Kevin: IT audit leaders and teams worldwide and their business and technology partners in their organisations face a broad range of challenging issues today: cyber security and privacy; data management and governance; building effective partnerships with the IT organisation; dealing with ongoing digital transformation and disruption; and, perhaps most importantly, addressing resource and talent challenges. These types of issues are explored in detail in a just-released research report from ISACA and Protiviti called, “Today’s Toughest Challenges in IT Audit: Tech Partnerships, Talent, Transformation.” This report presents the results of the ISACA and Protiviti 2019 Global IT Audit Benchmarking Survey. This is Kevin Donahue with Protiviti. I had the pleasure to sit down recently and record an interview with Robin Lyons and Andrew Struthers-Kennedy.
Robin is a technical research manager with ISACA which is an independent non-profit global association that engages in the development, adoption and use of globally-accepted industry-leading knowledge and practices of information systems. Andrew is the managing director with Protiviti and is the leader of our firm’s global IT audit practice. Without further delay, let’s go to that conversation.
Andrew, thanks for joining me today.
Andrew: My pleasure. Good morning, Kevin.
Kevin: Robin, it is great to speak with you as well.
Robin: Thank you. Glad to be here, Kevin.
Kevin: Robin, let me ask you the first question. One of our major takeaways from our survey is that a strong partnership between IT audit and the IT organisation is vital to the success of strategic technology projects. What are the underlying issues involved here that you see and that are driving the importance of this partnership?
Robin: At a high level, I think a partnership between IT audit and the IT organisation or the IT function fosters alignment of IT audit’s work with organisational strategy. Looking specifically at strategic technology projects, a partnership between the two groups is important because it facilitates, I believe, importantly shared risk management. It is not uncommon for IT audit to lack confidence in the IT function’s ability to identify risks; and one could attribute that to IT audit’s independence from operations combined with its professional expertise and professional skepticism that may lead auditors to this conclusion. Ongoing interaction between the two groups, however, may allow IT audit to see the IT function engaging in risk management. With that ability to interact more closely with the IT function, IT audit can develop confidence in the IT function’s ability to identify risks. With that increased confidence, I believe that risk management becomes a shared more real-time effort during projects that may reduce guess work by IT audit as to what the project challenges and risks truly are.
This partnership, in an ongoing environment or ongoing interaction, may also help IT audit become aware of projects that have not been shared in a more formal venue such as project planning sessions or project status meetings. The ongoing interaction between audit and the IT function may also increase the likelihood that IT audit becomes involved in strategic technology projects. While IT audit’s involvement in strategic technology projects is desired, that involvement often doesn’t happen. In ISACA and Protiviti’s 2019 Annual IT Benchmarking Survey, 64% to 73% of respondents, based on company size, reported the percentage of IT audit’s role in strategic technology projects as a partnership with the IT function at less than 20%.
Kevin: So, one of the things I’m hearing from you is that this brings forth a lot more clarity in these projects for IT audit and even the IT group too in terms of what IT audit needs?
Robin: Absolutely. I think that that’s important, Kevin, because if the touchpoints between the two groups, IT audit and the IT function – if those touchpoints only happen during an audit that happens periodically, they don’t have the ability to have that clarity that you referenced.
Kevin: That’s great. Thanks, Robin. So, Andrew, let me follow-up with you. What are your thoughts on this? We’ve talked about the exponential growth of these strategic projects, technology projects, tied to organisational and digital transformation along with their Agile development cycles. Why is IT audit’s role so vital with these projects now?
Andrew: Yes. So, first of all, I think many or probably most IT organisations are legitimately looking for internal audit to provide a risk advisory role related to not just major project initiatives, but operational activities and a whole host of things that IT functions are now progressing on behalf of the business. I think it really is sort of a self-reinforcing relationship between IT audit and IT that is absolutely possible. IT is looking for, as I mentioned, high-quality, timely risk advice and input from an independent function. Internal audit is looking for that ability to have access, be on the leading edge, evaluate emerging and evolving risks and provide that risk advice and input as activities are unfolding rather than having to wait for some time when it’s often too late to change course or change the decision that’s previously been made. So, I strongly believe in this, and the heads of audit and the heads of IT that I interacted with in the market reinforced this point that they are legitimately looking for that positive high-touch, high-value relationship; and then I also think that – initially this may be a little bit cliché but really these days all projects are technology projects. There’s really no business activity or initiative that doesn’t have a data or a technology component to it.
So, it just reinforces and emphasises the increasing importance, the criticality really to have that good quality risk advice and audit input throughout the life cycle of these types of activities especially with the pace at which many organisations are trying to move. Oftentimes risk and controls are not on the front page of project agendas. It’s all about sprints and moving items out of backlog, and making progress, and delivering product, and moving on to the next thing. The sort of the analogy I’ll maybe give is think about driving your car and traffic calming measures. You get stuck at a red light and that might be a bit frustrating.
