Zain Haq, one of the expert IT Auditors (and York U Alumnus) we’ve recruited to teach in our new Certificate in IT Audit Execution (now changed to Certificate in Information Security Audit), knows exactly what it takes to succeed on the job. Currently acting as Audit Manager with Manulife Financial, a multinational financial services organization, Zain brings years of experience navigating the complex world of government regulation, IT systems and risk management in complex digital environments.
Zain answered some of our questions about IT auditing, what industry changes to expect in the near future, and how our program sets students up for success on this rewarding career path.
How did you start your career, and what has been the key to your success?
I started as an IT Audit Associate with PricewaterhouseCoopers (PwC) Risk Assurance Services practice in November 2011. I was a part of the CATO (Chartered Accountants Training) program whereby, over the course of three years, I gained exposure in different IT audit practice areas.
A major factor in my career success has been my mental readiness to get out of my comfort zone and accept challenges. Each client has a unique IT environment with a complex set of infrastructure, applications and other IT components. As an IT Auditor, I need to comprehend these complexities and scope the engagement accordingly. Additionally, different clients perceive IT audits differently. Some view it as a value-added process to improve their practice while, for some, it is just a regulatory requirement to fulfill. By understanding a client’s perception of the IT audit engagement, and their level of comfort in accepting audit results, I am able to adapt my approach in dealing and communicating with client personnel to ensure the client is satisfied with the findings while delivering the audit objectively.
Why is it so important to learn how to fully execute an IT Audit (rather than only focusing on mastering the knowledge domains)?
IT audit is more than just mastering the knowledge domains. One should view IT audit as a process. You start with understanding your client, their management culture and their IT environment. You then prepare a list of audit requirements, share it with your client and develop a strategy and timeline to execute the audit. Mastering the knowledge domains alone won’t help you execute these steps successfully. Therefore, to be a successful IT Auditor, you need to understand and effectively execute each step of the IT audit engagement. That’s what the Certificate in IT Audit Execution (now changed to Certificate in Information Security Audit) does differently.
How are government regulations changing the world of IT Auditing?
As we witness a dramatic increase in privacy breaches and cyber attacks, regulatory organizations around the world are increasingly challenging organizations to equip their systems and processes to adequately protect their systems and data. Regulations like PIPEDA (Canada) and GDPR (European Union) are prime examples of such regulations. The process of IT auditing helps to objectively and independently determine whether companies have implemented the right control processes to comply with such regulations. Therefore, IT auditors need to keep themselves abreast of these regulations to effectively plan, execute and report the IT audits.
What trends and changes do you predict for the field over the next few years, and how do they affect someone starting their career as an IT Auditor?
Technology experts are exploring an increased use of emerging technologies, like Robotics Process Automation (RPA) (a software application or bot programmed to execute basic human tasks that are usually manual in nature) in different stages of the IT audit. Common audit tasks, such as data cleansing/analysis, risk assessments, sampling stratification and certain reporting activities, will at some point be partially or fully performed by automated software programs. Therefore, IT Auditors will need to understand these emerging technologies and be agile in adapting them to use in their day-to-day work.
How does our program prepare students to enter the job market? What makes our program unique?
Our Certificate in IT Audit Execution (now changed to Certificate in Information Security Audit) aims to make students well-versed with the end-to-end process of IT Auditing. A typical IT audit engagement begins with planning the engagement (i.e. scoping, budgeting, timing and resource allocation activities). It then heads into the execution phase, which is the assessment of design and operation of the in-focus IT controls. And lastly, we enter the reporting phase where the final audit report is prepared and socialized with the Auditee. Our program covers each of these three phases as a separate course, so that students attain the required expertise to plan, execute and report IT audit engagements effectively.
Ready to learn how to fully execute an IT audit with confidence?