For Australian taxpayers, the concept is not new, but it is also certainly something that only a few would be comfortable facing, regardless of how compliant they are.
CIOs have to come to grips with the concept too, as organisations appoint assessors to determine whether they are getting value for their IT spending and achieving internal or global benchmarks.
IT auditing has both an external and internal context. The external context has evolved as a result of financial audit firms increasingly being required to assess the quality and reliability of the IT systems that generate a company’s accounts, such as payroll and financial systems. Over time the auditing of IT systems has evolved to become a practice field in its own right, focused on assessing the quality and cost-effectiveness of IT systems and processes.
In parallel, there has been a rise in the number of organisations that have created their own internal audit capability, possibly as an extension of their risk and compliance functions, but with an additional focus on measuring IT process efficiency. Internal audit teams may report on everything from key enterprise applications and business intelligence systems to social media policy and implementation.
Dean Kingsley leads the technology risk practice within Enterprise Risk Services for Deloitte in Sydney. He has more than 20 years’ experience in information security consulting, IT audit and technology risk management. He describes the internal and external contexts as having both reached maturity. This is due in part to the maturing of the COBIT (Control Objectives for Information and Related Technology) framework developed by the Information Systems Audit and Control Association as a standard for IT auditing.
“COBIT is an IT audit framework, but over the last five or 10 years it’s transformed itself into an IT governance framework so it can be used by the auditors who are assessing IT,” Kingsley says. COBIT has increasingly been co-opted by the IT functions themselves, however, to refine their operations so that they will meet the standards that the auditors are applying.
An internal audit team will most likely report to the organisation’s board, and specifically to its audit committee and risk committee. Most often they will operate under the oversight of the CFO.
But a debate has surfaced over the role of the internal audit team. Should it be a watchdog and reporting tool, or a feedback mechanism providing advice and guidance on how things can be done better?
“Most organisations realise they’ll only get better if they allow an audit to be pretty wide ranging with the things they look at and the kind of help they provide,” Kingsley says. “Not just finding the problems, but then helping to get them fixed by giving advice on how to fix them.
“They see that a valid role for an internal auditor to play is actually that of a change agent, to be that internal consultant.”
A schism emerges, however, when the IT function is able to claim that faults being found by the internal audit team are the result of advice that the audit team itself previously provided.
“With some organisations, their view is that if internal audit gets too far involved in fixing the problem, then it can’t be objective anymore,” Kingsley says. “So there’s a fine line between those jobs. But most are comfortable operating in the grey space in the middle.”
Kingsley says the evolution of technology itself is generating additional challenges for internal audit teams. Cloud computing, for instance, blurs the boundaries of what is inside and outside of an organisation, as do automated trading connections with suppliers and customers.
“It would be common for the IT auditor of an organisation to be assessing Cloud providers, to be assessing other business partners that have electronic connectivity, suppliers and customers and so on,” Kingsley says. “But if you’re Amazon and you’ve got 10,000 or 100,000 customers and 1 per cent of them want to send their auditors to come and see you, [then] that’s a lot of auditors every year.”
Hence, many organisations rely on SAS 70 (Statement on Auditing Standards 70) reports from Cloud service providers to ensure they meet their own auditing requirements. “What they typically do is they hire an auditor to do it once, write a report about it, and then all the auditors of all their customers can rely on that report,” Kingsley says.
Cloud computing can cause additional headaches in those situations where data is load-balanced, as it is difficult to know exactly where data is stored. Kingsley says larger Cloud providers such as Amazon are working to develop new approaches that will enable them to create reports that satisfy all requirements.
“I don’t think we’re mature in any way yet in doing that and so it’s a bit like the early days of IT outsourcing,” he says. “It’s the providers themselves who need to find that solution.”
But it isn’t just the Cloud that is causing angst for audit teams. Kingsley says that surveys conducted by Deloitte of internal auditors consistently reveal a disconnect between how important IT is and how well the internal audit function feels it can deal with it.
“It’s partly about the speed with which technology moves,” Kingsley says. “It’s also about the fact that most internal audit groups find it difficult to retain their own internal skills, and as a result have to be reliant on third parties to bring that expertise to the table.”
Indeed, Kingsley says it can be difficult to find specialists with the right blend of accounting, business consulting and technical skills to fill audit positions. Deloitte tends to hire audit staff with double degree backgrounds and appropriate post-graduate qualifications, such as CPAs or Chartered Accountants, or IT-related qualifications.
Fundamentally, however, he says most learning happens on the job. “They need that advisory and consultant skill set, but also they need to be obviously deep in the IT domain to be able to engage with CIOs and others in the IT function, and to credibly assess what they’re doing,” Kingsley says.
For this reason internal audit groups are commonly heavily in-sourced. But Kingsley says that co-sourcing and outsourcing models are becoming more common, to a point where some clients have completely outsourced their internal audit function back to Deloitte.
“You certainly need people who know the organisation very well, and an in-sourced model is commonly the core of an internal audit function,” Kingsley says. “That being said, one of the most common things that is co-sourced or out-sourced by organisations is the IT internal audit function, and the reason is that they really struggle to initially attract and then obviously retain that combination of skills that we’re acknowledging as difficult to create.”
Audit skills are being used by organisations to make assessments around the very future of their IT function. According to PricewaterhouseCoopers’ technology partner Chris Bennett, his organisation is increasingly being called in to audit internal service levels in comparison with what external providers might offer. Commonly this involves investigations of communication, external internet services, data management, desktop services and even enterprise applications, but nothing is sacred.
Bennett says the conversation has evolved from wanting to improve a service, to asking whether that service should be run by the organisation at all. He says inquiries are roughly double those of three years ago.
“Whatever is the driver, what we’re seeing is that the interest is there for change and assessing where organisations go from here,” he says. “And the thing that’s in the background is that the industry has reshaped itself over the last five years. It’s not a cost issue anymore. It’s also about a different set of services.
“Every time an issue pops up, though, people are questioning, ‘Well, what should I be doing right now? What should I be focussing on in terms of the support that I’m delivering into the business?’”
Bennett says these investigations are generally being commissioned by the CEO or CFO, not the CIO. Not surprisingly, he says CIOs are not entirely happy about it, although the complexity and pace of change of modern IT is leading to their acceptance.
“I think they see that it’s coming,” Bennett says, adding that the question many are now asking is, ‘How can they continue to deliver high quality service in conjunction with a partner that will be accountable for its delivery?’ “They only need to look after those things which are really critical, that they can’t outsource,” he says. “There’s a lot on the plate of CIOs today, and so I think we’re going to see an increased demand.”
One of the key candidates for examination is the data centre. Bennett says the increasing maturity of the Cloud is leading organisations to question the value of owning hardware.
“All of a sudden the data centre doesn’t take on the same sort of characteristics that it had 10 years ago, where it was spoken about in religious tone,” Bennett says.