What we learned at the conference for IT Audit and Controls
Several themes emerged during this year's IT Audit and Controls (ITAC) 2016 event, which was held in December in New Orleans, as IT auditors gathered to learn and exchange ideas on successful strategies and to gain insights on major trends and developments in IT audit. From the four keynote talks and panel discussions and 27 breakout sessions, it is clear that IT audit is evolving rapidly and several aspects, including data analytics and cybersecurity, present substantial challenges.
Many speakers referred to some overarching trends in IT audit, including the need to add more value and enable innovation not hinder it, the difficulty IT audit has in communicating to stakeholders, and the challenges of hiring professionals with the right mix of skills for the department. Some speakers cited the opportunity for IT audit to act as a bridge between technologists and business units and management.
In his opening keynote address, Tolga Erbay, senior manager of security risk and compliance at Dropbox provided some steps that IT audit organizations can take as well as what they should demand from cloud providers to renew faith in the security of data stored in the cloud. During his talk, he addressed the difficulty that audit teams have in that they can’t always complete their own audit of individual cloud providers, since it would overwhelm a provider that might have thousands of clients. He advised them to pay close attention to the provider’s own audit report and to demand that it is thorough, robust, and transparent. “One of the things to consider is if there are no or very few audit findings,” said Erbay. “It’s unlikely that they had a perfect audit, so I would push back on that.”
During his keynote address Brijen Joshi, director of global IT audit at Juniper Networks, sounded a similar theme of pursuing transparency in IT audit, as he explored how IT audit must keep up with emerging IT risks. His talk, “Keeping Up with a Fast-Paced IT World in Pursuit of Audit Excellence,” identified several challenges the IT audit function had overcome at Juniper to complete projects such as improving cybersecurity, moving more applications to the cloud, and increasing mobile capabilities. “Some of the ways to overcome challenges are to establish partnerships at all levels, maintain transparency and communicate well, and don’t wear the internal audit badge all the time,” said Joshi. “Sometimes you need to put yourself in the shoes of stakeholders and empathize with them.”
Let’s Talk About IT Risk
During another keynote, risk expert Norman Marks called for the audience to view IT risks through the same lens that they view other business risks during his talk, “How Much Cyber-Risk Should We Take?” Marks says it comes down to return on investment. "The key is to understand what the potential impact on the business would be if you had a breach," he says. "How would it affect the business? How would it affect the achievement of objectives and the success of the organization? And how much is it worth spending to address that? Because we don't want to spend more money than we are actually getting a return on in terms of reducing the risk."
One of the more popular panel discussions, which also covered the topic of IT risk, was titled, “Communicating Critical IT Risks to the Board and C-Suite” and centered on the role of IT audit in elevating important IT risks up through the organization. During this panel discussion, panelists Marius Bosman of Ball Corp., Robert Kress of Accenture, and Constance Snelling of Jackson National Life, considered how best to communicate with senior officials in the company in a way they can understand.
Kress offered the idea of taking a balanced approach. When implementing a new technology program, initiative, or capability, he advises IT executives to: “Talk about the new capabilities but also include an element of an understanding of what the risks might be, and what you are doing to mitigate the risks,” said Kress. “Because from the audit committee perspective, they will be interested in understanding the new capabilities and major programs, but they are also wearing that risk hat so make sure you cover that.”
Some other highlights:
- One of the biggest problems for IT audit departments is finding and keeping good IT auditors. During his popular session, “Six IT Audit Errors to Avoid,” Jonathan Ngah, principle at Synergy EnterPrize, a a staffing company that specializes in IT auditor recruitment, related several tips for retaining top IT audit talent. Ngah says that a poor recruiting process can leads to problems later on. “If you miss on the front end of the hiring process, you need a lot of luck to make it up on the back end.”
- Another popular session was Shawna Flanders’ “Conducting a Capability Maturity Self-Assessment,” where she showed attendees how to assess where the IT audit team is in terms of the capability of IT to deliver products and services which both support the business objectives and also properly protect information assets and meet regulatory compliance.
- During a pre-conference summit on IT Audit leadership and during some of the sessions, including a session by audit executives from Lockheed Martin titled “Transform Governance through Data Visualization and Analytics” speakers talked about how data analytics is completely changing IT audit.
Auditing the Network
An Exhibit Hall, with several vendors including NAVEX Global, also provided some great networking opportunities and the chance for IT auditors to learn more about cutting edge solutions and to trade ideas and a war story or two.
Many are already making plans to attend ITAC in 2017. It will be held next year at Hyatt Regency Hotel in Austin, Texas from November 28 to December 1.