  • cindy8756

Hot IT internal audit topics




It’s the time of year when people seem to be publishing lists of things to be considered in an IT internal audit plan. Not to be outdone, we’ve decided to do the same, only with a twist. As well as looking at what people are asking us for, we’ve listed (a) what they used to ask us for but don’t any more (if audit fashion is a thing, these are the mullet haircuts of IT audit), (b) the topics no one is asking for but that you really should think about, and (c) what they’ll try to sell you but you probably don’t need.


What people are asking for:


First, the top three audits people are asking for. There won’t be any surprises for you here, but we have to list them anyway, or you’ll be saying ‘but what about…’:


1. Cyber and information security

It’s the perennial favourite: cyber and information security. We get a mix of compliance auditing against standards (for example, the ISO 27000 family) and ‘risk based’ auditing, as well as niche components (identity and access management, anyone?). However you approach it, everyone wants to talk about cyber security.


2. Digital transformation and change

If I had a pound for every client that wants to digitally transform their organisation, I’d be a rich man. Technology services are moving quickly, and opportunities abound for most industries. With change comes risk, and that’s where audit comes in. The work is most commonly focused on project-specific audits, where internal audit has to tread the line between independent auditing and advice.


3. Resilience

Driven by operational resilience requirements and DORA, this takes business continuity and disaster recovery a step or two further. Standards vary by jurisdiction (have you compared the UK requirements to those in Europe? Similar titles, different approaches), but it is certainly a focus for many organisations.


IT topics out of vogue


We still think these are important, but no one seems to want internal audits of them very often.


1. IT service management

Remember the mantra that IT is a service, and that the quality of that service determines the value IT provides? It’s even more true now, with fragmented IT delivery chains, yet for some reason people don’t seem to want to audit it. It also links with operational resilience if you’re smart, but people are looking at different things now.


2. Data governance/Privacy (a bit)

So, the logic goes that security, privacy, data quality and so on are all overseen by a ‘data governance’ process. Logically it feels sound, but practically many of our clients found it a bit esoteric. Privacy plays into this, and while there’s a vague interest, in our experience it’s no longer in-depth or detailed.


3. IT governance

This one we’re sad about. We rarely get asked to perform an internal audit of governance. However, decision making, reporting and accountability are more important, and more complex, than ever before. Surely due for a revival?


IT topics you should think about


Few people ask for these, but we rather wish they did. There are interesting things in them there audits…


1. Architecture

So much to cover here. Who decides how everything fits together? Who is in control of the IT framework? How do they do this and police it? With so many solutions available, and deeper IT delivery chains, we worry we’ll quickly get to a point where no one really understands how it all fits together.


2. Technical debt /Legacy

Times are tough. Budgets are tight. Skills are hard to acquire. So, what IT things should really have been done but have not? Where is the can being kicked down the road, and how is that risk being managed? From experience, if I could have one measure of an organisation to judge its control, it would be technical debt (what should have been done but hasn’t been).


3. Skills and capabilities

The plans for the next five years will undoubtedly be significant (see Digital transformation above). How will the organisation acquire the skills to make this change? How will it retain those skills to ensure the change is sustainable? How will it build and develop people internally to rise to the challenges posed by modern technology?



IT audits they will try to sell you


So what will they tell you is important, but probably isn’t? Here’s our top three:


1. Blockchain

What even is it, anyway? Yes, we know, and we are mightily impressed. But unless you have (or plan to have) a service based on this technology, why are you even thinking about it?


2. AI

See ‘Blockchain’ above. Internal audit over a risk that purports to be existential to humanity is a tough one; perhaps they should have documented policies and procedures? We have no doubt this will become critical and core to many organisations in time, but probably not today. There’s an immature regulatory framework, and while you’re probably using AI in some ways (whether you know it or not),


3. ESG in IT (or vice versa)

Another existential risk. Super important. But if you’re auditing ESG, then audit it everywhere (not just in IT). If you are auditing how IT can enable ESG, then unless you’re an IT company we worry you have an IT audit hammer and the topic looks very much like a nail. IT auditors: this is probably not your wave.


There are lots of interesting things to focus on, but the sad truth is that the core areas haven’t changed much. Perhaps technology services are commoditised now, and so the supply chain is deeper (lots of little cloud services), but essentially IT audit today is much like it was yesterday, last year and 20 years ago, with the exception of physical security.

