Technology is a key enabler of business value. Internal auditors must be able to verify that technology processes provide the intended return on investment and that technology risk decisions and resources are optimized. Without the necessary skills, auditors may not deliver the value that the business expects of them.
Most technology auditors at Nordstrom are integrated auditors — technologists with business degrees and years of consulting firm experience. They work as peers to three other unofficial designations of auditors: operations, business intelligence, and compliance.
Nordstrom uses two metrics to determine whether its technology auditors are trusted advisors: whether clients return to request internal audit’s services and whether the audit recommendations result in business value. To provide valuable counsel, technology auditors need to understand the emerging technologies with which their business partners are working as well as developments such as DevOps, the Internet of Things, and serverless architecture. In learning to provide such advice, technology auditors focused on five areas.
Cybersecurity and Privacy
Most industries consider cybersecurity and privacy to be inherently high risks. As a company that relies on technology, Nordstrom has hired professionals with cybersecurity certifications to advise on and audit how it optimizes its risk posture.
In turn, technology auditors have interpreted and applied controls from security frameworks to Nordstrom’s new, cloud-based environment. Two frameworks auditors use are the International Organization for Standardization’s ISO 27002 — Information Technology–Security Techniques–Code of Practice for Information Security Controls and the U.S. National Institute of Standards and Technology Cybersecurity Framework.
Auditors translate the security requirements of these frameworks into the language the audit clients use. For example, application teams have adopted a DevOps structure whereby any member of the team can make changes to production code. Auditors explained to the team the potential for unauthorized code change and the requirements contained in the security standards. That helped team members realize they should implement logging and file-integrity monitoring linked to change tickets as a compensating control to ensure that unauthorized changes would be detected immediately. As teams learn about security risk and controls, they make more risk-optimized decisions.
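The compensating control described above, shown as an added example that is not Nordstrom's code: production files are hashed against a baseline, and each detected change is accepted only when an approved change ticket covers that path and the time the change was observed. File contents, timestamps, paths and the ticket are all constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc

@dataclass
class ChangeTicket:
    ticket_id: str
    paths: frozenset   # production paths the ticket authorizes
    start: datetime    # approved deployment window (inclusive)
    end: datetime

def fingerprint(files):
    """Hash each file's content; files is {path: bytes}, e.g. from a file walk."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}

def diff_baseline(baseline, current):
    """Paths added, modified or deleted relative to the baseline hash set."""
    return {p for p in set(baseline) | set(current) if baseline.get(p) != current.get(p)}

def unauthorized_changes(changed, observed_at, tickets):
    """Keep only changes that no ticket authorizes (path in scope AND inside its window)."""
    def covered(path):
        when = observed_at.get(path)          # unknown time: treat as not covered
        return when is not None and any(
            path in t.paths and t.start <= when <= t.end for t in tickets)
    return sorted(p for p in changed if not covered(p))

# Constructed sample: a baseline snapshot, a later snapshot, and the approved tickets.
BASELINE_FILES = {"/srv/app/checkout.py": b"def checkout(): ...\n",
                  "/srv/app/pricing.py": b"TAX_RATE = 0.08\n"}
CURRENT_FILES = {"/srv/app/checkout.py": b"def checkout(): ...  # v2\n",
                 "/srv/app/pricing.py": b"TAX_RATE = 0.00\n",
                 "/srv/app/debug_hook.py": b"import os\n"}
OBSERVED_AT = {"/srv/app/checkout.py": datetime(2024, 3, 5, 10, 15, tzinfo=UTC),
               "/srv/app/pricing.py": datetime(2024, 3, 5, 23, 40, tzinfo=UTC),
               "/srv/app/debug_hook.py": datetime(2024, 3, 5, 23, 41, tzinfo=UTC)}
TICKETS = [ChangeTicket("CHG-1042", frozenset({"/srv/app/checkout.py"}),
                        datetime(2024, 3, 5, 9, 0, tzinfo=UTC),
                        datetime(2024, 3, 5, 12, 0, tzinfo=UTC))]

def run_review():
    """Return the paths whose change has no matching approved ticket."""
    changed = diff_baseline(fingerprint(BASELINE_FILES), fingerprint(CURRENT_FILES))
    return unauthorized_changes(changed, OBSERVED_AT, TICKETS)

if __name__ == "__main__":
    for path in run_review():
        print("UNAUTHORIZED CHANGE:", path)
```

Only the checkout change falls inside CHG-1042's window and scope; the pricing edit and the new file are reported as unauthorized.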
Nordstrom’s internal auditors rely on ISACA’s COBIT 5 framework to evaluate technology governance maturity on a repeatable basis. Auditors merged COBIT 5 and ISO standards to create a framework specific to Nordstrom as a basis for audits. This framework enables auditors and audit clients to see where their activities fit into the big picture.
Having a framework has enabled the department to partner operational auditors with technology auditors to perform integrated audits on nontechnical aspects of technology governance. In one review, auditors provided assurance that technology projects were delivering the value promised in the business case. The auditors on the integrated audit expanded their knowledge by covering tech strategy, enterprise architecture, and performance measurement.
Nordstrom’s auditors have written more compelling audit reports by testing 100 percent of populations using data science techniques. To write such reports, all auditors are expected to have basic knowledge of Microsoft Excel, statistics, and data validation. Internal audit leverages data extraction tools to obtain data for use in creating impactful issue statements in reports.
Data science tools are especially useful when joining two or more data sets (see “Beneath the Data”). In one project, internal audit extracted incident ticket information and linked it with information about problem tickets, root-cause analysis, and application IDs from multiple systems of record. To extract knowledge from these unique data sets, auditors used data visualization tools to tell the story of how well the company’s change-management controls were performing and whether it was learning from the incidents. The client capitalized on the analysis to track how much progress was made since the report was delivered.
Robotic Process Automation
A recent development for Nordstrom’s internal auditors is the use of robotic process automation (RPA). Projects are advisory in nature and aligned with internal audit’s goal of identifying ways to reduce expense or work effort. Partnering with the company’s restaurant and tax divisions, auditors created robots to automate manual processes relevant to food and beverage licensing and entry of invoices. Through this automation, auditors reduced the clients’ payroll expenses.
Another example is the company’s user-access review and validation process. Auditors incorporated control owners’ control documentation into internal audit’s testing procedures and used RPA to test attributes. One test validated that users had their access revoked in a timely manner. RPA has enabled auditors to accomplish more testing within the same time frame.
Nordstrom’s technology auditors have focused on improving their verbal and written communication skills. To communicate effectively with the technology organization, the department’s IT audit director spent six months working directly for technology leaders before starting his role in internal audit. During this time, he learned those executives’ leadership and communication styles, which internal auditors now incorporate into their reports to increase their impact.
Auditors also have become persuasive communicators, effective negotiators, and great listeners. They have increased stakeholder buy-in by using data to buttress audit findings and action plans. Business partners now expect audit findings to be supported by data, even when the topic is difficult to quantify.
However, visualizing data is not required for all audit reports. Sometimes, visualizations cause the client to jump to assumptions without reading all the details. Some clients prefer to read the text instead. While audit reports should always focus on the most important risks and opportunities, auditors tailor the department’s report style to meet stakeholders’ desired format.
To benefit the organization, internal audit needs to constantly develop staff members into trusted advisors and retain them. So far, Nordstrom’s efforts have:
- Increased risk-focused conversations led by leadership, resulting in more effective controls.
- Led to a cultural shift to spend time building technology risk mitigation strategies.
In the process, technology auditors have received high client satisfaction ratings as well as more requests from management to perform work. Moreover, management is more proactive in driving change about issues that auditors have identified, even before they receive audit reports. Once clients realize that an audit report can propel them faster toward achieving their objectives, they tend to become repeat clients and tell their peers throughout the organization.