By MIA Sustainability, Digital Economy and Reporting Team
IT audit is not just a necessity but a strategic asset for any business aiming for sustainable growth and resilience
What exactly is IT audit, and why is it becoming so crucial in today’s digital landscape?
In a world that is continually evolving with advanced technologies and digital solutions, the role of auditors is more significant than ever before. IT audit ensures that organisations not only comply with regulations but are also secure and efficient in their digital operations.
The first complimentary webinar of MIA Digital Month 2024 focused on the topic of Exploring IT Audit: Empowering Auditors for the Digital Era. The session was moderated by Steven Chong, Member of the MIA Digital Technology Implementation Committee (DTIC), who was joined by Eddie Leng, Founder and Director of ALE Advisory Sdn Bhd, and Sia Chin Hoe, Audit Partner and Head of IT Audit, KPMG Malaysia.
Key Takeaways
As businesses rely more heavily on technology, understanding IT systems and controls is essential in safeguarding against risks and ensuring data integrity. “IT audit has evolved significantly over the last decade. Traditionally, it was often misunderstood as simply installing audit software or handling basic IT-related checks. Today, it encompasses a broader and more sophisticated scope, critical for ensuring that an organisation’s IT system is robust, secure, and in line with regulatory requirements,” said Steven.
As noted by the panel, IT audits can be carried out in-house or by external auditors with expertise in IT. With the emergence of advanced technologies, the role of IT auditors has expanded. They must now possess a deep understanding of complex IT environments such as cloud computing, data analytics, and cybersecurity protocols. This level of expertise allows them to identify potential vulnerabilities and recommend solutions that not only protect but also enhance the organisation’s technological infrastructure.
To grasp the significant role of IT auditors, it is crucial to first understand what IT auditing entails. According to ISACA, a global professional association and learning organisation in the digital trust field, the term “IT audit” traditionally suggests certain familiar procedures such as ensuring the functionality and integrity of an entity’s tools, systems and networks; testing and monitoring the security of IT systems against intrusion or misappropriation; and providing assurance around the compliance of IT activities with relevant enterprise policies, industry best practices and government laws and regulations.¹
However, the archetype of IT audit is changing. As society in general becomes more data driven and organisations increasingly look to leverage data to power processes, inform business decisions and generate value, IT audit must, in turn, provide business leaders with more timely and actionable risk assessments and input for effective governance of data and other IT assets.²
“For instance, many organisations have adopted cloud technology. How does it work exactly? What controls and risks are involved when using this technology? These are areas that IT auditors need to clearly understand and be an expert in,” explained Eddie.
According to Sia, many, if not all, organisations depend on IT systems for their financial reporting process nowadays. Thus, auditors must verify that these systems are providing accurate and reliable information. “IT audit is a crucial part of the financial audit. Companies that are using IT systems for their financial reporting process should perform IT audit on their system. This process involves evaluating both manual and automated IT controls. IT auditors need to evaluate the adequacy and appropriateness of the design and implementation of these controls, and to test the effectiveness of their operations to ensure that the information within the IT systems is reliable, complete and accurate,” explained Sia.
“In practice, IT audits can cover a wide array of areas. A common type is a general IT controls audit, often performed for external audit clients. This involves reviewing overall IT governance; confidentiality, integrity, and availability of data integrity; and system security controls. Another critical area is cybersecurity audits. Given the ever-increasing cyber threats, these audits examine an organisation’s defence against hacks and breaches,” said Eddie.
An emerging area is auditing systems that utilise artificial intelligence (AI). “With AI becoming integral to many business processes, IT auditors need to assess how AI solutions are implemented and controlled. This involves looking at the AI algorithms, their decision-making processes, and how they fit within the broader IT control environment. By staying ahead of these trends, IT auditors ensure that organisations do not only meet current standards but are also prepared for future challenges,” added Eddie.
It is crucial for an organisation adopting a new technology to also set up controls that are adequate for its environment. “Controls should start from day one. Business owners or C-suite levels in an organisation should identify the risk of any new system and develop controls for proper implementation,” said Sia.
Empowering auditors for IT audits
An IT auditor does not need to come from an IT background. While a basic understanding of IT is helpful, many IT auditors have accounting or other non-IT backgrounds.
However, it is essential to possess a basic understanding of IT systems, which will be helpful in the role of an IT auditor. IT audits go beyond merely assessing IT internal controls. They evaluate all facets of IT risk – security, change controls, and operational issues, among others. “Among the many challenges currently faced by an auditor is that we might not be updated with the audit process of any latest development in technology, such as AI. Typically, an auditor needs to communicate with various stakeholders in obtaining information and understanding it clearly. With technological advancements, how would an IT auditor audit a company that uses an AI system? How do we talk and get information from AI?” pondered Sia.
Both Eddie and Steven shared that through available certifications and resources, IT auditors will be empowered with the necessary expertise to navigate the complex landscape of digital audits. These certifications will ensure that professionals are equipped to handle the nuances of IT governance, cybersecurity, and other related areas effectively.
IT audits are indispensable for businesses in today’s digital age. Understanding and performing IT audits can significantly bolster your organisation’s integrity and trustworthiness. So, embrace IT audits – they are not just a necessity but a strategic asset for any business aiming for sustainable growth and resilience.
¹ “IT Audit: A look ahead”, 31 December 2021; https://www.isaca.org/resources/isaca-journal/issues/2022/volume-1/it-audit-a-look-ahead
² Ibid.