Rob Fijneman joined KPMG in 1986 and performed many different client facing and management roles. He led KPMG’s IT advisory practice in the Netherlands from 2004-2009 and was a member of the global IT Advisory team in the same period representing the region Europe, Middle East and Africa. Currently he is lead partner for 3 global accounts. As a professor at Tilburg University he is leading a Master of Science program in IT Auditing and is guest lecturer for Information Management and Accountancy.
“Well we know where we’re goin’
but we don’t know where we’ve been
and we know what we’re knowin’
but we can’t say what we’ve seen
and we’re not little children
and we know what we want
and the future is certain
give us time to work it out.
We’re on a road to nowhere
Come on inside
Takin’ that ride to nowhere
We’ll take that ride”
We’re on a road to nowhere. It was 1985 when the Talking Heads recorded that song, and it still resonates throughout our practice today. Although we do not have all the answers, and we never will, our intention is to be forward-looking, and we are willing to take that ride.
Ten years earlier, around 1974, KPMG launched the first IT audit practices, demonstrating the need for a specialized service to support the financial auditor. IT became relevant in supporting the financial back-office processes, and the regular financial auditor was not able to cope with the technical details. Since that time, the developments have been tremendous, of course encouraged by the push for technology, which continues to this day. IT is fully embedded in everyday life and in economic reality. Today companies are shifting to become such things as the first fully digital insurer or a digital hospital, among other examples.
The IT audit and assurance portfolio has evolved to support the full CIO and CFO agenda. The life cycle of IT, starting from strategy through to handling legacy systems, from development to operation and maintenance, from conceptualizing business cases to improving IT cost efficiency, from narrow IT support to full stakeholder management, is now the working domain for the modern IT advisor and assurance provider. IT has become a Board agenda item, and a well-equipped IT auditor must play a role on this level. It is not only about having the technical skills, but many other competencies are required to be a top specialist in this field.
Tilburg University conducted a retrospective of 25 years of IT auditing education and research in 2013. As part of that retrospective, an interview cycle was performed to discuss driving forces for our profession. What will the IT landscape look like in 2025, and what contributions are expected from the IT audit and advisory function? Being dynamic and moving forward creates huge opportunities for our profession, while staying in an “as-is mode” will probably be hugely downplayed. At KPMG we strongly embrace the dynamic and forward-looking approach, as most transformations will be based on technology. This identifies the need for IT specialists who can work with the following 5 driving forces:
- Full transparency. In the past year more data was produced than in all years before. Such data increases social transparency. Consumers can find answers to their questions in a flexible way. There is no place any longer for secret data and hiding information. This creates huge opportunities for an IT auditor in terms of validating the quality of data and processes; on the other hand, the need for IT audit and advice could decrease dramatically if consumers are empowered to find their own answers.
- Shared values. Today’s society will shift towards implementing the shared value approach of Harvard’s Professor Porter. Companies are not only driven by maximizing profit, but also by people with global concerns, which needs to be reflected in the reporting. This has inspired integrated reporting, which at KPMG we define as a “True Value” approach. How will the IT auditor and advisory services contribute to these concepts? How can we make sure our services are embracing the shared values? Big data approaches can be of enormous help in this space. Our current assurance services, focused on providing assurance about the quality of historic data, will not be enough. We must provide assurance about the quality of data at every moment in time.
- Earned trust. We do not rely any longer on institutes. In today’s world we tend to trust other individuals. On the Internet we rely on public opinion as a basis for buying services or products. In the corporate world we still see waves of legislation and compliance rules in reaction to incidents, whereas in general we want to decrease the volume of legislation and rules. The decreasing importance of institutes also positions the IT auditor and advisor differently. Of course your home base helps in creating credibility, but your individual behaviors and skills are much more important. How well do you perform as a team member, and which new services do we need to develop to earn the trust of society?
- Always in beta. Information Technology always has inherent flaws. This basically triggers the need for ongoing IT audits. Instead of performing these audits afterwards and fixing problems from the bottom up, we will be forced to act from the top down, ensuring the system is secure by design. How can we contribute to the definition and implementation of secure solutions? The forward-looking agenda for information risk management not only covers incident handling, but also covers topics like risk appetite, worst-case scenario, and agility to respond. The IT auditor needs to play a role as a partner in the business.
- Not an “either-or” but “we need it all” society. We will need in-depth specialists to validate the details of new and embedded IT solutions and controls. It is expected that the need for specialists will increase. On the other hand, we also need generalists who can identify the full value chain and make sure all specialized answers can be integrated into answers for our clients. This will create huge dynamics in which assurance products probably will also change. Only providing assurance for discrete topics covering historic data is not acceptable in the new world.
There are huge opportunities for IT audit and advisory: that’s the optimistic approach. It is about matching the demands of the future, in dialogue with all stakeholders. Our IT auditors and advisors are equipped for this journey. We certainly will drive these services towards 2024, which for KPMG will mark a special anniversary: 50 years of providing IT audit and advisory services.