Wednesday, 6 May 2020

Leading in a time of technology disruption – An audit firm perspective

The first commercial floppy disks, developed in the late 1960s, were 8 inches (200 mm) in diameter; they became commercially available in 1971 as a component of IBM products and were then sold separately beginning in 1972. The storage capacity of this disk was a mere 360Kb of data, so minute that it could hold only a few lines of text. Privileged to be entering the Y2K period, I am grateful to have been exposed to the world of computing in the year 2000, and by this time the floppy disk was carrying only 1.4Mb of data. This was a bit more than what Bill Gates is famously quoted to have recommended when he said, “640K ought to be enough for anybody.” It was fashionable to be seen carrying a case full of these, in different colours, as a show of high technological appreciation. To imagine that these amounted to 10.44Mb of data, a lot of millennials would be forgiven for laughing uncontrollably. Fast forward to 2020 and Kingston has released a 2Tb flash drive. Within 30 years data holding capacity has increased a million times. Such an evolution that if Jimi Hendrix were to wake from his eternal sleep he wouldn’t believe he could now put his entire music collection on a flash drive that fits in his watch pocket. Such has been the development of technology in every direction that today it also presents us with the threat of loss of so many jobs and people’s livelihoods. Talk of IoT, blockchain, artificial intelligence, data science and robotics, to mention but a few: these emerging technologies are reshaping the world of computing by providing new possibilities in a world of ever-increasing data.

The accounting and audit field is one that has not been spared by this technological advancement. Research and development teams in some of the top accounting and audit firms in Zimbabwe are grappling with the need to stay up to date with technology while matching staff skills to it. Some of the firms have adopted a re-skilling strategy to ensure personnel are adequately equipped to manage these technological changes, whether within or external to the firm. This strategy has seen some personnel crossing the floor from performing purely accounting and audit functions to combining these with emerging technology-driven ones such as data analytics and technology risk assurance. Though this strategy may seem a viable option, it has not been an easy one for many to transition into. However, with dedication, effort and high-quality learning support from within the firm, Forbes Research shows that more than 90% safely make it through and enjoy using this diverse combination of skills. Those who succeed have also indicated that they have found themselves to be of more value to their firms and clients than they were in a mono-directional career.
To promote the continued development and use of these emerging technologies, from quantum computing to the internet of things, all of which generate vast amounts of data, firms in developed countries have anchored new service lines on them. This has ensured that, apart from providing a platform for continued career development within, firms have been able to retain their best staff. In addition, firms have managed to get a return on the technological investment by offering these services to their clients. In that regard firms have become innovation hubs within their spheres of influence and an anchor for supporting client technology strategy.
But what of the firms in developing nations such as Zimbabwe? Many of these technologies have not taken root and are seemingly an expensive investment. The author however contends that this is the time that firms should be investing in technology, not only as a way of improving their employees but as a way of expanding their revenue lines. With many still coming to terms with the impact of Covid-19, which has threatened the very existence of many companies, this is the time that firms should be rising to the occasion and shoring up their technological capabilities. During this Covid-19 driven lockdown period, research has shown extensive use of technology in many areas such as education, working from home, robots in hospitals, drones for deliveries and applications for information dissemination, among other things. This unprecedented use of technology has seen many companies revising and investing in their technology transformation strategies in areas such as data analytics, cyber security and more. Audit firms in Zimbabwe should be looking at diversifying their lines of service to include those opened up by technology, not only to retain their valuable employees but to remain profitable in the wake of the global pandemic and thereafter. The big four affiliated firms (PwC, Deloitte, KPMG and EY) already have access to these world-class technologies, and it becomes a matter of doing more research into understanding clients and matching them with such technologies.

In addition to investing in other lines of service such as software development and cyber security, firms can also invest heavily in data analytics. A recent study conducted by Forbes magazine found that data science and artificial intelligence can improve audit quality. Through the use of this technology firms can gain more knowledge and insights that reveal more about a company, its risks, its financial reporting controls and its operating environment. The bottom line is that these technologies will empower and enable audit engagement teams to make key judgments and deliver high-quality audits. These capabilities may allow auditors to test 100 percent of a company's transactions instead of only a sample of the population. Firms need to promote the use of these technologies among their staff members to generate the required interest in their use.

