Maurice Gilbert, Managing Partner of Conselium and Publisher of Corporate Compliance Insights, interviews Ron Hale, Chief Knowledge Officer at ISACA, an international professional association that advocates for and credentials practitioners in the GRC space, with a particular focus on IT governance.
Maurice Gilbert: What changes have you seen in IT audit in the past few years and what changes do you anticipate going forward?
Ron Hale: The IT audit profession has experienced a significant transition in the last years. First and most important, the concept of IT audit has been replaced by information systems (IS) audit due to the expanding nature of information systems within the enterprise and the critical reliance on information as a business enabler. Technology is no longer the primary focus. The work of auditors proficient in computing and communications technologies – as well as how these technologies are implemented and managed and integrated into business processes – is an essential part of providing assurance that risks are identified and effectively managed and that business processes involving technology solutions and processes are in compliance with enterprise policies.
As the need for information becomes more critical and as technology is increasingly integrated into new ways of serving stakeholders and effectively managing the enterprise, the currency, completeness, relevance and accuracy of information becomes more critical. With the increased criticality of information and information technology, the role and importance of the IS auditor has expanded and is likely to continue to expand since technology is no longer separate from business success.
We have witnessed the importance of the IS auditor in response to compliance needs in particular as governments increasingly turn to regulations as a means to address problems. IS auditors have stepped up to address compliance challenges. In addition, the expertise and skills of IS audit has been recognized as being a required skill set for compliance practitioners. As a result, compliance is becoming a larger part of IS audit activities and auditors are being called to bring their skill and expert knowledge of IS systems and business processes to compliance departments. We will see additional requirements that will be addressed through IS audit in response to privacy and cyber threat. This will include both the skill and expertise of these professionals within the audit function, as well as in support of implementing regulatory response initiatives within enterprise business units. Because of the technical and business expertise that IS auditors have, they will increasingly be required to step up to ensure that the enterprise is effectively addressing regulatory requirements.
As a result of the many demands on IS audit, there is a shortage of skilled practitioners. This is probably the biggest challenge that we currently face. We need to promote the profession to new candidates, as well as to experienced workers who are seeking new job opportunities. Talking with recent graduates who are ISACA members, I find that many discovered IS audit at a job fair but did not have audit as a career objective when they were planning their college program. We need to promote IS audit and the interesting and challenging work that IS auditors do, and encourage colleges and universities to provide relevant coursework in the academic program.
MG: How does ISACA help its members meet the coming challenges?
RH: ISACA has a long history of serving the IS audit profession. This year we are celebrating the 45th year of our founding, when we were known as the EDP Auditors Association. While much has changed in the profession, ISACA remains focused on building the IS audit profession and enhancing the credibility and capability of IS audit professionals.
Our first line of support for our members is at the local level. Members can attend educational sessions, prepare for certification exams and share knowledge within our global network of 200 chapters. Being able to network and share with colleagues in the same language and in the same city or country not only provides a great learning opportunity, but also joins members into a community of professionals.
We believe that the community of professionals is important, and we extend opportunities for engagement on a regional and international level. ISACA offers our regional Computer Audit, Control and Security (CACS) Conference as an opportunity to join colleagues and learn from industry leaders. We also support the larger community of professionals through our Knowledge Center where members can engage in topic-specific discussions, get questions answered or gain access to the research products and tools that ISACA produces.
Associations cannot only look internally to support their members. We live in an increasingly complex world where there is a need for governments, commercial entities and not-for-profit associations to collaborate in solving problems and in developing the professionals who can implement solutions. ISACA, working internationally and through regional and chapter-led initiatives, reaches out to governments and regulatory bodies to inform these bodies and to collaborate in addressing problems. We are also a member of industry and international standard-setting bodies, providing a voice of the IS audit profession.
Our research publications and practice aids, including audit work programs and standards and guidelines we produce for the profession, address traditional areas of IS audit interest, as well as emerging issues and technologies. Recent publications address important topical areas such as advanced persistent threats, privacy and big data, control objectives for cloud computing, mobile payments and geolocation. COBIT 5 focus area guides, such as COBIT for Assurance, and resources for the application of COBIT, including the COBIT Assessment Program, provide a foundation for applying an enterprise framework for the governance and management of information and information technology and audit-specific perspectives and tools that link with governance and management practices.
MG: How will IS auditors interact with non-IS auditors and with the compliance department?
