Jul 27, 2022
Our international study discovered a significant knowledge gap in Big Four IT auditors' theoretical knowledge and practical skill! (Deloitte, KPMG, EY, PwC, and more)
We discovered that the IT auditor's lack of hands-on skill in information technology influences data breach likelihood and technical evidence interpretation for critical infrastructure (power, water, communication, and banking).
These results are generalized to 151,000 IT auditors in our industry.
For instance, this assessment expounded on common concepts like least privilege and separation of duties via task-based activities. This strategy required the respondent to test their knowledge against specific technologies like Microsoft Server, Amazon Web Services (AWS), Palo Alto firewalls, Kubernetes containers, and Microsoft Azure.
Unfortunately, as IT auditors, we had inadequate levels of procedural knowledge. IT auditors had an average procedural knowledge score of 19.35 (Level 2 – Assist). See the grading scale on page 465. (Note: Level 3 is average proficiency.)
These findings suggest that the current education models in IT certification exams, college curricula, certification boot camps, and training seminars do not provide task-based skills to help implementers and assessors improve their procedural knowledge (demonstrable skills) and identify controls that reduce data breach likelihood. See SME and IT Auditor SFIA Procedural Knowledge Scores figure on pages 455 and 465.
However, I'm optimistic about our future. 😁 In Chapter 5 (18 pages), I detail strategies on how we can improve our technical competency and create the next generation of cybersecurity auditors and cybersecurity professionals, particularly by adopting National Initiative for Cybersecurity Education (NICE) and SFIA Foundation.
Creating the Next Generation Cybersecurity Auditor: Examining the Relationship between IT Auditors’ Competency, Audit Quality, & Data Breaches - ProQuest