On the Need for Combined Assurance

Author: Ian Cooke, CISA, CRISC, CGEIT, CDPSE, COBIT 5 Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, FIP, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt
Date Published: 31 December 2021
Related: ITAF, 4th Edition | Digital | English

Fifty years of the ISACA® Journal is quite an achievement in this age of digital disruption. Indeed, over the last 50 years there have been vast changes in IT. Opinions vary, but one of the most disruptive was the invention of the Internet, which, in turn, led to the creation of cloud computing.

Considering cloud computing and reviewing ISACA’s Amazon Web Services (AWS)1 and Microsoft Azure2 audit programs can put into perspective how the fundamental IT controls have not changed much in 50 years. For example, governance, disaster recovery, and identity and access management (IAM) are still key concerns, as I noted when I reviewed an EDP Auditor article from 1984 titled “Automated Audit Risk Analysis.”3

The most striking thing to note is that no external risk factors are mentioned in the 1984 EDP Auditor article. The most logical explanation is that, first, in 1984 there was no Internet to speak of, which means that cybersecurity risk did not yet widely exist, and second, there was little or no IT-related regulation or associated compliance requirements.4

These regulatory and compliance requirements seem to have emerged as a key difference in the IT auditor’s perspective over the last few years. The Internet has brought interconnection and, with it, added complexity, including cybersecurity risk. However, it is no longer acceptable to simply mitigate this risk; practitioners must also be able to demonstrate that the proper controls have been implemented and that risk has indeed been mitigated across the enterprise. In other words, practitioners must be able to demonstrate security and compliance.

And while it is important to acknowledge that the law can be slow to catch up with technology, there has been an abundance of legislation and compliance requirements put in place for technology in recent years, including the US Sarbanes-Oxley Act of 2002 (SOX), the EU General Data Protection Regulation (GDPR) and the global Payment Card Industry Data Security Standard (PCI DSS). There are many others in the pipeline. These regulations are often overlapping and complementary, but there can be conflicts and tension between them that result in increased complexity and compliance gaps.

Three Lines of Defense

To help mitigate risk and demonstrate compliance, The Institute of Internal Auditors (IIA) released its Three Lines of Defense model in 2013.5 However, the main challenge with this model has been that it assumes that there are distinct lines of defense and that the execution of risk management and controls is vertical and linear. If the model is applied rigidly, this can create silos, meaning that those responsible for activities within each line of defense view the management of risk and the provision of assurance solely from the perspective of their respective line, creating a high potential for duplication and inefficiency. This may also create gaps in coverage between the lines, with important risk areas not being managed effectively.6

As a result, The IIA updated the model in July 2020. It reiterates that internal audit’s independence from management ensures that it is free from hindrance and bias in its planning and in the carrying out of its work,7 while also noting that independence does not imply isolation.8 Indeed, there must be regular interaction between the internal audit team and management to ensure that the work of internal audit is relevant and aligned with the organization’s strategic and operational needs. There is also a need for collaboration and communication across both the first- and second-line roles of management and internal audit to ensure that there is no unnecessary duplication, overlap or gaps.9

Combined Assurance

This need for collaboration provides a path to combined assurance, which aims to align assurance processes between internal audit and other assurance providers (e.g., the second line) to deliver deeper insights on governance, risk and control management to senior management and the audit committee.10

True combined assurance represents the ultimate level of coordination, including elements such as combined scheduling, consolidated planning and reporting, shared terminology and the use of common and shared technology.11 As IT becomes even more pervasive and complex, combined assurance is likely the only way that IT audit will be able to provide assurance over the next 50 years.

