IT AUDIT: HOW READY ARE YOU FOR THE CHALLENGE?

In today's world, business is enabled, disrupted and moved to its next horizon through technology. Business strategy is becoming inextricably interwoven with information technology. Technology leaders are now key drivers of business strategy execution. The audit plan should therefore now largely be an IT audit plan.

Information technology (IT) has undoubtedly become an essential component of any business's vision, mission, principles, strategy and plan. Present-day innovation, collaboration and communication happen through digital information technology. IT makes it possible to streamline business processes, minimize costs, increase performance, optimize profit, provide better customer service, and support better relationships with key business stakeholders. Technology and information play a prominent part in companies of all sizes, from multinational organizations running on private cloud to small businesses using public cloud for email, storage, collaboration and compliance. Gone are the days when technology was considered merely an enabler; today it is seen as a key driver of emerging business models. Information technology is now a cost of doing business as well as an incentive to expand it.

In this IT-focused digital age, internal auditors face a major challenge: how to better address a company-wide evaluation of IT risks and controls within the framework of their overall assurance and advisory services. Earlier IT audits were based on the organization's risk assessment; modern times, however, require fresh thinking, since many risks and compliance requirements are still emerging. The best way to deal with this is to develop an IT audit plan that aligns better with the organization's business objectives and model.

Understanding business objectives and internal and external threats to define the IA IT plan

As per the IIA, the mission of internal audit is “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” To achieve this, the IA function needs to clearly understand the business objectives, the organization's strategy and its execution approach.

Internal auditors need to look at external risk factors such as climate risk, societal risk, natural and political threats, health risk, and a general economic downturn that could result in a sudden, unforeseen loss of demand or supply. They also need to consider treasury risk, third-party risk, and regulatory constraints. Internal risks could include governance risk, strategic risk, operational risk, data risk, liquidity and cash flow management risk, technology risk, fraud risk or human resource management risk. Risk is assessed based on materiality, complexity, volatility of transactions, volume of processing, and the judgement involved. To manage these risks, businesses are moving ahead with digital technology strategies so that they remain nimble, scalable and stable, and have options.

Internal audit thus needs to see how technology is working as an enabler as well as a disruptor, identify the risks that may prevent technology from enabling the achievement of business goals, and consider the risks that emerge with technology adoption. Some of the risks that need to be considered are technology governance risk, technology ethics risk, data risk, information technology architecture risk, cyber and privacy risk, third-party risk, cloud risk, and finance and compliance risk. We have seen enterprises large and small struggling and working with quick fixes to resolve technology risks once they have emerged.

IT mapped to business and process should define the scope, not processes mapped to IT

The traditional planning approach of looking at quantitative and qualitative materiality, mapping processes and sub-processes, identifying the technology that enables them, and scoping the IT audit accordingly is not going to work in the current digital environment, since business nowadays runs on and through technology. If we take the traditional scoping approach, we may look at only a limited side of business-objective assurance, advice or insight. Auditors now need to look at technology audit with a different radar altogether. Based on the insight gained from understanding the business, they need to pick the technology and map the processes within it. This is all the more so because technology has moved along the journey from enabler to disruptor through its influence on interaction, information and compute.

To enable better compute, storage and agile solutions, businesses are moving toward cloud (public or private) and distributed platforms that enable distributed trust, connectivity and assets. IT audit should therefore scope in cloud and distributed platforms to see whether the value of compute is truly achieved. The IT audit scope should cover alignment of the cloud/distributed platform strategy to the business, third-party due diligence, contracting, cloud/distributed platform system hardening and configuration, cyber, privacy and resilience, and monitoring of the cloud/distributed platform against the achievement of business objectives.

Data is one of a company's biggest assets; it enables analysis that provides insight and foresight. Information technology audit should scope in data governance, data management, data architecture and analytics management. Audits of data governance, data ethics, data management, data privacy, and data leakage and prevention build trust in data for effective analytics and enable the organization to move ahead in its journey to predict, prescribe, augment and automate. The success of artificial intelligence depends on data ethics, governance and management. Thus, before a company even begins its AI journey, an audit of data ethics, governance and management becomes essential.

Digital transformation and digital experience are buzzwords in today's environment. The IT audit plan should cover digital strategy, digital transformation due diligence review, audit of digital platform and technology selection and adoption, review of the cyber and privacy aspects of the digital journey, and audit of how the digital experience is monitored.

Companies today interact through technology. Social media, websites, intranet portals, customer and vendor portals, employee connect, and banker and regulator connect interfaces are therefore some of the areas that internal auditors need to carefully assess and review for scoping when preparing the annual audit plan.

Some illustrative areas for IT audit

Based on the organization's objectives, the starting point for the audit process is to identify the IT audit universe, a comprehensive list of potential audit subject areas. The audit plan should then be prepared based on the audit universe, risk assessment and prioritization. Besides traditional IT audit areas such as ERP review, application review, infrastructure review, OS and DB review, cyber and privacy review, network security review, business continuity and resilience audit, and software asset management review, the following are some illustrative areas that could be considered for IT audit:

  • IT governance and strategy audit
  • Cloud and distributed platform audit
  • Data governance and management audit
  • Data analytics and AI audit
  • Social media audit
  • Digital transformation audit
  • Emerging technology (such as RPA/blockchain) audit
  • Cyber security
  • Privacy audit
  • Digital experience and digital reality audit
  • Data protection audit

However, internal audit's biggest challenge in planning and performing this audit plan will be the skills shortage. Internal audit functions generally face the risk of being undermanned and lacking the right specialized technology skill sets in their workforce. The challenge is greater because technology skill sets in emerging areas are generally not available either. Chief Audit Executives (CAEs) need to consider these internal factors while defining the audit plan, and address them through co-sourcing, inviting guest auditors, or adequate training and change management within the IA function.

Nonetheless, considering the omnipresence of technology in business, a comprehensive IT audit plan and its execution are key to the success of the internal audit function in its role as provider of assurance, advice, and insight to the business.

Digital & Risk Management Leader with Digital, Risk Consulting & Auditing strengths. Nature-lover. Mom. Views / RT’s are personal.
