IT Audit For Beginners: What is an IT Audit? | ACI Learning Audit

ACI Learning | Audit
20 Oct 2021 12:57

Summary

TLDR: In this informative video, Chief Audit Executive Rob Clark discusses the evolution of IT auditing over the past three decades. He emphasizes the shift from segregated financial and operational audits to a more integrated approach, requiring auditors to possess both IT and security knowledge. Clark highlights the importance of continuous learning, risk assessment, and strong soft skills, including emotional intelligence and effective communication, to build trust and provide strategic advice within organizations.

Takeaways

  • 😀 The field of IT auditing has evolved significantly over the past decades, with a shift from segregated functional focus to a more integrated approach.
  • 🔍 Initially, IT auditing was about interfacing with systems to provide data for financial auditors, but it has since expanded to include a broader understanding of IT security and infrastructure.
  • 📱 The prevalence of information technology has increased exponentially, with modern devices having more computing power than the large data centers of the past.
  • 🛡️ IT auditors now need a comprehensive skill set that includes knowledge of IT security to integrate these aspects into their audits effectively.
  • 👥 The role of an IT auditor has matured to include partnership with IT teams, emphasizing collaboration over confrontation in audits.
  • 🌟 Emotional intelligence is crucial for IT auditors to build rapport and communicate effectively with various stakeholders, including senior leadership and boards.
  • 📚 Continuous learning and staying updated with the latest IT and security trends is vital for IT auditors due to the rapidly changing technology landscape.
  • 🛠️ Technical skills are essential, but they must be balanced with the ability to understand and assess risks from a strategic perspective.
  • 📈 IT auditors should be adept at risk assessment, evaluating how technological tools and techniques can either mitigate risks or present new opportunities.
  • 💡 Communication skills are key for IT auditors to convey complex technical information in understandable terms to non-technical stakeholders.
  • 🚀 For those considering a career in IT auditing, having a passion for technology, coupled with strong soft skills, will set them up for success in the field.

Q & A

  • What is the role of an IT auditor according to Rob Clark?

    - An IT auditor's role is to make a positive impact on the organization by examining IT infrastructure and security, ensuring that the organization's strategic goals are not impeded by risks.

  • How did Rob Clark initially get into the audit profession?

    - Rob Clark got into the audit profession by mistake, not initially intending to spend a career in auditing and compliance, but finding a unique opportunity to make a positive impact.

  • What was the initial focus of IT auditing when Rob Clark started his career?

    - Initially, IT auditing was segregated with financial auditors, operational auditors, and EDP (Electronic Data Processing) auditors, with the latter serving as an interface with systems to provide data for financial auditors.

  • How has the role of IT auditors evolved over time?

    - The role of IT auditors has evolved from being segregated to an integrated skill set where everyone on the team has knowledge of IT security and can integrate it into audits.

  • What are some of the necessary skills for someone joining an IT audit team today?

    - Today's IT auditors need to have a collective skillset that includes knowledge of IT security, the ability to examine IT infrastructure and security, and the emotional intelligence to integrate these skills into audits effectively.

  • Why is emotional intelligence important for IT auditors?

    - Emotional intelligence is important for IT auditors to effectively communicate and interact with clients, technology partners, senior leadership, and the board, ensuring that technical information is conveyed in layman's terms.

  • What is the importance of continuous learning in the field of IT auditing?

    - Continuous learning is crucial in IT auditing because technology is ever-changing, and auditors must stay updated on new tools, techniques, and security landscapes to effectively assess risks and recommend improvements.

  • What does Rob Clark look for in terms of technical skills for IT auditors?

    - Rob Clark looks for IT auditors with a combination of technical skills and soft skills, including a passion for understanding information system structures, knowledge of cloud security, the Internet of Things, compliance regulations, and standards.

  • How should IT auditors approach risk assessment?

