Deloitte recently published a report on “The Future of IT Audit” and why IT audits are more important now than ever.
Here are some excerpts with comments:
“In a world where everything from automotive to banking relies upon technology, IT audit methodology needs to change. The future of IT audit should align itself with IT’s new strategic role and to act as an adviser, not solely an auditor.”
Being an auditor is being an adviser. That should not be a change. But what may need to change is that a larger percentage of the audit plan and staffing should be on technology-related risks and opportunities.
“As boards are recognizing a paradigm shift wherein IA takes on a strategic role, they expect IT not just to keep pace, but also to think critically about IT audit risks.”
Again, this should not be a change. Internal audit should already have a strategic focus. There’s little value in auditing the past when the future is what matters. IT audit should be concerned with the success of the organization as a whole and the risks to that business as well as the opportunities to take advantage of change – with a focus on those that relate to technology.
The greatest risk may be taking too little risk.
“Directly engage with IT leadership in evaluating the risks, skills, and capabilities required to assist the organization in mitigating IT execution risk, which today can represent an existential threat to the business.”
This sounds good but is misdirected. Focus on the business, not technology out of context.
“Become highly conversant on the strategic plan and consider IA’s role in evaluating management’s monitoring of IT execution risk.”
There is so much more outlined below.
“Today, internal audit professionals need to be technically savvy in the context of the IT-driven enterprise and the IT-driven business strategy.”
Could not agree more!
InfoDNA’s Perspective of The Future of IT Audit
- The goal should be to perform auditing that matters. Address the issues (risks and opportunities) that are important to the success of the organization as a whole. Work, even in specialist teams such as IT audit, should be designed to address the business risks and opportunities that matter to the success of the organization.
- Don’t have a separate IT risk assessment and plan. Remember to focus where reliance is placed on technology — and a failure would be serious from a business, not just an IT perspective.
- Audit any IT risk assessment. It should help leaders understand how the achievement of enterprise objectives may be affected by technology failures or successes. A risk-prioritized list of information assets simply doesn’t cut it.
- Don’t underestimate the need to participate and advise on development and major maintenance projects.
- Don’t do work where the results wouldn’t matter to leadership.
- Recognize the need to take the right level of risk. Being late to roll out a new technology because of concerns about risk can be more damaging than accepting a higher level of risk so you can be first to market.
- Provide the insight, advice and assurance that leaders need if they are to manage the organization for success.
- Don’t be afraid to call out IT management when they fail to be sufficiently visionary.
- Don’t “audit what you can.” Audit what you should because it matters. Get extra resources if there’s a gap.
The future for internal audit and IT audit is bright, but only if we put our significant talents to work providing leaders with the assurance, advice, and insight that matter to them: information that helps them to achieve their objectives.
With so many repositories and the unknown around what is in all the documents that make up so much of the total information landscape, engage InfoDNA to bring their automation tools and people to uncover the unknowns. Learn more at www.infodnasolutions.com