Business and technology leaders use various buzzwords to define the technology landscape and what it may look like in the future. It is common to hear them use words such as “evolving,” “fast-paced,” “disruptive,” “agile,” “generative” and more to describe the state of IT. These are terms that 21st-century IT auditors may also find themselves using. On the other hand, when asking certain IT managers, chief information officers (CIOs) or chief information security officers (CISOs) how they would describe the IT auditor, they may use descriptors such as “restrictive,” “outdated,” or “fault-finding,” or phrases such as “They do not understand what we do” or “They do not understand how the technology works.” Executives who feel this way believe that recommended controls do not add value or that the auditor is simply going over a checklist. Therefore, it appears that there is a disconnect between the first line of defense (management) and the third line of defense (auditors).
If the IT auditor is not intentional, this perception can continue and the perceived gap between control testing, recommendations and technology advancement widens as organizations adopt new technology to drive their business objectives into the future.
There are 3 skills that a modern IT auditor must possess to add value to the technology teams being audited and to avoid being seen through a negative lens by senior leadership:
- Understand what drives the bottom line. In simple terms, this means knowing how the organization makes money. Gone are the days of an IT auditor only being concerned about IT audit (i.e., change management, access management, segregation of duties [SoD], backups, traditional IT control tests). The auditor must now understand what drives the bottom line of the enterprise and, based on risk assessment, articulate how technology risk can impact that bottom line and subsequently design innovative tests to address such risk. If not, there will always be a gap between the auditor and the CIO. So, the first step is understanding the bottom-line drivers and putting every control to be tested through bottom-line impact and likelihood tests. Generally, as long as audit findings can be linked to their potential impact on the bottom line, the risk is understood and accepted by the auditee.
- Acknowledge the importance of cybersecurity. Several surveys from renowned thought leaders have identified cyberrisk as a top business risk from today into the future.1, 2 Predictions state that the likelihood and impact of this risk will continue to increase. One risk factor that most IT professionals agree is an inherent part of new technology (e.g., artificial intelligence [AI], quantum computing) is security risk. Every technology leader wants their organization’s data assets secured. The IT auditor of the future must be able to clearly demonstrate that they possess the knowledge and skills to be able to test and understand cybersecurity controls. These controls are not only limited to the governance space, which is where most IT auditors end their reviews. Years ago, it may have been enough for an auditor to conduct phishing tests and determine whether a firewall was in place. But today’s auditors must understand cyberarchitectural principles such as zero trust, threat modeling and microsegmentation, to name a few. Knowledge of security DevOps, cloud and the vulnerability management life cycle is also important. A guiding principle in cybersecurity is that the chain is only as strong as its weakest link. Consequently, it is important that the auditor understands all links in the chain within the context of the organization and designs audit programs that ensure that the weakest link is not only identified, but strengthened.
- Embrace adaptability and a risk-based approach. For platforms such as Microsoft Power Apps, which was designed to support business agility, faster development, and deployment for small business applications, the auditor may need to adapt the traditional approach to application testing of general IT controls. For example, such platforms may challenge auditors’ traditional ways of thinking when it comes to a control such as developers not having access to publish a build to production.
Adaptability is critical in a situation such as this. It implies the ability of an auditor to vary their approach while ensuring that the underlying risk is mitigated. Some controls are now built into systems. So, the conversation with the auditee should be risk-driven and not merely about populating a control activity. This could also take the form of an auditor auditing a Software-as-a-Service (SaaS) solution within an organization and asking the auditee how they ensure that the system administrator (admin) cannot change the source code or how backup procedures are performed.
Conclusion
If anything is certain about the future of technology, it is change. These changes are not driven by audit requirements, but rather by constantly evolving business needs. IT auditors must adapt to new technology to ensure that they can stay relevant and constantly develop new ways to drive value and improve the control environment through audits.
Endnotes
1 PriceWaterhouseCoopers, 2022 Global Risk Survey, United Kingdom, 2022
2 Allianz, “Allianz Risk Barometer 2023—Rank 1: Cyber Incidents,” 2023
Fene Osakwe is an award-winning global cybersecurity and digital assurance professional, international conference speaker, Amazon best-selling author and published thought leader. He has more than a decade of experience working on the first, second and third lines of defense. He has worked for multibillion-US dollar companies and consulted for financial institutions, telecom and fintech companies, state governments, and universities. Osakwe has created security functions for several organizations from the ground up. In a previous role at the largest telecom infrastructure company in Africa and the Middle East, he established security and governance, risk and compliance (GRC) functions. He was recognized as one of the top 10 global cybersecurity leaders under 40 in 2023 by CIOLOOK USA and was named one of the 100 inspiring global personalities of 2022 by Hoinser Magazine. He received the Cybersecurity Excellence award (Middle East and Africa) from Ibento Global in 2022 and was named the cyber youth mentor for Dubai in 2022 by the United Arab Emirates (UAE) Cyber Council. Osakwe is an advisory board member on several boards globally and author of the best seller Climbing the Corporate Ladder With Speed.