Innovating Yourself as an IS Auditor

As new technologies are developed, we have to stay up to date with them. More so than almost any other practitioner interfacing with information technology, auditors have to work hard at continual education. It is not just the technology, though. We are also seeing orders of magnitude more data. More data to process means we have to be more efficient at sifting through those data to ensure we can protect our organizations. So how do we stay up with what is current?

First and foremost, we need to use technology for our benefit when we can. Data is a big deal, but as it has exploded, it is a big deal for just about everyone. That means companies are investing a lot of capital in developing systems to handle the reams and reams of information we have at our fingertips. These systems are able to spot trends and exceptions both. Why should these solutions be limited just to the folks doing financial forecasting? We can use them, too. That is a key attitude for us to take: When technology helps us, we have to come up to speed on it and leverage it for all its worth.

Second, speaking of learning new technology, we are being exposed to new ideas, new protocols and new standards all the time. We have to set aside the time to understand all of these new things. It is not practical to try to learn any of them in great detail. However, we have to understand them well enough to understand what they provide, where they have issues and what they should actually be used for. If we are relying on what we learned just 5 years ago, some of our knowledge is already out of date.

Finally, we have to understand that with the changes we have in technology, whole disciplines may be completely upended. I can remember a time when organizations were on the Internet and firewalls were a very uncommon thing. Now we are in an era where we know the firewall is not enough. These concepts are more abstract than a protocol definition. However, it is just as important that we stay up-to-date in these concepts as well.

All of this adds up to continually innovating yourself to maintain your knowledge and skills. The good news is that if you keep up, you will never be bored. Technology is changing at a break neck pace. There is always something new to learn and pick apart!

Read K. Brian Kelley's recent Journal article:

"Innovation Governance: Innovate Yourself—Using Innovation to Overcome Auditing Challenges," ISACA Journal, volume 6, 2019.

Leveraging Emerging Technology for Better Audits

Jake NixMy first role post-graduation was working as a financial statement auditor. We used tick mark pencils on printed workpapers, and we manually footed (recalculated) balances. On my second engagement, I begged my manager to let me use annotation in PDF and Excel to expedite the process. He believed in me, and we accomplished the same level of quality in half the time it took the year prior.

We used the time savings to dive deeper into more meaningful work and, as an independent auditor, we accomplished something rare: true value-add feedback for the client. At the end of the project, I had spent the same amount of time as my predecessor, but I was able to accomplish so much more.

Fast forward, and we are now facing the same exact situation with analytics, artificial intelligence (AI) and robotic process automation (RPA). While there continues to be resistance to these solutions and fear among the general population, it will not replace us; it will empower us.

AI and the other tools often mentioned in the same breath are enablers; they will allow us to reduce time spent on remedial tasks that do not add value or do not require critical thinking to accomplish. But they are not a magic bullet—they must be implemented intelligently and with a strong understanding of return on investment.

Unlike switching from a paper-based audit to leveraging the tools on my enterprise-issued laptop, there is a significant cost associated with these new tools, and one that must be evaluated against the efficiencies that will be gained upon implementation.

As nice as it is to eliminate the repetitive and tedious task of matching change tickets to changes within enterprise resource planning, it only takes 20-40 hours a year to test this process on average, and while we have yet to reach economies of scale with some of these solutions, the automation of testing such a process can be expensive. While it is feasible, it may not be the best use of resources for an organization. Just like any advancement in our profession, we must be strategic and practical, harnessing the power of AI where we will see the best return on our investment.

Read Jake Nix's recent Journal article:

"The Intelligent Audit," ISACA Journal, volume 6, 2019.

I Know What I Know (If You Know What I Mean)

Ian CookeEdie Brickell (incidentally the wife of singer/songwriter Paul Simon) had a modest 1988 hit titled “What I Am.” The opening lines of the song contain the lyrics “I'm not aware of too many things. I know what I know if you know what I mean.”

