Organizations are rapidly adopting technologies such as cloud computing, robotic process automation (RPA), machine learning, blockchain, and cognitive computing to create tomorrow’s business in today’s market. Internal audit needs to transform its processes to keep pace with these changes, and IT audit processes are an excellent place to start this transformation.
Organizations that still perform most internal audit tasks manually complicate IT governance. In this manual model, auditors have adopted many compliance laws, policies, procedures, guidelines, and standards, along with their related control objectives. Moreover, internal audit manages audit process elements such as training, standards, risk, planning, documentation, interviews, and findings separately.
An automated internal audit process can enable the audit function to link, consolidate, and integrate the planning, performance, and response steps of the audit process into a holistic approach. The process should present audit recommendations in a way that is dynamically sustainable within the organization’s integrated action plans.
Since 2012, many standards and frameworks have changed their models, procedures, and guidelines to elaborate on the role of the IT governance process. Accordingly, internal audit should redesign its processes to coincide with new, streamlined IT processes and related roles. Meanwhile, IT audit specialists should understand the interoperability among the conceptual models of IT management, governance, standards, events, audits, and planning.
Transforming audit processes comes with challenges, though. Each of these challenges can be encapsulated in a pattern of a problem and a solution, which internal audit can prioritize based on its stakeholders’ needs.
1. Syncing the IT Audit Process With IT Project Planning
Problem: IT audit teams need a way to link, tailor, and update audit findings and recommendations for ongoing IT projects and action plans. This will be necessary for auditors to follow up on findings and identify who is responsible for carrying out audit recommendations.
Solution: An automated IT audit system would break IT audit work into two levels — findings’ recommendations and their final conditions — encompassing all preventive, detective, and corrective controls. The recommended actions reported in audit findings should be linked, integrated, and synced with the related IT project’s nondisclosure agreements, service-level agreements, and contracts. Then, the automated IT audit system should confirm that management addressed the recommendation.
2. Letting IT Governance Direct the IT Audit Process
Problem: The role of the IT audit team in corporate governance is important because the function can help bridge the gap between the business and IT in organizations. IT governance is a key part of corporate governance, which directs and monitors the finance, quality, operations, and IT functions. Three of these functions — finance, quality, and operations — are being transformed by innovative, technology-based processes. Thus, the problems are how the board and executives will design and implement a corporate governance system and how the IT governance process will be automated.
Solution: Automating the IT governance process should be comprehensive and agile. In other words, the IT governance, risk, and control mapping and cascading of goals and indicators among all levels of the organization must be user-friendly. To have an agile audit function, though, these maps and cascades should be tailored based on the types of governance roles such as the board, executives, internal auditors, chief information officer, and IT manager.
The internal audit function also should map key performance indicators based on the control objectives of various regulations, standards, and frameworks into its goals. These governance requirements include frameworks from The Committee of Sponsoring Organizations of the Treadway Commission and the U.S. National Institute of Standards and Technology (NIST), industry requirements such as the Payment Card Industry Data Security Standard, and regulations such as the European Union’s General Data Protection Regulation and the U.S. Sarbanes-Oxley Act of 2002.
3. Transforming IT Audit Processes to a DevOps Review
Problem: Nowadays, some nonfunctional requirements such as cybersecurity, machine learning, and blockchain are increasingly being treated as functional requirements. This change will have fundamental effects on the IT audit process. For example, IT auditors will need to assess cybersecurity or blockchain requirements during the organization’s system development operations (DevOps) process and change their audit program schedule to fit the DevOps schedule. This change can be a real challenge, especially for small and medium-sized audit teams that lack skills and experience with DevOps.
Solution: Internal audit could solve this problem by moving to an “IT audit as an embedded DevOps review service” model. As a result, the review processes for IT governance, risk, and controls must be embedded into the DevOps life cycle. As part of this process, an automated system may provide access to metadata. For example, an auditor could set up a software robot to collect evidence about risks related to vendor lock-in, changes in vendors, and data conversion. Similarly, gathering cloud provider metadata through RPA can enable internal audit to respond to other cloud-based risks.
Generally, the business model must be clear, well-defined, mature, and well-documented when any kind of business function, especially IT audit, wants to migrate to the cloud. The IT audit process itself also will be streamlined and matured as a system in the cloud. Thus, the cloud and robotic process automation can bring an iterative business model in which the IT audit process is transformed into a cognitive computing system. This system could result in more affordable audit costs and enable IT auditors to perform more engagements each year based on automated best practices.
4. Mitigating IT Standards’ Side Effects
Problem: Applying some IT standards is analogous to a drug interacting with other drugs and having adverse effects on the body. Without a unified prescription, the treatment may not provide the greatest benefits with the fewest negative effects. Likewise, internal audit should ensure the side effects of IT standards do not cause problems such as increased compliance costs. Auditors must address two issues:
Deciding which sections of IT-related standards such as COBIT 5, ISO 2700, and NIST Special Publication 800-30 best conform with the organization’s risk management framework.
Addressing conflicts and duplications among the various standards that might result in duplicate control objectives.
Solution: An automated IT audit system should use machine learning and recommendation systems to identify and remove duplicate or contradictory control objectives across IT standards. This way, the audit system can control the duplications among all of the standards’ segments and use artificial intelligence to recommend an efficient, customized set of controls.
Transforming the Auditor
For automation to overcome these challenges, internal auditors must transform themselves, as well. This is an area in which IT audit specialists can help organizations find, prioritize, and invest in the right innovations to automate IT, internal audit, and cybersecurity processes. Moreover, by identifying ways to automate IT governance, risk, and controls, internal audit can help the IT function align its operations with the organization’s governance and transformation processes.