Stephen Doyle, CISA, CGEIT, PMIIA
Is director, internal audit with the Department of Agriculture and Water Resources in Canberra, Australia. He is responsible for the development and delivery of the internal audit work program and reports to the audit committee. He is the liaison between the department and other audit and assurance providers, including the Australian National Audit Office. Doyle has many years of experience in internal audit and advisory roles since joining Ernst & Young as an IS auditor in 1991, including the delivery of technical and business advice for both government agencies and private organizations. Doyle’s internal audit and IS audit-related experience, qualifications and background provide strong support when advising in the areas of organizational risk management and control, enterprise governance, information management and security, and business continuity management. He is also an experienced presenter and educator.
What is the biggest security challenge that will be faced in 2018?
The risk associated with third-party access to systems and information.
What are your three goals for 2018?
What is your favorite blog?
I enjoy the blogs on ZDNet and, in particular, Eileen Yu’s By The Way.
What is on your desk right now?
Chocolate! Thanks to the influence of my staff.
What is your number one piece of advice for other IS audit professionals?
Be curious. An auditor needs to be inquisitive to be successful. As Albert Einstein said, “I have no special talent. I am only passionately curious.”
What is your favorite benefit of your ISACA membership?
The opportunity to volunteer at both the local and international levels and work with people who have had a variety of adventures.
What do you do when you are not at work?
I am the primary carer for my wife and we spend time with our two daughters, their spouses and our two grandchildren. Listening to music is a favorite pastime and we are regular concertgoers. I am a keen cyclist. My greatest achievement was cycling from Everett, Washington, USA, to Williamsburg, Virginia, USA—a journey of 5,500
How do you think the role of the IS audit professional is changing or has changed?
The role has changed from being primarily a technically focused role to one that is predominantly business focused. The IS auditor must understand the business environment and functions, as well as the supporting technology, in order to truly understand and evaluate risk. Recommendations for improvements to control processes should be cost-effective and practical. To achieve this, the IS audit professional must appreciate the business context and its priorities.
A trend toward the use of outsourced service providers has also influenced the nature of the role. The use of outsourced IT services, for example, often necessitates the establishment of audit and assurance arrangements that are agreed on among the various parties. Depending on the contractual provisions, the IS audit professional may rely on independent assurance providers to undertake work that would previously have been undertaken internally.
There is an increased demand for internal and IS auditors to provide timely advice on governance, risk and control issues, especially for new developments and implementations. IS auditors often find themselves acting as advisors to project boards and technical work groups for application systems being developed or purchased.
What leadership skills do you feel are critical for professionals to be successful in the field of IS audit?
The most important leadership skill in the field of IS audit is communication, from clarifying tasks through to conveying strategic direction. In most activities they undertake, auditors need not only to understand and articulate their evaluation of organizational risk, but also to speak with clarity on control objectives and options.
Other critical skills are motivation, the ability to build trust and creativity. A leader needs to be positive and motivated to encourage an effective and pleasant work environment. Given that auditors identify and report on process weaknesses and risk management issues, trust is important to instill confidence that sensitive issues will be handled appropriately. Creativity is needed to maintain effective audit operations with the available resources and to advise on emerging technology risk scenarios.
What is the best way for someone to develop those skills?
A broad base of both life and professional experiences is a good start. When choosing employment, look for a role that has opportunities for variable and challenging tasks. Take on a volunteer role. While there are many opportunities to volunteer with ISACA, there are also opportunities to assist community and charity associations in roles that may provide completely different challenges from the normal nine-to-five.
Seek out and have regular contact with people who can provide mentoring and guidance. It is always beneficial to have feedback on behaviors that may be in your blind spot. Finally, make time for the odd moment of quiet reflection.
What advice do you have for IS audit professionals as they plan their career paths and look at the future information security?
There are many career paths for IS audit professionals in information security and it may be useful to think about the different specialty areas and decide on the ones that are of most interest. Of course, there is the requirement to develop an ongoing knowledge and competency in the field. Do not be afraid to experiment with career choices or change direction as you progress and mature. Be flexible to change and stay true to your values.
How have the certifications you have attained advanced or enhanced your career? What certifications do you look for when recruiting new members of your team?
I undertook my Certified Information Systems Auditor (CISA) qualification very early in my audit career and found it invaluable in consolidating my knowledge and skills. It introduced me to what some describe as the ‘black art’ of IS audit.
While my certifications have enabled me to easily demonstrate my competencies and professionalism, they reveal their true value only when placed in the broader context of the professional association, ISACA. I sometimes wonder what my career might have been without access to ISACA’s support, knowledge bases, networking and volunteer opportunities, professional development, research, and publications.
How do you see the roles of IS audit, governance and compliance changing in the long term?
I would predict changes in practices and organizational structures, the expertise of auditors and the use of tools will bring about an overall broader role for IS audit, governance and compliance professionals. Increasing use of information technology will result in the reduction of routine tasks such as those associated with data analysis, compliance testing and monitoring.
Chief executives will expect assurance that their organizations are performing well and that their objectives are being achieved. The roles of IS audit, governance and compliance professionals will change accordingly. There will be increased attention on the alignment of processes to support organizational outcomes. The traditional risk management and control activities will be supplemented with analysis of behavioral changes, process complexity and efficiency, costs, and outcomes. There will be improved integration of risk management, compliance, governance and audit functions to support this.
Organizations will expect these roles to provide more predictive analysis of process and risk rather than the traditional “after the event” analysis. Professionals will be asked to apply their insights and contribute as an independent strategic adviser.
What has been your biggest workplace or career challenge and how did you face it?
My biggest workplace challenge was to understand the use of enterprise systems across government agencies on behalf of the Ministry of Finance in Singapore with a view to recommending shared services strategies. The task involved having to interview 13 chief information officers (CIOs) over three days.
I was able to use a locally based team for support in arranging meetings and to help with my understanding of, at times, heavily accented English. Planning and review were critical in undertaking the work. Prior to each meeting, we collated a series of questions to ensure that we were able to capture the basic information required. Given that each operating environment was quite different, it was then necessary to explore each agency’s use of systems and associated costs, and understand their business processes and the risk of disruption. It was important to have a detailed debrief after each meeting to review our tactics and prepare for the next round.