Should Information Systems Audit Evolve to Information Systems Continuous Monitoring?

Author: Anantha Sayana, CISA, CISM, CIA
Date Published: 6 May 2022

Nothing in this world is static. Everything evolves, and improvements often happen when things evolve.

A long time ago there was only quality control (QC). Goods would be inspected after they were produced, and if they were found defective, they would be rejected or sent back for rework. When quantities were huge, statistical quality control methods were used and only samples were inspected.

This practice of QC did not help much, and the quality of the goods produced continued to be poor and inconsistent. Management teams the world over, guided by thought leaders such as Juran and Deming, began to switch from mere QC to quality assurance (QA) and quality management systems (QMS), which built quality into every step of the manufacturing process rather than checking for it only at the end.

In the same vein, security in information systems should not be a component bolted onto a solution after the fact; it should be built in at every stage of design, architecture, coding, testing and deployment. The recent developments in agile, DevOps and DevSecOps show the shift toward embedding and integrating the necessary security elements into the processes of building and deploying software.

And what about information systems audit? Like QC, is the expectation that IS audit will come in after a solution is deployed and find the holes? If so, how effective would that be? A lot could have happened before the holes are found.

During the early days of information systems audit, every time I would complete an audit and write a report of all the deficiencies and gaps, I would wonder why I was not helping the information systems team and developers during the design and development stages. This shift has happened slowly over the years.

In the current context of digital solutions being developed in an agile mode and in a DevSecOps environment, changes to the solutions are mostly driven by user needs and marketing efforts, and they happen quickly. Point-in-time periodic audits of the solutions in this scenario simply do not cut it.

The need now is continuous monitoring. Information systems auditors need a way to assess changes as they are made and to follow them up with ongoing monitoring. The effects of a poor software modification usually show up in the data and logs, so monitoring must also examine the data and logs on an ongoing basis. With so much progress in automation, it should be possible to build routines that perform these tasks for the auditor.
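One shape such a routine can take, as an added example that is not code from the article or from ISACA: each recorded change is checked for the control evidence the auditor cares about (here, an approval flag), and the service's error rate in the logs for a window before the change is compared with the window after it, so a bad modification surfaces within the hour rather than at the next periodic audit. The change records, log lines, field names, one-hour window and 20-point spike threshold are all constructed assumptions for illustration; a real deployment would read them from the change-management tool and the log platform. A change with no log lines after deployment is reported too, because silence is not evidence that the change behaved.

```python
"""Continuous-monitoring routine: correlate each software change with the
log activity that follows it, instead of auditing once after the fact.

Added example, not part of the original article. The change records, log
lines, field names and thresholds below are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed change records, as a CI/CD pipeline or change-management tool
# might emit them. 'approved' is the control evidence the auditor looks for.
CHANGES = [
    {"id": "CHG-1", "service": "payments", "deployed": "2022-05-01T10:00:00", "approved": True},
    {"id": "CHG-2", "service": "payments", "deployed": "2022-05-01T14:00:00", "approved": False},
    {"id": "CHG-3", "service": "billing", "deployed": "2022-05-01T16:00:00", "approved": True},
    {"id": "CHG-4", "service": "reports", "deployed": "2022-05-01T18:00:00", "approved": True},
]

# Constructed application log lines: "<timestamp> <service> <level> <message>".
LOG_LINES = """\
2022-05-01T09:10:00 payments INFO order accepted
2022-05-01T09:20:00 payments INFO order accepted
2022-05-01T09:30:00 payments INFO order accepted
2022-05-01T09:40:00 payments ERROR upstream timeout
2022-05-01T10:10:00 payments INFO order accepted
2022-05-01T10:20:00 payments INFO order accepted
2022-05-01T10:30:00 payments INFO order accepted
2022-05-01T10:40:00 payments INFO order accepted
2022-05-01T13:10:00 payments INFO order accepted
2022-05-01T13:20:00 payments INFO order accepted
2022-05-01T13:30:00 payments INFO order accepted
2022-05-01T13:40:00 payments INFO order accepted
2022-05-01T14:05:00 payments ERROR null reference in price calculation
2022-05-01T14:10:00 payments ERROR null reference in price calculation
2022-05-01T14:15:00 payments ERROR null reference in price calculation
2022-05-01T14:20:00 payments INFO order accepted
2022-05-01T15:10:00 billing INFO invoice issued
2022-05-01T15:20:00 billing INFO invoice issued
2022-05-01T16:10:00 billing INFO invoice issued
2022-05-01T16:20:00 billing ERROR tax table lookup failed
2022-05-01T16:30:00 billing ERROR tax table lookup failed
2022-05-01T16:40:00 billing INFO invoice issued
"""

WINDOW = timedelta(hours=1)  # assumption: compare one hour before vs one hour after
SPIKE = 0.2                  # assumption: flag a rise of 20 points in error rate


def parse_logs(text):
    """Parse constructed log lines into (timestamp, service, level) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, service, level, _message = line.split(" ", 3)
        entries.append((datetime.fromisoformat(ts), service, level))
    return entries


def error_rate(entries, service, start, end):
    """Fraction of ERROR lines for `service` in [start, end); None if no lines."""
    levels = [lvl for ts, svc, lvl in entries if svc == service and start <= ts < end]
    if not levels:
        return None
    return sum(1 for lvl in levels if lvl == "ERROR") / len(levels)


def assess_change(change, entries, window=WINDOW, spike=SPIKE):
    """Return the auditor's findings for one change: missing control evidence,
    an error-rate spike after deployment, or no log evidence at all."""
    findings = []
    if not change["approved"]:
        findings.append("deployed without recorded approval")
    deployed = datetime.fromisoformat(change["deployed"])
    before = error_rate(entries, change["service"], deployed - window, deployed)
    after = error_rate(entries, change["service"], deployed, deployed + window)
    if after is None:
        findings.append("no log entries after deployment; cannot confirm behaviour")
    else:
        baseline = before if before is not None else 0.0
        if after - baseline >= spike:
            findings.append(f"error rate rose from {baseline:.2f} to {after:.2f}")
    return findings


def monitor(changes, log_text):
    """Run the assessment over every change; returns {change id: [findings]}."""
    entries = parse_logs(log_text)
    return {change["id"]: assess_change(change, entries) for change in changes}


if __name__ == "__main__":
    for change_id, findings in monitor(CHANGES, LOG_LINES).items():
        print(f"{change_id}: {'; '.join(findings) if findings else 'no findings'}")
```

Run as a script, it reports CHG-2 for both the missing approval and the error spike, CHG-3 for the spike alone, CHG-4 for the absence of log evidence, and nothing for CHG-1. In practice the routine would be triggered by each deployment event and re-run when the after-window closes, so the auditor sees the finding while the change is still fresh and easy to roll back.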

Editor’s note: For further insights on this topic, read Anantha Sayana’s recent Journal article, “The Evolution of Information Systems Audit,” ISACA Journal, volume 1, 2022.
