Dedicated IT audit departments will become a governance standard for most corporations. For now, however, organizations and professionals are playing catch-up with a rapidly evolving landscape.
The domino effect
To keep up, business professionals must update procedures, policies, infrastructures and human resources. The further behind they stay, the greater the risk. Three items top the list of IT auditor woes.
1. Cybersecurity
Technology allows us to work in ways never seen before, from cloud computing and big data to remote work and digitized info. Businesses can operate with a fully remote workforce (no brick-and-mortar building needed) or a hybrid.
Thanks to digital data, file storerooms are a thing of the past, making remote work possible and saving money an organization would otherwise spend on rent. Cloud computing capabilities have taken our duties and efficiencies to new heights.
However, remote work weakens security as employees access potentially unsecured networks. Organizations must stay on top of and align with regulatory reporting revisions while also auditing novel technologies like blockchain, robots, AI machines and cryptocurrencies.
With the ever-expanding technological landscape, it’s little wonder that cybersecurity liability insurance is a must-have despite its soaring price, up 50% in 2022.
2. Managing change
Perpetually evolving technology and infrastructure changes are a constant hurdle for IT auditors. Organizations must innovate and transform their businesses while securing against new threats. With changing technology comes new skills, systems and cutting-edge tools to vet, adopt and teach.
Strategy developers must remain agile and flexible, which is no easy feat. Shifting focal points, infrastructures, processes and procedures causes massive business disruptions and wastes valuable time and resources. Organizations will require more involvement from their auditing departments to ensure change initiatives.
3. Staffing
Skilled labor is in demand for IT auditing. However, this arena has a shortage of skilled workers because new skills are constantly needed to keep up. To fill the gap, organizations must resort to different tactics, such as training on the job (which can be more cumbersome in remote work situations), upskilling employees, recruiting, co-sourcing and outsourcing.
The above challenges are just the tip of the iceberg facing IT auditors. Additionally, organizations agonize over managing and transforming infrastructure.
Cloud computing and the volume, variety, and velocity of big data have IT auditors barely treading water in their duties. With so much information, combing through and analyzing it all is a colossal undertaking.
The solutions
Information technology security and auditing programs must take on a more robust role within organizations. Successful IT auditing professionals must increase their expertise while modernizing processes, policies, human resources and tech. They’re needed to protect themselves and their organizations from ever-increasing threats on a technological front.
An ever-changing task like IT auditing may sound daunting, but little steps add up to significant progress. IT auditors should consider the following to improve their organization’s information security.
● Take advantage of accounting membership organizations. Professional societies provide ample opportunities to continue your education on pressing topics like information technology and cybersecurity. Participate in various online and in-person accounting continuing education courses at national and local levels to keep your knowledge current.
● Perform risk assessment audits more frequently. What has been an 80/20 split between business audits and IT audits should become at least 50/50. Consider hiring or upskilling the right employees or outsourcing to experts or advisors.
● Create a well-defined reporting line. IT auditors must collaborate with many departments, from executive management and the board of directors to legal and human resources. It takes all hands on deck to help an organization control and diminish an escalating volume of IT risks that could destroy the enterprise. Crucial information must reach the appropriate manager as quickly as possible. Ideally, an IT audit director should report to a Chief Audit Executive or the equivalent of a CAE.
● Follow multiple industry frameworks instead of one. Avoid the temptation to pick only one of the industry frameworks on the subject matter and stick to it. Together, the COBIT, COSO, ISO and ITIL industry standards can help you develop a more comprehensive risk assessment.
Organizations should approach effective IT audit management through various controls, including a devotion to learning more and operating as an independent and impartial function. In addition, cybersecurity and IT risks should take top billing as high-priority, strategic-level risks. Organizations and IT departments must apply sufficient resources and expertise (internal or external) to identify and manage such risks effectively.