FEATURE FEATURE

The Evolution of Information

Systems Audit

F
rom the early days of electronic data processing
(EDP) to modern cybersecurity, IS audits have
come a long way. The landscape around
information systems has been changing, but
as in any journey, an eye on the rearview mirror enables
better decision-making and safer travel forward.
By considering the lessons learned and avoiding
the mistakes of the past, the world of information
systems audit can be shaped and prepared to
respond to the future.
Changing Contexts
The factors that play a significant role in information
systems audit can be broadly classified into a few
contexts, including:
The Business Environment
Organizations that dominate the rankings in terms
of revenue and market capitalization today are very
different from those that were leaders a few decades
ago. In fact, many of those former leaders have fallen
out of the rankings or even ceased to exist. From
a brick-and-mortar world of material things and
commodities, the modern global economy now leans
heavily on technology and services.
This has caused organizations to prioritize innovation
and creativity over functioning and growth. Innovation

• The business environment

• The technology landscape

• Sociopolitical global trends

• The need for governance

Information systems audits do not live in a world

of their own; they are performed in the context of
these environments. Understanding the current
state of each of these contexts can help the auditors
determine how the world of information systems
audit needs to change to stay relevant and useful.

A N A N T H A SAYA N A | CIS A , CIS M, CI A

Has experienced the evolution of IT since its early days in the 1980s. After conducting information systems audits for more than a
decade across systems in banking, finance, manufacturing, supply chain and project management in a variety of IT infrastructure
landscapes, Sayana moved to a leadership role in core IT. He managed the implementation and maintenance of many solutions,
including enterprise resource planning (ERP), web portals and the related IT setups used to build and manage information security
in different software and domain environments. He has led digital transformation, including the implementation of new digital
technologies such as the Internet of Things, augmented reality, virtual reality, mobile applications, big data analytics, machine learning
and artificial intelligence for various solutions in engineering, manufacturing and project management. Four decades of experience
have given him tremendous insight into managing, securing and auditing IT systems. Sayana is now retired and is currently mentoring
digital start-ups. He has volunteered with ISACA® for many years, including as a founding coauthor of the IT Audit Basics column in the
ISACA® Journal and past Journal article peer reviewer. He was one of the founders of the ISACA Mumbai (India) Chapter and served as
its president. He has also been a member of the CISA Test Enhancement Committee. He has spoken at numerous conferences and
written many articles. He can be reached at asayana@gmail.com.

