Innovation in the IT Audit Process: The IT Semantic Audit Models Audit Segments Using Semantic Graphs

Author: Huáscar Méndez, CISA
Date Published: 19 February 2020

The need for innovation in the IT assurance field is based on evolving requirements for which traditional responses have lagged behind. The ability to have an in-depth understanding of the organization and its changing environment and track its complex technology represents a challenge for IT auditors and IT assurance analysts. Without advanced tools and methods, they cannot meet the requirements of understanding the organization and tracking complex technology or perform their work more efficiently. To overcome this, organizations are required to adapt their assurance methodologies and increasingly use technology in the execution of assurance work.1 This dynamic offers an invaluable opportunity for the introduction of new ideas to the IT assurance process.

The following question arises: How can the IT audit process be innovated? Innovation in the planning phase is feasible using a new methodology called the IT Semantic Audit. It is based on the use of semantic graphs, a form of knowledge representation.2, 3 The typical audit process consists of three phases (figure 1).4

The opportunity to develop new methods and tools for planning IT audits is based on a series of needs related to the limitations of current human techniques, tools and capabilities in the face of increasing complexity and technological diversity.5, 6 On one hand, IT audit jobs require high levels of understanding about the organization, its environment and the technology that enables it. Such a requirement generates the need to gather information, compile it and validate it with the stakeholders of the organization and the audit process, and share it with the members of the audit team to achieve a level of homogeneous knowledge and maximize the efficient use of it. This need is often not adequately met due to the lack of specialized methods and tools in the modeling of IT audit segments.

On the other hand, the effects of the so-called “crisis of technical knowledge” must also be taken into account.7 Computer security leaders have said they feel overwhelmed and disadvantaged with regard to criminal competence, a tendency to which several factors contribute such as legislation, the increase in technological complexity, and the appearance of more specialized and equipped hackers than ever.8 Without a doubt, this finding also applies to IT auditors, who may have difficulty adjusting to technological changes in matters such as cybersecurity.

The documentation techniques used in IT auditing, inherited from general auditing, are limited because they are not oriented to systems engineering. The Institute of Internal Auditors (IIA) states:

The documentation of internal controls can take various forms, including flowcharts, policy and procedure manuals, and narrative descriptions. The IIA Standards do not require any particular form of documentation and the scope of documentation may vary depending on the complexity of the area. Depending on the nature of the organization, control documentation can range from generic guidelines to written and detailed policies and procedures. In most cases, internal auditors use flowcharts along with narrative descriptions as a starting point for documentation work.9

These techniques are insufficient and limited in scope when documenting a typical IT audit segment. For example, they say nothing about decomposing an IT audit segment, which is required to discover and document the intricate relationships between its components. This gap affects the quality of IT audit plans and the end results of IT audits. It can, however, be closed through knowledge representation.

Add to this the complexity inherent in the management of the information required for efficient planning of IT audits. Such complexity often exceeds the available capacities, even if there are highly trained human resources with vast experience. Therefore, there is a need for organizations to have an advanced solution that enables them to have a full and successful approach to the planning of their IT assurance work. This can also be addressed through knowledge representation.

IT Semantic Audit Methodology

The answer to the question of how to innovate the IT audit process in the planning phase is to innovate through a methodology called the IT Semantic Audit, which is aimed at modeling audit segments using semantic graphs (figure 2).

The concept of semantic graphs is the representation of a domain of knowledge that connects objects of different types in a systematic way. It encodes knowledge organized in a network of nodes and links instead of tables of rows and columns.

Graphs are used everywhere to deal with many different problems. Facebook, Microsoft, Google and others all have their own implementation of graphs. They use them to improve algorithms such as search engines and machine learning (ML) models. For example, in Google Maps the streets are arcs or links, while the intersections are nodes.10

With graphs, people and organizations can benefit from a dynamically growing semantic network of facts and can use it for data integration, knowledge discovery and in-depth analysis. Figure 3 shows the semantic graph section of the data backup process of a fictitious organization called ABC 123. It represents the corresponding cascade of goals.

The IT Semantic Audit presents an opportunity for IT assurance functions in the planning phase as it enables agile, collaborative and organized modeling of IT audit segments in organizations of all types. With this methodology, the models are specified through the use of a natural language formed by a standardized vocabulary. When a model is created, it represents the taxonomy (figure 4) of the segment (i.e., the base knowledge structure that allows the specification of internal IT control) from the needs of the stakeholders through the chain of enablers’ goals to the computer components and subcomponents and their properties.

A completed model is a domain ontology.11 It is a knowledge base of the context that can be scrutinized in detail, both visually and automatically. It enables programs and humans to simultaneously share the knowledge housed within the programs, which can be seen as a set of concepts (i.e., things, events and relationships).

The IT Semantic Audit can be implemented for different purposes in the areas of IT assurance of an organization. In auditing, it enables the performance of pre-audits that contribute to the planning of fieldwork and post-audits to ensure the quality of IT audits after completion. In compliance, it helps to discover and document all the laws and regulations to which the organization is subject. And in governance, it facilitates the discovery, documentation and correlation of the cascades of goals and risk from the interested parties to the enablers or components.

The IT Semantic Audit Process

The steps for planning assurance work with the IT Semantic Audit methodology are important to understand and are summarized here.

Step 1: Organize Work
The first thing to do is estimate the number of relevant components to be modeled and the complexity of the main themes to be treated. This allows for the selection of sufficient and adequate resources to assume the modeling of the assurance segment.

Next, each section of the model’s taxonomy (figure 4) is assigned to each member of the modeling team.

Step 2: Represent Components
For each section of the model, the modeling team adds all nodes that represent the model’s components. Users should note that the components nest among themselves, as in the reality of the segment that is represented. For example, a data center includes a room, people, equipment and devices, and other components such as goals, threats, vulnerabilities and risk.

There is a risk that more nodes are defined than the scope of the segment requires. Because of this, supervision of the modeling work is recommended to mitigate this risk.

Step 3: Link Nodes
Each node or component is defined by its properties. Depending on the data type, each property may contain a data value, a set of data or a reference to other nodes. Those of the last type are the edges through which one node is linked to another. For example, the model node has a property called “main node.” This property value links the root node with the node that represents the model essence or concept. In cases of, for example, modeling a segment called “data backup,” that property would point to the node that represents the aforementioned process.

There are also nodes that link other nodes to each other. Think about the cascades of goals, starting with the stakeholder’s drivers and needs, that link with the organizational goals and, in turn, with those of IT, and with the goals of the components. Chains of this type are achieved through link nodes.

Step 4: Prioritize Nodes
Once the model taxonomy has been completed (i.e., it has all the nodes that correspond to the reality of the modeled segment and all the links between them), it is time to convert it into an ontology, that is, to document it. But first, for the sake of the use of resources, it is not required that all nodes be worked beyond their presence in the model. That effort should be made for only a few of them. For that, each node has a property called “priority,” whose discrete value can be set by the user, from very low to very high. This property only needs to be set on the priority nodes so that the program treats them differently from the rest.

Step 5: Document Facts
This phase consists of registering in the model all the facts that are useful for producing a good assurance work plan. This is done through the properties of the nodes. Those related to previous findings and risk, including risk incidents, are of paramount importance. Remember that the nodes have properties of different types such as text document, date, diagram, audio, video and geolocation. Each provides the right tool to register and recover the corresponding documentation.

A summary of its definition and status must be recorded for each documented node. This is a very important step aimed at the quality of the assurance plan resulting from the process.

An important aspect of this phase is to consider the practice of involving the stakeholders to obtain their opinion of the facts that are being recorded.

Step 6: Define Tests
The ultimate goal of the planning process with the IT Semantic Audit is to define the audit tests or audit procedures. To complete this step, for each goal of each node marked as a priority, users insert and configure one or more nodes of class “assurance domain.”

This step includes the selection of the test program steps, the estimation of necessary resources and any other requirements that should be taken into account. All this must be part of the model, with each element represented by a linked node.

Step 7: Generate IT Assurance Plan
The product resulting from the planning process is the IT assurance plan. This report shows the executive summary, which highlights the significant aspects of the model. It also includes a set of annexes that profile the model and details about the assurance domains.

The executive summary is produced by the person in charge of the planning work team. This can be done while working on the model or after it is documented, i.e., the taxonomy of the model is completed and the corresponding facts are recorded.

This report also details the findings made in this phase, together with the auditee’s responses and the preventive and corrective plans—again, everything expressed as part of the model.

Benefits to the Assurance Process

The main benefits that the IT Semantic Audit methodology provides include:

  • Adapting to changes—Having a segment model creates a greater capacity for adaptation in response to the continuous evolution of the represented segment, both in terms of internal control and the external environment of the organization, which translates into much more efficient assurance work.
  • Reducing time to the assurance report—The audit team can raise and present findings and perform audit tests even before the model is completed.
  • Higher assurance plan quality—The order and richness of concepts provided by the taxonomy of the model influence the quality of the assurance plan, the final product of the process.
  • Higher motivation—The methodical work of decomposition of concepts, the investigation of facts and their correlation positively influences the motivation of the team, and the team tends to produce more.
  • Better communication—Because the IT Semantic Audit uses a natural language formed by a standardized vocabulary, the methodology increases the capacity for collaboration between members of the assurance teams and, therefore, the productivity of the assurance functions. This advantage extends to the stakeholders of the IT assurance process insofar as they are integrated into the use of the common language.
  • Reduction of risk—By enabling the ability to have an in-depth understanding of the organization, its changing environment and its complex technology, the IT Semantic Audit contributes significantly to minimizing the detection risk to maintain the required level of audit risk.

Impacts on Innovation Fields

The IT Semantic Audit is applicable in each of the innovation fields, as can be seen herein.

Collaboration
The IT Semantic Audit uses a natural language formed by a standardized vocabulary. This facilitates collaboration. Semantic technologies have demonstrated their potential to integrate valuable knowledge and are being applied to the composition of digital learning and work platforms. With the IT Semantic Audit, the ability to link data to the properties of the nodes is acquired. These data may consist of figures, descriptions or audit programs and may be provided by sources external to the model such as web services, local or external databases, and social networks.

Audit Management
In this field, the IT Semantic Audit should be established as a complement to audit management solutions already in place. It provides functions such as quantification of the work required, component documentation, and general and specific search of facts, among others.

Early Use of Data Analysis
Because the IT Semantic Audit has the ability to link data to node properties, IT auditors can use those data to discover new aspects of the segment being modeled (e.g., analyzing the risk of a facility’s environment or discovering the latest vulnerabilities of an IT component).12

When defining the audit segments through the IT Semantic Audit, the audit team is provided with multidimensional automated analysis capabilities that would not otherwise be feasible. For example, manually determining the impact of risk on organizational goals by component class is laborious. In addition, manual work is subject to errors that can undermine its reliability. Instead, using the defined models (remember that a defined model is itself an ontology, i.e., a knowledge base that can be scrutinized), the auditor can efficiently achieve an exact result.
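To make the process steps (Steps 2 through 6 above) and the kind of automated query just described concrete, the following added example builds a small segment model as a semantic graph and then answers the question "what is the impact of risk on organizational goals by component class?" directly from the model. This is illustration code written for this page, not the IT Semantic Audit software or its vocabulary: the node classes, the property and edge names (main_node, contains, has_goal, supports, affects, assured_by, impact) and the fictitious data backup segment are all constructed assumptions, and a single string identifier stands in for the natural-language vocabulary the methodology uses.

```python
from typing import Any, Optional

PRIORITY = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}  # Step 4 scale

class SegmentModel:
    """Nodes (a class plus properties) and typed edges; an edge is a property that references a node."""
    def __init__(self) -> None:
        self.nodes: dict[str, dict[str, Any]] = {}
        self.edges: list[tuple[str, str, str]] = []  # (source, property, target)

    def add(self, node_id: str, cls: str, **props: Any) -> None:
        self.nodes[node_id] = {"cls": cls, **props}

    def link(self, src: str, prop: str, dst: str) -> None:
        if src not in self.nodes or dst not in self.nodes:  # refuse dangling references
            raise KeyError(f"unknown node in edge {src} -{prop}-> {dst}")
        self.edges.append((src, prop, dst))

    def targets(self, src: str, prop: str) -> list[str]:
        return [d for s, p, d in self.edges if s == src and p == prop]

    def cascade(self, lower: str, upper: str) -> None:
        """Step 3: a link node joining a goal to the higher goal it supports."""
        lid = f"link_{lower}_{upper}"
        self.add(lid, "link")
        self.link(lower, "supports", lid)
        self.link(lid, "supports", upper)

def build_model() -> SegmentModel:
    """Constructed sample: the data backup segment of a fictitious organization (assumed data)."""
    m = SegmentModel()
    # Step 2: components nest as in the real segment; the root's main node is the process.
    m.add("model", "model")
    m.add("data_backup", "process", summary="Nightly backup of core databases")
    m.link("model", "main_node", "data_backup")
    m.add("dc1", "facility", summary="Primary data center")
    m.add("backup_srv", "server", priority="very high", summary="Backup server", finding="No restore test")
    m.add("tape_lib", "device", priority="medium", summary="Tape library")
    m.add("offsite_vault", "facility", priority="high", risk_incident="Late tape pickup")  # no summary yet
    for parent, child in [("data_backup", "dc1"), ("data_backup", "offsite_vault"),
                          ("dc1", "backup_srv"), ("dc1", "tape_lib")]:
        m.link(parent, "contains", child)
    # Goal cascade: component goals -> IT goal -> enterprise goal -> stakeholder need.
    m.add("need_continuity", "stakeholder_need", summary="Regulator expects continuity")
    m.add("eg_continuity", "enterprise_goal", summary="Business service continuity")
    m.add("itg_recover", "it_goal", summary="Recover critical data within RTO")
    m.add("cg_restorable", "component_goal", summary="Backups complete and restorable")
    m.add("cg_offsite", "component_goal", summary="Copies held off site within 24h")
    for lower, upper in [("eg_continuity", "need_continuity"), ("itg_recover", "eg_continuity"),
                         ("cg_restorable", "itg_recover"), ("cg_offsite", "itg_recover")]:
        m.cascade(lower, upper)
    m.link("backup_srv", "has_goal", "cg_restorable")
    m.link("offsite_vault", "has_goal", "cg_offsite")
    # Step 5: risk facts as nodes with a discrete impact, linked to the components they affect.
    m.add("risk_corrupt", "risk", impact=5, summary="Backup set silently corrupted")
    m.add("risk_tape_loss", "risk", impact=4, summary="Tape lost in transit")
    m.link("risk_corrupt", "affects", "backup_srv")
    m.link("risk_tape_loss", "affects", "offsite_vault")
    return m

def priority_nodes(m: SegmentModel, at_least: str = "high") -> list[str]:
    """Step 4: nodes whose priority property meets the threshold."""
    return [nid for nid, n in m.nodes.items()
            if PRIORITY.get(n.get("priority"), 0) >= PRIORITY[at_least]]

def missing_summaries(m: SegmentModel) -> list[str]:
    """Step 5 check: priority nodes still lacking a definition/status summary."""
    return [nid for nid in priority_nodes(m) if "summary" not in m.nodes[nid]]

def define_tests(m: SegmentModel) -> list[str]:
    """Step 6: an assurance-domain node for each goal of each priority node."""
    created = []
    for comp in priority_nodes(m):
        for goal in m.targets(comp, "has_goal"):
            ad = f"ad_{goal}"
            m.add(ad, "assurance_domain", test_steps=[f"Obtain evidence: {m.nodes[goal]['summary']}"])
            m.link(goal, "assured_by", ad)
            created.append(ad)
    return created

def enterprise_goals_of(m: SegmentModel, node: str, seen: Optional[set] = None) -> set[str]:
    """Climb the cascade through link nodes until enterprise goals are reached."""
    seen = set() if seen is None else seen
    if node in seen:
        return set()
    seen.add(node)
    if m.nodes[node]["cls"] == "enterprise_goal":
        return {node}
    return {eg for nxt in m.targets(node, "supports") for eg in enterprise_goals_of(m, nxt, seen)}

def risk_impact_by_class(m: SegmentModel) -> dict[tuple[str, str], int]:
    """Highest risk impact reaching each enterprise goal, per affected component class."""
    result: dict[tuple[str, str], int] = {}
    for rid, risk in [(i, n) for i, n in m.nodes.items() if n["cls"] == "risk"]:
        for comp in m.targets(rid, "affects"):
            for goal in m.targets(comp, "has_goal"):
                for eg in enterprise_goals_of(m, goal):
                    key = (m.nodes[comp]["cls"], eg)
                    result[key] = max(result.get(key, 0), risk["impact"])
    return result
```

Calling `build_model()` and then `risk_impact_by_class(...)` walks each risk to the components it affects, up through the link nodes of the goal cascade, and reports the highest impact per (component class, enterprise goal) pair; `missing_summaries(...)` flags the priority node whose definition and status summary has not yet been recorded, and `define_tests(...)` creates the assurance-domain nodes only for goals of priority nodes, which is the point of Step 4. The `link` method refuses edges to undefined nodes so the model stays a consistent knowledge base as it grows.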

Implementation of Control Self-Assessment
As IT Semantic Audit is an easy-to-understand methodology, it has enormous potential to become the standard language for control self-assessment (CSA) completion throughout the organization.13 IT auditors can contribute by driving the use of the IT Semantic Audit methodology for agile modeling of internal control throughout the organization in the context of CSA. This is facilitated by the common use of natural language and standardized vocabulary.

Audit Horizontally
This is an area in which the IT Semantic Audit provides the ability to audit horizontally by default. Simply by defining a segment on a given process, such as change management, and relating it semantically with the application models, the goal of auditing it horizontally across all applications is achieved.

Knowledge Management
In general, knowledge management is defined as the way in which knowledge is organized and used by an organization, based on the information resources available.14, 15 It is a strategy consisting of providing the right knowledge to the right people at the right time and helping people share and put information into actions that seek to improve organizational performance.16

In this sense, innovating through the IT Semantic Audit enables an efficient transfer of knowledge about the IT audit segments. The definition of audit segments as knowledge bases is key in this context. This is undoubtedly the most important aspect in the IT audit planning phase.

Conclusion

The IT Semantic Audit is a standard methodology and modeling language for the areas of governance, control, audit and assurance of information technology. Its advantages include the ability to allow an effective, fast and complete representation of the IT segments. Also, and no less important, it can provide an efficient way to manage and transfer related knowledge.

Endnotes

1 KPMG, “Top 20 Risks in Internal Audit Before 2020,” April 2019, p. 3, https://assets.kpmg/content/dam/kpmg/ch/pdf/key-risks-internal-audit-2018.pdf
2 Girard, J. P.; J. L. Girard; “Defining Knowledge Management: Toward an Applied Compendium,” Online Journal of Applied Knowledge Management, vol. 3, iss. 1, 2015, www.iiakm.org/ojakm/articles/2015/volume3_1/OJAKM_Volume3_1pp1-20.pdf
3 University of North Carolina at Chapel Hill, USA, “Introduction to Knowledge Management,” 19 March 2007, www.unc.edu
4 ISACA, Information Systems Auditing: Tools and Techniques—Creating Audit Programs, USA, 2016
5 The Institute of Internal Auditors, Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan, 2008, p. 1
6 Symantec, High Alert, July 2019, chapter 2, p. 1
7 Ibid.
8 Ibid.
9 Koutoupis, A.; “Documenting Internal Controls,” Internal Auditor, 1 October 2007, https://iaonline.theiia.org/documenting-internal-controls
10 Crovari, P.; “Google Maps and Graph Theory,” Impactscool Magazine, 20 May 2019, https://magazine.impactscool.com/en/speciali/google-maps-e-la-teoria-dei-grafi/
11 Gruber, T.; “Ontology,” Encyclopedia of Database Systems, Springer-Verlag, Germany, 2008
12 Kress, R.; D. Hildebrand; “How Analytics Will Transform Internal Audit,” ISACA Journal, vol. 2, 2017, https://www.isaca.org/archives
13 Cooke, I.; “Doing More With Less,” ISACA Journal, vol. 5, 2017, https://www.isaca.org/archives
14 Op cit University of North Carolina at Chapel Hill
15 Davenport, T. H.; L. Prusak; Working Knowledge: How Organizations Manage What They Know, Harvard Business School Press, USA, 2000
16 O’Dell, C.; C. J. Grayson; “Knowledge Transfer: Discover Your Value Proposition,” Strategy & Leadership, vol. 27, no. 2, 1999, p. 10–15, https://doi.org/10.1108/eb054630

Huáscar Méndez, CISA
Is an entrepreneur in IT solutions for IT governance. He is the author of the IT Semantic Audit methodology and the software with the same name, a web application that automates it. Méndez has more than 20 years of experience in IT auditing, information security and risk. He has worked in the financial sector as an auditor and systems audit manager, and he has participated in the design and implementation of information security management systems based on International Organization for Standardization (ISO) standard ISO 27001. Méndez can be reached at hsmendezg@gmail.com.