Technology assurance is not a new word or concept. It is a process of independently assessing technology controls to determine their effectiveness.1 This assessment aims to provide appropriate recommendations to mitigate the control deficiencies identified.
During IT audits, one of the most important areas to assess is IT General Controls (ITGC), which includes evaluating access management, change management, computer operations, and password security controls. Often, these areas act in conjunction with business process controls (integrated audits) to give assurance on the computer systems that support the business process or domain under review. According to a 2019 report, cloud adoption among enterprise organizations is over 94%.2 With many major business applications utilizing cloud-based services, the scope for such reviews is reduced. As a result, some organizations have mostly opted to utilize Service Organization Control (SOC) reports, which provide some insight into the control environment of the third-party cloud hosting organization.
However, businesses have evolved in the last few years and many organizations rely on technology to enable business processes, drive operational resilience, and contribute to the organizational bottom line. The role of technology in businesses has shifted from being a process enabler to becoming the business itself.
Businesses have evolved in the last few years and many organizations rely on technology to enable business processes, drive operational resilience, and contribute to the bottom line.
With technology being at the core of most businesses in the 21st century, the IT auditor needs to think about more risk and assurance activities beyond ITGC. New threats and emerging technologies such as AI, deepfakes, the Internet of Things (IoT), quantum computing, compliance requirements from the Payment Card Industry Data Security Standard (PCI DSS), International Organization for Standardization (ISO), General Data Protection Regulation (GDPR), and many more, have changed the technology landscape. The 21st-century IT audit function can no longer work with old approaches and outdated mindsets regarding risk.
The IT audit function should be designed to adapt to the changing business environment, including sustainability issues, cyberthreats, and operational resilience challenges. The IT audit function should evolve to address these new threats, and the teams’ structure must reflect the same. The evolving digital landscape requires specialty, technical competence, and an open mindset. To ensure the smooth functioning of the IT department, it is essential to establish a well-structured IT audit department. Organizations can enhance their IT audit departments by incorporating three sub-functions (digital technology, emerging technology, and cyberassurance), which can help ensure a comprehensive audit function.
Digital Technology
As organizations embrace digital solutions and transform, the audit function must be agile enough to keep pace. This arm of the IT audit function will cover some of the more traditional reviews such as ITGC, digital transformation reviews, Service management and operations, integrated audits, IT governance reviews, product and portfolio management, and program management reviews. These IT reviews cover some traditional IT domains crucial to keeping operations afloat and implementing business changes. Digital transformation, for example, could change the way an organization operates including its systems, processes, workflow, and, at certain times, culture. The IT auditor should ensure embedded coverage in the lifecycle of the transformation project, identifying control issues within the delivery lifecycle and ensuring remediation of the gaps identified. This is more beneficial to the IT organization than reviewing after the program has been delivered, considering that many transformation projects are delivered within 18 to 30 months.
Emerging Technology
The adoption of emerging technologies, such as AI, in various organizations has become widespread. For example, An AI model, originally designed to expedite the process of scanning CVs for job recruitment, unintentionally exhibited a bias towards candidates of a specific race, while inadvertently excluding all others.3 These kinds of biases in models should be checked by assurance personnel before deployment. There are also emerging technologies such as quantum computing and IOT. These domains are vast and require an understanding of the underlying technology. Before discussing control conversations, a thorough understanding of the underlying technology is necessary. Otherwise, the assurance community may scramble to catch up. A readiness assessment may be necessary to evaluate the organization’s adaptability. Furthermore, it could be beneficial to explore whether the IT department has reached a level of maturity that would allow for the successful integration of these emerging technologies. Take for example quantum computing, breaking encryption algorithms that previously would have taken years is now possible in minutes. Tech assurance should ask questions and study quantum resistance encryption models such as lattice-based cryptography to assess if their organizations can proactively mitigate risk. This would ensure that recommendations made after an audit around encryption, for example, are forward-looking.
Cyberassurance
Cybersecurity remains one of the most important topics on the agendas of business leaders and regulators. What is new is the impact AI has on lowering the barrier to entry for cyberattacks. Cyberattacks a few years ago may have taken weeks to plan and execute. Now, these attacks can be executed with just the click of a button. Organizations should transition from broad audits called “cyberaudit” and instead consider specific areas in the cyberspectrum. This can be facilitated by following guidelines, such as those provided by the National Institute of Standards and Technology (NIST) and other standards that list the cyberdomains (identify, protect, detect, respond, and recover) for effective management and oversight to leveraging threat models. A threat model makes an organization’s risk assessment more specific to the business environment, which should drive an organization's cyberaudit cycle. Cyberassurance should cover penetration testing, wireless security reviews, sec DevOps reviews, ransomware readiness, OT security, deepfake assessments, adversarial AI, and more.
Conclusion
One reason for the disconnect between IT auditors and Chief Information Officers (CIOs) is a difference in priorities. CIOs are thinking of how to leverage these new technology areas for efficiency and effectiveness whilst managing the emerging risk, but some auditors appear to be raising exceptions that speak to the past and old outdated audit practices. As IT auditors, we should enhance the old and infuse the new. Having coverage of the traditional IT audit areas is great, but cyber needs a different kind of expertise as it has become one of the major business risk globally.4 Similarly, organizations are trying to leverage AI and IoT to improve connectivity and efficiency, however, a different assurance skill and expertise is required for this. The IT audit function must evolve alongside advancing/emerging technology. Failure to do so could result in critical vulnerabilities, consistent pushbacks from auditees, and costly consequences.
Endnotes
1 UK Government Security, “Assessing the Effectiveness of Security Controls”, 31 January 2024
2 Flexera, State of the Cloud Report, 2019
3 Gordon, C.; “AI Recruiting Tools are Rich With Data Bias and CHROs Must Wake Up,” Forbes, 31 December 2023
4 AON, Global Risk Management Survey
Fene Osakwe
Is a multiple award-winning global cybersecurity and digital assurance professional, International conference speaker, Amazon best-selling author, and Forbes-published thought leader. He has over a decade of experience, working in multibillion-dollar companies and consulting for several financial institutions, telecoms and FinTech companies, state governments, and some universities. He holds over 10 technology certifications. He has set up the security and IT audit functions in several global organizations. In one of his previous roles in the largest telecom infrastructure company in Africa and the Middle East, he established the security and GRC function and matured the practice in ensuring the company was listed on the New York Stock Exchange. Osakwe is also a highly sought-after conference speaker at audit, leadership, and cyberconferences. In the last 12 months, He has spoken at over 20 conferences across 4 continents. He also has a Doctorate in Leadership and Innovation from Geneva. He mentors technology graduates at the University of West Minster. Some of his global recognitions include the Top 10 Global Cybersecurity Leaders Under 40, 100 Inspiring Global Personalities 2022, Cybersecurity Excellence Award (Middle East and Africa), the “Cyber Youth Mentor” for 2022 in Dubai, and cyber educator of the Year 2023, London.