Robotic Process Automation and Other Key Advances
A number of technological advances are emerging that, when implemented by IT audit, will upend the traditional approach to IT auditing. Among the advances: robotic process automation, advanced analytics, and process mining. Protiviti’s Andrew Struthers-Kennedy and Ashley Cuevas explore several changes coming to the IT audit function, and how each will increase the department’s business value.
with co-author Ashley Cuevas
Organizations everywhere are progressing on their digital journeys at a healthy clip. They’re evaluating and adopting new technologies quickly and compressing the time it takes for a project to go from concept to implementation. In this fast-paced, technology-driven climate, IT auditors and IT audit functions must also evolve and transform, with no time to waste.
IT auditors need to be more agile, dynamic and progressive in the ways they assess potential risks in IT initiatives and the overall IT environment. And they can start by stepping up their engagement and alignment with IT and business stakeholders across the organization.
Collaboration and Partnerships Are Key
For IT audit leaders, the focus should be on building strong relationships with other leaders and subject matter experts who can provide valuable top-down direction. IT audit’s success also hinges on its reputation in the organization. IT auditors must be able to add value through their work on IT projects and activities. Their work cannot be focused solely on controls and compliance. Rather, they need to build reputations as capable risk advisers who help ensure that guardrails are in place so that technology projects are managed in a risk-savvy manner without unduly impeding progress and innovation.
What should this involve? Effective partnering and collaboration with central IT, compliance teams and line-of-business stakeholders are required, along with key stakeholders in functional areas such as finance, human resources, legal, and sales and marketing. IT auditors have to understand not only the technology usage across the organization, but also the alignment of systems and technologies with the business objectives of their stakeholders.
Early Is Better
What’s more, IT auditors need to become involved with projects early, more often and in a more integrated fashion. In today’s fast-paced environment of digital transformation, the traditional retrospective approach to IT auditing is no longer effective. The IT audit should span the entire technology project lifecycle, beginning with project concept and business case development and extending into the planning and design phases, through development and testing and throughout the implementation and post-implementation phases.
IT audit functions that are involved early and throughout the technology implementation lifecycle increase the likelihood that project risks will be identified, escalated, evaluated and acted on in as close to real time as possible.
The audit plan, too, should evolve from an annual plan to a real-time plan so that IT audits are implemented where and when they’re needed.
Finally, with today’s growing business challenges and the rapid speed of technology changes, stakeholders expect IT auditors to deliver real-time risk advice along with strategic insights. To this end, IT auditors need to operate in a continuous learning mode, actively monitoring the market and technology trends, new vendors and new solutions. Armed with this insight, they can effectively help organizations understand and manage existing and potential future risks and can knowledgeably evaluate technologies as they’re introduced into the business.
The most successful IT auditors are those who can strike this balance between providing risk assurance and imparting strategic advice that helps move the business forward.
A Look at Robotic Process Automation
Robotic process automation (RPA) is one of many emerging technologies rapidly gaining traction among enterprises. RPA presents both opportunities and risks for IT auditors.
RPA automates simple processes by following defined steps, particularly routine back-office tasks that require no (or significantly reduced) human intervention. Say, for example, a company implements RPA in its system access and provisioning processes for new employees. Traditionally, the request, review, approval and access provisioning require quite a bit of time and resources, as well as interactions with multiple systems, while at the same time introducing the risk of manual error. Automating portions of these activities shortens the provisioning time and reduces the risk of human error significantly. New employees get access to the system they need faster and can start being fully productive sooner.
Naturally, IT auditors need to be knowledgeable about RPA to provide the business with effective advisory and assurance input. This knowledge also fuels more informed decision-making and agile course-correcting when business needs change.
Among other things, IT audit must evaluate whether each application of RPA is operating as intended. This is accomplished by looking at a variety of risk and control points, such as governance, performance, security, identity management, integrity and change management, among others. Ideally, the IT auditors would have been involved in the RPA project pre-implementation and would have helped integrate governance, risk and controls into the RPA process. At a minimum, IT audit should actively pursue opportunities to review previously implemented RPA use cases for appropriateness.
RPA also can help make IT audit activities more efficient and comprehensive. Auditors can use automation such as RPA to streamline and address gaps in processes and controls. Automating routine activities, such as data gathering, criteria evaluation and reconciliations, frees up IT auditors to focus more of their time and effort on anomalies and high-risk areas.
Analytics and Process Mining
Although they’re not new fields, data analytics and data mining have received greater attention of late with the focus on digital transformation. Process mining, a new breed of analytics solutions, is emerging and offers the potential of game-changing improvements in efficiency and insight. As with RPA, more organizations are exploring and applying advanced analytics such as machine learning, deep learning and natural language processing to their business operations.
Advanced analytics enable IT auditors to increase their risk coverage across a myriad of data. They can identify trends and predict areas of higher risk. Analytics help IT auditors implement governance that helps enforce accountability, demonstrate value and measure progress.
Similarly, using data output such as system event and transaction logs, process mining provides a deeper view into how a process is working. Such capabilities allow auditors to significantly streamline activities such as walkthroughs, focus their attention on the areas of highest risk (e.g., non-routine methods of transaction processing) and get to the point of close-to-continuous monitoring of high-risk areas of the business. This allows IT auditors to help answer questions about what’s happening now and what might happen next, rather than being able to report only what has already happened.
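As an added illustration (not from the original article), the sketch below applies the process-mining idea to the access-provisioning example used earlier: it rebuilds each case's path from an event log, counts the process variants, and flags non-routine cases. The log rows, case IDs, actor names and the expected request, review, approve, provision sequence are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample event log: (case id, timestamp, activity, actor).
EVENT_LOG = [
    ("REQ-1001", "2024-03-04T09:00", "request", "hr_portal"),
    ("REQ-1001", "2024-03-04T09:20", "review", "it_analyst"),
    ("REQ-1001", "2024-03-04T10:05", "approve", "manager_a"),
    ("REQ-1001", "2024-03-04T10:06", "provision", "rpa_bot"),
    ("REQ-1002", "2024-03-05T08:30", "request", "hr_portal"),
    ("REQ-1002", "2024-03-05T08:45", "review", "it_analyst"),
    ("REQ-1002", "2024-03-05T09:10", "approve", "manager_b"),
    ("REQ-1002", "2024-03-05T09:11", "provision", "rpa_bot"),
    ("REQ-1003", "2024-03-06T14:00", "request", "hr_portal"),
    ("REQ-1003", "2024-03-06T14:01", "provision", "rpa_bot"),
    ("REQ-1004", "2024-03-07T11:00", "request", "hr_portal"),
    ("REQ-1004", "2024-03-07T11:15", "review", "it_analyst"),
    ("REQ-1004", "2024-03-07T11:16", "provision", "rpa_bot"),
    ("REQ-1004", "2024-03-07T16:40", "approve", "manager_a"),
]

# Assumed routine path, taken from the steps named in the provisioning example.
EXPECTED = ("request", "review", "approve", "provision")

def traces(log):
    """Group events by case and order them by timestamp (ISO strings sort correctly)."""
    by_case = defaultdict(list)
    for case, _ts, activity, _actor in sorted(log, key=lambda e: (e[0], e[1])):
        by_case[case].append(activity)
    return dict(by_case)

def variants(log):
    """Count how many cases follow each distinct activity sequence."""
    return Counter(tuple(acts) for acts in traces(log).values())

def findings(log):
    """Return {case: [issues]} for every case that deviates from EXPECTED."""
    out = {}
    for case, acts in traces(log).items():
        issues = [f"skipped {step}" for step in EXPECTED if step not in acts]
        if "approve" in acts and "provision" in acts \
                and acts.index("provision") < acts.index("approve"):
            issues.append("provision before approve")
        if issues:
            out[case] = issues
    return out

if __name__ == "__main__":
    for path, count in variants(EVENT_LOG).most_common():
        print(count, " -> ".join(path))
    for case, issues in findings(EVENT_LOG).items():
        print(case, "; ".join(issues))
```

The variant counts show how much of the population follows the routine path, while the flagged cases are the ones that merit an auditor's manual attention.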
Advanced analytics, process mining, RPA and other technologies are giving IT auditors the tools and knowledge they need to turn the traditional rearview approach to IT auditing on its head. In the digital era, IT auditors need to be proactive and embrace new levels of engagement and expertise that will help them add even greater value to the business.
Ashley Cuevas is a Director in Protiviti’s IT Consulting practice and based in the Houston office. She has a BBA in Information Systems and Decision Sciences with a concentration in Internal Audit from Louisiana State University.
Over the past 10 years, Ashley has worked with a variety of clients, mainly in the energy industry, performing various risk and business consulting projects, as well as IT internal audits. She has provided client services related to ERP implementation risk, configurable controls identification, segregation of duties, sensitive access, application security design, and security and change management process improvement. Additionally, she has led numerous SOX engagements.