Information Security Matters: Does IT Auditing Still Make Sense?

Information Security Matters
Author: Steven J. Ross, CISA, CDPSE, AFBCI, MBCP
Date Published: 1 May 2019


Don’t worry. The answer is “Yes.”

But wait a second. What is this question doing on top of a column called “Information Security Matters”?

IT Auditing and Information Security

I would like to make the case that IT1 auditors are important contributors to information security and have been since the auditing profession realized that it needed to get hip to those crazy machines in the basement that were eating their balance sheets. In this year in which we celebrate ISACA’s 50th anniversary, it is worth asking how IT auditing as we knew it a half century ago has matured and changed.

ISACA was, after all, an association formed by and for IT auditors. IT auditing, as we knew it 50 years ago, has grown and transformed itself into information security, so I feel within my rights to ask the titular question. Oh, and it has become more than information security. ISACA’s website tells us that the organization’s constituency now encompasses consultants, educators, regulators, chief information officers (CIOs) and internal auditors as well as information security professionals and IT auditors.2 So, is that where we can find IT auditing today?

Of course, there are still many IT specialists within the ranks of internal and external auditors. In the great majority of cases, these people perform audits of the controls embedded in information systems and support the information needs of financial auditors. While retaining their independence, they usually maintain close relationships with those in the aforementioned specialties derived from IT auditing over the last five decades.

Trust in Information Systems

In one way or another, both IT auditors and all those professionals in related fields3 are concerned with the matter of trust (or the lack thereof) in information systems and the data they manage. Simply put, can we as individuals, companies, government agencies and as a society trust the systems that provide us with information? That trust is threatened by human frailty and error, so we have built controls into the systems to detect and repair the myriad mistakes that people make. Of course, some of those frail humans are programmers, so it may be the system rather than the user that goofs. For that reason, we also need controls over the process by which systems are developed and implemented.

Sadly, from the very beginning of commercial information technology, trust has been undermined by the malicious as well as the error prone. Therefore, we have needed security as well as controls for as long as invisible ones and zeroes could be translated into money, power or both. When IT auditing sprang into existence in the 1960s, it was the sole voice calling for both controls and security in information systems.

Sometime between 1969 and this glorious anniversary, business users and managers heard that voice and implemented security and controls (and risk management and business continuity and compliance and disaster recovery and, and, and…), so there was no further need for IT auditing and the field shriveled and disappeared.

Well, actually, no it did not.

Keeping Others Honest

If for no other reason, IT auditing perseveres because it keeps all the other trust- and controls-related professions honest. The fact that there is a community of interest among those who would mitigate risk and enforce security does not mean that everyone within that community performs their functions well. So well-trained and independent observers, a.k.a. IT auditors, have the role of review and oversight.

Specific to information security, both IT auditors and security professionals have the same objective: keeping an organization’s information resources safe from misuse. In much the same way, both football players and referees have a common interest in the integrity of the game. Each has its role, and the systems and the games would collapse without them.


This does not mean that an auditor’s judgment should supersede that of the auditee, in this case the chief information security officer (CISO). There needs to be an objective basis for any audit comments; that basis ought to be generally recognized standards, both internal and external, as well as best practice. These, plus the information security department’s own plans and objectives, should be the source of a dialog as to whether the function is meeting its own goals in a standards-based manner.

IT Auditing and Cybersecurity

Unfortunately, in this era of cybersecurity threats, mere compliance with standards may be insufficient. While it is true that some organizations that have been attacked have been found to have fallen short in their security, many others with excellent security practices have also been victimized. Despite the often-heard cry, “Where were the auditors?” neither they nor the information security function was at fault. The value of IT auditing in these circumstances, as I see it, is that the auditors can attest that information security protections were properly implemented despite the fact that they were overcome.

In the aftermath of a successful cyberattack, IT auditors will hardly be alone in trying to determine how it was perpetrated. Frankly, IT auditors are unlikely to be the most capable of detecting technology flaws. But, given that such a high percentage of successful cyberattacks stemmed from nontechnical actions (i.e., stolen credentials, phishing),4 IT auditing might help make the case that cybersecurity protections may be redirected more to training and awareness than to adding more and more technology.

In effect, IT auditing has become a consultative function with the ear of senior management and the board of directors (BoD). Likewise, the ability to explain to information security and risk management professionals what the higher-ups are expecting is a very valuable service. So, for that matter, is the entrée IT audit has into an organization’s upper ranks to explain the reality of the risk it faces.5

IT auditing in 2019 is not what it was in 1969. What is? The fact that it has spawned so many controls-related specialties is a testament to the need over all these years for the expertise, insight and dedication that IT auditing had…and has. From the perspective of my own career, which has included IT auditing, information security, risk management, consulting and education (how about that for checking all of ISACA’s boxes?), I can say that the world of information technology would be a more dangerous place without IT auditing, past and present. If today IT auditing is focused on making sure all the others who secure information systems are doing their jobs and doing them well, I say that we are all better for it.

Endnotes

1 We called it electronic data processing (EDP) auditing in those days, but let us not be picky.
2 ISACA, History of ISACA, h04.v6pu.com/why-isaca/about-us/history.
3 Ross, S.; “Unsung Security Heroes,” ISACA Journal, vol. 5, 2016, h04.v6pu.com/resources/isaca-journal/issues.
4 Verizon, 2018 Data Breach Investigations Report, USA, 2018, http://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf. Theft of credentials is mentioned throughout the report, but I believe the most relevant statistics are on page 9.
5 ISACA and Institute of Internal Auditors Research Foundation, “Cybersecurity: What the Board of Directors Needs to Ask,” USA, 2014. Perhaps the best example I know. Importantly, it was jointly published by ISACA and the Institute of Internal Auditors.

Steven J. Ross, CISA, AFBCI, CISSP, MBCP
is executive principal of Risk Masters International LLC. Ross has been writing one of the Journal’s most popular columns since 1998. He can be reached at stross@riskmastersintl.com.