ISACA Journal - 2012 Volume 3

Robert Findlay, CISA Robert Findlay has had a 30-year career in a variety of IT roles, including computer operations, programming, project management, IT audit and emergency project management, and has held positions such as information security manager and chief information officer (CIO).

He has taken some time off to travel extensively around the world. Part of this travel involved six months in the Caribbean Islands, researching forts and castles across all the islands, and in Central America. On this trip he was shot on two occasions and involved in half a dozen knife fights. Now, he sticks to calmer hobbies such as marathon running, long-distance hill walking and studying for a degree in international studies.

Q How do you see cloud computing changing the way we do business? What are your thoughts
on auditing cloud computing?

Even less technical are the threats from poor governance. It is rare that I come across any IT management team that has read contracts, never mind applied them; in most cases, contracts do not exist. Similarly, management—of all kinds, not just IT management—does not pay attention to laws, regulations and agreements that apply to their businesses.

For companies to protect themselves, a good start is to read all regulations and contracts and set up compliance projects. Similarly, they should review their data and set up a robust reporting system to monitor exceptions to policy and a compliance framework. Too many managers do not understand their own data.

Do you have something to say about this article?

Visit the Journal pages of the ISACA web site ( www.isaca. org/journal), find the article, and choose the Comments tab to share your thoughts.

Go directly to the article:

A People are very reluctant to commit to cloud computing because of data security risk, a lack of trust in third parties to hold personal data securely and to be responsive to incidents, and concerns over moving to new providers if a change is necessary.

Personally, I see these concerns as an anchor on cloud computing, and I can see only slow progress in niche areas for this service in the short term. Longer term, cloud computing could grow massively if location-of-data issues are resolved.

Consequently, these issues should be the focus for auditing. I like to investigate the contracts and the security of the third party. If they do not let me in, then I am suspicious of the control environment.

Q How do you think the role of the IT auditor/ professional is changing or has changed? What
would be your best advice for IT auditors as
they plan their career paths and look at the
future of IT auditing?
Q What do you see as the biggest risk being addressed by IT auditors and/or security
professionals? How can businesses protect
themselves?

A External technical risks are most often discussed, but my experience is that the biggest threats to organizations are IT-related, but internal and often nontechnical. I see a lot of internal fraud through a lack of application controls, caused by developers of applications who are not pressed into applying strong validation, segregation of duties or good security reports to allow managers to review patterns of behavior.

A The role of the IT auditor is far more risk-based than it was when I started; then, technical operating system reviews and database audits were the order of the day. As a result of this evolution, IT auditors must understand it all: IT, finance, business and environmental risk. At the same time, they must have enough technical knowledge to warrant a specialist position. My advice is to keep abreast of the issues and keep skills current.