IT is continuing to progress. Personal and business computing solutions are increasingly elaborate and far-reaching. And concepts such as the Internet of Things (IoT), machine learning (ML) and artificial intelligence (AI) have begun to be applied in a practical way.
Such progress benefits individuals, for whom it promises a change in the quality of life. It also benefits organizations, which see opportunities for innovation multiplied. At the same time, it has increased technological complexity, increasing the attack surface.
Consequently, the expectations of IT assurance have changed. It is required that professionals in this area achieve a deep understanding of the organization and its changing environment. It is a big challenge for them, and they must master a varied and intricate volume of knowledge from various sources and disciplines to perform their work efficiently.
Meanwhile, classic assurance strategies, mainly those of internal control documentation, do not respond to these new requirements. They are limited and insufficient for most IT assurance jobs. They lack the necessary methods, techniques and tools because they are based on standards inherited from general assurance, not oriented to systems engineering. Among other vulnerabilities, they do not enable the discovery and correlation of the multiple organizational and computer components, diversity of internal and external agents, and of the set of related facts.
If IT assurance jobs do not meet these new requirements, organizations will be exposed to negative impacts. Incomplete and superficial knowledge of internal control may result in test procedures that are lacking or ineffective. Therefore, IT assurance reports will not reflect reality, and their conclusions cannot establish with certainty the degree of IT’s contribution to the organization's mission.
In my recent Journal article, I show how to meet and overcome this challenge through a new methodology and software for planning IT assurance work, which I have named IT Semantic Audit.
Editor’s note: For further insights on this topic, read Huáscar Méndez’s recent Journal article, “Innovation in the IT Audit Process,” ISACA® Journal, volume 1, 2020.