Internal auditors have always needed basic IT skills, a working knowledge of common audit tools, and a functional understanding of their organizations' data processes and infrastructure. What has changed in recent years as technology advances, and what will change in the future as it continues to, is what constitutes "basic," "working knowledge," "common," and "functional."
Some internal audit leaders note that new hires generally have better IT skills on day one than many veterans possess. That's not surprising for a generation of practitioners raised on smartphones and entering the workforce in an age of wearable devices. These auditors want to use their IT skills on the job as often as possible, blurring the line between internal auditors and IT audit specialists.
But that fuzzy border is also the product of a shortage of people with exceptional IT skills who want to be internal auditors. Those IT specialists will be as much in demand in the future as they are now. For chief audit executives (CAEs), that means balancing the need for core audit skills with the mandate for IT expertise in areas that may not have existed just a few years ago.
CAEs Face Higher IT Bar
Nobody thinks every CAE should excel at IT, but expectations are pretty high. The bottom line: CAEs need to conceptually understand IT risk and hold their own in a conversation about strategic IT questions, even if they don’t understand “the OSI model” or “Active Directory administration” — except, perhaps, in technology-focused companies. Citigroup’s Mark Carawan puts it this way: “The CAE is responsible for ensuring the internal audit function stays relevant and nimbly adjusts to emerging risks and solutions. But the CAE is not responsible for being the fount of all knowledge.”
CAEs should know the IT risks the organization faces — privacy, security, data management, and maintenance — and how management is or isn’t addressing them. Although they needn’t be able to answer every IT question that comes up in day-to-day engagements, CAEs should be able to ask good questions. They should augment their staff with a strong IT audit manager or director. Says ADP’s Kathy Robinson: “There’s nothing wrong with ‘old school’ CAEs, as long as their thought processes are ahead of the curve. If not, they really need to step aside. The topics are that critical.”
"It's hard to succeed in any audit role today without some basic technology skills," says Steve Sanders, vice president of internal audit at Computer Services Inc. in Paducah, Ky. That includes both hard and soft skills — the latter an area in which some of the cleverest IT hands aren't adept. The basic software skills, like word processing, spreadsheets, and calendar and scheduling functions, should be assumed, Sanders adds. And he says, "auditors who have other software experience, such as electronic workpapers and, especially, data analytics, will have an advantage over those who do not have it."
Moreover, experience with audit-specific software is always a plus, "but these applications can be learned on the job," notes Jennifer Goschke, vice president and CAE at Office Depot in Boca Raton, Fla. That also helps keep practitioners from becoming proficient in the wrong kind of IT, developing skills on a particular brand of software at a previous job, for example, that don't translate to what's used by the auditor's current employer.
Outside the internal audit department, auditors need a big picture view of the IT landscape. In Goschke's department, "having a high-level understanding of the company's overall IT infrastructure and applications used" is foundational. In addition, every internal auditor should be familiar with IT general controls and the broad risks they were designed to help mitigate, she says. It's also important to understand key data security concepts — the principle of least privilege, passwords, and authentication — although it may not be necessary to have detailed knowledge of the IT used in specific departments.
In addition, auditors should understand how data is integrated into business processes, says Kathy Robinson, CAE at ADP in Roseland, N.J. "Regardless of the auditor's focus, he or she certainly needs to know where data resides, how it flows, and how it is accessed," she explains. That knowledge comes from the training she provides, as does a working understanding of data analytics. Some of ADP's auditors have become subject matter experts in data mining, in fact, and all of them can develop specifications for a project.
Controls are a good starting place for ensuring the audit staff is adequately versed in IT. Although new auditors are starting out with better IT skills, "they still need an understanding of controls," Sanders points out, "and new hires do not necessarily have a better understanding of controls than experienced auditors possessed 10 years ago."
Often, the auditors who excel in technical areas don't excel in soft skills, such as communications, empathy, and relationship building. New hires' tech-savvy "doesn't necessarily translate into their understanding of IT risk," Goschke comments. That lack of understanding can impede their ability to interact effectively with engagement clients. "Younger auditors need the more mature practitioners to help them communicate the risks and other issues to upper management," she says. Younger team members, she adds, "tend to favor short, digital conversations." Sanders notes that a well-qualified candidate should understand what was tested and "how to convey that to other stakeholders."
Specialists Still in Demand
Even if the rising level of IT expertise that internal auditors generally bring to the table isn't necessarily sufficient to get the job done without additional soft skills, the new auditors' computer skills are definitely changing the distinctions between internal auditors and IT auditors. "We're not asking our auditors to be IT technical specialists," Robinson explains, "and we're not asking people to do what they're not technically trained to do, because we have auditors with specific skills. But we are asking people to have a good understanding of data flow, controls, and governance."
Because IT audit personnel can be difficult to find, afford, and retain, it may be more cost-effective to cross-train the existing audit staff on IT risks than to hire a group of IT auditors. But even then, Goschke emphasizes, "it's important to have IT subject matter experts on your team to provide the technical chops to be able to go head to head with IT."
One specialist skill that increasingly is being used in audits is predictive analytics, which is mining data for meaningful patterns that can predict future trends and inform strategic planning, operations, and risk management. Already, internal audit departments use predictive analytics to strengthen audit coverage by quantifying issues to better understand the risks they are dealing with. There’s no single solution; indeed, an analytics “toolbox” may be necessary for some large, complex organizations.
Predictive analytics is one of the reasons the audit team needs to be computer literate, says Citigroup’s Mark Carawan. “The most successful auditors will know enough to say, ‘This is an opportunity for predictive analytics and data mining to deliver control-enhancing assurance. Where am I going to have the greatest likelihood of a breach of policy, fraud losses, mispricing, or shortfalls in inventory?’” he explains. Carawan adds that it’s important to have data analytics experts who are familiar with the latest tools and can interpret the results they produce.
