IT Audit: A Look Ahead

Author: Kevin M. Alvero, CISA, CDPSE, CFE
Date Published: 31 December 2021

Traditionally, the term “IT audit” suggests certain familiar procedures such as ensuring the functionality and integrity of an entity’s tools, systems and networks; testing and monitoring the security of IT systems against intrusion or misappropriation; and providing assurance around the compliance of IT activities with relevant enterprise policies, industry best practices and government laws and regulations.

However, the archetype of IT audit is changing. As society in general becomes more data driven and organizations increasingly look to leverage data to power processes, inform business decisions and generate value, IT audit must, in turn, provide business leaders with more timely and actionable risk assessments and input for effective governance of data and other IT assets. Accordingly, there are five things that auditors should be expecting to see happen in the field of IT audit in the near future.

1. IT Risk Will Remain a High Priority for the Board

At first glance at The Institute of Internal Auditors (IIA) OnRisk 2021: A Guide to Understanding, Aligning and Optimizing Risk report,1 IT risk may not seem to be a particularly high priority for board members. At least, it is not labeled as such in the report. But, in taking a closer look at the survey responses, cybersecurity, third parties, and business continuity and crisis management are among the categories that board members rated as most relevant to their organizations, and all of them are closely related to IT.

Dispersion of the workforce and the global supply chain that occurred in the early months of the COVID-19 pandemic have added yet another layer of difficulty to third-party risk management—something many organizations were already grappling with prior to 2020. Additionally, cybercrime continues to escalate. According to a survey by Refinitiv, 71 percent of respondents said that cybercrime has become more difficult to contain due to pandemic-related remote working practices.2

Meanwhile, the IT aspect of business continuity and crisis management goes beyond keeping critical systems running in the wake of a disruption such as a natural disaster. It also includes not allowing IT systems to become the source of the disruption itself, such as with a data breach or exposure to reputational damage from social media. For example, in August 2021, the personal information of tens of millions of current, former or prospective T-Mobile customers was leaked to hackers. The stolen personal information included names, dates of birth, Social Security numbers and driver’s license numbers.3 Within a few days, from the time the enterprise began investigating the breach to the time it was reported in the media, shares of the enterprise’s stock had fallen by approximately 3.5 percent.

These types of events show that for internal audit to deliver value around IT, internal auditors must do more than provide assurance around security, functionality and compliance. They need to aid in governance practices as well. Internal audit must also help organizations be prepared to respond from a crisis-management perspective and assess IT risk from a strategic perspective in terms of exposure. By doing these things, internal audit can provide the board and senior leadership with genuine guidance as it relates to IT risk.

2. IT Will Be More Integrated Into the Overall Audit Plan

Increasingly, organizations are relying on technology to enable virtually every aspect of their operations. According to a global survey of executives by McKinsey, executives say their organizations have accelerated the digitization of their customer and supply chain interactions and of their internal operations by three to four years, while the share of digital or digitally enabled products in their portfolios has accelerated by seven years.4 According to the report, “executives…say that funding for digital initiatives has increased more than anything else—more than increases in costs, the number of people in technology roles, and the number of customers.”5 In addition, although this acceleration is attributable in large part to the pandemic, survey respondents did not indicate that they consider these investments to be short-term contingencies, but rather a shift in how they do business.6

The implication for the future of IT audit is that in an environment with such increased reliance on technology, essentially every internal audit will be an IT audit. More precisely, auditors will not be able to audit any area of the business without looking at the IT aspect. For example, as departments throughout the organization leverage automation to perform tasks such as data entry, inventory, account reconciliation and basic customer interactions, internal audit will need to be able to determine if these technologies are properly sourced and developed, correctly programmed, and functioning as intended within the scope of auditing their respective business areas. Although there will continue to be dedicated audit engagements focused around IT systems and their related controls, auditors should be preparing for a future in which assurance around supporting IT is integrated into the scope of virtually every audit, regardless of subject matter.

3. The IT Ecosystem Will Grow and Change

There is risk in operating with an outdated perception of what IT encompasses based on past experience.

The IT ecosystem is growing and changing due to an increased reliance on technologies, some of which are new. For example, cloud computing, the Internet of Things (IoT) and mobile technology have added a great deal more complexity to what constitutes IT.

Kaspersky’s recent Global IT Risk Report indicates that the definition of endpoint devices has recently evolved from universal desktop computers and landline telephones that were relatively easy to control to “any device that is ‘smart’ enough and connected to a network.”7 In a large organization, these devices could number in the thousands, and “…three quarters of businesses globally expect an increase in these numbers over the next 12 months.”8 Such devices are more difficult for IT teams to control because they are not tied to physical workspaces, they are not necessarily included in inventories of IT (e.g., personal tablets, virtual assistant technologies) and many have no security software installed.

However, although proliferation of IT generates risk, the absence of technology solutions will increasingly be seen as a risk in and of itself. The same report from Kaspersky notes:

Organisations which use innovative technologies are not just better protected from customer and third-party risk, they are more aware of them and crucially are more likely to continue investing in further prevention and mitigation…9

The report also notes that incidents of cybercrime are likely much higher than reported because organizations are not necessarily detecting them. This technology imperative will even apply to internal audit itself, where the expectation will be for internal audit to utilize analytical tools to enhance audit breadth, depth and speed. For example, continuous monitoring of entire populations, fueled by big data, is fast becoming the new standard, as opposed to periodic reviews of representative samples.