Audit firms in Zimbabwe have the opportunity to become technology strategy drivers in Zimbabwe, to influence and drive the implementation and use of technology. Research shows that employees in Zimbabwe have not been productive during this lockdown period as a result of challenges that include:
· Prevalent use of legacy technologies which are not capable of supporting a work-from-home strategy
· Low usage of business applications that support secure remote access
· High cost of internet services, and
· Lack of investment in emerging technologies
With their vast pool of experienced and skilled personnel both in and outside of Zimbabwe, the audit firms have the potential to become the technological hub of the nation, or even of Africa as a whole. There is a need for someone to take a stand, seize the current opportunity and provide leadership in building up Africa’s own Silicon Valley in Zimbabwe. The extent to which these advancements will shape the future of audit is yet to be determined, but the time to make inroads is now. It only takes the will, and much will grow from it. My favourite author says: “Do what you can, where you are and with what you have”. The time for looking externally to what people can do for us is over. It is time for audit firms in Zimbabwe to take a stand and create a technological footprint that supports a drive towards a digital economy.



Monday, 9 July 2018



Consider transitioning to a Career in Cyber Security


The information technology industry is one that has over the decades experienced fast-paced growth and has impacted people’s political, economic and social standing in copious ways. Technology has disrupted many industries, changing and redefining the way services are delivered, from manufacturing, agriculture and marketing to medicine. Amidst all this magnificent development, another industry was born: the world of cyber security. As they say in physics, “for every action, there is an equal and opposite reaction”. The heavy losses incurred by firms and individuals through cyber-crime have created a need for an equal response. The cybersecurity industry has germinated to counter the devastating effect of cybercrime, which has since been dubbed the “world’s fastest growing” industry. Motivated by easy pickings, driven by skill and having the patience of a chameleon, “black hats”, as they have come to be known, have operated under the radar for a long time. With some of these criminals being funded by well-resourced organisations and to some extent by governments, they have managed to successfully carry out some of the world’s biggest information heists. Arguably among the greatest information swoops of all time is the J.P. Morgan Chase hack, which saw the bank losing information on 75 million of its customers. Cyber security has thus become a sign of hope and a pinnacle of defence against such barbaric acts, which some governments have branded as acts of terrorism.

The changing technology landscape means that more opportunities are being made available by the increasing demand for a skilled, motivated workforce, especially in the area of cyber security, as it is famously known. In the United States alone, the US Department of Labor predicts that the career landscape for cyber security will increase by 28% from 2016 to 2018. This increase is much faster than the average for all occupations in all sectors of the economy. Below is an extract summarising statistics presented by the US Department of Labor:

This huge demand means that a transition into information security is a worthwhile option for many. The growing criminal activity has also seen governments enacting legislation to protect themselves and the entities operating within their jurisdictions. Such moves have also seen service providers being required to provide specified levels of protection for information. A case in point is the GDPR (General Data Protection Regulation), recently introduced in the European Union, which requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states; non-compliance could cost companies dearly. This requirement thus sees a surge in the number of skilled professionals required to meet the obligations thrust upon firms by such legislation, through services such as information systems audit and compliance.

The question of career transition therefore becomes key. As some careers are taken over by technology and the need for cyber security experts surges, the call to join in is becoming even louder. A qualification and experience in accounting, auditing or risk, and in IT in general, presents many with an opportunity to enter information security easily. However, lacking these should not be an impediment for those who are not in this domain. One simply needs to take an audit of their career, organisation and possible areas of entry. Key to all is the motivation, enthusiasm and drive to be a cyber security expert. So where does one start?

The initial step towards a career in information security commences with an audit of oneself and one’s current situation, and then taking steps to become an expert. The current information security landscape of the organisation shows one the areas which one can enter to exploit the opportunities available. Among the things that can be done, one needs to take on more information security related tasks or projects within their organisation and to be a leader on projects. As one charts a new career there is a need to set goals that directly relate to the new performance initiatives. In this way, one will be able to begin the journey on a new path, albeit with support from the manager. Lastly, networking with other employees and managers presents another clear resource which one can make use of in ensuring one remains on the path to repositioning oneself.

