I was a member of an innovation team because of my expertise in servers, Active Directory and general information security practices. However, I also brought my audit background. Because of this, I entered the team with trepidation. I wondered how the innovation effort would honor the processes and controls we had in place to protect the organization. As an auditor, I realized that people operating outside of their domains could lack the knowledge of necessary safeguards and, due to the intended rapid pace of prototyping and development, they would not think about them.
I started thinking about what an auditor should bring to the team. What I quickly realized is that we already have guidance on how to handle an innovation situation. Effectively, we are performing the same function as we do for projects, but at a greater-than-normal speed. In reality, this is no different from working on an emergency project. As an IT industry, we have had a number of global efforts of this type, whether we are talking Y2K or figuring out how to achieve EU General Data Protection Regulation (GDPR) compliance. Individually, most of us have been on those types of projects specific to our industry or our organization.
Practically speaking, just like on those types of projects, communication is key for innovation. It is easy to sit back and wait for people to come to us. However, given the rapid pace of innovation, they will not. To be effective, we must be proactive. Reaching out, especially by methods other than email, is crucial to being an active part of the team. The more we communicate, the more trust we build. The more trust we build, the more weight our fellow teammates are going to give to what we share. Therefore, we have to pour more energy and effort into innovation than our standard practice if we want to ensure that critical controls are met and ensure that proper controls are built into whatever is new. At the end of the day, innovation is like any other project initiative: It is about people.
Read K. Brian Kelley’s recent Journal article:
“Innovation Governance: Innovation and the Auditor,” ISACA Journal, volume 3, 2019.