Those traffic calming measures are there, one, to assure safety but, two, to actually help the overall system move much faster. So, it’s not a free-for-all. It’s not moving in an uncontrolled fashion. So, while, I think, there are going to be instances where internal audit provides that brake, their role is really to help the overall system and project portfolio move faster and in a safer, more secure manner and that’s especially true I think as Agile development, the rapid push for innovation and transformation are top of mind on almost every organisation’s agenda.
Kevin: That’s a great analogy. Thanks, Andrew. I want to switch gears a bit, Robin. Let’s talk about some of the top technology challenges that IT audit leaders cited in our global study. Not surprisingly privacy and cyber security top the list. Robin, do you see their concerns being more about their current capabilities or the overall threat landscape globally right now?
Robin: I think that there’s no doubt that both current capabilities and a very dynamic threat landscape are on the forefront of IT audit leaders’ concerns. I think that their concerns are shared with members of the board as well as practitioners. Most likely, these concerns go first from the threat landscape so leaders can determine what they have to address. Then they look to whether their current capabilities can meet the challenge that they have identified. From this year’s survey, cyber security awareness exists as 66% to 81% of respondents anticipate performing a cyber security audit in the next 12 months. Along with that awareness of cyber security is acknowledgement that not just one moving part, but two moving parts – both the threat landscape and current capabilities – have to be managed. So, what might it look like as leaders navigate this dynamic threat landscape in organisational environments with emphases on data governance, data protection, and data quality?
As compliance with data-based regulations and standards, GDPR and the California Consumer Privacy Act being examples, affects more organisations, technologies such as RPA, AI, and machine learning are being leveraged. Use of these technologies is a great way to manage privacy and data requirements but they’re not without some challenge. I think that it’s not unusual for a malicious disrupter to follow quickly on the heels of any technology that experiences increased adoption. So, as organisations address privacy and other compliance initiatives – and I should be trained not just on the compliance demands, but also on the business-as-usual components of cybersecurity. That’s the cybersecurity strategic plan remediation and, of course, monitoring that ever-changing threat landscape.
Kevin: Thanks, Robin. You brought up some interesting points about the new technologies and capabilities in play here. Andrew, I want to ask you about that in a minute but, first, let me remind our audience that the results of the 2019 IT Audit Benchmarking Study from ISACA and Protiviti are detailed in our report, “Today’s Toughest Challenges in IT Audit: Tech Partnerships, Talent, Transformation.” This report and other materials are available at ISACA.org and Protiviti.com/ITAuditSurvey. Okay, Andrew, regarding those technologies. I want to talk a bit with you about the talent and skills challenges IT audit groups face today. In particular, we see in our results that new skill sets such as knowledge of advanced and enabling technologies are in high demand. Andrew, what do you see as the new hiring paradigm for IT audit groups?
Andrew: Yes, Kevin, great point and I think we certainly see through the survey results and through sort of a broader engagement with practitioners and leaders in the professions, this is really one of the priority areas to really continue to try to address. Things like security and cyber have now been on the agenda for many years and all the functions have been working hard to gain access to the necessary level of technical capability to support execution of their mandate within their organisation. Those are skill sets, especially the more clinical end of the security spectrum, that haven’t really existed in the traditional auditor’s background experience and skills. So, the audit functions have been working through this now. I think your question was around the hiring paradigm. I think I would spin that slightly and encourage listeners to explore ways of getting access to the right talent which may not necessarily directly equate to external hiring.
We encourage and we’ve seen organisations have a lot of success through rotation programmes and I guess what I’ll call internal hiring where they’re seeking out individuals and groups within their own organisations that have the skills, the capabilities, the tools that audit needs and would like access to. Through various types of programmes – secondments, rotations, guest auditor, those types of programmes and others – they’re able to get access to the necessary talent. That really spans across a number of areas but I think perhaps the area that is a principal focus these days is around things like data analytics and advanced analytics. In particular, sort of the advancement of the spectrum when you get into things like machine learning and AI. Many organisations have those types of groups that support business intelligence reporting and are exploring or pursuing some of the more advanced stuff and are often willing to share capabilities, tools and other things with other parts of the business I think very much including internal audit. So, I think that’s something that we probably shouldn’t overlook as a legitimate way to get access to the necessary talent.
Then as I kind of think through hiring and then development of internal audit capability. So, hiring I see as bringing in either specific skills or hiring broadly capable entry-level individuals and then through a more organic process - which also, by the way, might include sending them out into the business on secondments or rotations to get operational experience but a more organic process to develop that capability in-house. I think there are a few areas that internal audit functions are starting to and certainly should continue to look at. I mentioned data analytics, compliance and legal especially with the rapidly changing privacy landscape. I think those types of skills are going to be increasingly important. Even individuals with backgrounds in atypical, non-traditional psychology, we’re starting to see more of that.
