It was a bit of a surprise and a huge compliment to be invited to contribute to this column after many years reading the words of Tommie Singleton in this space. I shall do my best not to disappoint. To give you a hint as to where this column is going during the upcoming year, let us start with a summary of some lessons learned in my many years dealing with information systems, technologies and audits.

Change is fast and profound. Over the last five decades, technical innovation and new legislation relating to data and information have caused major dislocations. These, in turn, have created the need for new approaches to IS/IT audit. Some of these changes are outlined in figure 1. While this table is certainly incomplete, the conclusion is that continuous learning is inescapable. Thus, we are required to learn how to learn and then how to unlearn and relearn.¹ Failure to do this is a guarantee of professional stagnation and failed careers.

In the IS Audit Basics column, I plan to reflect the lessons I learned both as an auditee and as an IS/IT executive and auditor. I intend for them to be thought-provoking as opposed to sets of procedural “do this” statements.
WHAT WE KNOW WE KNOW
Dependency on IS/IT has become irreversible, and its governance and management rely on audit competencies and independence. Innovation cycles are likely to remain short and bring with them new vulnerabilities and management challenges. Moreover, internal and external threats keep changing and, unless mitigated, could have an adverse and potentially serious effect on organizations. The frameworks for information assurance, security, risk and governance evolve as experience is gained and lessons are learned. The same is true for audit standards and guidelines. It is prudent to assume that the domains of IS/IT audit have become so large that it is now unlikely that anyone can know everything about them. This makes the development of IS/IT audit strategies that much harder.

On the positive side, the audit profession offers many opportunities for personal and professional growth: progression to chief audit executive (CAE), membership in audit committees, consultancy and senior management roles. The choice is yours, but only if you are prepared.
Ed Gelbstein, Ph.D., has worked in IS/IT in the private and public sectors in various countries for more than 50 years. He did analog and digital development in the 1960s, incorporated digital computers in the control systems for continuous process in the late 60s and early 70s, and managed projects of increasing size and complexity until the early 1990s. In the 1990s, he became an executive at the preprivatized British Railways and then the United Nations global computing and data
Following his (semi)retirement from the UN, he joined the audit teams of the UN Board of Auditors and the French National Audit Office. He also teaches postgraduate courses on business management of
He can be contacted at
Perspectives From a Seasoned Practitioner
Figure 1—Historical Timeline of Data-related Technical Innovation

The 1960s: Migration from analog to digital; emergence of digital integrated circuits; IBM 360 series of mainframes; minicomputers from many vendors; SCADA used in industrial control; proliferation of programming languages (e.g., ALGOL, COBOL, FORTRAN, BASIC). Data speeds were 2.4 kbps at best, and fax machines were Group 2.

The 1970s: Transaction processing becomes the norm; early cellular data communications and optical fiber networks; Internet email and early personal computers; BASIC becomes widespread.

The 1980s: First 16-bit PCs; local area networks (LANs) enter the corporate world; packaged software for office applications becomes available from several vendors; malicious software (malware) appears. Firewall products on offer; data protection legislation is introduced in the UK.

The 1990s: Client-server claims “the mainframe is dead”; graphical user interfaces become ubiquitous; executive awareness of the critical dependence on IS/IT; Internet access makes its way into enterprises; Web 1.0 grows explosively; pioneers enter e-commerce; European Data Protection and US Health Insurance Portability and Accountability Act (HIPAA) legislation are enacted; Y2K becomes a concern.

The 2000s: Technology users become proficient; malware becomes professional; COBIT 3rd Edition is published and widely adopted; social networks’ popularity gives rise to corporate issues. Mobile technologies are transformed by smartphones and tablets; bring your own device (BYOD) and mobile apps become an enterprise issue. Risk-based audits are widely adopted.

The 2010s: Cloud computing; big data; concerns about the theft of intellectual property; threats to individual privacy and the militarization of cyberspace; the Internet of Things (IoT) and wearable technologies. COBIT® 5 covers several volumes of guidance and separates governance from management.

Beyond: Who knows?