© 2022 ISACA. All rights reserved. www.isaca.org VOLUME 1 | 2022 ISACA JOURNAL 1
 and creativity, spanning every function in the
organization, can result in amazing new products,
business models, methods of acquiring and servicing
customers and financing models, and helps create
more efficiency in every process.
The organizational ethos has also changed
dramatically. A greater focus on inclusion, diversity,
empowerment, trust, collaboration, teamwork,
outsourcing and gig workers has changed how work
is accomplished. In addition, although the digital
technologies to enable work from anywhere have
been available and practiced by many organizations,
the COVID-19 pandemic made the adaption of
working from anywhere an urgent and important
change for every organization.
The roles of IT and digitalization are significant
in every one of these aspects. Organizations that
leverage IT and digital technologies are the winners in
today’s game.
“The frequency and scale of
cybercrimes and the profiles and
powers of the actors involved
are also changing.”
The Technology Landscape
An aggregation of physical equipment in a glass-
enclosed space is no longer the metaphor for IT. An
application on a mobile phone is likely a better icon of
today’s technologies in this click-and-swipe world.
Over the past few decades, the capabilities of
computing power, storage and communication,
accompanied by significant advances in programming
languages and platforms, have exploded, moving
from tedious batch processing to online, real-time
processing and responses that yield instant results.
Cloud computing has become pervasive and
produces significant computing power, storage and
processing tools available to people all over the world.
The phenomenal increase in network coverage and
speed have made the Internet available to a very large
population of the world. Today's mobile devices pack
the punch of large servers of the past and provide
dazzling high-resolution touch displays, audio, video,
2 ISACA JOURNAL VOLUME 1 | 2022
location and communication capabilities that are
available anywhere and anytime.
New technologies and tools have also been added
to the fold. The Internet of Things (IoT) connects
automobiles, appliances, machines and other
inanimate objects seamlessly into digital solutions
through a combination of sensors, tracking tags and
gateway communication devices.
Virtual reality, augmented reality and mixed reality
applications are being integrated with engineering,
manufacturing and other solutions. Blockchain
technology is finding applications in fields such as
finance and supply chain. Cryptocurrencies could
dramatically change the world of finance; even the
world of art is experiencing disruptive technology
through nonfungible tokens (NFTs). Artificial
intelligence (AI) is benefiting from advances in
hardware and software that make it more viable.
Powered by big data analytics and machine learning,
AI is finding its way into the mainstream and getting
embedded in solutions to aid human capabilities and
decision-making. Robotic process automation (RPA)
is being used to convert routine manual tasks to
being completely performed by software, eliminating
tedious human effort.
Although digital technologies put convenience and
power in the hands of consumers and end users,
the backend complexities of how these solutions
are created and maintained have increased security
considerations exponentially.
The pace at which new technologies and solutions
are being developed is mind-boggling and shows no
signs of slowing down or stopping. The next major
paradigm shift will occur when quantum computing
becomes mainstream.
Although it may be impossible for one person to
gain expertise in all of these technologies, modern
information systems auditors need to perform their
work in this landscape.
Sociopolitical Global Trends
Globalization is grappling with the forces of
localization. Global and local regulators are requiring
organizations to abide by a large set of requirements
for complying with regulations by governments
and other regulatory bodies. Economic disparities
and inequities have widened, leading to an increase
© 2022 ISACA. All rights reserved. www.isaca.org
in crime. Specifically, the frequency and scale of
cybercrimes and the profiles and powers of the
actors involved are also changing.
Organizations should focus on the climate and
environment, proving that they are socially responsible
citizens—caring for the larger world and not merely
increasing revenue and profits. Multiple demands such
as these on organizational management may, at times,
dilute the focus and importance that need to be given
to securing the enterprise.
Given the multiple demands on management in this
changing climate, it is important for the auditor to
perform their duties to ensure that the objectives of
securing the enterprise get due attention consistently.
The Need for Governance
The need for governance has never been greater.
Organizations work to be on top of the curve and
deploy the necessary technologies and business
models, but that means nothing if boards,
regulators and management do not take care of
the inherent risk and pitfalls that the environment
presents. Governance is necessary to ensure that
risk management objectives and limits are set
and communicated and that policies are framed
for management to implement and follow. A
comprehensive audit system and process needs to
be reviewed against local and global standards with
regulatory frameworks and risk mitigation adjusted
as needed on an ongoing basis.
For the well-being of the organizations, the audit
team needs to be capable, dependable and cognizant
of all the factors in the landscape that affect
operations or else they run the risk of becoming
irrelevant or ineffective.
Changes to Information Systems Audit
Given the significant changes to the environment,
information systems audit teams need to be able to
also adapt by recognizing three significant factors
that can affect their reality.
1. Nature and Shape of IT Solutions
IT solutions in the past were largely inward looking
and used by the employees of the organization. In
the past, fewer applications were exposed to the
Internet, and many others were available only within
an intranet—an organization’s private network.1
© 2022 ISACA. All rights reserved. www.isaca.org
“The interconnections and integration between
solutions also need to be considered during
these audits.”
Today, the distinction between an intranet and the
Internet has practically disappeared. With many
solutions hosted in the cloud, users spread all
over the world, and the increased use of mobile
devices, the physical segregation is often impossible
or impractical.
IT solutions in earlier days assisted the organization
in its processes. They were often focused on batch
processing and had little interface with end users.
Modern solutions do not merely assist in the process
but are often the process itself. For example, financial
transactions are processed entirely on computer
systems, while logistics, transportation, scheduling
and manufacturing are all driven, controlled and
monitored by computer systems.
The information system auditor's approach to what
to audit will need to change. An isolated audit of
one application solution or an infrastructure setup
may serve a limited purpose. The interconnections
and integration between solutions also need to be
considered during these audits.
2. The Nature of the Enemy and Attacks
The cybersecurity landscape is constantly under
threat, and the task of keeping systems secure is more
complicated than ever. It is often not just a disgruntled
employee or a random hacker attacking systems
today. State-supported or sponsored cyberattacks
are also mentioned in the media. The emergence of
various cryptocurrencies as a method of payment has
enabled ransomware and other threat-based attacks
to find anonymous methods of enrichment. Constant
vigilance is required to remain secure and protected
from attacks.
The auditor needs to evaluate how the enterprise is
geared to face these threats. Whether strategies for
