IT Audits: Running to Stand Still

Author: Ian Cooke, CISA, CRISC, CGEIT, CDPSE, COBIT 5 Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, FIP, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt
Date Published: 29 September 2020

The work life of an IT auditor can be a thankless one. As the IT department becomes busier, it is increasingly difficult to get IT audit reports over the line. When they are completed, what is the reward? A new assignment in a new area with new technology. Indeed, resources are often so stretched in both IT and audit that the days of auditing applications or processes to a cycle are a thing of the past. IT auditors can literally feel that they are running to stand still.

This can result in individual applications or IT processes being audited less often. Therefore, when an incident does arise in these areas, the question is then asked—didn’t audit review that? Well, yes, in 2017! Things may very well have changed a lot since then. The fundamental problem with any IT audit is that it reflects a single point in time. Even if you perform a stellar audit, find all the issues and have them all mitigated immediately, there is still a chance that the next change to the application or process will introduce or reintroduce the risk.

What is the solution? Continuous auditing can help. This approach allows IT auditors to identify key risk, gather the required evidence using automated, computer-based solutions, and monitor that risk on a continuous basis. Where a level of maturity exists, continuous auditing can evolve to become continuous monitoring, allowing the first or second line to monitor the risk. Audit will then provide continuous assurance, a combination of continuous auditing and testing of the continuous monitoring solutions operated by the first and second lines of defense.

The risk indicators (metrics capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite) can be identified using COBIT 2019.

Editor’s note: For further insights on this topic, read Ian Cooke’s recent Journal article, “Defining Targets for Continuous IT Auditing using COBIT 2019,” volume 5, 2020.