Editorial
Earlier in my career I was an IT auditor (starting with Coopers & Lybrand). In fact, I was a bit of a techie and trailblazer when it came to understanding how the operating and related systems could affect the operation of applications and, therefore, business operations.
I had some fun with this when the IT audit leaders in France contradicted me. I wrote a simple RPG ii program then compiled and ran it twice. I changed a couple of lines in the Linkage Editor so that the results were different.
IT audit has been a passion of mine for many years, so I was interested to see Deloitte's piece, The Future of IT Audit.
Highlights From Deloitte's Vision of the Future of IT Audit
Here are some excerpts with my comments:
"In a world where everything from automotive to banking relies upon technology, IT audit methodology needs to change. The future of IT audit should align itself with IT’s new strategic role and to act as an adviser, not solely an auditor."
I'd argue being an auditor is being an adviser. That should not be a change. But what may need to change is that a larger percentage of the audit plan and staffing should be on technology-related risks and opportunities.
"As boards are recognizing a paradigm shift wherein IA takes on a strategic role, they expect IT not just to keep pace, but also to think critically about IT audit risks."
Again, this should not be a change. Internal audit should already have a strategic focus. There’s little value in auditing the past when the future is what matters. IT audit should be concerned with the success of the organization as a whole and the risks to that business as well as the opportunities to take advantage of change – with a focus on those that relate to technology. See "Making Business Sense of Technology Risk": It’s not about IT risk, it’s about business risk.
The greatest risk may be taking too little risk.
"Directly engage with IT leadership in evaluating the risks, skills, and capabilities required to assist the organization in mitigating IT execution risk, which today can represent an existential threat to the business."
This sounds good but is misdirected. Focus on the business, not technology out of context.
Learning Opportunities
Webinar
Jun
1
How organizations can design, build and run Generative AI into the Customer Experience
Discover how to drive enhanced CX through Generative AI
Webinar
Jun
6
The Future of Social Media: Emerging Trends and How to Stay Ahead of the Curve
The impact of emerging technologies like AI on social media
Webinar
Jun
7
The Building Blocks of Personalization
This webinar will explore how personalization can create powerful ecommerce shopping experience.
Webinar
Jun
13
The Future of Contact Centers with AI at the Helm
Learn how to balance human intuition and interaction with the potential uses of AI to create delightful and lasting CX
Webinar
Jun
20
3 Steps to Unlock Your Customer Data and Drive Revenue
Discover how Twilio Segment’s #1 Customer Data Platform helps implement data-driven strategies.
Webinar
On demand
AI for Marketers: Optimize Personalization Across the Funnel
Understand the benefits of utilizing AI across your entire marketing stack
Webinar
Jun
1
How organizations can design, build and run Generative AI into the Customer Experience
Discover how to drive enhanced CX through Generative AI
Webinar
Jun
6
The Future of Social Media: Emerging Trends and How to Stay Ahead of the Curve
The impact of emerging technologies like AI on social media
"Become highly conversant on the strategic plan and consider IA’s role in evaluating management’s monitoring of IT execution risk."
There is so much more, as I will explain below.
"Today, internal audit professionals need to be technically savvy in the context of the IT-driven enterprise and the IT-driven business strategy."
While this sounds good, what does it mean?
Related Article: Should We Audit at the Speed of Risk?
My Vision for the Future of IT Audit
So what is my advice for IT auditors? What is the future of IT audit?
- The goal should be to perform auditing that matters. Address the issues (risks and opportunities) that are important to the success of the organization as a whole. Work, even in specialist teams such as IT audit, should be designed to address the business risks and opportunities that matter to the success of the organization.
- Don’t have a separate IT risk assessment and plan. Remember to focus where reliance is placed on technology — and a failure would be serious from a business, not just an IT perspective.
- Audit any IT risk assessment (see the guidance in "Making Business Sense of Technology Risk" cited above). It should help leaders understand how the achievement of enterprise objectives may be affected by technology failures or successes. A risk-prioritized list of information assets simply doesn’t cut it.
- Don’t underestimate the need to participate and advise on development and major maintenance projects.
- Don’t do work where the results wouldn’t matter to leadership.
- Recognize the need to take the right level of risk. Being late to rollout a new technology because of concerns about risk can be more damaging than accepting a higher level of risk so you can be first to market.
- Provide the insight, advice and assurance that leaders need if they are to manage the organization for success.
- Don’t be afraid to call out IT management when they fail to be sufficiently visionary.
- Don’t "audit what you can." Audit what you should because it matters. Get extra resources if there’s a gap.
- The future for internal audit and IT audit is bright, but only if we put our significant talents to work providing leaders with the assurance, advice, and insight that matter to them: information that helps them to achieve their objectives.
What do you think?
Related Article: IT Modernization: Where Should You Start?
Learn how you can join our contributor community.
