Questions From the IT Audit Mailbag: Supporting Your Journey to Becoming a Triple-Threat Auditor

The Internal Auditors of the future will be agile, well-rounded, tech-enabled auditors for whom innovation is instinctual.
They need to be great at:
- Auditing things they’ve never audited before
- Applying data analytics
- Leveraging AI to augment analytics and assurance activities
That’s all why leading Internal Audit teams focus on building “triple-threat” auditors with core competencies in (1) analytics and AI, (2) IT audit, and (3) innovating traditional Internal Audit acumen. The rapid proliferation of AI tech — and AI risks — only increases the urgency.
But we can’t be the triple-threat auditors our organizations need if we keep operating in silos, with formal walls separating IT auditing and business process auditing.
The first step toward becoming an Internal Auditor of the future is becoming a more integrated auditor.
That doesn’t mean you have to be an expert in cybersecurity, cloud computing, malware, or AI bots. It means developing a core competency enabling you to:
- Test and provide assurance over common ITGCs
- Discuss common IT frameworks auditors should know about
- Understand how common IT components create risk and impact business process controls and financial reporting
- Validate the completeness and accuracy of key systems (and key systems’ data and reporting)
Are you up to the challenge? What about your team? What IT audit questions do you have?
Below are some of the questions that came up over the four weeks of the Internal Audit Collective’s most recent Synergy course, built to equip auditors with the IT audit skills needed to future-proof their careers. In today’s article, Synergy instructor Toby DeRoche — a longtime IT audit leader, trainer, SME, and consultant focused on IT risks and controls, cybersecurity, governance, and compliance — shares his perspectives.
1. Improving IT Risk Assessments
Q: What are some lessons learned from recent audits that significantly changed/improved your approach to IT risk assessments?
A: One thing that changed my perspective on IT risk assessments was auditing our incident response plan process. In the incident response plan, you’re able to see what the business views as the most critical systems and processes, how long the systems can be down, and how much the business depends on vendors to meet their SLAs on recovery times. We used that information to better understand actual risk appetite and criticality in the risk assessment.
Another lesson was relative to AI use. One of our development teams is using AI to assist in code writing. While the AI does a good job, we built the process to include a human review before the code could be committed to production. Two issues came up. First, the reviewers were NOT actually reviewing. They were just accepting the AI’s code and hitting a review button. Second, an upgrade was pushed out for the AI one weekend, and on Monday morning, the code started auto-deploying its own code without stopping for approval. The lesson learned was that AI usage must be monitored very closely. Even when you think you have good controls in place, they can be bypassed.
2. Auditing Transitions to a Cloud Environment
Q: As organizations continue moving toward cloud environments, how do you see the role and testing approach for ITGCs evolving over the next few years?
A: I have actually found that testing ITGCs is not that different in cloud versus on-premise environments. The biggest difference in testing is related to third-party risk management. Testing things like vendor risk assessments, SLA management, and SOC reports all come into scope in a cloud environment.
Q: We are in the process of moving to a cloud-based environment. To provide the most value, at what stage should Internal Audit become involved in the cloud migration process?
A: Very early. I would recommend setting up a call with whomever is leading the cloud migration project and covering the expected System Development Lifecycle (SDLC) controls. We have a template for these controls shared on the Internal Audit Collective’s community page, and a complete template with an RCM and guidance is available to all Synergy program participants.
Q: What are the most important risks or control areas to which Internal Auditors should pay close attention during and after the migration?
A: During implementation, the most critical part of the cloud migration will probably be how they relocate existing on-premises databases to the cloud. Questions to consider:
- Is it a simple move (i.e., take a current backup and restore to the cloud) or does it involve any transformation (like moving a SQL database into a Snowflake environment)?
- How are they ensuring the completeness and accuracy of the data?
- Is there a reconciliation process to prove the data moved over correctly? (They may start talking about hash totals. This is a quick way for IT to show that it’s correct.)
The next critical area will be the setup for security settings. Who can access what data? If you’re using AWS or Snowflake, things to watch include root accounts, S3 bucket settings, and custom permission sets.
It will also be important to discuss backup procedures after the migration. For example, what would they do if the company was hit with a ransomware attack and had no clean backup to restore?
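A worked illustration of the hash-total reconciliation the answer refers to, added here as an example and not code from the original article or the Collective's templates: it loads constructed source and target rows into in-memory SQLite, computes a row count, a financial control total and an order-independent hash total over canonicalised rows, and pinpoints which rows are missing or altered in the cloud copy. Table and column names are assumptions.

```python
import hashlib
import sqlite3

# Constructed sample data standing in for the on-premises table and its cloud
# copy (names and values are made up). The target has a trailing space in one
# customer name (harmless drift), an altered amount on 1002, and no row 1003.
SOURCE_ROWS = [(1001, "ACME Corp", 2500.00, "2025-03-01"),
               (1002, "Globex", 1300.50, "2025-03-02"),
               (1003, "Initech", 975.25, "2025-03-03")]
TARGET_ROWS = [(1002, "Globex", 1300.05, "2025-03-02"),
               (1001, "ACME Corp ", 2500.00, "2025-03-01")]

def load(rows):
    """Load rows into an in-memory SQLite table (stand-in for a real database)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE inv(id INTEGER, customer TEXT, amount REAL, d TEXT)")
    con.executemany("INSERT INTO inv VALUES (?,?,?,?)", rows)
    return con

def row_hash(row):
    """Hash a canonical form of the row (trimmed text, two-decimal amounts) so
    platform formatting differences do not raise false exceptions."""
    canon = "|".join(f"{v:.2f}" if isinstance(v, float) else str(v).strip() for v in row)
    return hashlib.sha256(canon.encode()).hexdigest()

def control_totals(con):
    """Return row count, sum of amount, order-independent hash total, per-row hashes by id."""
    rows = con.execute("SELECT id, customer, amount, d FROM inv").fetchall()
    hashes = {r[0]: row_hash(r) for r in rows}
    # Summing the row hashes (mod 2**256) makes the total independent of row
    # order, which usually differs between source and target extracts.
    total = sum(int(h, 16) for h in hashes.values()) % 2**256
    return len(rows), round(sum(r[2] for r in rows), 2), f"{total:064x}", hashes

def reconcile(src_con, tgt_con):
    """Compare control totals and pinpoint rows missing or changed in the target."""
    s_cnt, s_sum, s_hash, s_rows = control_totals(src_con)
    t_cnt, t_sum, t_hash, t_rows = control_totals(tgt_con)
    return {
        "count_match": s_cnt == t_cnt,            # completeness: same number of rows
        "amount_match": s_sum == t_sum,           # financial control total agrees
        "hash_total_match": s_hash == t_hash,     # accuracy: every field of every row
        "missing_in_target": sorted(set(s_rows) - set(t_rows)),
        "changed_in_target": sorted(k for k in s_rows.keys() & t_rows.keys()
                                    if s_rows[k] != t_rows[k]),
    }

if __name__ == "__main__":
    print(reconcile(load(SOURCE_ROWS), load(TARGET_ROWS)))
```

A matching row count with a mismatched hash total points to altered values rather than lost rows, which is why auditors should ask for both figures rather than the count alone.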
Q: What are some effective ways Internal Audit can validate that the cloud transition was smooth and key controls are operating as expected?
A: Internal Audit can establish that minimums were met if they can show that they:
- Completed a vendor risk assessment
- Confirmed a complete and accurate transfer of data
- Produced an initial user access review
For a more complete picture of the control environment, use the Internal Audit Collective’s SDLC template (mentioned above) for a few more control items.
Q: Is there a practical checklist Internal Auditors can use to perform a quick post-migration review or health check for an IT team that generally follows NIST guidance?
A: If they generally follow NIST, they should have good practices. This checklist (while not NIST-related) is helpful.
3. Auditing Automated Controls
Q: How can audit teams effectively validate automated controls when documentation is limited or the system is highly customized?
A: While it really depends on the application, the most common approach is to follow a single transaction from start to finish. For third-party applications that have been purchased, you can explain how the software works, show configuration settings, and then follow a transaction. If it’s a homegrown application, the development team may be able to point to the code section that drives the automation. If you are not comfortable with this level of technical review, you can use AI to help explain portions of the code in simpler terms.
4. Relying on Year-End ITAC Testing
Q: An organization performs ITAC testing during the first half of the year and roll-forward inquiries at year end to check for any configuration or setting changes impacting control function. The roll-forward inquiries help them determine whether more year-end testing is needed. What are examples of changes where the organization can waive further procedures vs. having to test again?
A: Typically we would look for changes that impact control design or operation. If nothing significant changed, the prior testing can usually be relied upon for the remainder of the year. For example, things like changes in control owners, routine system patching or server maintenance, or even system upgrades that don’t impact the processing logic would generally be okay.
If something changed that could affect the control logic, configuration, data flow, or security around the control, however, additional testing is typically required. For instance, configuration changes to the control could affect how the control operates and require retesting. Examples I’ve seen include:
- Significant changes to approval processes, such as moving from requiring two approvers for all changes to requiring one approver for some changes and two for certain types of changes
- Changes in business logic, like system upgrades that introduce new workflows that change how approvals are routed
- Changes to key system configurations that impact the control, like moving from logging in directly with passwords to using an identity management system
- Changes to integration or interfaces
Questions to consider that could trigger a retest:
- Were there any system upgrades or patches that changed control logic?
- Were there any configuration or parameter changes related to the control?
- Were there changes to roles, permissions, or access structures affecting the control?
- Were there changes to interfaces, integrations, or data flows?
5. Identifying Next-Generation IT Audit Skills
Q: What skills should the next generation of IT Auditors focus on developing to stay relevant in the evolving technology landscape?
A: Definitely make sure you understand AI and cybersecurity. The big topic right now is that with AI-enabled malware, all of IT ends up being humans versus machines. Historically, cyberattacks required time, patience, and technical expertise. Even well-funded attackers faced constraints. They had to manually research targets, write exploit code, customize phishing emails, and adjust tactics when defenses changed. AI removes many of those constraints.
Attackers can now use AI to:
- Generate highly convincing phishing messages tailored to specific individuals
- Rapidly scan systems for weaknesses and adapt attacks in real time
- Write and modify malware automatically to evade detection
- Analyze stolen data at scale to identify the most valuable paths forward
This is not theoretical. These capabilities already exist, and they are improving faster than most organizations can update their security programs. One AI-assisted attacker can now generate the impact that once required an entire team.
As auditors, we need to develop several key skills. To start, we should:
- Understand what constitutes effective cybersecurity controls
- Develop IT audit skills — it does not matter what your background is
- Stay current on what attacks look like and engage in the conversation
- Create connections with other Internal Audit Collective members to build connections with others who can help you answer questions when you get stuck
6. Resources for Continuing Learning
Q: Beyond completing the Collective’s Synergy course, what other training courses, books, or certificates would you recommend for Internal Auditors looking to expand their IT Audit skill sets?
A: First, I recommend exploring more of the Internal Audit Collective’s resources. Roundtable discussions (e.g., Dave Malcom’s “How to Audit Cybersecurity Series”) are a huge help when trying to understand any new topic. The courses offered by the Collective help you build new skills and learn from others in the field. We are even developing new courses delving deeper into advanced areas of IT audit (available soon).
Beyond the Collective, ISC2 offers a free course and certification on the basics of cybersecurity, a good foundation for anyone entering this area for the first time. If you’re making IT audit part of your career goals, you can also consider ISACA’s CISA certification. I got this certification, and it helps when job hunting. It can also help you learn some basics that apply to IT auditing in general. But to gain a deeper understanding of current and emerging IT risk information, I would recommend focusing on the topics covered in the Collective’s webinars and roundtables. That’s as current and real-world as you can get.
THE LAST WORD: Invest in Expanding Your Audit Competencies
AI will impact headcount sooner rather than later. That’s what I’m hearing, and I agree.
The Internal Audit teams that are training themselves in the skills they need to be the triple-threat auditors of the future are more likely to be safe from these impacts.
It’s time to lean in and create a plan.
If you’re a business process auditor, decide how you’re going to become more of an IT auditor. If you’re already well-versed in IT audit, do the reverse. And every auditor needs to become better at leveraging and understanding AI, thinking critically, communicating effectively, building relationships, and cultivating the other human superpowers that will enable them to keep delivering relevant value.
The Internal Audit Collective is committed to providing the training courses, discussion forums, and how-to resources audit teams need to future-proof their careers. For IT audit:
- **Register for Synergy.** Toby has built a truly excellent how-to training that reliably gets rave reviews. The 16-CPE course balances instructor-led presentations, workshop sessions, and peer discussions to provide everything you need to start becoming a more integrated auditor. The next course begins April 6, 2026.
- Sign up for our “How to Audit Cybersecurity” community events, where Dave Malcom answers your cybersecurity-related audit questions and shares IT audit leading practices.
- Look for an upcoming Internal Audit Collective webinar on data lakes and warehouses.
- Check out our articles and eBooks focused on topics like targeting cybersecurity risk assessments, scaling your data analytics program, and upskilling your team in Gen AI.
Bottom line, IT audit fluency is no longer optional. Make sure you’re not falling behind.
