Robert Findlay, CISA
Robert Findlay has had a 30-year career in a variety of IT roles,
including computer operations, programming, project management,
IT audit and emergency project management, and has held
positions such as information security manager and chief
information officer (CIO).
He has taken some time off to travel extensively around the
world. Part of this travel involved six months in the Caribbean
Islands, researching forts and castles across all the islands, and
in Central America. On this trip he was shot on two occasions
and involved in half a dozen knife fights. Now, he sticks to calmer
hobbies such as marathon running, long-distance hill walking and
studying for a degree in international studies.
Q How do you see cloud computing changing the way we do business? What are your thoughts
on auditing cloud computing?
Even less technical are the threats from poor
governance. It is rare that I come across any IT
management team that has read contracts, never
mind applied them; in most cases, contracts do not
exist. Similarly, management—of all kinds, not just
IT management—does not pay attention to laws,
regulations and agreements that apply to their
For companies to protect themselves, a good
start is to read all regulations and contracts and
set up compliance projects. Similarly, they should
review their data and set up a robust reporting
system to monitor exceptions to policy and a
compliance framework. Too many managers do not
understand their own data.
Do you have something
to say about
Visit the Journal
pages of the ISACA
web site ( www.isaca.
org/journal), find the
article, and choose
the Comments tab to
share your thoughts.
Go directly to the article:
A People are very reluctant to commit to cloud computing because of data security
risk, a lack of trust in third parties to hold personal
data securely and to be responsive to incidents, and
concerns over moving to new providers if a change
Personally, I see these concerns as an anchor
on cloud computing, and I can see only slow
progress in niche areas for this service in the short
term. Longer term, cloud computing could grow
massively if location-of-data issues are resolved.
Consequently, these issues should be the
focus for auditing. I like to investigate the
contracts and the security of the third party. If
they do not let me in, then I am suspicious of the
Q How do you think the role of the IT auditor/ professional is changing or has changed? What
would be your best advice for IT auditors as
they plan their career paths and look at the
future of IT auditing?
Q What do you see as the biggest risk being addressed by IT auditors and/or security
professionals? How can businesses protect
A External technical risks are most often discussed, but my experience is that the
biggest threats to organizations are IT-related,
but internal and often nontechnical. I see a lot
of internal fraud through a lack of application
controls, caused by developers of applications who
are not pressed into applying strong validation,
segregation of duties or good security reports to
allow managers to review patterns of behavior.
A The role of the IT auditor is far more risk-based than it was when I started; then,
technical operating system reviews and database
audits were the order of the day. As a result of
this evolution, IT auditors must understand it all:
IT, finance, business and environmental risk. At
the same time, they must have enough technical
knowledge to warrant a specialist position. My
advice is to keep abreast of the issues and keep