    - IT auditors should approach risk assessment by starting with the organization's strategic goals and identifying what could impede the achievement of those goals, focusing on areas that could potentially impact the organization's objectives.

  • What is the significance of communication skills for IT auditors?

    - Communication skills are significant for IT auditors to convey technical information in a way that is understood by various stakeholders, avoiding the use of jargon and ensuring that the message is clear and accessible.

  • What is the relationship between IT auditors and IT partners within an organization?

    - The relationship between IT auditors and IT partners should be collaborative, with auditors taking on a partnership role to work alongside IT partners, fostering a 'we' rather than 'us versus them' approach.

Outlines

00:00

😀 Introduction to IT Auditing

This paragraph introduces the topic of IT auditing and welcomes Rob Clark, the Chief Audit Executive, who is set to share insights on the evolution of the IT auditing profession. Rob discusses his accidental entry into auditing and how it has matured over the decades. Initially, the role was segregated with financial auditors, operational auditors, and EDP auditors. The EDP auditors were responsible for interfacing with systems to provide data for financial audits. The discussion highlights the significant changes in IT, from centralized data centers to the prevalence of IT in everyday life, and the need for a modern IT auditor to have a comprehensive understanding of IT security.

05:01

🔍 The Evolution of IT Auditing and Required Skills

In this paragraph, Rob Clark delves into the evolution of IT auditing, emphasizing the shift from segregated roles to an integrated skill set where auditors are expected to have knowledge of IT security. He discusses the importance of continuous learning and adapting to the ever-changing IT landscape. Rob also mentions the need for auditors to understand risk assessment and the application of emerging tools and techniques within an organization. The paragraph underscores the balance between technical skills and the ability to communicate effectively with various stakeholders, including IT partners and senior leadership.

10:01

🤝 Building Effective IT Audit Teams

This paragraph focuses on the soft skills necessary for IT auditors to be effective in their roles. Rob Clark stresses the importance of communication skills and emotional intelligence to interact with clients, technology partners, and senior leadership. He highlights the need for auditors to translate technical jargon into layman's terms to ensure that their messages are understood and to foster an environment where questions are encouraged. The paragraph also touches on the importance of developing communication skills to establish auditors as valued advisors and strategic thought partners within an organization.

Keywords

💡IT Auditing

IT Auditing refers to the examination and evaluation of an organization's information technology infrastructure, policies, and operations. It is crucial for ensuring that the systems are secure, reliable, and aligned with business objectives. In the video, the evolution of IT auditing is discussed, highlighting its transition from segregated functional focus areas to a more integrated approach requiring a broader skill set.

💡Chief Audit Executive

The Chief Audit Executive (CAE) is the head of an organization's internal audit function, responsible for overseeing the audit process and ensuring it meets the organization's goals and regulatory requirements. Rob Clark, the guest in the video, holds this position and shares his insights on the history and future of IT auditing.

💡EDP Auditors

EDP Auditors, short for Electronic Data Processing Auditors, were the predecessors to modern IT auditors. Their primary role was to interface with systems to provide data for financial auditors. The term is used in the script to illustrate the historical context of IT auditing and how it has evolved to encompass a wider range of responsibilities.

💡Information Security

Information Security is the practice of protecting digital information from unauthorized access, use, disclosure, disruption, modification, or destruction. It is a key aspect of IT auditing, as auditors must ensure that an organization's IT systems are secure against potential threats. The script emphasizes the importance of IT auditors having knowledge in this area.

💡Cybersecurity Posture

Cybersecurity Posture refers to the overall state of an organization's cybersecurity defenses and practices. In the video, it is mentioned as an expectation for auditors to be able to discuss and assess, indicating the critical role of IT auditors in evaluating an organization's preparedness against cyber threats.

💡Risk Assessment

Risk Assessment is the process of identifying, analyzing, and evaluating risks to determine how they might affect an organization's ability to achieve its objectives. In the context of IT auditing, it involves understanding the potential risks to IT systems and data and recommending mitigation strategies. The script underscores the importance of starting with risk when considering IT auditing.

