Delivering value from IT audit

December 8, 2020

Some of you may not know this, but earlier in my career I was an IT auditor (starting with Coopers & Lybrand). In fact, I was a bit of a techie and trailblazer when it came to understanding how the operating and related systems could affect the operation of applications and, thereby, business operations.

I had some fun with this when the IT audit leaders in France contradicted me. I wrote a simple RPG II program, then compiled and ran it twice. I changed a couple of lines in the Linkage Editor so that the results were different.

Anyway, IT audit has been a passion of mine for many years.

So, when I saw that Deloitte has published a piece, The Future of IT Audit[1], I was interested.

Here are some excerpts with my comments:

  • In a world where everything from automotive to banking relies upon technology, IT audit methodology needs to change. The future of IT audit should align itself with IT’s new strategic role and to act as an adviser, not solely an auditor.

Comment: being an auditor is being an adviser. That should not be a change.

Comment: what may need to change is that a larger percentage of the audit plan and staffing should be on technology-related risks and opportunities.

  • As boards are recognizing a paradigm shift wherein IA takes on a strategic role, they expect IT not just to keep pace, but also to think critically about IT audit risks.

Comment: again, this should not be a change. Internal audit should already have a strategic focus. There’s little value in auditing the past when the future is what matters.

Comment: IT audit should be concerned with the success of the organization as a whole and the risks to that business as well as the opportunities to take advantage of change – with a focus on those that relate to technology. See Making Business Sense of Technology Risk. It’s not about IT risk, it’s about business risk.

Comment: the greatest risk may be taking too little risk.

  • Increasingly, boards are shifting their focus to understand how technology can also be leveraged offensively to create new opportunities, business models, and revenue.

Comment: nothing new here.

  • Directly engage with IT leadership in evaluating the risks, skills, and capabilities required to assist the organization in mitigating IT execution risk, which today can represent an existential threat to the business.

Comment: this sounds good but is misdirected. Focus on the business, not technology out of context.

  • Become highly conversant on the strategic plan and consider IA’s role in evaluating management’s monitoring of IT execution risk.

Comment: there is so much more, as I will explain.

  • Today, internal audit professionals need to be technically savvy in the context of the IT-driven enterprise and the IT-driven business strategy.

Comment: this sounds good, but what does it mean?

So what is my advice for IT auditors? What is the future of IT audit?

  1. The goal should be to perform auditing that matters. Address the issues (risks and opportunities) that are important to the success of the organization as a whole. Work, even in specialist teams such as IT audit, should be designed to address the business risks and opportunities that matter to the success of the organization.
  2. Don’t have a separate IT risk assessment and plan. Remember to focus where reliance is placed on technology – and a failure would be serious from a business, not just an IT perspective.
  3. Audit any IT risk assessment (see the guidance in Making Business Sense of Technology Risk). It should help leaders understand how the achievement of enterprise objectives may be affected by technology failures or successes; a risk-prioritized list of information assets simply doesn’t cut it.
  4. Don’t underestimate the need to participate and advise on development and major maintenance projects.
  5. Don’t do work where the results wouldn’t matter to leadership.
  6. Recognize the need to take the right level of risk. Being late to roll out a new technology because of concerns about risk can be more damaging than accepting a higher level of risk so you can be first to market.
  7. Provide the insight, advice, and assurance that leaders need if they are to manage the organization for success.
  8. Don’t be afraid to call out IT management when they fail to be sufficiently visionary.
  9. Don’t ‘audit what you can’ – audit what you should because it matters. Get extra resources if there’s a gap.
  10. The future for internal audit and IT audit is bright, but only if we put our significant talents to work providing leaders with the assurance, advice, and insight that matter to them: information that helps them to achieve their objectives.

What do you think?

[1] Deloitte has done something crazy, at least in a Windows environment. If you cannot see the article because of their advertising, move your mouse over to the left and it should disappear.

  1. December 9, 2020 at 3:34 AM

    Norman, definitely agree with you.
    My father was the manager of a grocer’s shop. I learnt an important lesson from him: the customer is the most important part of any business. Whatever new technology arises, whatever circumstances change, if you don’t understand what the customer needs, and meet that need, you’re sunk.
    These consultants’ reports fail to take this fundamental truth into account. Thus in this case the statement is made, ‘Increasingly, boards are shifting their focus to understand how technology can also be leveraged offensively to create new opportunities, business models, and revenue’. That’s a statement which has probably been true since the invention of the steam engine helped Cornish tin mines pump out water and thus produce more ore for their customers.
    As a report, the ‘Future of IT audit’ is a good ‘What can we do to drum up business?’ publication but there should be nothing new in it for businesses wishing to survive and grow.

  2. Siyabonga Nkomzwayo
    January 27, 2021 at 9:17 AM

    Thanks a lot, Norman. This is a set of good insight and useful information. I really appreciate it. Indeed we progress through sharing.