I’ll say that when those types of individuals are brought into the audit function, especially when they’re coming in with a number of years of experience including from things like academia, we really have to resist the urge to try and turn them into auditors and allow them to function, and operate, and provide the support in the specialist areas that they are known for, and they are best at, and that we hired them for. I think it’s perfectly reasonable for them to do what they’re best at in support of the broader audit function and not also have to be experts in internal audit methodology, the standards of the profession, whitepaper creation, and maintenance and those types of things. So, it’s definitely sort of a point of encouragement I’ll make around bringing in highly-talented capable people from another department or from the outside and then really resisting the urge to try and turn them into auditors, but instead learning to provide the support in the areas that they are best at and most capable of providing that support. Giving us maybe a couple of thoughts around talent, it’s going to be just with the way the marketplace is, skills that many auditors have. They’re in tremendously high demand from internal and external sort of hiring and recruiting. I think we should feel good about that in the sense that we’re helping develop highly-capable resources that are sought after by others in our organisations and those outside.
Kevin: Great rundown. Thanks, Andrew. I think, yes, you’re right. I probably didn’t word my question correctly. I said a new hiring paradigm. It’s really more about a new workforce or talent management paradigm, isn’t it?
Andrew: I think it’s going to have to be, especially when you look at sort of the transformation activities that many organisations are undertaking. Technology, as I said before, plays a critical part for some of that; but often those transformation initiatives are driven by – well, that’s unfortunately taken off course by things that are a bit more process-oriented, a bit more people-oriented and certainly culturally oriented. So, it’s going to be internal audit and IT audit’s ability to navigate through those various imposing complexities of business transformation that will really determine whether they and, as a consequence, an extension that their business counterparts are more or less likely to be successful. So, technical skills are absolutely critical especially the ability I think in the coming years to make within audit and, for the broader business, the best quick use of data to be assured of its quality, its integrity and be able to quickly turn that into insight to drive timely, quality decisions. That’s absolutely critical.
There’s lots of work that needs to be done there. There’s probably lots of upscaling that needs to happen within many audit functions. I know, just as a general pulse, almost every audit function is talking about and trying to advance their data and analytics capability. That might be advance it from very low maturity or starting point or maybe take it from a mid to high level to the next level. Almost everyone’s talking about that.
That’s critical but, within that space and more broadly, auditors there can engage; have a high-level of interpersonal skills; can support some of the newer techniques around design thinking and Agile methods; and get the most out of themselves and the individual they’re interacting with. So, more of the interpersonal and the cultural aspects I think are equally important and that’s going to require, I guess, IT audit or broad audit functions to really examine the types of profiles, and backgrounds, and experiences that they need to bring in and they need to develop within their own teams.
Kevin: So, let me segue into a final question I have, and I want to hear from each of you. Robin, I’ll have you respond first. We have a ton of information we could cover from our benchmarking study. Again, our listeners can find that report at ISACA.org and Protiviti.com/ITAuditSurvey. My final question is this, “Five years from now, where do you see IT audit’s development as a strategic partner in the organisation?” This is a bit of a visionary kind of question. Robin, what do you think?
Robin: Absolutely a visionary question, Kevin, and I always like to think about the development of the profession so it’s a welcome question. I actually think that this path to strategic partner is a two-phased model. I think the first phase of that is what we’re in right now which is IT audit developing what I call “operational partnerships.” I think when we talked about strategic technology projects, that’s an example of that. So, steps taken now to build and maintain relationships or to build partnerships across the organisation will pay off for the profession by building auditors’ brand so to speak and demonstrating their value in this five-year time period. So, these partnerships combined with the profession’s ability to meet the demand for the technical skills that Andrew spoke about, for it to show business awareness and I think, really importantly, timing. That’s to say that the audit function’s value is providing real-time rather than after the fact which is what’s seen in a more traditional or historical audit methodology. So, I think that these steps will help establish and maintain operational partnerships. So, I see that the operational partnership will continue to refine over the next five years. Whether the profession can achieve status as a strategic partner I think will depend on how successful it is in having a consistent presence with the board of directors and with executive management.
Andrew: Well, those are all fantastic points so not a huge amount to add. I know just in the profession and more broadly there’s discussion around the three lines of defense and sort of where that’s evolving to. I don’t think I’ll sort of explore that too much, other than to say, whilst maintaining kind of the necessary – certainly, the objectivity and sort of the independence that internal audit is really required to have, I think there are those opportunities to kind of close that gap and work much more closely, much more real-time. Robin mentioned this, much more real-time, much more closely with their business counterparts on those fast-moving, strategically-important initiatives that many organisations are undertaking and, for most, IT is supporting.
Kevin: This has been a great discussion today. Robin and Andrew, thanks for joining me.
Robin: Thank you.
Andrew: My pleasure, Kevin. Thank you.
Kevin: It’s a dynamic, evolving technology landscape for today’s organisations and one for which IT audit can deliver substantial value with the right resources, tools, and, perhaps most importantly, partnerships. Thanks for listening today. You can find the ISACA/Protiviti report, “Today’s Toughest Challenges in IT Audit: Tech Partnerships, Talent, Transformation” at ISACA.org and Protiviti.com. I also invite you to subscribe to our podcast series, “Powerful Insights,” wherever you access your podcast content.