Earlier in my career I was an IT auditor (starting with Coopers & Lybrand). In fact, I was a bit of a techie and trailblazer when it came to understanding how the operating and related systems could affect the operation of applications and, therefore, business operations.

I had some fun with this when the IT audit leaders in France contradicted me. I wrote a simple RPG II program, then compiled and ran it twice. I changed a couple of lines in the Linkage Editor so that the results were different.

IT audit has been a passion of mine for many years, so I was interested to see Deloitte's piece, The Future of IT Audit.

Highlights From Deloitte's Vision of the Future of IT Audit

Here are some excerpts with my comments:

"In a world where everything from automotive to banking relies upon technology, IT audit methodology needs to change. The future of IT audit should align itself with IT’s new strategic role and to act as an adviser, not solely an auditor."

I'd argue being an auditor is being an adviser. That should not be a change. But what may need to change is that a larger percentage of the audit plan and staffing should be on technology-related risks and opportunities.

"As boards are recognizing a paradigm shift wherein IA takes on a strategic role, they expect IT not just to keep pace, but also to think critically about IT audit risks."

Again, this should not be a change. Internal audit should already have a strategic focus. There’s little value in auditing the past when the future is what matters. IT audit should be concerned with the success of the organization as a whole and the risks to that business as well as the opportunities to take advantage of change – with a focus on those that relate to technology. See "Making Business Sense of Technology Risk": It’s not about IT risk, it’s about business risk.

The greatest risk may be taking too little risk.

"Directly engage with IT leadership in evaluating the risks, skills, and capabilities required to assist the organization in mitigating IT execution risk, which today can represent an existential threat to the business."

This sounds good but is misdirected. Focus on the business, not technology out of context.

"Become highly conversant on the strategic plan and consider IA’s role in evaluating management’s monitoring of IT execution risk."

There is so much more, as I will explain below.

"Today, internal audit professionals need to be technically savvy in the context of the IT-driven enterprise and the IT-driven business strategy."

While this sounds good, what does it mean?

My Vision for the Future of IT Audit

So what is my advice for IT auditors? What is the future of IT audit?

  1. The goal should be to perform auditing that matters. Address the issues (risks and opportunities) that are important to the success of the organization as a whole. Work, even in specialist teams such as IT audit, should be designed to address the business risks and opportunities that matter to the success of the organization.
  2. Don’t have a separate IT risk assessment and plan. Remember to focus where reliance is placed on technology — and a failure would be serious from a business, not just an IT perspective.
  3. Audit any IT risk assessment (see the guidance in "Making Business Sense of Technology Risk" cited above). It should help leaders understand how the achievement of enterprise objectives may be affected by technology failures or successes. A risk-prioritized list of information assets simply doesn’t cut it.
  4. Don’t underestimate the need to participate and advise on development and major maintenance projects.
  5. Don’t do work where the results wouldn’t matter to leadership.
  6. Recognize the need to take the right level of risk. Being late to roll out a new technology because of concerns about risk can be more damaging than accepting a higher level of risk so you can be first to market.
  7. Provide the insight, advice and assurance that leaders need if they are to manage the organization for success.
  8. Don’t be afraid to call out IT management when they fail to be sufficiently visionary.
  9. Don’t "audit what you can." Audit what you should because it matters. Get extra resources if there’s a gap.
  10. The future for internal audit and IT audit is bright, but only if we put our significant talents to work providing leaders with the assurance, advice, and insight that matter to them: information that helps them to achieve their objectives.

What do you think?