The future of IT audit

The board imperative to raise expectations

As boards are recognizing a paradigm shift wherein IA takes on a strategic role, they expect IT not just to keep pace, but also to think critically about IT audit risks.

Increasingly, boards are shifting their focus to understand how technology can also be leveraged offensively to create new opportunities, business models, and revenue.

Furthermore, they are trying to understand the new kinds of technology risks, which touch nearly every aspect of the business:

• Not executing a new strategy because of IT issues
• Failing to have the technology infrastructure needed to deliver a world-class customer experience or to support an M&A growth strategy
• Inability to enter a new market due to technological deficiencies

How IA leaders can seize strategic opportunity

Since IT is increasingly driving business strategy, it is quickly becoming untenable for IT audit methodology to be merely supportive.

Action steps:

Directly engage with IT leadership in evaluating the risks, skills, and capabilities required to assist the organization in mitigating IT execution risk, which today can represent an existential threat to the business.

Become highly conversant on the strategic plan and consider IA’s role in evaluating management’s monitoring of IT execution risk. For example:

• How is management evaluating the security, privacy, and resiliency of the technology that is being relied upon to execute the strategy?
• What are the technology risks associated with delivering the strategy?
• And how might an IT audit report reflect that?

IT-focused audit groups can raise their knowledge game

How should your audit group transform its approach to align with IT’s new strategic role and the future of IT audits?

Action steps:

Learn the business strategy and understand IT’s critical role in executing it. It used to be enough to simply know about the latest technologies, such as cloud and the Internet of Things (IoT). Today, internal audit professionals need to be technically savvy in the context of the IT-driven enterprise and the IT-driven business strategy.

Draw upon external resources to bolster your understanding of IT-execution risks. This may include attending IT-focused webinars and IT IA–focused industry association conferences and becoming knowledgeable on common IT governance frameworks, such as the following:

• International Organization for Standardization (ISO) 27001
• Control Objectives for Information and Related Technology (COBIT), created by the Information Systems Audit and Control Association (ISACA)
• National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF)

Additionally, obtaining a certification in an IT discipline or engaging outside advisers to help you understand IT in the context of the enterprise are other avenues for building your knowledge.

Use your elevation to create visibility (and vision) for the future of IT audit.

Are you a chief compliance officer, chief risk officer, or chief audit executive? Regardless of your role, don’t take anything for granted, but move this new paradigm shift forward.

Action steps:

Examine your viewpoints in terms of IT-driven business strategy, IA’s role in providing business insight, and the evolving skills needed to assess and mitigate the new breed of existential IT risks.

Self-educate with resources that provide a strategic view of IT risk, including risk and compliance journals, the National Association of Corporate Directors (NACD), and Deloitte’s Center for Board Effectiveness.

Initiate dialogue as IA leaders toward the chief executive officer (CEO), chief strategy officer (CSO), chief technology officer (CTO), chief information officer (CIO), and chief information security officer (CISO) to obtain their perspectives firsthand.

The silos of separation are coming down. Get ready.

IA organizations have traditionally maintained a separate IT focus in the context of IT as a supporting enabler. This siloed approach can be traced to the historic view that the technical experience required to function in an IT capacity had to be cultivated and managed separately.

This separation often created more challenges than it solved, and it is misaligned with many of today’s business models. No longer is IT just an enabler of the business; it is central to business success.