Besides being a nice play on words, the lyrics are quite prophetic; in reality, we all are somewhat restricted by what we know and understand. We, as ISACA members and IT specialists, all know a lot about IT risk and its 3 main categories. Specifically:

 •  IT benefit/value enablement risk—Associated with missed opportunities to use technology to improve efficiency or effectiveness of business processes or as an enabler for new business initiatives
 •  IT program and project delivery risk—Associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programs as part of investment portfolios
 •  IT operations and service delivery risk—Associated with all aspects of the business-as-usual performance of IT systems and services, which can bring destruction or reduction of value to the enterprise

However, the audiences for IT audit reports, most notably, the audit committee, tend to be generalists and, well, they know what they know if you know what I mean. I believe it is therefore incumbent on IT audit to educate or a least to offer to educate committee members in this regard.

We can do this by bringing together our understanding and that of our audit committees. This can be done by drawing a line between the 3 main risk categories, the IT risk to the business objectives and the assurance provided. We need to help the committee understand the significance if the report in front of them states that a key, in-scope application is not in compliance with the information security management system (e.g., International Organization for Standardization [ISO] 27001). We want them to know what we know, if you know what I mean.

Read Ian Cooke’s recent Journal article:

Providing Audit Committee Guidance,” ISACA Journal, volume 5, 2019.

How to Prepare for Taxation in a Digitalized Economy

Helena Strauss
While IT professionals and auditors are not required to be tax experts, they do need to have a certain level of mindfulness with regard to taxation within the digitalized economy going forward as tax collection is slowly but surely becoming part of the natural business ecosystem where taxation happens by default.

IT professionals and auditors should consider the following to better address taxes within the digitalized economy:

  • Regarding the client’s business structure, does it deliver highly digitalized services and does it have an international economic presence?
  • Does the client have sufficient IT controls in place to identify the origin of its users of digitalized services provided? Controls such as bank account details, IP addresses, customer addresses might suffice, although they can be changed or anonymized. This information should be used to bill the client and apply the correct Value Added Tax (VAT)/Goods and Services Tax (GST) rates, which is a fully digitized process.
  • Does the client make use of freelance or contract workers within the gig economy? If so, payments to them should be made after withholding taxes (dependent on the jurisdiction in which the worker resides). This is also a digitalized process in most instances.

The following IT internal controls questions should also be answered:

  • Do the current IT internal controls ensure accurate tax reporting?
  • Does the current point-of-sale system or accounting software identify the location of the customer buying digital services? If so, does the software make provisions for the specific tax requirements in the country of the customer?
  • Is the accounting software set up in such a way that would enable withholding taxes for payments made to temporary/contract/freelance workers?
    Though the previous points are not an exhaustive list of considerations, they do provide guidance to illustrate the holistic approach of professional services required by Industry 4.0 and beyond.

Read Helena Strauss' recent Journal article:

"Digital Transformation of Taxation," ISACA Journal, volume 5, 2019.

Auditing Green IT

Sustainability has become a key focus in the 21st century. Both society and organizations recognize the importance of sustainability in their day-to-day functions and demand guidelines that help them implement, control and improve practices in this regard. Many IT organizations have begun to implement green IT practices. Based on our experience applying an extension of COBIT in different organizations to audit green IT, we believe that the following steps should be considered:

  1. Understand the scope—Due to the novelty of green IT, many organizations do not fully understand the scope of green IT practices. Thus, it is important to differentiate between green-by-IT practices (in which IT is used to reduce the negative impact that other areas have on the environment) and green-in-IT practices (in which sustainable practices are applied in IT itself to reduce its negative environmental impact).
  2. Conduct a systematic and progressive green IT assessment—Assessing all the processes established by COBIT (adapting them to green IT) is unfeasible. So, it is advisable to group COBIT processes using a maturity model. This allows auditors to conduct a more organized and progressive audit, assessing first and ensuring compliance with the most basic and necessary processes of the first maturity levels before assessing more complex processes of higher levels.
  3. Implement improvement actions—We have also guided organizations toward the improvement of the practices they carry out. Organizations should develop improvement plans and progressively implement the processes level by level of maturity.

We believe that these 3 steps can help you not only when properly assessing green IT, but also when establishing a strategy to implement and improve the processes and practices that are carried out. This will benefit your work as auditors, making the entire audit process simpler and more complete, and it will help organizations achieve better results in green IT.

Read J. David Patón-Romero, Maria Teresa Baldassarre, Moisés Rodríguez and Mario Piattini's recent Journal article:

"Auditing Green IT Governance and Management With COBIT 5," ISACA Journal, volume 4, 2019.

