Sia Chin Hoe shares his thoughts on the evolving role of audit professionals.
As digital transformation continues to become a critical business focus for organizations worldwide, there is an increasing demand for technologically capable employees in both the accounting and finance fields. This is true for IT Audit professionals (or IT Auditors), who follow all the same ethical and independence parameters as financial auditors but must also understand the process flow of businesses and the implication of the governance of IT systems, processes and IT application controls.
Sia Chin Hoe, KPMG in Malaysia’s Head of Information Risk Management and IT Audit practice, is no stranger to the field of IT Audit. Not only does he have more than 18 years of experience in both financial and IT Audit, he is also a Certified Information Systems Auditor (“CISA”), a designation issued by the Information Systems Audit and Control Association (“ISACA”).
As businesses focus on digitally transforming their business models and look into new technology investments, previously unseen vulnerabilities may start making themselves known. A scenario where an organization’s leaders and employees are unfamiliar with new technologies and processes can lead to serious repercussions – for example, this could create new weaknesses in the organization’s business processes or present threats in their operational and cyber security. And this, in turn, could result in companies experiencing financial loss or reputational damage.
This is where information technology (IT) risk management becomes crucial. Contrary to its name, IT-related risk is not just about managing technology. To best manage this risk, organizations must hire the right people with the right knowledge and skills as well as invest in learning and development to ensure their employees are ready to respond to any serious technology breaches.
With IT and digital transformation a norm in the corporate sector, auditors are required to have a basic understanding of emerging technologies as well as the know-how to evaluate them. This, of course, has little to do with numbers. Take blockchain technology for example; auditors need to develop new procedures to obtain audit evidence directly from the blockchain, which is out of the control of the companies being audited.
Auditors today need to rely on automation, deploy more analytics, and know how to utilize audit tools that incorporate machine learning capabilities. With technology at the center of businesses, auditors are expected to understand and evaluate companies’ accounting policies for digital assets and liabilities. However, this has yet to be directly addressed in International Financial Reporting Standards.
Today, almost everything relates to information technology. This is just as true for auditors as they now have at their disposal audit tools that make use of technologies such as automation, analytics and even machine learning capabilities to improve the quality of their audits.
From a broader perspective, the auditors of today and tomorrow need to have a fundamental understanding of IT strategy, IT risk management, IT governance and the ability to assess a client’s overall IT/IS security position, in order to better identify risks in technologies related to financial reports or financial statements audit.
This is why financial auditors with IT audit or data analytic skills are becoming increasingly sought after, and also why I opted to take the Certified Information Systems Auditor (CISA) certification to become a certified IT auditor.
With technology and cyber risks now a part of the Board agenda, Board and Audit Committee members are expected to scrutinize the state of the organization’s security program or discuss issues about cyber security breaches. This has resulted in it becoming more common for companies to invite auditors to attend the Board and Audit Committee meetings.
In this regard, it is no longer enough for auditors to just be financially savvy. Auditors of all levels should develop basic IT audit skills and learn how to test for and identify IT dependencies relevant to audits of financial statements. It may seem daunting to pick up new technical skills from scratch, but with the right determination this can be accomplished through further learning. The most time-effective way to do so would be by hitting the books or opting for another certification related to IT audit, cybersecurity or data analytics.
The majority of my clients are engaged with IT, such as e-Commerce, e-Money issuers, e-wallet operators and ePayment gateway businesses, and they recognize my qualifications as an excellent indicator of my proficiency in technology controls. In fact, I am often asked for consultation on the processes and controls in addressing my clients’ IT risks, such as testing controls within their new systems or validating data integrity because they worry that the new system may be rated as “ineffective”.
I am happy that my clients see me as more than just an accountant as this enables me to continue working shoulder-to-shoulder with them to deliver real results.
Though there is no harm in learning new skills, it is always a personal choice. As the workforce continues to evolve, it is important to remember that a vastly different set of skills is required to succeed in any career path compared to 10 years ago. In order to secure a sustainable career, we have to ensure our knowledge and skills are future-ready.
Auditors who are interested in picking up an additional certification must first consider how they want to market themselves or what specific field(s) to build their professional careers in. Within the next 10 years, more companies are expected to embrace automation and rely more on IT controls. This will certainly increase the demand for broadly skilled auditors who are knowledgeable about more than just accounting, and it is important that the next generation of auditors take this into consideration.
Learn more about our IT Audit Practice at www.kpmg.com.my/IRM