Ensure strong audit leadership. Whoever owns the audit function, whether it’s the CFO, CIO or some other executive, must be held responsible for the results and effectiveness of an audit.
“Hopefully, this will create the culture change necessary to perform effective audits,” Pike says. “It doesn't necessarily mean that a breach is his or her fault. What it does mean, however, is that the audit owner should ensure that employees in [the] organization can answer difficult questions about IT capabilities and architecture.”
If an auditor goes out to the field to audit a development workflow in an environment regulated by the Health Insurance Portability and Accountability Act and knows little about HIPAA, development processes or the actual workflow, the audit isn't going to work, Pike says. “Auditors must have the requisite knowledge required to approach [an] audit with skepticism,” he says.
Those in charge need to make sure audits account for the latest technology trends within the organization. The combined influence of mobile, cloud, big data/analytics and social media has brought about new challenges for security auditors.
“It is a steep learning curve for the auditors along with the CIOs, CISOs and risk professionals,” says Khushbu Pratap, principal research analyst at Gartner. “Digital business innovation disrupts risk and security management. Clearly, this also brings about new challenges on providing independent assurance on such risks.”