Comprehensive audit indispensable in dynamic IT field

May 31, 2016

In the increasingly complex IT field, comprehensive auditing is indispensable, argues Ir. Pieter Schoehuijs, Group CIO at Capgemini. He teaches the module Comprehensive IT-Auditing, the last part of the Executive Master of IT Auditing. He explains the added value of a comprehensive audit.

What is comprehensive auditing?
A comprehensive audit is much more than just a tag indicating that everything is working properly. One looks at the entire correlation and the context in which something is done, instead of only a specific aspect. Your assessment also includes the organization's structure, people's knowledge and expertise, and external influences. It is more of a management interview than a purely technical view. Of course, in this way one connects far better with the company's value creation.

What is the importance of comprehensive auditing?
During the past few years, the IT field has become increasingly dynamic. Formerly, systems were larger and projects often lasted for one or more years. One could conduct project or system audits, audit IT general controls, or use frameworks such as COBIT. All of that still exists up to a certain level; it provides a strong foundation.

But that foundation is now being built on more and more rapidly and with greater diversification. We make use of cloud solutions, infrastructures and platforms as a service. We don't do that with just one supplier, but with several parties. Software is also simply consumed from the cloud. So part of the IT has been subcontracted very flexibly, increasingly to offshore countries such as India. Instead of multi-year projects, we have lean development and DevOps, in which a new version is delivered in short time frames, every few weeks.

All these issues certainly don't make it easier from a CIO and management perspective. Comprehensive auditing is exactly what you need to do in that field. Because if you audit the HR system or a particular project, it will look entirely different from ten years ago.

The IT auditor is given a new strategic role?
Absolutely. Nowadays, each large project within a company has an IT component. As CIO I am also more often in the board room and am more frequently invited to participate in non-IT processes. The IT auditor must go along with the developments. One must not focus exclusively on one component or aspect, but one must be able to translate to the question: what is in the company's interests? A comprehensive audit helps in this respect.

Can you give an example?
A company that is run as a financial holding demands a totally different form of governance, IT organization, IT landscape and risk management from a more integrated company. So in practice one sees that companies deal with this very differently. They make a considered choice for instance to execute something in a light or a heavy manner, as the case may be. And that is not inherently good or bad, but a choice that hopefully suits the company. That depends a lot on the context.

What are the characteristics of a good comprehensive auditor?
You must be willing to look broadly and have a genuine interest in the business processes. What is the company trying to achieve, why does the company exist, what are they doing, how does that work, and how does IT support those business processes? Look at IT through corporate glasses, as a non-IT person. That requires strong communication skills. One has to talk a lot with people outside the IT organization, such as employees of the purchasing department and other business units.

What do you want to give the new generation of IT auditors?
In IT auditing we are used to checklists and models. And we also need them, mind you. But don't come up with a standard checklist if you are doing an audit somewhere. Approach something with an empty sheet of paper and pose a few silly questions. Why do we do this, what is the significance of that, how does that change with time, what does someone else consider to be important? The emphasis must lie on that kind of conceptual thought. Comprehensive auditing is a way of considering the complete set of methods and of keeping your eyes open: when do you apply what, and how. It is the strapping of the tool box.