💡Technical Skills

Technical Skills in the context of IT auditing involve the ability to understand and work with the technology systems being audited. This includes knowledge of IT infrastructure, security protocols, and relevant standards and regulations. The video script discusses the importance of these skills for IT auditors to effectively assess and recommend improvements to an organization's IT systems.

💡Soft Skills

Soft Skills are personal attributes that enable someone to interact effectively and harmoniously with other people. For IT auditors, these include communication, emotional intelligence, and the ability to convey complex technical information in an understandable manner. The script highlights the need for a balance between technical and soft skills for auditors to be successful.

💡Emotional Intelligence

Emotional Intelligence (EI) is the ability to recognize, understand, and manage one's own and others' emotions. In the video, it is mentioned as a critical soft skill for IT auditors, allowing them to build rapport and communicate effectively with various stakeholders, including IT partners and senior leadership.

💡Partnership

Partnership in the context of IT auditing refers to the collaborative relationship between auditors and the IT department or other stakeholders within an organization. The script emphasizes the importance of auditors taking on a partnership role to work alongside IT professionals, fostering a more effective and positive impact on the organization.

💡Continuing Education

Continuing Education is the pursuit of learning beyond the formal, initial education stage. For IT auditors, it is essential to stay current with the ever-evolving technology landscape. The script mentions the desire for auditors to have a 'constant burning desire for continuing education,' reflecting the need for ongoing learning in the field.

Highlights

Introduction to IT auditing and the role of the chief audit executive, Rob Clark.

Evolution of IT auditing from segregated functional focus to an integrated skill set.

Historical perspective on the transition from EDP auditors to modern IT auditors.

The importance of IT auditors understanding the organization's impact on data security.

The shift from physical data center control to mobile computing capacity.

The necessity for IT auditors to have knowledge of IT security in audits.

Skills required for joining an IT audit team, emphasizing collective skills and knowledge.

The expectation for auditors to examine IT infrastructure and security.

Importance of emotional intelligence in IT auditing for effective communication.

The role of auditors as partners with IT teams for a positive impact.

The need for continuous education and expanding skill sets in IT and security.

Technical skills required for IT auditors, including understanding information system structures.

The significance of risk assessment and the balance between technology and risk management.

Importance of soft skills in IT auditing, especially communication and emotional intelligence.

The challenge of translating technical jargon into understandable terms for stakeholders.

The future of IT auditing and the combination of technical and soft skills for success.

Encouragement for those interested in IT auditing to pursue the field for its impact potential.

Call to action for viewers to subscribe for more content on IT auditing.

Transcripts

00:00

Are you interested in the field of IT auditing? Do you want to become an IT auditor? Stay tuned for more information.

[Music] [Applause]

00:12

Welcome to this video. We're going to talk a bit about IT auditing, and with us today is Rob Clark. He's the chief audit executive and very knowledgeable about the history of IT auditing, and I look forward to his insights in terms of how the profession has evolved. Rob, can you start out by telling us a little bit about what has been the evolution and how we have matured in terms of what IT auditing is all about?

00:36

Well, thank you, Dr. Murdock. It's a pleasure to be here, and, uh, yes, I'd, I can talk about the history of IT auditing because I am that old. I've been doing this now for, I can't even believe I'm old enough to say that I've been doing this for, for three decades. But I got into auditing really kind of by mistake. I really didn't think that I was going to end up spending a career in auditing and compliance, but what I found was a very unique opportunity to make a positive impact on the organization. And when I first got into the audit profession, it was, it was very segregated in terms of its functional focus. We would have financial auditors on one side of the audit house, we would have perhaps some operational auditors, and then we would have what was referred to as EDP auditors, electronic data processing auditors. So yeah, I'm kind of dating myself.

