The turn of the calendar to a new year is always a great time to take pause and reflect. Now that 2019 is in full swing, I wanted to take a quick snapshot of hot topics and trends for the IT audit field in 2019. And just to make sure I wasn’t completely winging it, I checked in with a couple valued industry contacts.
1) Security and availability remain atop nearly all IT (and by association IT audit) departments’ list of top priorities. As John Steensen, a senior director of technology audit for Visa noted, “At Visa, Job #1 is security and Job #2 is systems availability.” This is echoed daily in conversations with heads of IT audit from around the country. IT auditors can continue to expect a steady diet of: firewalls and routers; internet, intranet and web services; remote access systems; telecommunications (data and voice); threat intelligence; systems security (penetration testing, vulnerability management, malware protection); activity and event monitoring; cyber defense and incident response, Dev-Ops, and AWS and cloud infrastructure.
2) Heightened focus on data and data governance. Dan DerGarabedian, the head of information technology and data audit (a title that is in itself telling) for BNP Paribas USA, noted that “Data governance, management and quality has been a very hot topic in the banking industry, and the trend is continuing.” As a result, they value candidates with “hands-on experience in enterprise data management.” Ronnie Dinfotan, VP of information technology internal audit for First Republic Bank in San Francisco, echoed that sentiment, noting that “These days, data savvy resonates more in the world of technology as opposed to only having network savvy.”
3) Increased focus on data analytics. In part related to the above, we continue to see increase focus on the use of data analytics for more efficient and effective auditing. As DerGarabedian noted, “Ten years ago, data analytics were a ‘nice to have.’ Today, it is an absolute and necessary (and expected) skill set to have within your audit department.” Among the desired skillsets, DerGarabedian further noted, are Python, SQL, and the use of visualization tools such as Tableau.
4) Return of the technical IT auditor. Over the past several years, in an effort to address more complex IT environments and heightened technology-related risks, we have witnessed an unmistakable trend to add more technical muscle to IT audit departments. Steensen noted that “at Visa, over the past year we have been transitioning to more of a ‘practitioner hiring model,’ where we seek out experienced technology practitioners with audit experience … and the payback has been great – our audits are deeper, more insightful, and address technical issues at a deeper level than ever before.” (For a more detailed examination of this trend and its challenges see my blog post, “Return of the Technical IT Auditor”).
5) New areas of focus. Continued movement to the cloud, big data, and other technology advancements have continued to bring new areas for IT auditors to focus. Steensen noted some of these new areas of focus for technology audit at Visa: Robotic Process Automation (RPA), machine learning and artificial intelligence, textual analysis, and blockchain, while continuous monitoring/auditing continues to evolve.
Ronnie Dinfotan sees value in an IT auditor with a forensic skill set. “I think the cybercriminals have figured out a long time ago that vulnerability tools were going to detect their backdoor services, and that an IT auditor with a forensic skillset and malware detection experience is what is needed to match some of today’s cybersecurity issues.”
Finally, increasing movement to the cloud requires IT audit to take into account consideration of the legal and contractual perspective. Thierry Dessange, an SVP and audit director with Wells Fargo, notes that, “Everyone is moving to the cloud. As an IT auditor, what should you consider when your organization is confronted with the complexity, and often inflexibility, of a third-party cloud computing contract? Ensure you’ve got the right skills at the table (i.e., legal, information security, finance, IT, operations, sourcing, etc.). You also should be clear about what types of compensating processes, and associated costs, need to be in place where the contract doesn’t provide you with all of the elements that you would want from the third-party cloud service provider.”