Among the top responsibilities of IT auditors is auditing software and application development projects. As those projects have moved at some companies from a waterfall style, where each phase has a distinct beginning and end, to agile, where projects are done in sprints that cross through all development phases, IT auditors have had to adapt.
We recently sat down with Sheryl Austin, a director of information security at Johnson & Johnson, at the IT Audit and Controls conference taking place this week in New Orleans to talk about pre-implementation audits, the difference between waterfall and agile, and the unique challenges that the agile method of development projects brings to IT audit.
Austin says agile-style projects can create some big challenges for IT audit because auditors need to keep up with a changing environment. "With agile there are building increments and they are continually building and changing requirements and working with customers. So what ends up happening is that in agile the auditor can't be there all the time, since there obviously aren't enough resources, so you have to figure out where it's really important to be involved and get involved in those pieces," says Austin. "With waterfall it was easier, because when all the requirements are done, you go look at them."
Austin says it's easy for problems to crop up in application development projects that IT auditors need to be on the lookout for. "You will see instances where [the project managers] haven't gotten the support of senior management, or they haven't gotten the right people to be involved in the project," she says. "Some other things that happen are that they don't account for having the right processes in place for changes in scope or defects that come along when they are doing the program and things don't go right."
She also advises IT auditors to take a softer approach to highlighting problems and raising concerns. "It's really critical that IT audit does not come in as a sheriff in town, but instead as a partner that says, 'I'm the auditor and I really am here to help,'" says Austin. "And you make sure they have the controls in place as they go along, not after the fact."