EY gets a “B-” for their IT audit guidance

Recently, Ernst & Young published advice for internal audit functions regarding their IT audit work. Ten key IT considerations for internal audit starts out in brilliant fashion by pointing to the need to:

  • Identify and understand the “risks that matter” (an expression I have been using and advocating for some time)
  • Invest in the risks that are “mission critical” to the organization, and
  • Effectively assess risks across the business

Three positive and excellent points towards a high review score!

But, then they falter:

  • They focus on the weeds of IT audit, instead of making sure that internal audit as a whole is focused on the risks that matter, including those relating to technology. Guidance should be aimed not at the senior IT auditor, but at the chief audit executive (CAE) and the board
  • They talk about traditional so-called “IT risks”, such as information security, cloud, social media, and privacy, instead of upgrading their (and our) thinking by reflecting on risks to the business as a whole – the risks that matter and are mission critical to the organization – and how they are affected by failures to use and manage technology well
  • They suggest a separate IT risk assessment, rather than a fully integrated business risk assessment

These days, as InformationWeek (March 18 issue) proclaims on its cover page, it’s “Goodbye IT, Hello Digital Business”. When CEOs are looking to technology as the #1 way to reach customers, deliver new products and services, and grow the organization, internal auditors and the boards they serve should be thinking large: what are the mission critical organizational objectives, and how might they be affected (positively or adversely) by the use or misuse of technology? Instead of, as EY suggests, talking about ‘availability’, talk about the potential that new mobile payment applications might be unavailable, resulting in customers moving to competitors.

EY missed some major issues as well:

  • With technology being the #1 enabler for growth and strategy, the CIO needs to step up. He needs to change from being the janitor, responsible for maintaining the IT infrastructure, to the strategic visionary that helps guide the organization to new heights built on some of the latest technology. The CAE and the IT audit team need to be concerned with whether the full potential value is being obtained from technology – a major aspect of IT governance
  • With more code being written for mobile than any other platform, and more and more mission-critical functionality being delivered on (not just through) mobile devices, mobile app change management moves to be one of the greatest technology process risks

This week, I will be speaking at the ISACA North America CACS Conference. My main message is that when 80% of business risks relate to technology (a situation which is not far away), the IT audit function will have to be mainstream – and resourced to address 80% of the audit plan.

It is time to rethink the whole idea of IT audit as a specialization. Maybe it should be mainstream and finance becomes the specialization!

I welcome your thoughts and comments.

  1. April 15, 2013 at 6:57 AM

    Couldn’t agree more, Norman. Once again you are spot on. I’ve been preaching that there is no such thing as “IT risk” for several years at conferences and in articles, etc. It is all about the business risk. Your point about re-thinking IT audit as a specialization, and instead becoming the mainstream, is not something I had considered to this point. But now that I think about it, the disconnect many internal audit organizations have between their business audit teams and IT auditors is at a point where we can no longer tolerate it as a profession. I “benchmarked” with a fairly large, global automotive supplier a few weeks ago and noted they have 1 IT auditor, and that person focuses on the SOX controls only.

    We have to change the thinking of CAEs. We have to jointly drive the audit plan with the business audit leadership. We have to finally address the lack of IT knowledge within the business audit teams. And we have to modify the IIA Quality Assurance & Improvement Program requirements to measure the progress.

  2. April 15, 2013 at 7:15 AM

    I agree that it’s time to think about IT differently as it relates to both the IT field and Internal Audit. I don’t believe it supplants finance because finance is still the language of business and it’s still what sinks you or keeps you afloat. However, I don’t see how it’s possible to address finance without addressing IT. To me, it seems like we need to pull down the walls between accounting / finance and IT to create more of a general business knowledge. Individuals may develop their individual curve balls that distinguish them. However, this discrete set of knowledge would be built on top of the broader base.

  3. April 15, 2013 at 4:02 PM

    Maybe I was daydreaming when I called, in one of my blogs, for the merger between ISACA and IIA. Now, I think it is more than a dream!


  4. April 21, 2013 at 12:24 AM

    “IT risk” is a weird term. Sounds like it’s the technology which is at risk.

    As for information risk, that should be subject to targeted assessment activities. Not in isolation obviously, but as part of an orchestrated enterprise risk effort.

    Thanks for sharing your insight.
