Assignment 1: Careers in IT Audit
In the readings this week were several articles on personal characteristics and skills needed in this profession in the area of IT audit and data analytics. I would like each of you to identify one of the four areas from the PwC article Data Driven that you are most likely to do or have the most interest in at this point. Explain what that area interests you and what you see yourself doing in 10 years.I would then like for you to describe, using all of the readings for the week, the skills needed to be successful in that career over the next 12-15 years. Then, I would like for you to do an honest self-assessment of your skills identified in the articles that you possess at this point and conclude how well you are currently prepared for this work.
As an example of this, I will do briefly do a self-assessment of my Excel skills. I have not tried to give you an example of the entire assignment, just the type of self-assessment one might do.
The EY article, Analytics Mindset, people in data analytics should have a mastery of excel. I have significant experience using excel to manipulate data and have used advanced functions such as VLOOKUP and Pivot tables. However, a key skill within excel that I need to improve is speed. For example, I typically use the mouse when highlighting data. Audit managers and partners have reported to me that employees who do not regularly use the keyboard, instead of the mouse, will not acquire the speed necessary to complete jobs on time. Thus, a key skill I need to improve in Excel is mastering the key strokes to improves my efficiency using the tool.
To get the best grade on this assignment, you need to demonstrate that you have been thoughtful in doing this. In the self assessment, you need to explain why you rated yourself in various ways. Note that I used the EY article to identify a key skill. You should not necessarily assume that that is the only way to do this assignment.
The assignment should be no more than three pages single-spaced. You will be graded in part on how well you respond to the items in bold. You may use other material than the articles to sufficiently answer the questions.
Writing structure, grammar, organization, coherence, answering the questions asked, and seriously endeavoring to thoughtfully respond to what was asked all count.
Please answer all of the questions thoroughly in 3 pages single spage
Explain what that area interests you and what you see yourself doing in 10 years.
The area in the Data Driven PwC article that interest me is Audit. In the next ten years, I envision myself working in public accounting and being an audit manager/partner.
I would then like for you to describe, using all of the readings for the week, the skills needed to be successful in that career over the next 12-15 years.
Please describe the skills needed to be successful in Audit based on the readings
An honest self-assessment of your skills identified in the articles that you possess at this point
Conclude how well you are currently prepared for this work.
IS Audit Basics: Perspectives From a Seasoned Practitioner
Ed Gelbstein, Ph.D.
It was a bit of a surprise and a huge compliment to be invited to contribute to this column after many years reading the words of Tommie Singleton in this space. I shall do my best not to disappoint. To give you a hint as to where this column is going during the upcoming year, let us start with a summary of some lessons learned in my many years dealing with information systems, technologies and audits.
Change is fast and profound. Over the last five decades, technical innovation and new legislation relating to data and information have caused major dislocations. These, in turn, have created the need for new approaches to IS/IT audit. Some of these changes are outlined in figure 1.
While this table is certainly incomplete, the conclusion is that continuous learning is inescapable. Thus, we are required to learn how to learn and then how to unlearn and relearn.1 Failure to do this is a guarantee of professional stagnation and failed careers.
In the IS Audit Basics column, I plan to reflect the lessons I learned both as an auditee and as an IS/IT executive and auditor. I intend for them to be thought-provoking as opposed to sets of procedural “do this” statements.
What We Know We Know
Dependency on IS/IT has become irreversible and its governance and management rely on audit competencies and independence. Innovation cycles are likely to remain short and bring with them new vulnerabilities and management challenges.
Besides, internal and external threats keep changing and, unless mitigated, these could have an adverse and potentially serious effect on organizations. The frameworks for information assurance, security, risk and governance evolve as experience is gained and lessons are learned.
The same is true for audit standards and guidelines. It is prudent to assume that the domains of IS/IT audit have become so large that it is now unlikely that anyone can know everything about it. This makes the development of IS/IT audit strategies that much harder.
On the positive side, the audit profession offers many opportunities for personal and professional growth: progression to chief audit executive (CAE), membership in audit committees, consultancy and senior management roles. The choice is yours, but only if you are prepared.
The following is a good reminder of what the concept of “auditor” covers:2
• I…….Independent (and inquisitive)
Having worked with (and learned much from) many capable auditors, there have been occasions when I came across others who would have done far better to have pursued a different career. Why? Because they showed themselves to be one or more of the following: arrogant, disorganized, undisciplined, opinionated, cynical or emotionally incontinent. Let us say that they were not respected by their victims.
