Innovation teams research new and innovative ways for the business to compete. This usually means accelerating a development cycle, incorporating feedback quickly and continually revising a product or process. In other situations, it may mean taking the organization into new territory, whether it be via new functionality, new market space or the like. Overall, innovation efforts may mean new processes or workflows or operating models. To an auditor, all of this screams risk.
Then there is the idea of using innovation for audit. After all, we are having to look at more and more data to verify controls. There are more touch points in our organizations. There is more of everything, which means auditing becomes bigger. Just as the rest of the organization can seize gains on innovation, so, too, can audit.
Providing Audit Services to the Innovation Team
Domain 3 of the Certified Information Systems Auditor (CISA) job practice is titled “Information Systems Acquisition, Development, and Implementation.”1 Given that an innovation team is likely involved in development and, perhaps, some acquisition and, almost certainly, assisting with the implementation process, we see that audit should play a key role in the operation of an innovation team.
Feasibility, Strategic Goals and Proper Oversight
An auditor serves on a project to ensure that the organization’s resources are used appropriately. As a result, an auditor:
- Reviews the feasibility of projects based on resources, time and other factors
- Evaluates if projects are in line with the organization’s strategic goals
- Ensures that projects, and the management of projects, are properly maintaining oversight and control over project cost, schedule and quality
In essence, the work of an innovation team is no different than any other project team. The difference is that an innovation team usually has a lot of latitude to try and do new things. This freedom can result in approaches that incur high risk to one or more of these functions. It is not a difference of methodology but of reach and speed. Therefore, we can take the role that an auditor plays on a project team and apply it to innovation.
For instance, while there is not likely to be a formal business case for an innovation effort, there still should be enough information on requirements, objectives and goals to evaluate proposed efforts by the innovation team. What is the likelihood that the organization will see enough benefits to offset the cost? One complication some cite is that innovation teams are usually performing work to gain knowledge. Knowledge is an asset, but it is harder to evaluate its value than a physical product. However, this is true of research in general and we have determined mechanisms to evaluate intellectual property already. The key is to realize that innovation is similar to other already-established practices.
Following that line of thinking, consider the case when the team is prototyping or looking at technology to implement. In a normal project, an auditor considers whether or not the security controls are effective. The same applies for an innovation effort. One difference, though, is if the security controls are not sufficient, an auditor could take advantage of innovation’s rapid cycle by providing feedback to develop or improve controls as part of the effort. Just as with any IT project or effort, the earlier on in the process a gap is found, the cheaper it is to solve. Therefore, if a new path is being developed by the innovation team, baking in controls makes more financial sense than waiting until implementation.
Speaking of implementation, given that the best innovation teams have knowledgeable folks from throughout the organization, not all are likely to be up to speed on proper procedures and processes such as those around change control. An auditor can help guide a team down the path of knowing what processes are in place, what controls must be met, and ensuring that an innovation team does not miss something critical that would put the organization at risk.
Of course, this is not the extent of how an auditor can aid an innovation team. Just as there is more to what an auditor does on a project team, there is more that an auditor can do with respect to an innovation team or organizational innovation effort—certainly more than can be covered in an article. Therefore, consider using a project mind-set as a template for determining the scope and value of an auditor with respect to an innovation team.
Operational Risk
Because of the freedom that is given to most innovation teams, there is the possibility that an effort may work with sensitive or protected data as part of the innovation process. Do not stop with data. For instance, an innovation team looking at Internet of Things (IoT) devices may be working on better controlling the temperature on a factory production floor. However, if it bypasses safety controls in its testing, there may be an issue that causes the organization operational loss. Therefore, an innovation team can help reduce this kind of risk by having the appropriate advisement from a skilled auditor. After all, we are supposed to understand the whys of the controls that we have in place. That also means we can ensure that an innovation team’s effort does not compromise one of those controls in a way that is harmful to the business.
Innovation Audits
Finally, after project implementation, an auditor should be involved in doing a post-implementation assessment. The post-implementation assessment serves to do the following:
- Confirm that the benefits gained outweigh the costs of the effort.
- Ensure appropriate lessons learned are recorded and codified for reuse by the organization.
- Verify that post-implementation issues have been identified and are either resolved or moving in that direction.
With respect to innovation, the same process is valuable. There is quite a bit of literature and numerous write-ups on how to do these, but, at the end of the day, they are all assessing these three things.
Organizational Innovation and Audit
Organizational innovation, if effective, results in new operating models, new processes and new procedures as the organization seeks to improve. At the very least, existing models, processes and procedures will be modified. With this type of change, there needs to be an evaluation on the controls in place. Are the existing controls sufficient to handle the new or changed processes? If not, how do they have to evolve?
Of course, it is always best to evaluate the controls before the changes take place. This is not always possible as there may be unknowns that come up as part of the change. However, audit should be involved as soon as possible to determine if changes to controls are necessary. Again, this is not any different from the type of work auditors already do. Just because something is labeled innovation does not mean it is exempt from standard controls.
Innovating Audit
One last area to consider is how to innovate in audit itself. As the amount of data we collect keeps exploding, the more we are having to turn to new technologies to handle this deluge of information. For instance, most security event systems now rely on technologies such as Elasticsearch or other non-Structured Query Language (NoSQL) technologies to handle the different types of event entries from various systems to process these events and dig through them looking for anomalies. This is one example of how innovation is shaping security and, by extension, audit.
However, we should not stop there. We should also look at what can be improved with respect to controls. Most auditors are big advocates of automation where possible. Taking the human element out of things should bring about consistency in process. We always talk about the possibility of human error and, the more we automate, the more we reduce that risk. Innovation should certainly be applied to automation.
We can also look at how we are conducting audits. Perhaps the way certain information is collected is painstakingly slow and manual. A good example I have seen is with Active Directory password setting audits. Too often, auditors ask an administrator for a screenshot. However, some auditors come with a script prepared to extract this information right out of the appropriate Group Policy. Packaged with other audit-appropriate scripts, a lot of the needed information on controls can be collected with a minimum time investment. This is one of the things we seek to do with innovation: improve processes where possible to free up work for other valuable efforts. Innovation when it comes to audit is not about changing the what or the why. It is about changing the how when it makes sense to do so.
The Auditor Plays a Key Role
Innovation should never exclude audit. In fact, having an auditor engaged can provide great benefit to any organization. After all, an auditor actively engaged in the innovation process can ensure that not only does the organization gain more benefit than cost from the innovation work, but that key pitfalls are avoided. While innovation teams and innovation efforts tend to move quickly relative to normal organizational processes, they should still be subject to standard audit expectations. In fact, because they are moving faster, it makes more sense to have an auditor serving the team or effort like any other subject matter expert. Innovation equals quicker, but not at the price of recklessness.
Endnotes
1 ISACA, “Affirm Your Expertise, Advance Your Career: See What’s Next as a CISA,” CISA Certification Overview
K. Brian Kelley
Is an author and columnist focusing primarily on Microsoft SQL Server and Windows security. He currently serves as a data architect and an independent infrastructure/security architect concentrating on Active Directory, SQL Server and Windows Server. He has served in a myriad of other positions including senior database administrator, data warehouse architect, web developer, incident response team lead and project manager. Kelley has spoken at 24 Hours of PASS, IT/Dev Connections, SQLConnections, the TechnoSecurity and Forensics Investigation Conference, the IT GRC Forum, SyntaxCon, and at various SQL Saturdays, Code Camps, and user groups.