Leading authorities on IT audit offered solutions to several of the industry’s most critical challenges at Monday’s IT Audit Director Forum. The forum was part of global IT association ISACA’s North America CACS Conference, which concludes Wednesday in New Orleans.
The wide-ranging, discussion-intensive forum explored many of the toughest and most timely challenges encountered by IT auditors. Three key lessons emerged:
1. Optimize opportunities associated with big data. Efficiently harnessing the potential of big data can be problematic. The diversity of data, the difficulty of determining the data’s lineage and a lack of strategy from business leaders for optimizing the data are among the complicating factors.
However, the wealth of data available to IT auditors can help them deliver tremendous value.
Michael Juergens, CISA, CGEIT, CRISC, principal at Deloitte & Touche LLP, said IT auditors should not “take their foot off the gas” when it comes to making use of the data available to them.
“One recurring theme we see is where an internal audit function does something with analytics or data and then ‘checks the box,’ saying they are using analytics or big data,” Juergens said. “This topic is extremely broad so it is important to consider multiple aspects of big data and analytics, from data lifecycle management and defensible destruction to data loss prevention, storage requirements, data governance and tool selection.”
2. Continuous risk assessments are essential. David J. Brand, managing director with Protiviti, said the evolving IT landscape requires more vigilance.
“An annual risk assessment is no longer acceptable,” Brand said. “If you have one report for the audit committee that is used for the rest of the year, that probably isn’t getting it done. Maybe you have an annual report for the audit committee, but you have to have the ability to react more quickly and make real-time adjustments rather than refresh on an annual basis.”
Brand said that organizations need to be especially mindful of internal vulnerabilities, which tend to be underestimated and underfunded in IT budgets.
3. Audit professionals play a critical role in assessing cyber risks—and need to make that clear. Tony Noble, CISA, VP of IT Audit at Viacom Inc., said a perception exists that a lack of expertise among IT auditors limits their ability to detect cyber risk. He said the problem usually is a lack of dialogue rather than a shortage of knowledge.
“If internal audit’s opinion on how the organization is addressing cyber risks is not valued, it will be difficult for them to convince management that they are adding positive value to the organization,” Noble said.
Noble said auditors should make use of established frameworks such as COBIT 5 and educational opportunities involving emerging technologies to ensure their skills keep pace.
Other speakers and topics included:
A white paper featuring additional insights will be available soon.