4. IT Audit Will Be Expected to Be More Timely, Forward Looking and Value Driven

Increasingly, auditors will not only assess IT for security, functionality, and compliance to policies and regulations, but also for sustainability and IT’s ability to create ongoing value. Similar to business continuity planning, internal audit needs to help businesses take a critical look at whether existing technologies and processes are viable for the future in the event of changing marketplace conditions, including natural disasters, political upheaval, supply chain disruption, new laws and regulations, and the changing needs of clients, customers and the workforce.

Auditors should routinely question IT management and business process owners about hardware, software, key personnel, suppliers, clients and customers, and end users, and they should ask, in one form or another, if the use of technology is based on assumptions that are sound or unsound.

As Refinitiv notes, “Technology, data and automation are not only enablers, they can also act as transformers.”10 Indeed, some technologies function as short-term solutions until a return to business as usual is achieved, while others represent the power to evolve standard procedures for good. Internal audit has the capability and the responsibility to help organizations distinguish between the two and perceive the potential risk of being unresponsive to changing conditions.

The expectation, meanwhile, is that internal audit will be able to provide critical insight faster than it has in the past. Many organizations that are considered to be digital leaders identify and assess technology risk continually, meaning more frequently than on a monthly basis.11 ISACA’s IT Audit’s Perspectives on the Top Technology Risks for 2021 report notes that:

Continuous risk assessments and more risk-responsive and risk-aligned audits are essential to delivering feedback and value early and often to stakeholders and the business… A dynamic risk assessment approach enables IT audit groups to be increasingly precise in assessing and adapting to emerging risks. This capability, in turn, helps organizations identify changing risk trends closer to real time, more data-driven ways to measure and prioritize risk, and ultimately more efficient and effective risk assurance.12

5. Internal Auditors Will Have to Add and Enhance IT Skills

This may be the safest prediction as it relates to the future of IT audit, but it is, nonetheless, critical. Indeed, “most internal audit groups need greater access to updated auditing skills,”13 such as those needed to provide assurance and advice around uses of robotic process automation (RPA) and algorithmic models within the organization, and subject matter such as advanced IT, cloud computing, data analytics, and privacy and data protection.

In addition to auditing such subject matter, internal auditors also need skills to apply advanced analytics, intelligent automation and data visualization to enhance the effectiveness and efficiency of audit work. There are numerous strategies that auditors and internal audit functions can use to gain these skills, including training and offering certification, hiring subject matter experts from the IT side of the business to perform internal audit and co-sourcing with third parties that specialize in IT. For most functions, it will be a combination of these strategies that yields the best results, but whatever the method, internal audit groups must be proactive and set themselves on a sustainable course toward stronger IT expertise to meet the demand for these types of assurance.

Conclusion

Organizations are going to continue to invest in technology to gain a wide variety of expected benefits. At the same time, the period from adoption of technology through obsolescence continues to shrink, as conditions within organizations and in the marketplace change rapidly. This reality equates to rising risk in IT. As IT auditors seek to impart value and stay relevant in the IT space, they must grow their expertise and remain agile in their approach so they can provide the kind of meaningful assurance and timely risk assessment their organizations need.

Endnotes

1 The Institute of Internal Auditors, OnRisk 2021: A Guide to Understanding, Aligning and Optimizing Risk, USA, 2021, https://dl.theiia.org/Documents/OnRisk-2021-Report.pdf
2 Refinitiv, Global Risk and Compliance Report 2021, United Kingdom, 2021, https://www.refinitiv.com/en/resources/special-report/global-risk-and-compliance-report#form
3 Fung, B.; “T-Mobile Says Data Breach Affects More Than 40 Million People,” CNN Business, 18 August 2021, https://www.cnn.com/2021/08/18/tech/t-mobile-data-breach/index.html
4 LaBerge, L.; C. O’Toole; J. Schneider; K. Smage; “How COVID-19 Has Pushed Companies Over the Technology Tipping Point―and Transformed Business Forever,” McKinsey and Company, 5 October 2020, https://www.mckinsey.com/business-functions/strategy-and-corporate-finance/our-insights/how-covid-19-has-pushed-companies-over-the-technology-tipping-point-and-transformed-business-forever
5 Ibid.
6 Ibid.
7 Kaspersky Lab, Ready or Not? Balancing Future Opportunities With Future Risks: A Global Survey Into Attitudes and Opinions on IT Security, https://media.kaspersky.com/documents/business/brfwn/en/The-Kaspersky-Lab-Global-IT-Risk-Report_Kaspersky-Endpoint-Security-report.pdf
8 Ibid.
9 Op cit Refinitiv
10 Ibid.
11 ISACA®, IT Audit’s Perspectives on the Top Technology Risks for 2021, USA, 2020, https://www.isaca.org/go/2020-isaca-protiviti-global-it-audit-benchmarking-survey
12 Ibid.
13 Deloitte, Internal Audit Leaders as Talent Warriors: Winning the War for Talent, Now and in the Future, USA, 2020, https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/us-internal-audit-leaders-as-talent-warriors.pdf

Kevin M. Alvero | CISA, CDPSE, CFE

Is senior vice president of internal audit, compliance and governance at Nielsen Company. He leads the internal quality audit program and industry compliance initiatives, spanning the enterprise’s Global Media products and services.