Career Insights: An IT auditor’s vital role in risk management

Sia Chin Hoe shares his thoughts on the evolving role of audit professionals. 


As digital transformation continues to become a critical business focus for organizations worldwide, there is an increasing demand for technologically capable employees in both the accounting and finance fields. This is true for IT Audit professionals (or IT Auditors), who follow all the same ethical and independence parameters as financial auditors but must also understand the process flow of businesses and the implication of the governance of IT systems, processes and IT application controls.

Sia Chin Hoe, KPMG in Malaysia’s Head of Information Risk Management and IT Audit practice, is no stranger to the field of IT Audit. Not only does he have more than 18 years of experience in both financial and IT Audit, he is also a Certified Information Systems Auditor (“CISA”), a designation issued by the Information Systems Audit and Control Association (“ISACA”).

1. There is a lot of buzz regarding the future of work, including the changing workforce and crucial investments into emerging technology. Why is it essential for today’s organizations to manage information technology related risk?

As businesses focus on digitally transforming their business models and look into new technology investments, previously unseen vulnerabilities may start making themselves known. A scenario where an organization’s leaders and employees are unfamiliar with new technologies and processes can lead to serious repercussions – for example, this could create new weaknesses in the organization’s business processes or present threats in their operational and cyber security. And this, in turn, could result in companies experiencing financial loss or reputational damages.

This is where information technology (IT) risk management becomes crucial. Contrary to its name, IT related risk is not just about managing technology. To best manage this risk, organizations must hire the right people with the right knowledge and skills as well as invest in learning and development to ensure their employees are ready to respond to any serious technology breaches.

2. In your experience, what impact has technology had on the audit profession?

With IT and digital transformation a norm in the corporate sector, auditors are required to have a basic understanding of emerging technologies as well as the know-how to evaluate them. This, of course, has little to do with numbers. Take blockchain technology for example; auditors need to develop new procedures to obtain audit evidence directly from blockchain, which are out of the control of the companies being audited.

Auditors today need to rely on automation, deploy more analytics, and know how to utilize audit tools that incorporate machine learning capabilities. With technology at the center of businesses, auditors are expected to understand and evaluate companies’ accounting policies for digital assets and liabilities. However, this has yet to be directly addressed in International Financial Reporting Standards.    

3. In your opinion, how has the increasing demand for cyber-related skills contributed to the evolving role of an auditor?

Today, almost everything relates to information technology. This is just as true for auditors as they now have at their disposal audit tools that make use of technologies such as automation, analytics and even machine learning capabilities to improve the quality of their audits. 

From a broader perspective, the auditors of today and tomorrow need to have a fundamental understanding of IT strategy, IT risk management, IT governance and the ability to assess a client’s overall IT/IS security position, in order to better identify risks in technologies related to financial reports or financial statements audit.

This is why financial auditors with IT audit or data analytic skills are becoming increasingly sought after, and also why I opted to take the Certified Information Systems Auditor (CISA) certification to become a certified IT auditor. 

4. According to the KPMG Global CEO Outlook 2019, cyberattacks are ranked among the top 5 threats to an organization’s growth. Does this affect the way auditors conduct their assessments?

With technology and cyber risks now a part of the Board agenda, Board and Audit Committee members are expected to scrutinize the organization’s state of security program or discuss issues about cyber security breaches. This has resulted in it becoming more common for companies to invite auditors to attend the Board and Audit Committee meetings.

In this regard, it is no longer enough for auditors to just be financially savvy. Auditors of all levels should develop basic IT audit skills and learn how to test for and identify IT dependencies relevant to audits of financial statements. It may seem daunting to pick up new technical skills from scratch, but with the right determination this can be accomplished through further learning. The most time-effective way to do so would be by hitting the books or opting for another certification related to IT audit, cybersecurity or data analytics.

5. What positive career impact have you experienced from pursuing your additional certifications?

The majority of my clients are engaged with IT such as e-Commerce, e-Money issuers, e-wallet operators and ePayment gateway businesses, and they recognize my qualifications as an excellent indicator of my proficiency in technology controls. In fact, I am often asked for consultation on the processes and controls in addressing my clients’ IT risks, such as testing controls within their new systems or validating data integrity because they worry that the new system may be rated as “ineffective”.

I am happy that my clients see me as more than just an accountant as this enables me to continue working shoulder-to-shoulder with them to deliver real results.

6. Would you recommend that others consider doing the same?

Though there is no harm in learning new skills, it is always a personal choice. As the workforce continues to evolve, it is important to remember that a vastly different set of skills is required to succeed in any career path compared to 10 years ago. In order to secure a sustainable career, we have to ensure our knowledge and skills are future-ready.

7. Do you have any advice for auditors who would like to pursue additional certifications but are uncertain about what area they would like to specialize in?

Auditors who are interested in picking up an additional certification must first consider how they want to market themselves or what specific field(s) to build their professional careers in. Within the next 10 years, more companies are expected to embrace automation and rely more on IT controls. This will certainly increase the demand for broadly skilled auditors who are knowledgeable about more than just accounting, and it is important that the next generation of auditors take this into consideration.

© 2020 KPMG PLT, a limited liability partnership established under Malaysian law and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.
