What the Post-Pandemic Future Holds for IT Auditors

Diego Fratus, CISA, CIA, CCSA, CRMA and Cedric Blotin, CISA
Author: Diego Fratus, CISA, CIA, CCSA, CRMA and Cedric Blotin, CISA
Date Published: 9 May 2023

The COVID-19 pandemic disrupted enterprises in 2020 in the form of delays in the delivery of raw material and finished products, increased transportation costs, travel restrictions and shifts in consumer priorities as essentials were prioritized rather than luxury goods. Some organizations were forced out of business because they failed to react to changing technologies that gained traction as consumers were driven to make purchases online. COVID-19 acted as a catalyst that accelerated digital transformation, modified how brands interact with their customers and disrupted IT audit practices.

Technology at the Heart of the Digital Revolution

Consumers, especially luxury brand consumers, expect an exceptional level of service, and the success of brands often depends on their abilities to provide seamless and personalized experiences across all distribution channels. This degree of attention requires sophisticated IT systems and technology infrastructure that can support a seamless customer journey. Ecommerce platforms, customer relationship management (CRM) tools and point of sale (POS) systems are examples of technologies currently used to enhance client engagement and the consumer experience. With the addition of such technologies, IT auditors can play a crucial role in ensuring that an organization's IT systems and processes support a positive consumer experience. By helping enterprises identify opportunities for digital transformation, ensure data privacy and security, improve website and mobile application functionality and enhance customer service through technology, an IT auditor can help to deliver a better consumer experience that meets the high expectations of all consumers.

Consider a specific instance of transformation in action. Kering, a French luxury goods corporation that owns and manages high-end fashion and lifestyle houses, has been on a journey to internalize the management of its houses’ ecommerce websites as part of an integrated approach between physical and digital stores, since 2019. This migration has been a key phase of Kering’s business strategy, especially in light of the rapid increase in online transactions due to the COVID-19 pandemic. In 2021, online sales accounted for approximately 15 percent of Kering’s luxury houses' retail sales on average, a higher proportion than 2019 and 2020.1 Luxury brands are highly focused on providing online customers with the standards of excellence seen in their boutiques, which requires heightened attention to the quantity and quality of their interactions, underpinned by optimal use of customer data and CRM systems to deliver personalized messages and experiences to customers based on their profiles and purchasing histories.2 In stores, digital platforms also support store assistants and managers in their daily activities (e.g., real-time access to inventory levels, customized styling recommendations).

However, brands should not only rely on traditional technologies, but also leverage disruptive technologies such as artificial intelligence (AI), augmented and virtual reality (AR and VR), and non-fungible tokens (NFTs), which are reshaping the luxury world and the retail experience.3

Brands should not only rely on traditional technologies, but also leverage disruptive technologies such as AI, AR and VR, NFTs, which are reshaping the luxury world and the retail experience.

In response to the waste reduction challenge faced by the fashion industry, Kering works with AI technology to improve sales forecasts, optimize production and distribution, and anticipate seasonal demand to limit the quantity of unsold products at the end of each season.

New business models are also being explored. Some enterprises have begun to accept cryptocurrency as a form of payment or entered the metaverse. With regard to Web3, Kering’s Chief Executive Officer (CEO) Francois-Henri Pinault explained 3 different scenarios that must be tested:4

  1. Opportunities for product extension into the virtual world (e.g., NFTs linked to physical items)
  2. Opportunities for new product categories that are not available in the physical world
  3. New services, new approaches and smart contracts (e.g., digital IDs)

The use of AR and VR can be also beneficial for brands in several ways, especially for retailers that rely on online storefronts. AR and VR can enhance a customer’s experience by allowing them to try on apparel to see how they would look without having to physically wear the item. These technologies can also be used to showcase products in an engaging and interactive manner, such as through a virtual showroom. Personalization is another benefit. AR and VR can be used to customize products and services for individual customers. And, AR and VR can be used for storytelling purposes, allowing brands to create immersive experiences that take customers on a virtual tour of the brand's history and heritage.

In this context and as technology continues to mature, the number of IT systems utilized by enterprises continues to grow, and so does the risk associated with them. As risk increases, so does the importance of thorough, actionable IT audits.

