The Key Questions IT Auditors Should Be Asking Themselves

FEI Daily: Why is security so top-of-mind for organizations right now? What has changed over the last year?

Andrew Struthers-Kennedy: As a starting point, we’re seeing organizations continue to pursue technology modernization, as well as digital and technology enabled transformation initiatives. This is often resulting in more complex technology environments (including through the expansion of the vendor ecosystem that supports the overall delivery of IT services), more extensive use of advanced technologies, and an increased use of data and technology to support enhanced customer engagement and operational performance as well as the digitization of products and services.

Security has been a top risk and a priority for many organizations the last several years, but the pandemic-related change in ways of working (predominantly remote, making use of rapid deployment collaboration technologies, increased use and reliance on remote connectivity software and systems, etc.) has created, exposed and increased the significance of vulnerabilities in systems and processes that had not previously been identified or were not a priority to resolve. We’ve also seen technologies rapidly introduced that have become business critical solutions for information exchange and communications internally and with customers, vendors and other business partners. Add to this the continued and increased instances of cyber breaches occurring and being reported, and there is heighted focus and attention on all things cyber related. In addition to preventing business interruption, cyber breaches/incidents often kick organizations into crisis mode and with so many organizations already dealing with broader crisis events, many are taking all reasonable steps to avoid having to deal with a crisis within a crisis.  

FEI Daily: What takes an organization from Digital Follower to Digital Leader?

Struthers-Kennedy: Digital leaders are really distinguished by their mindset and approach towards innovation, their culture that creates an innovation-centric way of working, and their challenge of traditional ways of working. Many digital leaders have a proven track record of disrupting traditional business models, and with digital being core to their strategy, they continuously challenge and improve based on lessons learned. Data and technology are core to everything they do. In contrast, those at lower levels of digital maturity often have no formal plans related to digital activities, and innovation is either not a focus or is pursued in discrete (versus embedded), ad-hoc, and reactive ways. Digitally immature organizations are often slow to react, overly risk averse and lack the capability to successfully drive change through the organization.

FEI Daily: The majority of organizations appear to fall under the Digital Follower category. What risks are those organizations facing if they do not improve their maturity?

Struthers-Kennedy: The major risks relate to negative disruption to their business models (i.e., erosion of market share/competitive position) ‑ that’s the macro level (existential) risk ‑ they don’t evolve in the right areas or at the right pace. Digital Leaders take a holistic approach to digital transformation, which is not just about the exploration and adoption of emerging technologies. There is a focus across areas including: enhancing customer engagement and experience; driving improved operational performance, digitization of products and services; and making extensive use of data (including advanced tools and techniques) to drive decision making. There are also risks to their ability to attract and retain the necessary talent, as well as risk to security and broader operational resilience that correlate to organizations with legacy technologies.

FEI Daily: How do you expect IT audit challenges to develop in the coming year?

Struthers-Kennedy: In many ways, in today’s world, every audit is to some extent an IT Audit and I’d encourage all IT auditors to think in this way. Technology and data supports, enables, and influences virtually every aspect of modern business. Effective identification and management of technology risk is as important (if not more important) than it has ever been, so the role of the IT auditor is critical.

There is going to be absolutely no shortage of areas for IT audit functions to focus on, and it’s a dynamic and exciting time to be in the profession. Pursuit and adoption of new technologies is moving at a pace not seen for some time. Technology projects that were deferred will be restarted. The continued increase in the amount of data being created, stored, processed and transmitted is creating both opportunity and risk; and the broad disruption (from familiar and unfamiliar sources) and threat landscape we have seen and continue to see will continue to challenge even the most agile IT departments. IT audit departments need to be well aligned with their key stakeholders, as well as other assurance functions that may exist in their organization (e.g. risk, compliance, controls teams, as well as their business process-focused counterparts). Auditors need to examine whether they have access to the necessary skills to address the broad range of risks, at the necessary depth. They further need to examine whether they are engaged and interacting with key areas of the business on a sufficiently frequent basis to position themselves to identify and communicate a point of view on risk that is timely. Is their approach to risk assessment sufficiently dynamic to allow them to act and direct resources at the speed of risk, and are their reporting mechanisms sufficiently streamlined and clear to allow them to deliver high impact findings and recommendations that serve the broad range of stakeholders from board members to control operators. These are some of the key questions IT auditors should be asking themselves and each question represents tremendous opportunity for IT audit functions as we head into 2021.