Timo Heikkinen is a senior audit manager for Nordea Bank in Helsinki, Finland. With more than 15 years of IS auditing experience, he is responsible for the execution of Nordea Group’s overall internal audit strategies and planning, managing and leading business-IT and outsourcing-related audits across the Nordea Group. He is also a member of ISACA’s Relations Board.
What’s on your desk right now?
How has social media impacted you professionally?
What are your favorite benefits of your ISACA membership?
What do you do when you are not at work?
- Spend time with my family.
- Play football (soccer) and watch my sons playing football (soccer) and ice hockey.
- Just simply, enjoy life.
How do you think the role of the IS auditor is changing or has changed? What would be your best piece of advice for IS auditors as they plan their career path and look at the future of IS auditing?
The IS auditor’s core role has not changed much over the years. The IS auditor is and should be primarily responsible for providing an objective assurance on the risk and control processes of the organization. In that way, the IS auditor is in the best position to improve risk and control practices in the organization. Many things (e.g., emerging technologies, regulatory obligations, outsourcing) have, of course, changed how the IS auditor’s audit universe looks now compared to what it was earlier. Those things have all brought new challenges to the IS auditor’s working environment. My piece of advice for IS auditors is to constantly keep your knowledge updated and build a trusted partnership with key management representatives.
What do you see as the biggest risk factors being addressed by IS audit professionals? How can businesses protect themselves?
One of the biggest risk factors that IS auditors should be closely monitoring is risk related to services being provided by third parties. Whenever an organization outsources something, it cannot outsource the management responsibilities related to risk and controls. There is a tendency to trust and expect too much of third parties, but as an IS auditor, trust is not a good control. Business management needs to understand and manage risk related to services being provided by third parties.
How do you believe your software engineering background has supported your career and current role as a senior audit manager?
My software engineering background has helped me to understand in practice not only how the applications are being developed and maintained, but also the nature of controls that need to be implemented in applications.
How have the certifications you’ve attained advanced or enhanced your career? What certifications do you look for when hiring new members of your team?
Certainly, my certifications have enhanced my career. Having a certification shows a true commitment and dedication to your chosen occupation. At my organization, the Certified Information Systems Auditor (CISA) designation is mandatory for all IS auditors. Therefore, our company strongly encourages and supports all new hires in obtaining the CISA certification.
What will be the biggest compliance challenge in 2015? How will you face it?
I would say that in the banking sector, which I represent, the biggest compliance challenge is coming from the regulatory side. We face new challenges to ensure compliance with both existing and emerging regulations. To face these challenges, auditors need to ensure that management is aware of and has taken appropriate actions to sustain ongoing compliance with these regulations.