Your Credibility and Other Good Things of Which to be Conscious
Credibility is the essential asset for any auditor. If your independent assessments cannot be backed by your credibility, they are worthless and, therefore, as an auditor, so are you. Credibility is built over time by developing knowledge and experience. It helps to:
• Fully understand what your CAE considers to be “good enough”
• Make certain at all stages that anything you say and write is supported by evidence—be it audit tests that you have personally conducted or documentation you have reviewed
• Maintain confidentiality by discussing audit findings and results with only those who need to know
• Remember that gossip, rumors and other inside information are not evidence
• Not jump to conclusions
Integrity is another fundamental requirement for an auditor, involving honesty, fair dealing (or objectivity) and truthfulness.
Finally, after passing the Certified Information Systems Auditor (CISA) examination, you are likely to be dealing with experienced professionals from whom you can learn much. Make sure you take the time to do so, as this is the best way to broaden your understanding and experience of the audit process and the interpersonal and political dimensions of the job. Ask lots of questions, particularly “Why?,” until you are satisfied with your understanding.
It is good to remember that while management understands the role and importance of audits, when the time comes, auditors are rarely welcome. After all, when the auditors descend on a team carrying out project or operational work, the result is disruption: The auditors need documentation and access to data, request meetings over a period of several weeks or more, and keep asking awkward questions.
Bear in mind that some auditees may have had bad experiences if previous auditors created the impression that they were focused on criticism, assigning blame or engaged in the mindless pursuit of perfection. Besides, if members of previous audit teams were not well informed about the role of IS/IT in the organization—its criticality, structure, resources, past performance and related issues—they may have been perceived as not making good use of the time assigned in the audit plan or focusing on irrelevant areas.
It is important for auditors to understand the auditee’s history: What was the scope of past audits? What actions were recommended (particularly those worded “shall” rather than “should”)? And, how many of these implementations were re-audited? It is also important to find out how many of the recommendations were not implemented and why.
Knowledge of the audit history should include the approach taken by your predecessors, the audit strategy, the adopted standards and guidelines, and, especially, the interpersonal relations between past auditors and auditees. A history of disagreements, conflict and lack of trust is hard to recover from and can easily result in mistrust and resistance.
About the Next Column
The next column will continue this introduction to the realities of IS/IT audits by exploring what makes an audit successful from the perspective of the many parties involved: the auditors, the CAE, the audit committee, senior management and, not least, the auditees.
Given that audits are an activity carried out by people who interact with other people, topics related to soft skills will appear in future columns because successful audits depend on how such interactions take place.
You can be confident that IS/IT technologies will continue to change and with them, audit practices. Be prepared!
1 Alvin Toffler, www.alvintoffler.net/?fa=galleryquotes
2 Tangient, “Introduction to Audit,” boruetthsm, boruetthsm.wikispaces.com/file/view/Auditing.ppt
Ed Gelbstein, Ph.D., has worked in IS/IT in the private and public sectors in various countries for more than 50 years. He did analog and digital development in the 1960s, incorporated digital computers in the control systems for continuous process in the late 60s and early 70s, and managed projects of increasing size and complexity until the early 1990s. In the 1990s, he became an executive at the preprivatized British Railways and then the United Nations global computing and data communications provider. Following his (semi)retirement from the UN, he joined the audit teams of the UN Board of Auditors and the French National Audit Office. He also teaches postgraduate courses on business management of information systems. He can be contacted at [email protected]
A very good insight into audit basics( IT& non IT) looking forward to the next installment!
Posted by Patrick904 on 12 Jan 2015
This is a great article and I long for the next article from Ed Gelbstein. Ed, in your article you made mention of an auditor not drawing his conclusions from hearsay or gossips. My question is incase one hears of such gossips, what should you do as an auditor. Do you investigate it?
Posted by Seyram676 on 21 Jan 2015
My favourite line from this article is: “Credibility is the essential asset for any auditor. If your independent assessments cannot be backed by your credibility, they are worthless and, therefore, as an auditor, so are you.” Maybe we need to incorporate a “C” for credible into the following list: •C….. Credible •A……Analytical •U……Unbiased •D……Diplomatic •I…….Independent (and inquisitive) •T……Thorough •O……Objective •R……Reliable
Posted by Jasbir on 11 Feb 2015
Excellent read, anxiously waiting for the next article.
Posted by Kamran461 on 03 Aug 2015
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.
© 2018 ISACA. All Rights Reserved
• Site Map
• Contact Us
• Press Room
• IP Guidelines