IT is changing more rapidly than any other business area. Not only is technology evolving, but emerging risks are constantly materializing, and best practices for risk mitigation are shifting in response. These factors present challenges to even the most technical IT auditors.
For integrated and operational auditors reviewing IT risks, the challenges are even greater. IT processes and their terminology can be daunting to outsiders. Postmortems are now called sprint ceremonies, software deployments involve build-and-release pipelines, and domains comprise trees and forests. What were industry best practices several years ago often are considered vulnerabilities today as the threat landscape evolves.
Nontechnical auditors may struggle to translate the language, much less assess risks and controls in this environment. However, there are steps they can take to successfully provide assurance and advice on many IT risk areas without becoming technical experts.
Audit clients may expect that internal auditors are already highly familiar with the terminology, frameworks, and best practices for their area of expertise. Auditors can reduce friction and ensure stronger communication up front by clarifying their level of familiarity with the subject.
At every planning meeting, nontechnical internal auditors should remind IT leadership that they will be focusing on processes and controls, not providing technical IT expertise. Moreover, auditors should start meetings with technical experts by providing information on the audit objectives as well as their audit background. A good way to remind clients of the auditor's expertise is to say, "We're not experts on your processes, but we are experts on risk and controls."
Auditors should feel comfortable asking highly technical interviewees to explain things more simply when those clients use acronyms or get too deep into technical details. Experts often are generous, gracious, and excited to teach practitioners new concepts when auditors are honest about their limited familiarity with technical terms.
Be a Continuous Learner
While internal auditors cannot be expected to have the same level of technical expertise as their IT audit clients — or even as specialized IT auditors — it is important for all auditors to stay up to date on basic IT control concepts and industry trends. There are many resources available to auditors: Internal Auditor magazine articles and blogs as well as The IIA's Global Technology Audit Guides, training, and certifications.
When auditors are developing their training plan, they can ask the organization's chief information officer (CIO) for input. The CIO can focus auditors' training on the organization's highest risks or areas in transition, and may provide opportunities for internal auditors to attend the same training that their IT clients are taking, which promotes alignment.
Auditors should have conversations with technology experts about trends in the profession and balancing operational efficiency and risk mitigation. Both sides can learn from this discussion, as often auditors may err on the side of risk mitigation while the IT client may lean toward operational efficiency. Having an open dialogue can promote stronger alignment, understanding, and collaboration between the auditor and client.
Also, audit clients can be great teachers and can recommend additional learning resources. For example, I will never forget the moment one of our enterprise architects plopped a thick copy of the ITIL Handbook on my desk and offered to guide me through the content.
Because of the pace at which IT best practices are changing to better meet stakeholder needs for digital transformation, even the most technical internal auditors need to be learning constantly. One advantage less technical IT auditors may have is a natural openness to change and a practice of researching current IT standards before starting an audit.
An internal auditor's network can be one of the practitioner's greatest assets. Auditors can leverage their peers for benchmarking and understanding best practices, and as a sounding board for ideas.
Equally valuable are relationships internal auditors have built within their organization, especially with key first- and second-line functions. The organization's enterprise architects, IT security, and IT governance, risk, and control (GRC) staff can be incredible resources because of their expertise in emerging technology, the organization's IT environment, and industry standards. For example, I work closely with the IT GRC team, meeting monthly to discuss audit plans, audit results, and how we can better coordinate and add value. Their technical expertise is helpful as I audit new areas.
Leverage Nontechnical Skills
Sometimes an internal auditor's perceived technical weakness can be an advantage. A few years ago, the chief audit executive at my company had a conversation with our CIO that changed my perception of my value as a nontechnical IT auditor.
The CIO explained that often a group in IT already knew there was a problem, but nobody had time to dig into it. When that happened, I would help that group define and solve the problems on its own. As I asked probing questions, facilitated gathering information and ideas, and identified organizational silos, the solutions would become apparent. In other words, it was my lack of technical expertise that made me a trusted asset.
Inefficiencies and control breakdowns often are caused by ineffective communication between groups. Nontechnical internal auditors can help clients focus on the narrative. Do the processes make sense? Is there a consistent understanding? Are there bottlenecks or points of friction? Sometimes a nontechnical auditor can identify and investigate potential risks by bringing together technical experts to share information, discuss mitigating controls, and come up with an action plan to address the true risk areas.
Another strength nontechnical internal auditors may bring to the table is an enterprise view of risk. Occasionally, IT audit specialists may be tempted to get caught up in the details and rate a minor finding as critical because it didn't meet a standard or expectation. Nontechnical auditors may be more likely to think at the big-picture level, considering mitigating controls and residual risk.
Rise to Challenging Risks
Nontechnical IT auditors may be tempted to downplay their value in a constantly evolving IT environment. However, by setting clear expectations, learning continuously, building relationships, and embracing their nontechnical skills, these auditors can provide the assurance and advice that their organizations require — even with the most challenging IT risks.