Into The Spotlight: IT Audit Managers
“I have traveled the length and breadth of this country and talked with the best people, and I can assure you that data processing is a fad that won’t last out the year.” –Editor in charge of business books for Prentice-Hall, 1957
Thrust into the spotlight by a 10-year onslaught of legislation, governance and technology change, the IT audit professional has become a vital part of the fabric of many organizations. In the United States, legislation, such as the Health Insurance Portability and Accountability Act (HIPAA, 1996), the Gramm-Leach-Bliley Act (1999) and the Sarbanes-Oxley Act (2002), has brought new rules to how organizations think about internal control. Governance standards, such as COSO (Committee of Sponsoring Organizations of the Treadway Commission), COBIT (Control Objectives for Information and related Technology from the IT Governance Institute) and ITIL (IT Infrastructure Library), have codified how organizations should achieve internal control. The massive and profuse advances in technology, the exponential expansion of the Internet, integrated systems and new forms of data storage and transmission have enhanced the need for the careful retooling of IT control mechanisms. In the middle of the maelstrom, trying to keep above the battle is the IT audit professional.
History of IT Auditing
It is not the first time that work has radically changed. The current work environment transformation is only accelerating from a revolution that began more than 200 years ago. Sometime in the 18th century, society transformed from its agrarian foundation to an industrial base and transformed work and the results of work. Management also changed. The management techniques of planning, organizing, directing and controlling (old now, but new then) were based on pre-18th century military traditions (superior, subordinate) and planning techniques (mission, strategy, tactical).
The revolution did not ignore the auditing profession. In the quickening pace of change, control and the need to evaluate control continued its centuries-old presence. In “Spiraling Upward: History of Internal Auditing and the Institute of Internal Auditors,” Parveen Gupta wrote, “[auditing’s] origins can be documented and traced back to civilized communities that existed around 5000 B.C. The Chaldaean and Babylonian empires were the first to….(build) an elaborate system of checks and counterchecks … primarily to minimize errors and to safeguard state property from dishonest tax collectors.” In addition, Mesopotamian and early Jewish civilizations promoted “limited access to assets, dual custody of liquid assets, surprise audits, care in selecting employees and separation of duties.”
Today, business and management, while relying on basic 18th-century management techniques, have a set of issues not encountered by their early industrial revolution counterparts. In the 18th century, organizations used information and communicated through sight and sound—in writing or verbally. Today, organizations can create, distribute, store, access and collaborate on information at the simple click of a mouse and rarely see or touch the gathered information. The general information is the same as their 18th-century counterparts (strategic, tactical or mission), but it arrives and can be assessed at the blink of an eye rather than weeks or months.
What emerged out of thousands of years of auditing was a new form. This form specialized and focused on technology: the IT audit. According to Wikipedia, the biggest multilingual open-access encyclopedia on the Internet with more than 500,000 articles, IT audit is a relative baby to its much older professional sibling. In its “History of Information Technology Auditing,” Wikipedia explains that the first use of a computerized accounting system was in 1954 at General Electric. Through the mid-1960s, the auditing profession was still auditing around the computer. Then in the late ’60s, the American Institute of Certified Public Accountants (AICPA) and the big accounting firms of the day helped develop EDP (electronic data processing) auditing, and the Electronic Data Processing Auditors Association (EDPAA) was born, with the goal of producing guidelines, standards and procedures for EDP audits.
Now known as the Control Objectives for Information and Related Technology (COBIT), “Control Objectives” was published in its first edition in 1977. In 1994, the EDPAA changed its name to Information Systems Audit and Control Association, now known simply as ISACA.
The Role of the IT Auditor
No organization that invests in technology should be without an IT audit presence. For many smaller and medium-sized organizations, employing both an IT auditor and an IT audit manager is not possible. However, the skill sets needed by an IT auditor in a small to medium-sized organization are identical to the skill sets needed by an IT audit manager in a larger organization. Whether or not an IT audit professional supervises others is quite independent from the characteristics and skill sets needed to succeed in the profession. In the discussion that follows, the IT auditor working alone and IT audit managers working with staff are considered equivalent.
The uniqueness of the IT audit manager position is in its focus and not in its generally required skill set. There are two levels of skill needed by the IT audit manager—technical and soft—most of which they share with their non-audit peers. The technical skill set allows IT audit managers to function in their specialized audit role. These skills include risk assessment and audit planning, audit testing techniques, applying frameworks for IT control, comprehension of technology and its controlled use within the organization, report writing and quality-assurance techniques. Coupled with certification, such as the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP), among others, these skills will set them apart from peers in terms of knowledge base and professional effort.
Soft skills also are critical and allow the IT audit manager to transition into many other management positions with the organization, not just within information technology. These skills include communication and presentation, critical and strategic thinking, analytics and problem solving, project management, and even internal marketing. All these characteristics should be coupled with a tremendous curiosity, a desire to learn and a willingness to work hard.
Alan Oliphant expressed it well when he wrote in “The New IT Audit Manager” that “a good lesson for new IT audit managers is: If at first you don’t succeed, try something different.” You should remember that you are part of a grander scheme within the organization and have an obligation to keep your job and the jobs of your subordinates vital and fresh. To do this, play like a team player, share yourself by giving of your specialized and general knowledge, and continue to grow and learn as if you are still green. Without such an approach, you will begin to rot.
Career Wisdom for IT Audit Professionals
What can be said to today’s IT audit professional (or those wanting to move in that direction) that cannot be found in a basic management course? You can find solid career wisdom in the words of both the famous and the infamous. To uniquely frame the needed skill set of the IT audit manager, here are 10 unique aspects of the job, viewed through the eyes of others, none of whom is or was an auditor:
1. “One hundred percent of the shots you don’t take don’t go in.” – Wayne Gretzky, former National Hockey League Superstar
Sometimes it is important to take a stand, to be unique in your advice or approach and to take a chan