The Future of Audit
By Chris Dimitriadis, PhD, CISA, CISM, CRISC, Chief Global Strategy Officer, ISACA
We have arrived at an era where several key technologies – cloud computing, the Internet of Things (IoT), artificial intelligence, 5G, blockchain, big data – are combining to build more sophisticated and impactful digital ecosystems. These technologies are driving enterprise digital transformation projects that yield vital innovations, but also can lead to unforeseen problems if related business processes are not properly governed and audited.
Auditors have a critical role to play to ensure that their organizations can effectively and securely transform, but the traditional auditor knowledge base of 10 to 20 years ago no longer is sufficient in today’s technology environment. As we glimpse into the future, we will need a more holistic kind of auditor capable of drawing upon knowledge from adjacent professions such as cybersecurity, risk management, IT governance and data privacy. This is essential because auditors need to both inherit ideas from those professions toward innovating their techniques, as well as gain a deeper understanding on what they are planning to audit. Cybersecurity and privacy, for example, are progressing as professions very rapidly and auditors need to gain good understanding on the latest risks and controls for adjusting their auditing practices and depth. Risk management is also an integral part of auditing, and the latest approaches in quantified risk management need to be adopted as well. IT governance and management dictate how digital transformation projects are executed, linking technology to the business, and auditors need to align to the state-of-the-art processes in the field for achieving assurance.
The prevalence and importance of digital transformation cuts across industries. For example, in the energy sector, smart grids are connecting devices from power plants to distribution networks and the end consumer. In healthcare, wearable devices are alerting healthcare providers when a patient is experiencing symptoms, with a complete record of the data collected by the device. Thanks to advancements in agricultural technology, farmers can identify with pinpoint precision which areas require more water, pest management or are afflicted with a crop disease. The list goes on – virtually every industry is being revamped due to these new, transformative capabilities.
In each of the examples noted above, technology is the key enabler. It stands to reason, then, that in order to be trusted advisors for these business-critical transformation projects, auditors will need to stretch beyond their previous comfort zones and become more fluent in emerging technologies and how they impact business projects. In many cases, this will mean the need to become well-versed in AI, which is being leveraged for real-time auditing, new pattern identification and related analytics. Gone are the days when auditors can be reactive to risk based on historical data; today’s technology environment moves too quickly for processes that are not focused on ongoing, real-time assessments. Along those lines, the widespread adoption of cloud computing brings access to larger datasets from cloud repositories, meaning knowledge of cloud environments and auditing cloud systems will increasingly come into play. And as blockchain implementations penetrate a growing range of industries, the ability to evaluate blockchain adoptions is another area auditors will need to be able to authoritatively assess.
Technology implementations also are making the relationships between organizations and their vendors more complex. Auditors now need to understand and provide assurance around practices such as:
- Adoption of zero-trust approaches
- Establishment of dynamic and agile auditing practices
- Audit of the whole lifecycle, from design to operation, taking supply chain considerations into account
- Technology enabling the assurance process as complexity increases
- Understanding cyber risks and controls so they can be audited effectively
- Embedding privacy audits in the overall assurance program (and avoiding siloed approaches)
Finally, auditors will need to be increasingly mindful of supply chain considerations as new digital ecosystems emerge. In an increasingly complex supply chain environment – and one that has been challenged mightily by the pandemic and related labor challenges – auditors must be able to manage risk, establish effective monitoring processes and assess performance, among a wide range of other responsibilities. The pandemic era has also underscored the importance of sound business continuity planning, and auditors can deliver useful assessments for whether those plans are sufficient and can be reliably executed. Vendor management, supply chain relationships and business continuity all require layered knowledge from auditors in areas such as risk management and IT governance.
There is a common thread in the considerations highlighted above: the future for auditors will hinge upon auditors’ ability to become generalists, layering knowledge of areas such as security, privacy, governance and emerging technology on top of their vertical expertise in audit. Auditors can also become all the more valuable to their organizations by turning their attention to understanding the gaps between humans and technology, which will affect areas such as ethics and various soft skills that make a big impact for enterprises. Rather than see these challenging new dynamics as career risks, they can serve as major opportunities for auditors who are willing to be lifelong learners – as we should all aspire to be. Auditors will remain in-demand and be increasingly integral to their enterprises for creating value, as long as they evolve with the times and updates their skill sets accordingly.