The Role of IT Auditors in the Digital Revolution

IT has become a key instrument for supporting business transformation, particularly in light of the changes in consumer habits due to COVID-19. Therefore, organizations must be strategic when investing in and implementing new solutions. But IT investments do not always achieve their initial targets and may ultimately harm the enterprise, resulting in misalignment with business objectives, security breaches or wasted resources. To minimize these risk factors, IT auditors must provide independent and reasonable assurance that effective controls are in place and that guidelines are followed.

Although the emergence of new technologies is a good opportunity for IT auditors to play a greater role in the organization, new technologies also pose considerable challenges.

However, the traditional approach—conducting compliance-oriented IT audits and monitoring for misalignment with policies or procedures—is now obsolete. Today, auditors must not only focus on risk to the enterprise, but also assist auditees in continuously improving business performance by identifying areas of improvement, providing insights and recommendations, helping to implement best practices, and facilitating training and development opportunities. Although the emergence of new technologies is a good opportunity for IT auditors to play a greater role in the organization, new technologies also pose considerable challenges such as:

  • Increased complexity of IT audit practices—The increased volume of available data, regulations and new technologies are issues that may arise from digital transformation. When contending with significant volumes of data, auditors may experience difficulties with data integrity, reliability, and completeness, or with retrieving or processing data. The use of disruptive technologies also creates new attack vectors, ethical and legal concerns, data breaches, and more. The rapid change in IT regulations worldwide, particularly those related to data and privacy, forces auditors to adapt their work programs to local requirements in terms of data localization and transfer, retention and disposal. An approach that involves implementing a robust data governance framework, investing in data management tools and resources and keeping up to date with IT regulations can help address the challenges of digital transformation.
  • Need for more qualified IT auditors—In the context of digital transformation, there is an increasing need for more qualified IT auditors. IT auditors should not only have experience and knowledge related to IT, security, and regulations, but they should also be able to adapt to modern trends. Newer skill sets that are becoming increasingly important to IT auditors include the use of data analytics and automation tools to analyze large data sets, identify patterns and detect anomalies. Additionally, comprehending the hazards and controls linked to the use of blockchain, cryptocurrency, virtual assets and AI is crucial. Auditors without experience in these domains can benefit from participating in training programs to better understand basic concepts and use cases and provide an effective risk evaluation.
  • Overreliance on existing frameworks—Existing control frameworks such as COBIT®, those of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and those of the International Organization for Standardization (ISO) are helpful, but alone are not complete solutions in today’s IT environment. IT audit characteristics should be tailored to the needs of each enterprise, meaning that auditors should have a clear understanding of the auditee’s business model, major projects, and initiatives, and identify systems and infrastructure that support business operations to determine realistic audit subjects.

Conclusion

Disruptive technologies are reshaping industries to deliver customized experiences to customers. In the aftermath of COVID-19, organizations are now more than ever relying on technology, increasing the demand for IT audits. With a higher level of complexity, IT audit practices have drastically changed, creating new opportunities, but also raising new challenges. Organizations can tackle these difficulties by strengthening their utilization of data management tools, providing IT auditors with training and educational programs and tailoring existing frameworks.

Endnotes

1 Kering, 2021 Universal Registration Document, 2021
2 Kering, “Kering Announces New Developments in Its Digital Strategy,” 26 November 2018
3 Editorial Team, “3 Retail Technology Trends Transforming Luxury,” Luxe Digital, 18 April 2021
4 Adegeest, D.; “Kering CEO Confirms Team Is Exploring Metaverse Opportunities at Management Level,” FashionUnited, 23 February 2022

Diego Fratus, CISA, CIA, CCSA, CRMA

Is the group internal audit director at Kering. He started his career at KPMG carrying out auditing and advisory assignments. He has more than 20 years of experience in the fields of internal audit, internal control, and enterprise governance across multiple industries and multinational enterprises including Adecco SA, Gewiss Spa, and Percassi Group).

Cedric Blotin, CISA

Is the IT internal audit manager at Kering. He has previous audit experiences with Ernst & Young and Sodexo.