Tony Redlinger has spent most of his career as an IT auditor for such organizations as Aegon, CoBank, and the Los Alamos National Laboratory. These days, he serves as a senior manager for internal audit at IHS Markit, a global information and analytics services provider. Tony is also a senior instructor for MISTI's IT Audit and Controls, an integrated auditing course for today's internal auditor. We recently sat down with Tony to talk about the challenges of being an IT auditor, what's next for cybersecurity, integrated auditing, and more.
Q: What drew you to the profession and what do you like most about it?
A: How I got involved in internal audit can best be described as a happy accident, which is a common story for internal auditors. The internal audit department of the company I worked for at the time was doing a road show explaining what internal audit did. At the end of the presentation, a pitch was made for an opening for an IT audit position, so I approached the audit director about the position, and after nine months and a persuasive letter, I was hired. It was meant to be an integrated auditor position, but because of my technical skill set, I did primarily IT audits. Ironically, I originally got into audit because I knew a couple of people who had moved from internal audit to investments, which is what I wanted to do at the time, or at least I thought I did. I ended up loving internal audit and stayed there. I love that every day is different and it can be challenging but you get to see and learn from so many different parts of the organization.
Q: How did you get to the position you are in now?
A: Perseverance. It's easy to get frustrated in this position because its challenging and the technology is always changing, but that's also what makes it so rewarding. You have to press on and always be sure that you are adding value.
I have worked in four different internal audit departments, and I have learned something in each of them on which I can build. For example, in one of my first IT audit jobs the audit director told me to run each audit as if it were my own business. He told me to take charge and not to just follow the processes mindlessly, but to do what I saw as necessary to providing a good audit. Another thing I have learned is that you can't sit still and wait around for other people to tell you what to do; you have to drive things and make your own way. So maybe the answer is continuing to learn and being willing to change.
Q: What is something that you are struggling with in your job right now?
A: Marketing the internal audit function. There are still far too many people who don't understand what internal audit does. They think we're a compliance function or a SOX function, or a finance function, or, in the worst case, something related to the IRS. Over my career, I have seen organizations where I have worked look to external audit firms, often with less experienced individuals, to provide guidance when internal audit has the same or better qualifications. When I have the opportunity to discuss what internal audit does, I like to point out that the definition of internal auditing that is included in the standards most audit departments follow does not include the word "compliance" or the word "finance."
I really do believe that internal audit is there to help, but we need to do a much better job of communicating our contributions. For example, the Sarbanes-Oxley Act does not include any requirements for internal audit, yet many internal audit departments perform SOX testing. Internal auditors are performing the testing required of management, which frees management to perform other duties and increases the reliance of the external audit firms on the work because of internal audit's independence. Isn't this adding value?
Q: Do you think that internal audit and IT audit struggle with cybersecurity? Anything you think they could be doing differently?
A: First, I have to say I have never liked to term "cybersecurity." We should be talking about information security because we are trying to protect sensitive information that can be compromised in technical and non-technical ways. The media has latched on to the term "cybersecurity," but it's important to recognize that in most cases we are talking about information security. I think the struggles internal auditors or IT auditors have with cybersecurity are because it is so broad in nature. Part of the solution is education so management, executives, and boards understand the breadth of cybersecurity. From a tactical perspective, auditors need to break it into manageable components, such as security policy, security organization, and incident response. Each of these could be an audit on its own. We should also incorporate cybersecurity into all our audit engagements, similar to what we should be doing with fraud. That will give us broader coverage of cybersecurity issues without necessarily performing a cybersecurity audit every year.
Q: How about integrated auditing? What are forward thinking companies doing with integrated auditing that maybe others can learn from?
A: Integrated auditing is something I've heard discussed from its beginning, but it's rare to see it implemented effectively. It's not often that integrated auditors really take a holistic approach. They either focus too much on the technology and not the business process it is supporting, or they focus on the processes without really understanding the technology well. Another common mistake it that they don't define what they mean by integrated auditing. That can mean a lot of things to a lot of people. You have to define it first.
It's critical to look at the technical aspects of all audits because the business is so dependent on technology. To get better, companies need to train all of their auditors on the fundamentals of IT audit. Even then, not everyone is interested in the IT aspect of an operational audit, so it's critical to have the right audit team with the right set of capabilities. IT auditors aren't off the hook either. IT auditors need to understand how the business uses the systems we audit in order to better identify risks and make meaningful recommendations on improving the control environment.
Q: What are some things that IT auditors can do to become better at their jobs?
A: Seek to understand. Too often, we find ourselves with a check-the-box mentality without really understanding why we are checking the box or why it's important. I hear information security professionals make comments about the internal auditors coming with their checklists, which makes me cringe, but at the same time I believe the criticism is justified. Even with training, I see too many internal auditors look to a manager or supervisor to direct them to the proper training. Learn the systems being audited, and as mentioned previously, learn how those systems support the business. And take ownership of your own training and development.
Q: Can you point to any outside resources that you use that have helped you along the way?
A: There are so many, starting with the professional organizations: IIA, ISACA, ACFE, (ISC)2, ISSA, SANS, and others. MISTI also offers some excellent resources, of course. All of these offer great training and have invaluable resources available to help in execution of audits. The personal connections through attending professional events also provides a wide network of resources. Accounting and consulting firms have also been helpful. I have worked in organizations that have used a co-sourcing model, and building those relationships has allowed me to pick up the phone and bounce ideas off someone when I need it. While not an outside resource, I think we often overlook internal resources available to us, including those we are auditing. The people we are auditing are very skilled and knowledgeable about what they do, and we need to take advantage of that knowledge.
Q: Last, what is something you did in your career that you are glad you did and would never change?
A: I got involved very early in my career. I gave my first presentation at a conference about four months into my audit career. Presenting to others requires that you do your homework and really understand what you are presenting. I also passed the Certified Internal Auditor exam during my first year of auditing, which really helped me to understand the processes I had been performing. I took the initiative to do these on my own and did not wait for someone else to direct the course of my career. There are so many opportunities in internal audit and IT audit. This field can be whatever you want it to be, but you have to take charge of your own career.