That's one reason why IT audit specialists still are in high demand. "An auditor with some technology background and a good understanding of controls might be able to do a basic IT audit," Sanders explains, "but in-depth IT audits need auditors who understand those areas well enough to speak the language of the folks doing the job." He notes that he's aware of several audit departments that use all auditors for IT audits. "The quality of work suffers just as it would if you assigned trained IT auditors to conduct financial audits," he says. "They might be able to do it, but they'll miss key things experienced financial auditors wouldn't miss. I've met some auditors who really don't have a good understanding of what they're looking at. They're not providing the value they need to provide."
In Sanders' experience, however, it can be difficult to find someone with working IT knowledge who wants to be an auditor. "Many entry-level auditors have a desire to learn IT, or they have an IT background but no audit experience," he says, blaming, at least partly, "a failure to sell the important role an IT auditor plays."
If the in-house expertise is lacking, cosourcing may be a better option than assigning technical audits to unprepared practitioners. Robinson contracts with outside firms for expertise that she doesn't need — or can't afford — to have on staff full time.
Building IT Capability
Indeed, staffing an internal audit department and maintaining the right mix of generalists and specialists is one of a CAE's key IT challenges. Here is what internal audit leaders suggest for making sure every audit department has the IT know-how to get the job done.
Determine the Specialty Skills Needed
"The desired IT skill set depends on the nature of the business one is auditing and the complexity of systems used," notes Mark Carawan, chief compliance officer with Citigroup in New York. "The larger and more complex the organization, the more likely it is that there will be a need for specialist skills to complement the deep business and product knowledge of the internal auditors following the end-to-end business processes."
The CAE, in consultation with senior business management and the audit committee chairman, should make that call. "The CAE should be working with management to understand the complexities of the business — such as robotics, process outsourcing, and cloud-based computing — and how customers use technology," Carawan says, "so the internal audit department can identify the risks to the business as a result."
There will be a point as IT evolves, he adds, where someone is likely to say, "I'm not sure how this works. The audit department needs someone to explain that, as well as what the risks are and how we mitigate them." Be aware, though, that executives "may be reluctant to invest in adding more IT specialists to the third line of defense, beyond those already in the first and second lines," he says.
Make Adequate Education Available
"Every audit department should have a formal training program to make sure the team is up to speed on both changes in IT risk and controls and changes in their company's IT landscape," Goschke recommends. Sanders agrees, noting that it's the CAE's job to "ensure adequate training is in place for auditors to stay current on IT trends and developments."
The basics should do it, Sanders says. "I don't expect every auditor to have in-depth knowledge," he explains, "just as I don't expect my IT auditors to understand the latest accounting pronouncements." Team members should seek out IT training, such as a seminar or conference, to build basic, solid skills, he advises, then start to specialize in a few specific areas over time.
Sanders recommends information sharing after every training event, "typically in the form of a summary presentation at an all-hands departmental meeting." He also maintains a spreadsheet in his department to track training hours. Although it may seem like IT skills get a lot of attention and require a lot of CAE input, it's unlikely any audit department is focusing too much on expensive IT expertise. "My audit shop has traditionally been heavy in IT auditors, but also heavy in IT risk," he notes. Indeed, there are many situations that demand the investment required to field a squad of IT experts.
The Automated Future
The precise menu of IT skills internal audit practitioners will need 10 years from now is anyone’s guess. But it will likely refer to process automation. “Robotics and artificial intelligence will likely be much more prevalent in accounting and finance functions,” Office Depot’s Jennifer Goschke says. Some companies use “bots” to reconcile accounts, presenting audit challenges that don’t exist with humans. “I can’t go ask the bot a question about its process,” she notes. “And how secure is it to have bots performing processes on sensitive data?”
Citigroup’s Mark Carawan adds: “Stakeholders and the businesses for which they are responsible will continue to seek automated solutions to achieve improved customer service and efficiency, enhanced risk management and control, and speedier execution.”
Go Outside the Organization for Assistance
"Auditors typically do not handle IT audits on their own, but they could supplement the IT audit team as additional arms and legs," Goschke comments. "Using an outside firm to come in for a day to train the team a few times a year is very cost-effective." Consulting firms also offer IT consulting and audit services on an hourly or project basis, she adds. Although this may be expensive, hiring someone full time with the same skills would cost even more. "Once my audit plan is determined for the year," she says, "I can decide which audit projects I'll perform with my internal team and which projects require specialized knowledge for which I should use an outside firm."
Provide Big Picture Guidance and Clear Marching Orders
"Overall, it's really a CAE's job to articulate the things that can impact the company's ability to execute strategy," Robinson states, "and to help make sure that the underlying IT infrastructure is adequate and operational by auditing for security, processing, and recovery, and providing that output to stakeholders." And although there is always some IT involved in their audits, she adds, "We could get lost in data analytics because there is so much we could do with it. My leadership team is responsible for homing in on the things that are most impactful."
Completing the Job
Building IT knowledge and skills is a big job, but one that most internal audit departments should be able to accomplish. "It's challenging due to staff turnover and the ever-changing IT landscape," Goschke notes. "But the training is out there. You just need a plan."
But be careful about the "best laid schemes." Robinson says she is reluctant to guess what basic IT skills will look like 10 years from now. If she had tried 10 years ago, she would have been way off the mark. The iPhone was just being introduced in 2007, she explains, and "there's no way I'd have said we'd have a mobile app in 2017 that would be downloaded 11 million times — and that we'd have to audit mobile technology."
Indeed, audit departments probably won't be focused on the same issues three years from now, let alone 10. "Basic" will always be "basic," but the skills that audit leaders consider "basic" will always evolve.