However, combined assurance will require an iterative approach and, as such, it is likely to be some time before many enterprises are able to implement it. To get started, IT auditors should consider completing several steps:12

  • Publish an audit plan in advance—Unless the element of surprise is a requirement for an audit, publishing the audit plan as far in advance as possible is beneficial. Although this means that management might improve controls before the audit, it is likely that any existing risk will be mitigated, even if the review is subsequently cancelled.
  • Publish the standards to which the organization is being audited—Unless there is a good reason not to (e.g., when the element of surprise is desired or required), it is beneficial to inform management of the standards to which the organization is being audited and what tools are being used. Again, this may mean that changes need to occur, but risk will be mitigated.
  • Have an open-door policy—It is beneficial for auditors to let management know they are available on a consultancy basis, especially for new initiatives. It is necessary to be mindful of independence, but this creates the opportunity to discuss any regulations, laws, standards or tools that can be applied to potential initiatives. This can help management get it right from the outset. It also has the potential to save the organization money—the alternative being altering a system after it has been implemented. Again, risk will be mitigated.

Conclusion

The pervasiveness of complex IT solutions, together with the proliferation of related compliance requirements over the last 50 years, means that it is increasingly difficult for internal audit to provide the required assurance in isolation. Further, the traditional three lines of defense model increases the likelihood of duplication, overlap or gaps in IT risk mitigation. Only by working together across the lines of defense toward combined assurance can enterprises hope to efficiently mitigate risk and demonstrate compliance in the future. Enterprises should take steps, however tentative, to begin their journeys now.

Endnotes

1 ISACA®, Amazon Web Services (AWS) Audit Program, USA, 2019, http://gm0h.caminal-equip.com/bookstore/audit-control-and-security-essentials/waaws
2 ISACA, Microsoft Azure Audit Program, USA, 2020, http://gm0h.caminal-equip.com/bookstore/audit-control-and-security-essentials/waazu
3 Cooke, I.; “Risk Analysis: Then and Now,” @ISACA, vol. 11, 2019, http://gm0h.caminal-equip.com/resources/news-and-trends/newsletters/atisaca/2019/volume-11/risk-analysis-then-and-now
4 Ibid.
5 The Institute of Internal Auditors (IIA), IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, USA, January 2013, http://na.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf
6 BDO United Kingdom, “The Three Lines of Defence Model (3LOD) Has Been Updated—What Does This Mean for Internal Audit?” 19 October 2020, http://www.bdo.co.uk/en-gb/insights/advisory/risk-and-advisory-services/the-three-lines-of-defense-model-has-been-updated-what-does-this-mean-for-heads-of-internal
7 The Institute of Internal Auditors (IIA), The IIA’s Three Lines Model: An Update of the Three Lines of Defense, USA, July 2020, http://global.theiia.org/about/about-internal-auditing/Public%20Documents/Three-Lines-Model-Updated.pdf
8 Ibid.
9 Ibid.
10 Bhakta, A.; S. Myers; “What Is Combined Assurance? Seven Steps to Start a Successful Program,” Auditboard, 22 July 2020, http://www.auditboard.com/blog/combined-assurance-get-started/
11 Ibid.
12 Cooke, I.; “Internal Auditors: So What Do You Do?” ISACA Now, 25 July 2016, http://gm0h.caminal-equip.com/resources/news-and-trends/isaca-now-blog/2016/internal-auditors-so-what-do-you-do

Ian Cooke | CISA, CRISC, CGEIT, CDPSE, COBIT 5 ASSESSOR AND IMPLEMENTER, CFE, CIPM, CIPP/E, CIPT, CPTE, DIPFM, FIP, ITIL FOUNDATION, SIX SIGMA GREEN BELT

Ian Cooke is the group IT audit manager with An Post (the Irish Post Office based in Dublin, Ireland) and has more than 30 years of experience in all aspects of information systems. He has served on several ISACA® committees, was a topic leader for the audit and assurance discussions in the ISACA Online Forums, and was a member of ISACA’s CGEIT® Exam Item Development Working Group. Cooke has supported the update of the CISA® Review Manual and was a subject matter expert for the development of both ISACA’s CISA® and CRISC® Online Review Courses. He was a columnist for the ISACA® Journal from 2017–2020. He is the recipient of ISACA’s 2017 John W. Lainhart IV Common Body of Knowledge Award and the 2020 Michael Cangemi Best Book/Author Award. Cooke is also a member of the International Association of Privacy Professionals’ CIPT Exam Development Board.