Internal Audit’s Role in Business and Technology     2:00 PM – 2:45 PM

Internal Audit has always been about oversight, but mostly in a narrow band. That changed when technology became an integral part of the organization many years ago. Traditionally these areas were staffed with chartered accountants, mainly due to the financial nature of the work, and technology people were later added to do the IT Audit. The reviews of business and technology also occurred in isolation. The need for people in these functions to fully understand both areas has never been greater.

Secondly, what were they auditing against? The company's rules, procedures, policies, and financial standards? This did not take into account situations where the corporate policies, procedures, and by-laws had not kept pace while customer behavior and technology had changed. The result was writing up people who may have been breaking the rules of the Organization but were, in fact, doing the right things. Too often the rules have not kept pace, are outdated, and make no sense; they need changing and updating.

Why is that not happening?

Here are some of the challenges:

  • How was the Audit Plan derived?
  • Familiarity of the Auditor with the Auditee
  • Up-to-date skills of the Auditor. (The fast pace of technology change and innovation has created skills gaps. How can you be sure that the Auditor has the right skills?)
  • What are you benchmarking against? Do you do continuous audits, or is it a point-in-time review?
  • What is the culture in your organization? Are people incentivized to identify problems, or do they hide things? Depending on the approach, inefficacies, deficiencies or vulnerabilities may or may not be exposed.
  • Does the Organization do a thorough review and inventory of its tools to understand which tools were bought and installed, and how they are used? Too often Organizations have bought a lot more than they need. Are these the right tools? Do we understand our own needs?
  • Do you review the “as is” state in your Organization? We rely too much on policy and procedures documentation. Reality may be different. These documents need to be dynamic, and so should the Audit. It has to be more about Risk Management.

Inefficiencies, incompetencies and potential problems are buried all over the organization, and uncovering them requires a review without any preferences to fully understand the business, technology, and operations. What are our needs, our objectives, the effectiveness of our processes and tools, and the costs? Answering these allows redundant processes to be identified and removed. This impacts software and licenses too, which may need to be removed and/or canceled, with proper and effective oversight implemented.


 

Bashir Fancy
President, BIZTEK
Chris Anderson, CA (NZ), CISA, CMC, CISSP
Vice President Cyber Security at BlackBerry Limited

 


 
