In a world that is changing so rapidly in large part because of data and technology, it’s no surprise that we get questions about the ever evolving role of the IT Auditor. Boards and Executives report they’re facing an increasingly diverse and significant set of top risk, many of which relate to emerging technologies, digital disruption, cyber security, privacy, and making effective use of data. They also say with a clear voice that they expect their IT Auditors to provide assurance and advice with the necessary depth of insight. Helping clients manage risk and deliver strategic value through the best use of the right technologies? This sounds like a job for the IT Auditor.
So, what is IT Audit at Protiviti? Today’s IT Auditor does far more than help to identify and evaluate risk and strengthen the IT control environment. Today’s IT Auditor serves as an advisor to management and the Board and, in many cases, serves as an internal consultant for the organization helping to drive broad-based improvements in the organization’s use of technology. Today’s IT Auditor also often leads the internal audit function in advancing its own use of data and technology to enable delivery of more efficient, effective, and valuable internal audit activities. The following are all questions they help the organization to answer: Are our systems secure from security threats? Are we appropriately protecting the sensitive data we’re entrusted with? Is our technology environment sufficiently resilient and could our systems be recovered in an emergency? Is the technology we’re using fit-for-purpose and supporting the organization’s strategy? Are we able to capture and make use of the right data to drive quick and quality decisions? Do we have the right processes in place to manage our key IT service providers?
What role does an IT Auditor play? IT Auditors are involved in everything from conducting risk assessment, scoping of individual reviews, interviewing key personnel, review system configurations and data, using a variety of tools (security scanning, analytics, robotics etc.), performing control tests, documenting results, and making recommendations.
Why is the IT Audit role an exciting one? Today’s IT Auditor conducts a wide range of reviews: identification and tests of core IT controls (often in support of regulations for public companies), traditional compliance type-audits, reviews of IT operational processes, and advisory and consulting projects (often performed in direct partnership with IT personnel). As we’ve noted, they are involved in assessing and advising on virtually every aspect of the way an organization uses (or should be using) technology to protect and enhance enterprise value – security, privacy, software development, disaster recovery, technology governance, business intelligence, and many others. The advisement in this area is communicated not only with the necessary level of technical depth, but also in consideration of broader business context.
Tell me more. We’ve got you. We caught up with a few of our experts to understand recent projects that they’ve worked on in the IT Audit space. We discuss project work, the value of that work, and the future of IT Audit. Let’s get to it!
Project 1: Seeing the Big Picture
We first caught up with Edward who chats with us about a Vulnerability Management Assessment he worked on for cloud-based software company. The team was tasked with assessing the vulnerability management environment of the company and providing recommendations on improving and further maturing their process. The goal was to look at how vulnerabilities in the environment were being identified, tracked and ultimately addressed, and to find improvements within that process.
Why was this project unique?
“It was really exciting that we centered on the vulnerability management function, which is where our client is essentially looking at their IT environment for weaknesses that could be exposed. I’ll also note that we worked with several other functions within the organization. To this point, it was interesting to see how the business functions and not be so siloed, which is really what you’re able to do within the IT Audit solution… you focus on the business as a whole. From that, we saw some really neat technology with this client. Not only can we take the base knowledge of that technology back to Protiviti for process improvement, but we also can take that knowledge and use it in recommendations with our other clients.”
What was the end result of the project?
“The team actually came up with several different findings surrounding the process that we were able to take to the management team. These were exciting findings, and even more exciting was the dialogue that started as a result. Some of the materials that we found in our assessment led to broader implications for the company and started to drive conversations around the best practices and culture of the organization, and we were a part of that discussion.”
Talk to me about the client relationship on this particular project.
“I think the reason we are able to continue working with this client on multiple projects is because we can provide what they need in several areas of the business, with our comprehensive solution offerings and the established connection to their teams! We interact with the client often and have great relationships with their people.”
What’s the future of IT Audit look like, in your opinion?
“Audit, especially in the IT space, is different in that you get to see a lot within an organization. In very technical roles, you tend to only get to see that one section of work that you do in your specific area of focus. In audit, you get to see the bigger picture and make those connections on a high level, and that’s something I really enjoy. From a growth perspective, there’s a clear line of progression and a clear line of training at Protiviti. Once you gain that baseline knowledge, people will look towards you to drive the engagements – it’s unique, and you don’t get that kind of responsibility at every company — especially in the consulting industry.”
Project 2: Identifying the Real Problems
We met up with Sarah, a Senior Consultant, and Jade, a Manager, to learn about a key project they’ve worked on. The scope of the project was to do a Pipeline Change Management Audit.
Why was this project unique?
“This client followed a different type of methodology, so it was not a traditional segregation of duties. It was exciting in that it was a whole new approach for us in thinking through ways to mitigate risk and also educating the client on how to effectively deploy changes in production from a controls perspective.” – Sarah
What was the end result of the project?
“We came up with several high-level observations and ranked those from high to low risk, which helped the client prioritize their efforts and resource allocation. For context, the initial scope of the project was to look at three different teams – and realistically there were about six or seven teams. From a security perspective, the client wasn’t even aware of how these additional teams were supporting the performance of their current processes. When you think you have ‘x’ number of steps to get something done, and there’s double or triple that amount, it can be eye-opening.” – Sarah
Our client relationships are important to us. Using one memory, can you describe this client relationship to me?
“One day the project sponsor came up to me and said, ‘We have had other auditors in here before, and I just really appreciate that you smile when you’re here. We sometimes have people who come in and just do their work and don’t interact with us, and it’s been nice to get to see your positive attitude.’” – Sarah
What did this project mean to you?
“Interesting work and learning to perform audits utilizing a ‘newer’ methodology is exciting and challenging. Most people in professional services want to be in consulting because of the constant challenge and ever-changing engagements due to new clients, industry, regulation, etc. I felt that this was especially true on this particular project as we learned a new topic from end to end in a very short time period!” – Jade
“It’s fun that we’re able to go in to projects that cover a diverse array of areas. New industries, new clients — and you’re learning the business and how it integrates with technology. That knowledge makes us well-rounded as consultants and it also keeps things interesting for me from a personal growth perspective! I constantly feel like I am being exposed to new things.” – Sarah
Now that you’ve heard from a few of our team members, hopefully you feel like you have a better understanding of how IT Audit adds value within our organization and for our clients. With that, there is only one question left to answer.
Why Protiviti? With great visibility to leadership at Protiviti and at our clients, you will not only have the opportunity to interact with and learn from seasoned executives but will quickly get to see the value of your work firsthand. Protiviti’s IT Audit teams often partners with our other teams to bring all the necessary skills to our client. It’s through these diverse teams that we bring a unique expertise to our clients! Our teams are always working on behalf of our client’s management and helping them to solve problems and achieve goals. Our IT Audit experts are involved in evaluating and using many of the latest technologies which means that there are constant opportunities for learning and skill development. Last but certainly not least, we pride ourselves on our culture, which is rooted in our core values of integrity, inclusion, and innovation. For a glimpse further inside the organization, be sure to follow us on our social platforms!
Are you seeking a career in IT Audit? Join Us!
We’re looking for more great people – come join us on our journey! For meaningful career opportunities and open positions, visit Protiviti.com/careers.
To Learn More — Follow Us!
To learn more about our company culture, be sure to follow the hashtag #LivingProtiviti on your social platforms.