Technology and the evolving role of the auditor
For many organisations across various industries, technology is fundamental to their successful day-to-day operations. We live in a globally connected world to which the auditing profession has had to adapt, either by enabling auditors to perform audits more efficiently and effectively, or by addressing a new breed of cyber-related risks to which their auditees are now exposed. Underlying these developments are the new or evolved skill sets that auditors are required to embrace to remain relevant.
Technology within auditing has been evolving for many years, and the involvement of auditors with IT skill sets as part of audit teams (be they external, internal or other types of audits) is growing. In Malta we have over 100 Certified Information System Auditors (CISA)1, most of whom have been in the profession for less than 10 years.
The role of the IT auditor has particularly been applied within the audits of relatively larger and more complex organisations, regulated industries, or operations that are highly dependent on technology. The IT auditor has been able to support audits by providing assurance on IT related controls including but not limited to automated business processes underpinned by IT operations and processes, physical and logical access controls, security and cyber risk management, software implementation and ongoing changes.
However, over the past few years, the audit profession has faced two technology-related domains that have had a significant impact on the world of auditing in different ways. On the one hand, auditors have leveraged the powerful advances in technology to perform deeper analytics in a timely and cost-effective way. On the other, the cyber world is exposing many organisations to a realm of cyber-related risks, which means that an auditor needs to assess and evaluate the effective implementation of controls as part of an enterprise’s risk management framework.
Cyber security and the role of the auditor
Most surveys carried out annually by global software security vendors report that cyber-attacks have increased on average five-fold in the past year alone. Maltese organisations have not been spared from this significant increase. Most of these attacks start with a phishing email that results in malware being installed on a company’s machine, encrypting its data and any other connected storage (including network drives on servers), with the encryption keys stored by the attacker. The attacker holds the company to ransom and demands a payment (typically in bitcoins) within the ensuing few days, failing which the keys that would allow the legitimate data owner to decrypt the data are deleted.
The auditor is required to assess how effectively an organisation is managing cyber risks. The risk management framework that an auditor should be seeking is one that identifies that cyber risks are not just an IT issue, but are recognised at board of directors’ level. A robust information security policy, coupled with an effective security awareness and training programme for the organisation’s employees, should also be in place.
Many organisations are gradually adopting the US National Institute of Standards and Technology (NIST) Cybersecurity Framework2 to guide their efforts to manage cyber risks effectively, thus enabling the auditor to review its core functions: Identify, Protect, Detect, Respond and Recover. These five functions ensure that cyber risk management efforts are not focused only on preventing and defending against cyber threats, but also prepare an organisation and its employees to respond and recover when attacks occur. It is a known fact that an organisation’s employees are the weak link in the security mechanisms put into place, as a result of which a shift in cyber risk management is required.
Members of audit teams need to remain aware of the many developments occurring in the cyber security world, which is evolving into a business issue that will most likely affect organisations in some way or another. Of particular interest is the ‘No More Ransomware’3 project, which brings together law enforcement and IT security companies to disrupt cyber-criminal businesses with ransomware connections and to help victims of ransomware attacks retrieve their encrypted data without having to pay the cyber criminals.
The power delivered by data analytics to the auditor
Auditors have used technologies to assist them in automating analytical tasks throughout their audits for several years. Using what are referred to as computer assisted audit techniques (CAATs), auditors have been able to carry out specific tests efficiently and effectively across large volumes of data sets, including filtering, matching, sequence checks, complex calculations such as cut-offs and ageing, and identifying data patterns.
What has changed now is that recent technology advances have delivered significantly higher computing power, enabled by cloud computing and cheaper data storage. Auditors have leveraged these technologies to perform more complex analytical procedures, and to perform them at a lower cost. With such increased power, auditors have been able to collect, process and analyse significantly larger volumes of data sets and to gain deeper insights from their clients’ data, ultimately leading to a higher-quality and more relevant audit.
This technology enables an auditor (whether external or internal) to consider both structured and unstructured data, to perform deeper analytics on larger sets of data to uncover insight into risks, to communicate results through visual context, and to integrate the results from the analytics into the overall audit approach.
Many of the larger firms have embarked on their respective projects to develop their own application suite to support a powerful data analytics capability, with various software vendors now swiftly moving into this space to offer various solutions to mid and small tier firms who are not in a position to develop their own solutions.
Such technologies and their effective use in auditing are still considered to be in their infancy; however, the overall plans are to make use of other historic and current data sets (e.g. macro and micro economic data, non-financial data) that would lead to the consideration of predictive analytics in audits.
Technology will continue to transform the way we do business, and at an ever faster rate. An auditor must take into consideration that although technologies increasingly empower audit capabilities, technology is of limited use if the right skill set and the right approach are not applied. The challenges ahead reflect the need not only to make the necessary investment in the technologies themselves but, just as importantly, to invest time in people with technology-based skill sets within the audit teams to address cyber risks and harness the power of data analytics. This has resulted in an ever-growing demand for auditors who can bridge financial, data, and technology sciences. Academic programmes need to embrace the evolving skill sets, such as data analytical skills, that auditors must possess to be successful in their audit careers.