Shuaib Shakoor, CISA, executive director for internal audit at professional services firm JLL, has seen the audit profession evolve with the rapidly changing technology landscape. Shakoor recently visited with @ISACA to discuss how internal audit is changing, how audit teams should approach cyberrisk and the challenges that accompany implementing emerging technology. The following is a transcript of the conversation:
You are currently executive director for global internal audit with JLL – can you tell us a bit about what that entails and what some of your primary challenges are these days?
I am currently responsible for the Enterprise Systems and Analytics audit portfolio at JLL. My team focuses on the execution of an annual audit plan to provide assurance/strengthen technology and data-related internal controls across a wide range of business, financial, compliance and operational risks. I am responsible for advancing the information technology, cyber and analytics skills of the audit team, and guiding their application of audit methodology. I am also responsible for building and managing relationships with senior technology and other business leaders in the company, as well as working closely with the chief audit executive (CAE) to deliver work that provides assurance over the key risks for technology applications and processes, data governance and systems infrastructure.
My biggest challenge these days is attempting to address current technology-induced risk through timely audits and wading through the onslaught of new and emerging risk while simultaneously trying to filter out the noise to go after the real bad stuff. The notion of a pre-emptive risk analysis is always on my mind – how can I better leverage cognitive technologies, analytics and AI to go beyond the qualitative risk analysis most of us perform to something that truly detects, predicts and prevents risks. I am a big believer in crowdsourcing risk from across the enterprise to help inform our risk posture and ultimately reduce the cost associated with risk management for the company. While the theory is sound, putting it in practice has its own set of challenges.
How has internal audit changed the most during your time in the field?
I’ve seen our focus shift from testing auditable entities based on some arbitrary rotational plan to testing those entities that focus on business, process and strategic risks. We have shifted from looking at historical data to inform us on risk to being more risk sensing based on things that are happening now and in the near future. We have gone from being the policing function to being a trusted consultant and advisor while providing assurance across all facets of enterprise risks and not just traditional financial risks. Lastly, we have become more sophisticated with using data as a compass to zero in on key risks and tell a compelling story that drives action within the enterprise and moves past the hypothetical.
Where can audit teams add the most value when it comes to dealing with cybersecurity risk?
As the third line of defense at most organizations, internal audit’s role in helping manage cybersecurity risk begins with having strong communication channels and working relationship with the first and second line to properly understand cyberrisk at the organization. By knowing what cyberrisk challenges the company faces, IA can upskill appropriately and then consult, advise and help build a pragmatic cyberrisk management program that proactively considers cyberrisk and information security in all new initiatives – effectively creating a “continuous security assurance by design” program. Of course, performing traditional cybermaturity assessments is still critical and highly recommended – outputs from the assessment can be used by IA to objectively and independently inform the board and audit committee on the company’s cyberrisk posture. Outputs of the assessment can also be used by IT to upskill talent, get funding and create a road map for remediation.
What makes the most sense in terms of implementing emerging technologies into audit projects and processes?
Build up to it. There is no need to change your methodology overnight to incorporate robotic process automation (RPA), for example. Come up with use cases, test them out and then roll them out gradually. Finally, ROI for automation should not always be measured by time saved – it’s more about freeing up time to do more meaningful tasks; that is where the true value is within audit.
You were previously a director of internal audit at United Airlines, and of course that is an industry that has been walloped by the pandemic. What do you see as some of the lingering challenges or opportunities for audit teams that the pandemic has set in motion?
The great resignation. We do not and will not have the right human capital to go after risks in the traditional sense. The adoption of technology to augment how we perform risk assessments, sense risk events and prevent outbreaks from breached risks will become critical to the success of our profession.
What intrigues you most when you think about where the field is headed in the next 5-10 years?
I’m looking forward to a truly risk-sensing audit function coming to life and to real-time risk assessments based on patterns of behavior where we can anticipate risks, correlate them to different parts of the business, effectively mitigate risk events before they occur and make adjustments to audit plans as risks unfold in real time.