Philosophical phriday - today's "tech audit" universe

Yesterday I blogged about ISO/IEC 2382 - Information technology - vocabulary. In particular, one of the ~2,000 ISO definitions stood out enough to catch my beady eye:

“Computer-system audit: examination of the procedures used in a data processing system to evaluate their effectiveness and correctness, and to recommend improvements”.

Errrr, that covers some of the audit work I have undertaken, led/managed, been subjected to or heard about in my career* but omits rather a lot e.g.:  

1. IT governance arrangements, strategies, information risk and security management, direction and oversight, structure, integration with other business functions, rôles and responsibilities, accountabilities, reporting lines, assurance, continuous improvement, barriers and progress;
   
   
2. Staffing levels and competencies, recruitment and retention, succession planning, contractors and consultants;
   
   
3. Security administration, joiners/movers/leavers, culture, awareness and training, accounts/identification and authentication, help desk;
   
   
4. Policies, procedures and other documentation, laws, regulations, contracts, licenses, conformity and compliance;
   
   
5. Intangible information assets, proprietary and personal information, intellectual property, trade secrets, knowledge, expertise, competences;
   
   
6. Security architecture, design and engineering; management of assets, information, changes, configurations internal/corporate and external/vendor/supply chain relationships, SBOM;
   
   
7. Specification, selection, implementation, configuration, use, monitoring, maintenance and effectiveness of cyber and other controls to mitigate all manner of information risks;
   
   
8. Software/systems development methods, projects/initiatives, business cases, investment returns;
   
   
9. Systems, networks, applications, databases, middleware, tools and techniques (IDS/IPS/SIEM etc.), product selection, support;
   
   
10. Cloud computing, virtualisation, zero-trust "IT sans frontieres";
     
11. Artificial Intelligence, automation, autonomous systems, innovation;
    
    
12. Internet of Things, home, mobile and hybrid working, BYOD, return-to-office;
    
    
13. Penetration testing, system and application testing, approvals and authorisations, exceptions and exemptions;
    
    
14. Threat intelligence, vulnerability intelligence, risk intelligence, business intelligence, and in fact intelligence in general (artificial or natural!);
    
    
15. Vulnerability management, patching, 'tech debt' (legacy), systems accreditation, change management, version control, Y2k+;
    
    
16. Access rights, cryptography, backups, antivirus, privileges, logging, alarms and alerts and myriad other security, privacy and safety controls;
    
    
17. IT/OT installation/site/facilities audits, physical security, essential supplies, cabling, fire and flood protection;
    
    
18. IT/OT/security operations management, maintenance, monitoring, maturity, metrics;
    
    
19. Frauds, thefts, incidents and near-misses, post-mortems/post-incident reviews, whistleblowing, special investigations;
    
    
20. Business continuity, resilience, adaptability, flexibility, redundancy, recovery, contingency, exercises, dependencies etc.

Overall, the main purpose is to provide management with assurance that everything tech-related is broadly OK ('adequate'), while everything important, critical or vital for the business is being handled well.

Patently, the IT audit universe has expanded substantially since the 1990's. "Computer audit" and "data processing" in the ISO definition are outdated terms for outmoded concepts. Those 20 topic areas I've listed mean there's a lot more to this than 'examining procedures' and 'evaluating effectiveness and correctness' ... and to be honest I suspect there are more than 20**. 

So, bearing all that in mind, I've come up with the following updated term and definition: 

"Technology audit: audit to provide management and other stakeholders with assurance concerning Information Technology, Communications Technology, Operational Technology, Mobile Technology, Virtual Technology and Smart Technology. This involves auditing technology governance and management arrangements and pertinent topics such as information risk and security management, security architecture and controls, compliance and business continuity."

What do you think? Does that succinct paragraph describe the field 'effectively and correctly'?  As always, comments are welcome.

* To be clear, I've performed or been involved with many - but not all - of the audit types on this long list. I'm only human, not superhuman.

   

** As if 20 audit topics are not more than enough to keep us busy, we are frequently called upon to provide tech support and guidance for our esteemed colleagues in internal or external audit functions, and to help out on other kinds of audit involving technology - which today means most of them (e.g. assessing the integrity of a company's finance systems, data and related processes to determine whether the accountants performing statutory financial audits can place reliance upon the numbers on their screens). Add-on the routine overhead of departmental admin, courses and self-study, planning, reporting, relationship building etc. within the stressful context of audit work generally, it's no wonder I find tech audit work exhilarating but tiring. Been there, done that, got the ulcers.