incidence emergency response, disclosures, recovery
from disasters, communication management and
reputation recovery are in place and tested should be
verified by the auditors.
VOLUME 1 | 2022 ISACA JOURNAL 3
 3. The Significance of Privacy
Every system that captures, stores and processes
personally identifiable information (PII) has to operate
under regulations that protect privacy and remain
within that framework with respect to consent,
protection and nondisclosure.
Hence, the auditor needs to identify the specific
privacy regulations that impact the solutions and
include a verification of how the solutions comply
with the privacy requirement pertaining to that region
in their audits.
“Powerful big data analytics
are helping auditors find
anomalies and patterns of
wrongdoing—sometimes before
the event occurs.”
How the Audit Function Responds to
This Change
The audit function can address these significant
changes across several dimensions, including
collaboration, education and training, standards and
guidelines, regulations, and technology.
Independence and Collaboration
The audit function inherently needs to be
independent, unbiased and influenced only by
objective review and reporting. In an organizational
context, the reporting structure, resourcing and
management of the audit function must remain
free from influence by the technology or business
functions, and the team should have access to top
management and the board.
However, given that the information systems audit
function requires significant technology and
business skills, collaboration and teamwork
are essential. The challenge is to obtain the
needed skills by working together without
compromising independence.
Collaboration and teamwork without compromising
independence can only be achieved through a
mature approach and learning mindset. These are
4 ISACA JOURNAL VOLUME 1 | 2022
the elements of information systems audit that
are under the most stress—digital solutions and
modern business processes are continually evolving
and high-velocity, high-volume transactions are
being processed in real time. In this scenario, the
information systems audit cannot focus only on
reactionary activity. Security and controls need to be
built into the environment during the design, build and
maintenance stages. Mature organizations that find a
way to include this constructive collaboration will set
themselves up for a secure future.
Education and Training
The COVID-19 pandemic has expanded the digital
world. Today, digital learning courses on audit and
emerging technologies are available to people all
over the world. Information systems auditors must
prioritize learning, develop a systematic plan and
make the effort to learn. The managements of
the audit function should include learning as an
important criterion in the evaluation of their teams.
Standards and Guidelines
Although technology has evolved rapidly, many
organizations are working hard to implement standards
and guidelines to make themselves secure. Frameworks
for the secure implementation of many of the
technologies are available either from the manufacturers
themselves or from professional entities.
For example, based on the emerging world of the
Internet of Things (IoT), the US National Institute of
Standards and Technology (NIST) released draft
cybersecurity guidance for manufacturers of IoT
devices and equipment.2 Guidelines for securing
and auditing IoT, cloud and AI have been developed
by industry bodies.3, 4 Information systems auditors
would benefit from studying these types of
frameworks, standards and guidelines.
Regulations
Regulatory bodies are working to keep pace with
emerging technologies. Requirements cover many
aspects of cybersecurity and privacy. This is a big
driver for compliance and has spurred the creation
of products and service providers who consult in
those areas.
It is important for the auditor to be aware of the
jurisdiction of each of these regulations and
how they impact the solutions an organization
in different parts of the world can implement,
© 2022 ISACA. All rights reserved. www.isaca.org
considering where they are hosted and where
their users reside. Noncompliance with regulatory
requirements can cost organizations plenty in terms
of fines and punishments.
Technology
Like the rest of the business, the auditors also need to
embrace technology for their work. New technologies
that drive innovative solutions are helping to better
secure those solutions. Big advances are being made
in encryption and transmission of data. Two-factor
authentication is gaining acceptance, and systems
using biometrics are more efficient and more reliable
than ever. This results in more secure and controlled
access.
AI is being built into more products and can watch
for patterns in traffic and identify attacks before they
cause harm. Powerful big data analytics are helping
auditors find anomalies and patterns of wrongdoing—
sometimes before the event occurs.
Computer-assisted audit techniques (CAAT), as they
were previously known, are evolving. Continuous
monitoring is being built into the digital solutions
themselves, with the goal of autodetecting harm and
self-healing systems.
It is up to the auditor to remain up to date and take
advantage of new technology to assist in information
systems audits and ensure that organizations build
effective security programs and remain secure.
Conclusion
Changes in business, technology and sociopolitical
environments have increased the need for a force to
safeguard organizations, including assets, data and
systems. The information security or cybersecurity
function must be well organized, well staffed,
properly implemented and effectively operated. Every
organization needs a competent, relevant and effective
information systems audit function to verify, report and
offer guidance about the efficient functioning of the
cybersecurity function. This includes:
• The technology capabilities of the IS audit
function need to keep pace with the evolution of
new digital technologies.
• IS audit cannot be a discrete, periodic activity.
Given that the digital solutions of today are
running the enterprise and continuously upgrading
© 2022 ISACA. All rights reserved. www.isaca.org
“Every organization needs a competent, relevant
and effective information systems audit function
to verify, report and offer guidance.”
and evolving, audit should include continuous
assurance and proactive monitoring. It should
also focus on the processes that manage the
technology development and implementation.
An IS audit should focus on the governance
and management aspects of technology and
cybersecurity as much as it does on specific focus
areas of the audit.5
• 
IS audit needs to be cognizant of business
imperatives and align with the aspirations of the
organization, including being agile and innovative
and adopting technologies at a rapid pace. IS
audit’s integration with business management
and technology management should increase and
improve without compromising independence.
Endnotes
1 Sayana, S. A.; “Approach to Auditing Network
Security,” Information Systems Control Journal,
vol. 5, 2003
2 National Institute of Standards and Technology
(NIST), “NIST Releases Draft Guidance on Internet
of Things Device Cybersecurity,” 15 December 2020,
https://www.nist.gov/news-events/news/2020/
12/nist-releases-draft-guidance-internet-things-
device-cybersecurity
3 Standton, B.; T. Jensen; Trust and Artificial
Intelligence, Draft NISTIR 8332, National Institute
of Standards and Technology (NIST), USA,
March 2021, https://nvlpubs.nist.gov/nistpubs/
ir/2021/NIST.IR.8332-draft.pdf
4 European Network and Information Security
Agency (ENSIA), Cloud Computing: Benefits,
Risks and Recommendations for Information
Security, Greece, November 2009,
https://www.enisa.europa.eu/publications/
cloud-computing-risk-assessment
5 Shilts, J.; “A Framework for Continuous Auditing:
Why Companies Don’t Need to Spend Big Money,”
Journal of Accountancy, 1 March 2017,
https://www.journalofaccountancy.com/issues/
2017/mar/continuous-auditing.html
VOLUME 1 | 2022 ISACA JOURNAL 5