01:35

And the function of the EDP auditors back in the day was to more or less be the interface and with the systems in order to provide data for the financial auditors so that they could do some of their sampling and analysis. And, and occasionally the EDP auditors would end up having conversations with and interacting with the folks within the data center. And computing back at that point was largely controlled through a key in the door, in the lock of a door, because we were separating and controlling access to our key data, because it all resided in one data center.

02:18

And now, boy, have times to change, right? Because now information technology is so prevalent, and we have on our phones the computing capacity that used to take up racks and racks and huge buildings in and of themselves. So now what we're looking at is the migration of, uh, I don't have on my teams anymore people who just have the title of a financial auditor or an operational auditor or even just an IT auditor. I'm looking for that, that integrated skill set where everyone on the team is going to be able to have a certain knowledge of IT security so that we can integrate those into our audits.

03:01

So what are some of the skills that are necessary to be able to join such a team?

03:07

Well, I think one of the things that, that I look for as, when I'm building out an internal audit team, is, is really the, if we're looking at it from the perspective of the chief auditor, our responsibility is to ensure that we have the collective skills, knowledge and competencies in order to be able to accomplish our audit plan. And in every audit function there is going to be the expectation that we are going to examine our IT infrastructure in our IT security. Uh, you, you get into a board room and you're given a presentation, and people expect you to actually speak to what the posture of cyber security is for your organization.

03:45

So what I look for when we are building out a team, and for somebody who's watching this who's perhaps giving consideration to venturing into the world of auditing, what I would say is it's a, it's a wonderful field to get into, because you have an opportunity to make an impact on our organizations in a very unique way. And what I look for is not only those who have the, the skills, knowledge and competencies and awareness of the concepts of information security and information systems, but also those who have the, the lack of a better term, the emotional intelligence to be able to figure out how we can integrate that.

04:23

The last thing we want to do is go into an engagement and start throwing around a bunch of buzzwords and trying to take the position and try to impress the IT partners within our organization that we are subject matter experts in all things IT. It's the first way to lose credibility. What we want to do is actually come alongside of our IT partners, and I use that term partners intentionally, because I believe that the best way for us to be able, as auditors, to be able to effect change and to have a positive impact is for us to take on that partnership, to get on the same side of the table, as it were. And, and actually I do that in, in our entrance conferences. We, we don't, I try not to sit directly across the table and have that sort of us versus them approach, but really to get on the same side of the table and say, let's look at these things together. So the IT auditor has to be familiar with what the landscape of risks is, and those are ever changing. So I look for somebody who has a, that constant burning desire for continuing education, for always wanting to learn and expand their skill sets in all things related to IT and security.

05:38

So what are some of the, the hot topics these days? I'm going to ask you in a few moments, so you can start getting ready mentally, for soft skills, but let's start with the technical side of the skill set. So what are some of the, the technical skills that you will wish that IT auditors who are interested in this field will have as they begin their journey?

05:56

Well, uh, it does have to be a combination of the technical skills and soft skills, but let's talk about the technical skills first. I think for somebody who is considering entering the field of IT auditing, chances are if I'm talking to that person right now, if we're talking to that person, it's somebody who just has a passion for the, maybe they define themselves as a nerd, uh, and, and somebody, and I use that term affectionately, I refer, I put myself in that same category, so I'm not saying that disparagingly, but somebody who really has an understanding of and a desire to understand all of the different aspects of what it takes to, to build an information system structure at an organization. Everything from cloud security to the Internet of Things to understanding all of the compliance regulations and the, the standards, the guidance. Uh, somebody who is not afraid to sit down and go through all 800 pages of the NIST guidance, the National Institute of Standards and Technology guidance, because that actually provides a really good framework for all of the things that we as an organization need to be focusing on.

