Manchester United saw their stock rise in the early part of the year. Up till February 2019, the team was racking up victory after victory and in the process ended with 11 victories on the road, their best run in the history of the club. The club didn’t need a soothsayer to tell them to change the manager’s status from interim to full time. Fast forward to March 2019 and till this moment, they have lost 7 of their last 9 games and most likely a 10th tomorrow.
Something is definitely wrong somewhere and it could be that every one of their opponents has discovered the weaknesses and inherent risks associated with Manchester United. From governance to organization structure, to managers and employees, the club is in a deplorable state. It is no longer business as usual; competitors are changing business models to outperform each other. The footballers currently pose the biggest threat. Their last outing against Everton was pathetic. They were defeated in every position. The response of the Management was to tell supporters to expect a massive exodus of players from the club. They believe the current skills of their players are not in tune with the current roles. At the moment, this is what their indicators are revealing.
What is your indicator revealing? You have always conducted precise audits and generated excellent reports. But the issues persist. Management has a better idea and stakeholders just don’t buy your recommendations.
Wait! A wave is coming. This time, you will have to go the extra mile to get the job done.
Dear auditor, business models are changing, are you ready?
Earlier in the year, my company was privileged to be invited to audit an information system used by a microfinance bank. As a team, we had assembled to dish out roles and examine various tasks as usual. On the team were financial auditors, information systems auditors, network administrators, database specialists, server administrators, security managers and a web developer. It seemed like we had the best team around. Off we proceeded to the client’s office. On arrival, we were handed the terms of reference and the usual functions appeared. Tasks range from duplicate check, edit check, reasonableness check, controls assessment, data validity, organizational structure audit, audit trail tamper proof, incident and review logs, bla bla bla.
What caught my attention was the application programming interface (API) audit and application source code audit. The task was to review the whole application for backdoors, code integrity, programming standard and API. Calculating file hashes would have shown whether files had been tampered with, but because no initial hashes of the files were stored anywhere, the comparison would be baseless. Secondly, verifying every line of code to identify poorly written code, and ensuring that the application was built according to best practices, was the big deal.
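The missing-baseline problem described above, as an added example that is not part of the original post: a SHA-256 manifest is recorded at release and kept outside the application tree, and a later audit compares the tree against it. The file names and the sample tree are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(root: Path, baseline_file: Path) -> dict:
    """Compare the tree against a stored baseline; fail loudly if none exists."""
    if not baseline_file.exists():
        # Without a trusted earlier manifest, current hashes prove nothing.
        raise FileNotFoundError("no baseline manifest: nothing to compare against")
    baseline = json.loads(baseline_file.read_text())
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Constructed sample tree: baseline at release, three changes, then audit."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        # The baseline lives outside the audited tree (ideally on write-once storage).
        root, baseline_file = Path(tmp), Path(store) / "baseline.json"
        (root / "api").mkdir()
        (root / "api" / "loans.php").write_text("<?php // loan endpoints\n")
        (root / "login.php").write_text("<?php // login form\n")
        (root / "report.php").write_text("<?php // reports\n")
        baseline_file.write_text(json.dumps(build_manifest(root)))  # stored at release
        (root / "login.php").write_text("<?php // login form, altered\n")
        (root / "api" / "debug.php").write_text("<?php // unexpected file\n")
        (root / "report.php").unlink()
        return compare(root, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A manifest only tells the auditor that a file changed since the baseline was taken; whether the change was authorised still has to be checked against the change records.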
I asked 3 different developers if there exists a global standard for auditing/developing application codes. Their responses were negative.
"You just have to be a developer to review the codes of another developer."
Well, the web developer on the team did his job and presented the report. I guess I was not satisfied with his job because no one on the team had knowledge of application development. Verifying the correctness of the report proved to be a problem. In resolving this, I hired another developer to audit the section again and then compared the report with the existing one.
"A valuable lesson I learnt is to ensure that there is always someone on the team who understands and can review what another team member has done."
Then I remembered thousands of active information systems auditors with no knowledge of application development. How do they cross the hurdle of source code audit? Hiring an application developer is good but how do you verify the correctness of the report?
Inability to evolve and align with new business innovations will make one’s skills redundant. After the audit, I did a reality check and the result was my enrollment in a full stack development course the following month. Of course, I’m still under training and the {}<></> are not friendly at all. I don’t intend to be a developer but I want to know and understand what the developer is doing or maybe enjoy my time sipping coffee and reviewing those lines of code myself. At the moment, I can successfully review UI/UX frontend code. Quite boring but extremely important. I can’t wait to pick up the momentum for my backend classes.
The future is looking to unfold more work for the auditors and security professionals.
The challenges from cyberspace, coupled with business application audits, workplace robotics, artificial intelligence, Internet of things, Internet of people, Internet of everything, blockchain, data science, cloud computing and others, will scale the height for professionals.
I see the role of CISAs evolving as these emerging technologies take over our business landscape. No one is a repository of knowledge. Therefore, the IS Auditor should not be seen as a magician who is supposed to know the job functions of a data scientist, financial auditor, database administrator, network administrator, server administrator, cloud specialist, and every other emerging role involved in these technologies. Professionals in those areas will be hired for the purposes of IT Audit and not as practitioners and then report to the CISA who will serve as the Audit Manager.
Dear professionals, are we ready?