One of my frustrations over the years has been that those involved in addressing technology (or IT) risk, and in the related audit work, continue to see it in a silo.
About 15 years ago, I was on a team of practitioners developing guidance for auditors (the GAIT Methodology, which continues to be recommended guidance by the IIA). One of the team members was Jay Taylor, head of IT Audit for GM at that time (later its CRO). He said something that resonates today: "There is no such thing as IT risk, only business risk."
We should not be concerned specifically with risk to systems availability, access, security, etc. or even to information assets. What we should be concerned with is risk to the business and the achievement of its objectives.
Business Risk, Not IT Risk, Should Be the Focus
Any technology risk assessment should be made in terms of the potential effect on the business, not any effect on IT assets or goals.
Yet guidance from ISO, NIST and FAIR continues to focus on the silo, not the whole business. It does not enable risks arising from technology-related issues to be weighed against technology-related rewards, or against other sources of business risk. It does not enable decision-making about where scarce resources are best invested: for example, addressing ransomware risk or the possibility of being late to market with new products. Only after answering such strategic questions, and determining the level of resources that should be spent on addressing cyber, for example, should you look inside the silo and decide in more detail and specificity where to focus those resources.
I addressed this in "Making Business Sense of Technology Risk," in many ways my most difficult book to write, which should be eye-opening to many IT risk and audit practitioners. But the world continues to focus on IT risk instead of business risk.
Consider a recent piece from KPMG: IT Internal Audit Planning for 2021. While it has some interesting and useful observations about what is inside the silo, it recommends IT audit practitioners focus there instead of the larger business — the context within which IT operates and serves.
For example, the report states: "IT Internal Auditors must stay aware of, and align themselves to, the IT transformation activities across the organization to stay relevant."
While this is true, what is more important is for all internal auditors, not just those who specialize in technology, to understand how the business is transforming! Auditors (and risk practitioners) should look to the future and understand how technology can and should be deployed for current and future benefit. In other words, understand the strategic plans and initiatives of the enterprise and then consider how technology is and will be used. Only then can technology-related risks to the business be identified and assessed, in terms of achieving those strategic plans and related objectives.
Technology Should Not Be Assessed in a Silo
The other point I would make, which is overlooked by far too many, is that talking about “IT” is limiting. It is far better to talk about technology, which extends beyond the scope and control of IT management. Technology is being deployed in manufactured products as well as the equipment used to make them.
We should not be talking about IT audit planning but planning for the entire internal audit organization. Often, I had integrated teams of operational and technology auditors working on major system development projects. And planning should be continuous.
Staffing needs to be done with care. You need people who can see the big (business) picture as well as people with the technical skills for the technology of today and tomorrow.
I welcome your thoughts.