07:07

So I look for somebody who has the technical expertise. Perhaps they have come from an IT background or in their education or in prior jobs, but it doesn't necessarily require an advanced degree in computer science in order to be a good IT auditor. It takes the aptitude and the desire to constantly learn, because the technology is ever changing. And so I look for somebody who is passionate about trying to expand their skill sets on a continuing basis.

07:37

You mentioned in passing just a moment ago risk assessment and just awareness about risk. So from what you just described, it sounds to me as though they need to be able to balance some of the technologies and the techniques and the different, uh, tools that are available and continue to emerge just about every day, and be able to think from a risk perspective in terms of how does this help us either neutralize some of the risks that can impact organization and, and threaten its, is, its ability to achieve its objectives, but also as an opportunity: how can this tool, technique be applied in my organization, perhaps as a recommendation for the organization to consider, uh, and perhaps adopt? Is that also very important in this case?

08:18

Oh, it's critical. Everything has to start from an understanding of the risk. And there's a, there's a couple words that you just mentioned as you tee that up that I want to be able to kind of pull out. One is just the concept of the evaluation of risk, and the other thing that you, the other word that you mentioned is tools. So we ought to, as auditors, in order to be effective at helping to identify areas of risk, or to utilize tools in the assessment of that. And when we're talking about risk, I think it's important that we define what we mean by risk. Usually if you're having a conversation, and, and oftentimes when I'm teaching classes, I ask people to say, how would you define risk? And typically the first things that people come up with are fraud or security breach or something that is really, you know, that they would categorize as a really adverse impact to the organization.

09:15

I like to kind of bring it back a little bit to say, let's start with defining risk as those things that would potentially impede the organization's ability to achieve its strategic goals. So starting in the, in a risk assessment process with what are our organizational goals, and what is the, the corporation, the company's goals, mission, vision, what is it that we are trying to accomplish, and then asking the question of what would prevent us from achieving that? What would impede our ability?

09:49

Very, very good. Along those lines, then, what kinds of soft skills are very, very important to be able to do that effectively?

09:57

Uh, well, that, that balance, I'm glad we're talking about both of those, because in order for an auditor to be effective, in order for an IT auditor to be effective, there has to be that combination of the, the skills, knowledge and competencies. So it's not just the technical skills. The thing that I see, and I've seen over the years, uh, in trying to develop our IT audit, uh, staff and that side of the house, those people who have the, those, those, uh, technical skills, is that sometimes there is a gap in the communication skills. Uh, what we look for is, and I mentioned this earlier in terms of the emotional intelligence, what we mean by that is the way that we are able to communicate, interact with, uh, not only our clients and our technology partners within the organization, but the senior leadership, the board, the people to whom we're going to be communicating.

10:54

And I think it's absolutely critical to make sure that auditors have a, an ability to take the technical and boil it down into layman's terms. The last thing that we want to do is go into a board meeting and start throwing around a bunch of acronyms and trying to impress the, uh, the, the audience, the recipients of your message, with how smart you are and how many, uh, you know, how technical your, your knowledge is. Because what I see when sitting in some of those board meetings is that when people's eyes begin to glaze over because they don't quite understand what it is that we're trying to convey, then two things happen. Number one, they begin to just tune out. Number two, they're afraid to ask questions, because they don't want to expose themselves as not having knowledge about what it is that you're talking about. And so it's our job as auditors to communicate in a way that our message is going to be understood and received. So what I look for is the development of those communication skills so that we can really take on that perspective of being a partner, a valued advisor, a strategic thought partner with leadership. You combine those skills, those soft skills, with the technical skills and you've got a bright future in this industry.

12:18

Thank you so much for helping us better understand what are some of the key attributes, skills, competencies and expectations that someone who is contemplating joining audit, and in particular IT auditing, and how they can become successful. So your input has been very helpful in better understanding how technical skills need to be balanced with soft skills. And to our viewers, we have a lot more content to share with you, so please subscribe to our channel. There's a lot there for you.

12:51

[Music]

12:56

you
