Common attributes that advance some IT audit departments from good to great.
As the use of information technology continues to proliferate, so do the associated risks organizations face.
The massive cyber heist affecting more than 100 financial institutions in some 32 countries is only the latest in a spate of data security breaches worldwide. Losses from the attack, disclosed last year, eventually could exceed $1 billion. During the past 10 years, hackers have compromised the records of millions of customers at eBay, Target, Sony, Heartland Payment Systems and many others.
Such incidents underscore the importance of an organization having not only a good IT audit department, but one that's world class.
So what, specifically, constitutes a world-class IT audit department? Attributes include:
- a clear mission statement that proactively addresses IT vulnerabilities instead of merely reacting to them;
- impactful and timely work products that stay relevant and add value;
- an audit process that is streamlined and organized for higher productivity and better project management;
- a raised audit profile within the organization.
Staffing, Credibility, Reputation
Staffing, credibility and reputation form the foundation of the IT audit department's role within the organization. That means having good people on board and adequately staffed IT audit resources. But pinning down what's "adequate" can be difficult, a moving target, given the many risks out there.
The IT audit team also must function as a business partner and serve as a resource that has the trust and ear of top management as well as a seat at audit committee meetings. It's important that the department combines knowledge of the IT audit areas plus the line of business in order to gain a comprehensive view of the area under audit. The team needs to engender respect for its skill and understanding of IT risks and controls. Other positive characteristics include good communication skills, both written and verbal.
In addition, it's vital to maintain technical expertise via continuous training to keep on top of the latest developments in technology. The problem IT auditors face is that the technology they audit is constantly changing, which requires companies to keep investing in training the staff.
A very real issue in the profession: as employees are trained they become more marketable elsewhere. So the dilemma is whether to invest in your staff and bring them up to speed, knowing that you are also strengthening their resumes and opening the door to competitive job offers. Some companies have found a way around this double-edged sword. Rather than training their staff, they contract third-party vendors to conduct IT audits. It's something I see occurring more and more as companies balance training costs against outsourcing on a case-by-case basis.
Use of Technology
Anyone traveling on the road toward world-class auditing will need to have a continuous auditing and monitoring program in place.
There's a greater emphasis on utilizing technology to enhance audit effectiveness and efficiency. Among data analysis tools, ACL and IDEA are popular products that auditors use to test whole populations of transactions and access records rather than samples.
Similarly, there's an emphasis on efficient use of audit governance, risk and compliance (GRC) tools. TeamMate and RSA Archer are two that generate positive comments and are in wide use. These products help users organize and maintain audit supporting documentation and structure the resulting workpapers and reports.
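As an added example (not from the article, nor code from ACL or IDEA), here is the kind of continuous-auditing control test those tools automate, written in Python over constructed data: a segregation-of-duties check on access rights and a duplicate-payment check on a payment ledger. The users, rights, vendors, amounts, the conflict pair and the 30-day window are all assumed for illustration; in practice the same tests run on a schedule against exports from the ERP or identity system.

```python
"""Continuous-auditing control tests over constructed sample data.

Added example, not from the original article or any vendor product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-rights export: (user, entitlement). Hypothetical users/rights.
ACCESS_RIGHTS = [
    ("alice", "VENDOR_CREATE"),
    ("alice", "PAYMENT_APPROVE"),  # holds both sides of a conflicting pair
    ("bob", "VENDOR_CREATE"),
    ("carol", "PAYMENT_APPROVE"),
    ("dave", "REPORT_VIEW"),
]

# Constructed payment ledger: (payment_id, vendor, amount, date, approved_by).
PAYMENTS = [
    ("P1", "ACME", 1200.00, "2015-03-01", "carol"),
    ("P2", "ACME", 1200.00, "2015-03-03", "carol"),   # same vendor/amount two days later
    ("P3", "GLOBEX", 800.00, "2015-03-05", "alice"),
    ("P4", "ACME", 1200.00, "2015-04-20", "carol"),   # same amount, but outside the window
    ("P5", "GLOBEX", 800.00, "2015-03-06", "alice"),  # same vendor/amount one day later
]

# Assumed segregation-of-duties matrix: rights one person should not hold together.
SOD_CONFLICTS = [("VENDOR_CREATE", "PAYMENT_APPROVE")]


def sod_violations(rights, conflicts):
    """Return (user, right_a, right_b) for every user holding both rights of a conflicting pair."""
    held_by = defaultdict(set)
    for user, right in rights:
        held_by[user].add(right)
    findings = []
    for user, held in sorted(held_by.items()):
        for a, b in conflicts:
            if a in held and b in held:
                findings.append((user, a, b))
    return findings


def duplicate_payments(payments, window_days=30):
    """Return (earlier_id, later_id) pairs with identical vendor and amount within window_days.

    Records are sorted by date so the inner loop can stop as soon as the gap
    exceeds the window; every later record is further away still.
    """
    parsed = sorted(
        ((pid, vendor, amount, datetime.strptime(date, "%Y-%m-%d"))
         for pid, vendor, amount, date, _approver in payments),
        key=lambda rec: rec[3],
    )
    window = timedelta(days=window_days)
    findings = []
    for i, (pid_i, vendor_i, amount_i, date_i) in enumerate(parsed):
        for pid_j, vendor_j, amount_j, date_j in parsed[i + 1:]:
            if date_j - date_i > window:
                break
            if vendor_i == vendor_j and amount_i == amount_j:
                findings.append((pid_i, pid_j))
    return findings


def run_control_tests(rights=ACCESS_RIGHTS, payments=PAYMENTS, conflicts=SOD_CONFLICTS):
    """Run both tests and return the findings keyed by control name."""
    return {
        "segregation_of_duties": sod_violations(rights, conflicts),
        "duplicate_payments": duplicate_payments(payments),
    }


if __name__ == "__main__":
    for control, findings in run_control_tests().items():
        print(f"{control}: {len(findings)} finding(s)")
        for finding in findings:
            print("  ", finding)
```

Each finding is a pointer back to a specific user or transaction, which is what makes the output usable as audit evidence; a test that only reports a count gives the auditee nothing to remediate.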
The relationship between IT risk assessments and world-class auditing involves:
- Awareness of emerging technology trends, risks and exposures that threaten business data, security and recovery. Cloud computing is a classic emerging risk: as companies move data into the cloud, the key question is whether critical information channeled through cloud vendors is properly protected, since a lapse on the vendor's side exposes the company's information.
- Effective assessment of IT risks and their impact on the enterprise. As noted above, cyber attacks target organizations from retailers to banks to healthcare providers; breaches have cost companies hundreds of millions of dollars and triggered lawsuits. No one is immune.
- Understanding the specific key risks to the business. Risk assessments look at the big picture to get a better handle on the key business and IT risks.
- A close relationship with information security. IT auditors and information security management address the same risks and share the objective of ensuring that proper controls protect information, yet the two groups don't always communicate well.
How to Create a Favorable Image
Your group needs to perform well, or its reputation will take a hit. The bottom line: an audit department may have the best plan in the world, but unless it's perceived as doing a credible job, its good name will suffer. Here are some suggested steps to foster a positive image:
- Have an experienced, well-qualified staff.
- Co-source with experts, if necessary.
- Present a good deliverable (i.e., audit report).
- Establish client liaisons to promote business partnerships.
- Involve client management in development of audit plan.
- Promote your best people back into the client organization (business and IT).
- Educate senior management and business clients on IT risks.
Also keep in mind various approaches for communicating the value of the audit department, such as (1) creating an audit intranet site with information about controls and a general rundown on the department and (2) distributing audit informational brochures.
The Role of IT Control Educators
To achieve world-class status, an organization needs to position IT Audit as the IT control educators. This entails the department becoming involved in strategic IT projects as a control consultant and helping to identify and correct control issues before they become audit issues.
It also means improving audit effectiveness and efficiency by sharing industry best practices and highlighting changes in approach to clients and management. Above all, communicate in language management can understand. Technobabble never works; IT auditors must guard against getting overly technical. When explaining the business risk of a technical issue, quantify it in financial terms.
IT auditors straddle the line between corporate cops and corporate consultants. They want to be viewed as nice guys whose service adds value. But never lose sight of audit's primary mission: to provide assurance to management that risks are being addressed.
Fred Roth is Vice President of the IT audit division at MIS Training Institute.