An IT Audit Approach to Digital
Information technology is becoming increasingly central to the operations of public sector bodies and companies. In the age of digital transformation, organisations are further digitising their processes and executing them with the support of IT systems. They rely extensively on data and connect with customers, partners and suppliers through digital channels. Compliance with laws and regulations, non-adherence to which could have serious reputational and financial repercussions, depends even more on the appropriate state of IT systems and practices. The mandate of the audit committee therefore needs to include cybersecurity, data protection and IT operations.
Many organisations are undertaking significant programmes to deliver digital change to their business environment, including changes to consumer-facing elements and to IT functions. These digital transformations are often critical to the ongoing success of the organisation. Companies need to manage the risks of these transformations appropriately to help ensure their success.
The challenge for IT Audit is significant in the digital world, and so is the payoff. Various transformations need to be considered by the IT audit function in order to keep pace with a volatile risk landscape. The key challenges for the IT audit function include:
- The need to deliver a flexible and dynamic audit plan. Risks in a digital world continue to emerge and evolve, sometimes rapidly. IT Audit functions need to be prepared to adapt their plans more frequently than they traditionally would.
- The need to understand the impact of the digital movement across the business and its maturity. As many organisations begin to move towards a digital customer-centric business model and adapt business models to more digital ways of working, IT Audit functions need to understand the impact and changes.
- When undertaking risk assessments, IT Audit functions need to ensure that they look at IT and external changes that could affect risks within the business. This is even more important given the potential for rapid emergence and evolution of risks and the adoption of new technology across the business.
- IT Audit functions must ensure that they have access to sufficient skill sets to audit emerging risk areas, e.g. cyber risk and cloud computing. Auditing these areas robustly may require support from specialist providers or the hiring of relevant in-house skills.
With organisations having to adapt their ways of working to more Digital methods, many changes are beginning to occur. The technology landscape has become more complex and there are more touchpoints that need to be monitored especially when it comes to Social Media and Cloud Computing.
- Social media continues to be recognised as a source of risk going forward, which will only be further stressed by the progress of digitalisation. In this context, social media refers to websites and applications that enable users to create and share content or to participate in social networking. This is an element many organisations’ IT Audit functions are starting to include in their risk universes and audit plans as the organisation interacts more externally through such channels.
- Cloud computing refers to a model for the provision of information technology services in which resources are hosted in a third-party environment that is not owned, or even managed, by the consuming organisation. This provides an elastic environment where resources are consumed and billed based on demand. Services offered by vendors may include a shared infrastructure environment (Infrastructure-as-a-Service), software platforms (Platform-as-a-Service) or complete software services (Software-as-a-Service). Usually a contract is entered into by the two parties defining the nature of the service, fees, security arrangements for data, and monitoring processes to ensure contract compliance.
As digitalisation embeds across various sectors and exposes organisations to considerable risk, companies should ensure that digital risks are being managed appropriately across the business and that appropriate response plans are designed. This relies on appropriate Governance, Risk & Compliance across the lines of defence. A number of companies are adapting by opting for a more integrated risk management approach, or “converging to eGRC”. Software tools are available on the market that allow for a more integrated view of IT governance, policy management, risk management, audit management, compliance management, and incident management. These platforms allow for a more systematic approach to managing the information necessary to fulfil the audit function.
In addition to GRC tools, the IT Audit function may leverage the same digital methods and technological capabilities as the business, such as Data Analytics and Robotic Process Automation.
- Data Analytics solutions are being integrated within the IT Audit department through the development of tools that give the function a data-driven approach and insight into the systems, processes and data of the organisation. The latest platforms allow for the creation of “self-service tools” that give IT auditors the ability to further incorporate data analytics within their programmes and gain insight by analysing data in real time.
- IT Audit functions should consider implementing robotic solutions that perform control testing by automating population extraction, sample selection and completion of the testing template for the specific control. Robotic Process Automation solutions can be used by IT Audit functions to develop automated controls testing (e.g. IT General Controls and SOX testing) for routine and repetitive controls, making the process more reliable and less dependent on human intervention for the collection of data points. Another potential area for the use of robotics is formatting and uploading data into the analytics tool, as in the case of journal testing.
IT Audit functions should take on a more advisory role across the business, providing guidance on methods and controls across the business functions, for example in system development or change projects. They need to be actively involved and have a seat at the table.
Ultimately the focus of IT Audit becomes more critical in a world dominated by cybersecurity and data protection risks. As organisations increase their level of digitalisation, the scope and complexity of cybersecurity and data protection compliance increase with it.
- The risks from cyber-attacks remain front of mind as media coverage of cyber-attacks makes the headlines. The actual and perceived threat increases as perimeters and boundaries blur with the acceleration of business digitalisation. Organisations should consider not only their own cyber risks, but also those of their wider ecosystem of suppliers, service providers and partners.
- Organisations collect, access, process, and store confidential customer information. The amount of data collected to remain competitive is vast and growing as a result of increased customer engagement through various digital channels. With more stringent regulations and heftier fines brought about by GDPR, organisations must ensure that their IT systems and processes can meet the requirements. IT auditors should assess data protection requirements and the procedures for storing and accessing data securely.
The governance and operating models of organisations will continue to be redefined, setting the approach to be taken and tailoring the company’s internal control framework, risk appetite and risk management systems to the demands of operating in a digital world. IT Audit will need to consider all of the above-mentioned factors, including the use of GRC solutions, data analytics and RPA solutions, to manage the ever-increasing complexity of the IT environment. Finally, an IT Audit function that successfully adapts to today’s rapidly changing world will become a trusted advisor to an organisation poised for growth.