A: My software engineering background has helped
me to understand in practice not only how the
applications are being developed and maintained,
but also the nature of controls that need to be
implemented in applications.
Q: How have the certifications you’ve
attained advanced or enhanced your
career? What certifications do you
look for when hiring new members of
A: Certainly, my certifications
have enhanced my career. Having
a certification shows a true
commitment and dedication to your chosen
occupation. At my organization, the Certified
Information Systems Auditor® (CISA®) designation
is mandatory for all IS auditors. Therefore, our
company strongly encourages and supports all new
hires in obtaining the CISA certification.
Q: What will be the biggest compliance challenge in
2015? How will you face it?
A: I would say that in the banking sector, which
I represent, the biggest compliance challenge is
coming from the regulatory side. We face new
challenges to ensure compliance with both existing
and emerging regulations. To face these challenges,
auditors need to ensure that management is aware
of and has taken appropriate actions to sustain
ongoing compliance with these regulations.
Q: How do you think the role of the IS auditor is
changing or has changed? What would be your best
piece of advice for IS auditors as they plan their
career path and look at the future of IS auditing?
A: The IS auditor’s core role has not changed
much over the years. The IS auditor is and should
be primarily responsible for providing an objective
assurance on the risk and control processes of the
organization. In that way, the IS auditor is in the
best position to improve risk and control practices
in the organization. Many things (e.g., emerging
technologies, regulatory obligations, outsourcing)
have, of course, changed how the IS auditor’s
audit universe looks now compared to what it
was earlier. Those things have all
brought new challenges to the IS
auditor’s working environment. My
piece of advice for IS auditors is to
constantly keep your knowledge
updated and build a trusted
partnership with key management
Q: What do you see as the biggest
risk factors being addressed by IS audit professionals?
How can businesses protect themselves?
A: One of the biggest risk factors that IS auditors
should be closely monitoring is risk related to
services being provided by third parties. Whenever
an organization outsources something, it cannot
outsource the management responsibilities related
to risk and controls. There is a tendency to trust
and expect too much of third parties, but as an
IS auditor, trust is not a good control. Business
management needs to understand and manage risk
related to services being provided by third parties.
Q: How do you believe your software engineering
background has supported your career and current
role as a senior audit manager?
Timo Heikkinen is a senior
audit manager for Nordea
Bank in Helsinki, Finland.
With more than 15 years of
IS auditing experience, he is
responsible for the execution of
Nordea Group’s overall internal
audit strategies and planning,
managing and leading
business-IT and outsourcing-related audits across the
Nordea Group. He is also a
member of ISACA’s
Timo Heikkinen, CISA, CGEIT