If you're involved in the digital transformation that's shaking up the business from top to bottom, you're likely also upending the neat little world your auditors have lived in. The move to digitize processes, retrain people, refocus job roles, and rely on cloud resources for vital functions means auditors are going to have to throw away their playbooks (they do have playbooks, don't they?) and figure out new ways to assess the health and wealth of their businesses. They have to become savvy IT experts in their own right, and start poking their noses much more deeply into IT processes.
These days, auditing types have to look through today's IT systems to determine how well data and access are locked down, how well things are governed, the role of cloud, and what plans are in place for emerging technologies.
That's the word from Protiviti and ISACA, which recently released a survey of 1,323 chief audit executives, internal audit professionals and IT audit vice presidents and directors worldwide. Most audit plans for 2018 are impacted by the challenge of cybersecurity. More progress is still needed, as one in five organizations, on average, is not including cybersecurity in its audit plans. The most common reason, cited by 37 percent, is a lack of qualified resources, specifically people, skills and/or auditing tools.
As Theresa Grafenstine, chair of ISACA's board of directors, put it: "Given the increased focus on digital transformation within organizations, it's important for IT auditors to be involved throughout the entire technology project lifecycle to ensure policies and processes are put in place to mitigate risk. IT audit leaders looking to become more engaged within their organization's major technology projects have to build credibility with executive management teams by demonstrating the value that the IT audit function provides."
As stated above, yes, auditors need to poke their noses much more deeply into the workings of the IT department than they have been. "More partnering and collaboration are needed to counteract silo mindsets and behaviors," the report urges.
The top areas IT auditors need to explore and understand in much greater depth include the following:
- IT security and privacy/cybersecurity
- Infrastructure management
- Emerging technology and infrastructure changes - transformation, innovation, disruption
- Resource/staffing/skills challenges
- Regulatory compliance
- Budgets and controlling costs
- Cloud computing/virtualization
- Third-party/vendor management
- Project management and change management
- Data management and governance
The survey's authors note that this is the first time in the seven-year survey series that at least half of all organizations polled have a dedicated IT audit director or equivalent position. This is a significant increase from just five years ago when only one in three organizations had a dedicated IT audit director. However, actual meetings with CIOs are rare, the survey finds.