Defining the ROI of Automation

In his opening remarks to the general session of the Institute of Internal Auditors (IIA) 2018 Midyear Meetings in Orlando (Florida, USA), IIA Global Board Chairman Naohiro Mouri said that throughout his international travels while in office, he rarely heard from audit practitioners about the “pain of automation” despite the oft-cited benefits of automation technologies and their potential to revolutionize the internal audit function. His comments sparked the idea for our ISACA Journal, volume 4, article, "The Pain of Automation." Our goal was to provide some ideas and best practices that might help ease the pain of automation.

One of our recommendations toward helping automation initiatives go more smoothly was to have clearly definable return on investment (ROI) goals and metrics, and while these are obviously important for ensuring automation technology performs and imparts value, they can also be useful in communication efforts.

For example, our company, Nielsen, recently celebrated the first anniversary of its Robotic Process Automation (RPA) Center of Excellence, and included in the internal communication that went out was a dashboard with metrics such as total project counts, the impact of RPA in terms of hours saved across various business units and the geographic distribution of projects. This was not the first time this dashboard had been shared. This was a great way to use KPIs to communicate to the broader company the scope and progress of RPA projects, quantify and visualize their value, and reinforce the idea that the work is ongoing.

Celebrating progress and wins is an important part of any ongoing initiative, and RPA is no different. Making KPIs highly visible can help boost motivation and morale and help make sure everyone is on the same page in terms of where the organization stands.

Read Wade Cassels, Jane Traub, Kevin Alvero and Jessica Fernandez's recent Journal article:

"The Pain of Automation: Internal Audit Functions Face Real-World Challenges Amid Optimistic Environment," ISACA Journal, volume 4, 2019.

Coincidence or History?

Ian CookeOn 23 October 1969—just a few months after Apollo 11 landed on the moon—the Electronic Data Processing Auditors Association (EDPAA), later to become ISACA, was incorporated. Just six days later, on 29 October 29 1969, the first communications were sent through the ARPANET, the predecessor to the Internet. A coincidence? Perhaps—but ISACA was there.

In 1996, IBM's Deep Blue defeated chess champion Gary Kasparov for the first time, and Windows NT 4.0 was released by Microsoft. In 12 months, the number of Internet host computers went from 1 million to 10 million, and COBIT was released. A coincidence? Perhaps – but ISACA was there.

In 2007, Apple announced the release of the first iPhone. The touch-screen mobile phone originally sold for US$599.00 and, within less than 3 months of its release, more than 1 million units were sold. Twenty percent of the world’s population was now online and COBIT 4.1 was released. A coincidence? Perhaps—but ISACA was there.

In 2012, Windows 8 was released, Facebook went public and COBIT 5 was released. Almost 36% of the world’s population was now online. A coincidence? Perhaps—but ISACA was there.

It is 2019.  Almost 57% of the world’s population is now online. ISACA is 50 years old, and COBIT 2019 has just been released. It has been no coincidence that ISACA was around for each of these historic IT-related events—numerous hours were put in by both ISACA staff and volunteers to keep it there.  Each of these events helped shaped the thoughts of these ISACA volunteers, who, in turn, helped develop COBIT 2019. Today, COBIT 2019, built upon ISACA’s history, can aid with the governance and management of information and technology in your enterprise.

Read Ian Cooke’s recent Journal article:

Lessons from History," ISACA Journal, volume 4, 2019.

Sharpening the Axe

Ian CookeInternal auditors are under increasing pressure to add value to what is valued while, at the same time, helping to protect their enterprises from risk such as cyberattacks. In addition, an internal audit will likely tie up key IT resources that should also be creating value for the enterprise. It is, therefore, becoming ever more vital to plan what will be audited, when it will be audited and by whom. Indeed, a plan should be a detailed formulation of a program of action.

Former US President Abraham Lincoln once famously said, “Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” He was, of course, discussing the need to spend time planning. In internal audit, an important part of this planning should go into developing the IT audit plan.

In December 2018, ISACA published the COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution. It includes some new concepts to help enterprises design a tailored governance system. In my recent Journal column “Developing the IT Audit Plan Using COBIT 2019,” I propose repurposing these new concepts and marrying them to a more familiar concept—portfolio management—to develop an IT audit plan that should be closely aligned with the business strategy and direction.