RH: Increasingly boundaries between departments in enterprises are breaking down. Collaboration is more common than doing work in silos. IS audit is unique in that traditionally it has worked cross-functionally performing audits across business units and in supporting the assurance needs of the enterprise. When there was a need to address regulatory compliance such as Sarbanes-Oxley, IS auditors were the natural choice to complete business unit assessments and to help structure the controls required to address the regulation. IS audit will continue to work collaboratively with business units and compliance departments because of the information technology knowledge they bring and the skills in performing assessments.
MG: How have the rapid changes in technology impacted the business and how are IS auditors responding to those changes?
RH: The rate of technology change is accelerating at an unbelievable pace. Mobile technologies, social media, pervasive network access and intelligent devices are dramatically changing how we work and live. The change we have seen is only the beginning of what could be unprecedented advancements. We have already seen the shift in marketing and communication to social media and the growth in the use of new data sources as a way of understanding customer interests and behaviors. While online shopping just a few years ago was a nascent business sector, it is now a significant revenue generator. As younger workers enter the workplace, they come with expectations about the technology that they will use and about how they will connect with and interact with co-workers and colleagues outside of the enterprise. All of these individually are significant points of change; together, they are best described as disruptive.
New products and customer services increasingly will be intelligent offerings. Devices will not only be smart, but will also generate data that the enterprise will integrate into other services or use to gain market intelligence. Each of these instances of new technology adoption and use will be supported by operational procedures that in many cases will need to be modified to reflect new technology, new ways of doing business and a new business culture. What does not change is the need for management to be able to govern the enterprise and to have assurance that risks are identified and managed and that processes are effective and efficient. Since technology will be so tightly integrated into every process and activity, IS audit will need to be more engaged in assurance activities. This may require that IS auditors gain new skills. Audits of decision support and consumer intelligence systems based on big data will require IS auditors who have a detailed knowledge not only of the technology, but also of the analytic methods and modeling techniques that are being used.
IS auditors have had the unique experience from the earliest days of being the individual with the most detailed understanding of technology and its application to support enterprise goals. In the earliest days of computing, knowledge of technology was confined to the IT department. As time has progressed and as technology has become more available, more non-technical business people have become much more familiar with technology and its application. IS auditors, however, have had to remain at the edge of technology and were perhaps the first business people who were also required to have a detailed understanding and command of technology.
MG: How does ISACA go about educating the business community at large regarding IS risk?
RH: To effectively manage risk, enterprises need to have an approach to risk management that can address risk in a wider perspective. Enterprises need to have a program that includes the technical people, security, assurance and—importantly—those in business roles. The COBIT framework provides guidance and a structure for enterprises to govern and manage information and information technology. It provides the common language and approach that is required for people across departments to engage in enterprise activities such as risk management using the same language, processes and tools. Part of the family of COBIT products is the recently released COBIT 5 for Risk. It provides a structure for enterprise risk management with a focus on information and information technology. In addition to the COBIT framework and the risk guide, ISACA has developed more specific guidance such the Risk Scenarios for COBIT 5 for Risk that will soon be issued. This guide expands the content in COBIT 5 for Risk in the important area of developing and using risk scenarios as part of an enterprise risk management program.
For effective enterprise risk management, there is also a need for qualified experts who can develop and manage risk management programs. ISACA’s Certified in Risk and Information Systems Control (CRISC) credential attests to the mastery of risk concepts and practices for those who earn this designation.
ISACA is currently creating guidance on emerging business and technology. Part of this guidance looks at the risk that a new technology carries with it, as well as the value that an enterprise can obtain from deploying the technology. It is important that risk should be balanced with opportunity. This guidance is being directed at senior business leaders and board members.
ISACA is also engaged on a global scale with governments, regulators and associations whose members are outside of the technology area. Collaborative efforts include activities with several organizations, including the National Association of Corporate Directors. We are engaging in businesses and government initiatives with NIST and DHS and have done several programs with the European Network and Information Security Agency (ENISA). Solutions cannot come from one organization or association of practitioners. Engaging with governments, regulators, not-for-profit associations and commercial entities is important if we are going to solve some of the pressing technology problems that enterprises worldwide are experiencing.
About Ron Hale
Ron Hale is acting CEO of ISACA, as well as the association’s chief knowledge officer. Hale has more than 20 years of experience in the security field. Prior to joining ISACA, he was manager of security services for Northrop Corporation Defense Systems Division and a research manager for the Bank Administration Institute. He has also provided consulting services as a practice director in the Enterprise Risk Management division within Deloitte & Touche. He has a master’s degree in criminal justice from the University of Illinois and a doctorate in public policy from the Walden University School of Public Policy and Administration. In recognition of his accomplishments at ISACA, Hale was named to the NACD’s 2013 Directorship 100, a distinction given to 100 individuals who exemplify knowledge, leadership and excellence in corporate governance.
