-implementation.
- IT auditors note that there is a strong demand for technical skills today. Simultaneously, auditors indicate that there is an increased expectation of expertise across a broader subject area. Somewhat contrary, or perhaps as an outgrowth of that expectation, is the notion that the IT audit team should be enhanced with data scientists. With these skills in place an IT audit team will be better able to meet the challenges of automation.
- Overall, auditors are optimistic (92%) when considering how technology will impact them professionally over the next five years. But there is uncertainty about the impact that automation and AI may have on staffing levels. Auditors are split on whether AI will replace all or some of the role of the IT auditor in the next three to five years, with 37% saying it is likely and 42% saying it is unlikely.
One of the most significant challenges CAEs and IT audit leaders face is a shortage of talent with the expertise to implement advanced analytics and technology-enabled auditing and approach it in a more sophisticated manner.
According to the results of Protiviti’s 2019 Internal Audit Capabilities and Needs Survey, many internal audit groups lack the right skills to advance their functions toward the next generation of internal auditing, employing such practices as continuous monitoring, agile auditing, machine learning and AI, process mining, advanced analytics and more.
Just as IT auditors are challenged with acquiring or enhancing technical skills to keep pace with organizational innovation, they will be similarly challenged with innovation in the practice of auditing. To access new and much needed talent, IT audit functions — and the organization in general — need to think differently about where to source talent and move beyond their traditional recruiting channels and candidate requirements for skills and experience.
The past few years have proved your point: we all have to think differently about how to source talent. With the talent shortage in mind, let’s move on to how third party & vendor management is such a key piece of the IT audit function.
As part of their business and digital transformation activities, organizations continue to shift more of their data and services to the cloud or to third parties. In doing so, their risk profile is affected significantly. Remember that as companies adopt new technologies, so do hackers.
IT audit leaders also understand that vendor risk management capabilities must be governed in the context of an increasingly difficult threat environment. The IT auditing of third-party risk management becomes more effective when the two lines of defense, i.e., auditors and risk managers, collaborate and share information while also leveraging each other’s abilities and tools.
By linking third-party risk assessments to audit plans, both auditors and risk management teams can avoid redundancies in third-party risk evaluation processes while standardizing the risk language that is used and providing management teams and boards with a holistic view of the enterprise’s third-party risk profile.
I have learned a lot today! Bottom line, how important is the IT Audit function to the success of a business?
The importance of IT audit is only going to increase with time – this cannot be overemphasized. The growing need for technical expertise and experience in cybersecurity, and exponential growth in emerging technology, will push audit and finance leaders to develop creative ways to attract and retain talent. The changes ahead are exciting but can be perilous for a company that is under-prepared. It is vitally important to lay the groundwork now for the IT opportunities ahead.
About the Authors
Lisa Groover joined DLC in 2021 as Client Services Director for the Northern California market. In this role, she is responsible for account management, business development, and recruitment/retention of her bench consultants. Lisa applies her in-depth knowledge of industry drivers, segment niches, and market trends to help her clients meet their business goals. A tenured service director with over 15 years of experience, she has her finger on the pulse of the Bay Area job market and has served many companies from Series A to IPO and beyond.
Ini’s finance and accounting experience ranges from corporate finance to external and internal audits and handling all phases of the SOX 404 compliance program, simplifying both business and IT processes, and analyzing their design and performance. She has also led month-end, quarter-end, and year-end activities for Fortune 500 firms, including preparing extensive analysis for management and the Board of Directors.