Read Ian Cooke’s recent Journal article:
Developing the IT Audit Plan Using COBIT 2019,” ISACA Journal, volume 3, 2019.

Building an Audit Program for AWS

Adam KohnkeWhen I produced my auditing Amazon Web Services (AWS) Journal article for volume 3, I was just wrapping up my very first audit against an AWS environment. During the planning stages of my audit engagements, I do as much research as possible to determine how the in-scope technology works, how to find the configurations and if others before me have documented their findings on key risk factors, controls and areas that I can leverage as I complete audit planning. Sadly, AWS had the most readily available documentation that discussed how to go about performing a basic audit of their products and what to focus on, but nothing further existed, at least as far as my Internet searches led me.

As it was difficult to readily find one and there was not unlimited time to locate a previously documented audit program for AWS, one had to be developed from scratch. The backbone of the audit program and the article was inspired by the specific areas in the AWS Auditing Security Checklist (Governance, Network Configuration, etc.). When it came to selection of and discussing the particular controls to focus on in the article and audit program, there was the glaring challenge of not everyone using AWS in the same way or using the same services like Cognito or Glacier, so the focus of both the article and audit program were kept as basic as possible and around its core services, including S3, IAM, etc.

As I further produced the article, I wanted to very briefly touch on what I felt were the fundamental pieces of information for a given focus area and then elaborate on any tricky items that could be easily overlooked and why that is important. A prime example is the IAM root account. Without doing some research or if questions are not asked in a certain way, auditors may be unaware of this superuser account existing and the limitations that presently exist to secure it.

Find the companion to my Journal article, the AWS Audit Program, on the ISACA website.

Read Adam Kohnke’s recent Journal article:
Auditing Amazon Web Services,” ISACA Journal, volume 3, 2019.

Proactively Embracing Innovation

When looking at innovation, it may seem daunting to involve audit properly to protect the organization. With any new effort, there are a lot of unknowns. In traditional project processes, there should be enough time to discover major issues and handle the risk revealed. Innovation, though, wants to move quicker. As a result, the increased speed can mean risk is not properly identified and reviewed. Therefore, it is important for audit to proactively become involved in innovation efforts as the organization attempts to improve its ability to compete.

Be Engaged With the Effort
Innovation is proactive and, in some respect, aggressive. Therefore, audit cannot take a passive approach to innovation. Rather, it needs to be an active participant, whether we are talking about an innovation team or an overall, organizationwide effort. Let us look at 2 ways audit can engage proactively.

Serve as a Mentor
Too often, audit is seen as the opposition, especially within IT. Most of us do not like when someone is watching over our shoulders, and that is effectively what audit is asked to do. However, audit can also serve to guide a team in risk identification and mitigation, as well as ensure that required regulations and compliance are met during the project process and not afterwards, when it is significantly more expensive.

In other words, an auditor serves as a mentor to innovation efforts so that any work that is done takes into account the controls and requirements with which the organization must comply. This reduces the possibility of rework to retrofit solutions, which can result in unexpected cost and delayed realization of proposed solutions. Since innovation often seeks to find the product or optimization before a competitor does, delays can invalidate the effort altogether.

Leverage Knowledge and Experience to Provide Solutions
Generally speaking, a broad range of subject matter expertise is critical for innovation efforts. Audit brings its own set of skills and knowledge, often in areas that other team members do not have a strong competency in. As a result, it is important for audit to help the efforts by providing solutions based on that knowledge and experience. For instance, if a team is starting down a track that will result in cumbersome controls (such as manual ones) when an alternate path would still move the team forward and protect the organization, an auditor can guide the team to the second path.

This Is Not Thinking Outside the Box
Neither of these are new competencies within audit. Rather, they are existing competencies that any auditor assigned to a project should already have. We are simply applying them to an innovation effort within an organization. Generally speaking, this is a good approach. Look at what audit’s role is in the project cycle, and apply that role appropriately to the innovation work. However, it is important for audit to be more active (proactive) than in a traditional project. In this way, audit will be able to meet its goal of protecting the organization while also being seen as a partner, not an obstacle, in the innovation effort.

Read K. Brian Kelley’s recent Journal article:
Innovation Governance: What Is Innovation?,” ISACA Journal, volume 2, 2019.

1 - 10 Next