Perhaps one of the most critical steps is acquiring enough skills to become a competent cybersecurity expert. The growing need for cybersecurity experts has also been heavily supported by the growing number of institutions which provide information security certification, skills and education. Among the notable certifications which have become highly regarded and rewarding in the industry are:
It is imperative to note that among the top ten certifications of 2017, five are security-oriented certifications. Certifications provide one with the requisite knowledge and skills to actively participate in information security programs. Therefore, this is a major step towards transitioning into the information security arena.
The growing need for security experts provides one with an alternative career path. It takes zeal, enthusiasm, networking, initiative and focus to become the most sought-after cyber expert. And as one leader said, “If you feel safe in the area you’re working in, you’re not working in the right area. Always go a little further into the water than you feel you’re capable of being in. Go a little bit out of your depth. And when you don’t feel that your feet are quite touching the bottom, you’re just about in the right place to do something exciting”. Why not start today? Why not start now?



Friday, 9 March 2018

The need for IT audit to enhance decision making in Enterprise Risk Management among Zimbabwean firms



Introduction

The Information Communications Technology (ICT) industry has evolved immensely since the turn of the 21st century. The contribution of ICT to general business performance through the use of bookkeeping and reporting systems has helped firms grow their revenue and in some instances avoid winding down. Information systems have introduced a layer of efficiency in the manner in which businesses operate by providing better ways to manage information and communications among companies. The introduction of these systems has brought with it not only efficiency but also cybercrime and malicious system access, which have had a negative impact on the confidentiality, integrity and availability of data. Globalisation efforts among trade partners and nations have also made significant use of ICTs to bridge geographical boundaries and distances.

The negative effects of the introduction of systems necessitated the introduction of control mechanisms to ensure proper usage of these systems, through a process called auditing. Auditing is a means of evaluating the effectiveness of a company's internal controls. Maintaining an effective system of internal controls is vital for achieving a firm’s objectives, obtaining reliable financial reporting on its operations, and preventing fraud and misappropriation of its assets. The risks associated with the introduction of computer systems in turn called for a means of monitoring and controlling the use of computer systems in business, called information technology audit. Information technology control and audit is a critical mechanism for ensuring the integrity of information systems and of the reporting of organisation finances, to avoid and prevent future financial crises.


The Asian Risk Management Institute explains ERM as a disciplined and cohesive approach to risk that supports the alignment of strategy, process, people and technology, and allows firms to categorise, rank and effectively manage their serious risks. The information systems audit contributes to the enterprise risk management effort by assessing the organisation’s critical systems, technology architecture and processes to assure that information assets are protected, reliable, available and compliant with the organisation’s policies and procedures, as well as with applicable laws and regulations within the country of operation. A significant relationship has been found between the level of ERM implementation and the firm’s value. This finding therefore makes it imperative that efforts be directed towards strengthening enterprise risk management through the use of technology, to continue increasing firm value.
Because IT risk systems and their integration with the enterprise risk management process vary widely among enterprises, the auditor must define the scope of the audit to fit the enterprise. This assertion therefore presents the need to assess how effectively IT audit systems improve enterprise risk management decisions in firms.

Background

The production of audited company statements is a requirement enshrined in the Zimbabwe companies act 243 (3). The requirement mandates firms to appoint auditors to produce audit reports for the respective company accounts kept within the firm. The adoption of ICT systems by a majority of firms in Zimbabwe has helped them manage information better as well as increase productivity, monitoring and evaluation. This increased use of ICTs in firms has thus posed significant risk to firms in the growing cyber space from cybercriminals. Malicious activity has also been reported to originate from organisations’ own employees and system users. To effectively manage the IT risks introduced into business processes, many firms have adopted the use of IT auditors, internally and externally, to review the controls within the IT infrastructure, identify the risks and put forward recommendations on how the risks can be managed. The uptake and use of IT audit has been slow, with the majority of firms preferring to use only financial auditors. However, a report by PwC (2011) indicated that threats from the use of ICTs are growing phenomenally, with global cybercrime costs estimated to reach 400 billion USD by 2017. Some organisations have therefore acknowledged this growing threat and embarked on a drive to strengthen their enterprise risk management process, with IT auditing providing a mechanism for planning and for evaluating the effectiveness of the measures that have been implemented.

Auditing in Zimbabwe
The auditing profession is regulated by the PAAB. It can be noted that many organisations have internal audit departments with the mandate of producing reports directed to the board of directors. For the purposes of publication, a number of organisations engage the services of external auditors to issue audit opinions on the status of their financial position. For other organisations, forensic audit processes are initiated to allow specific issues to be investigated within firms.
Using a risk-based approach, internal audit provides assurance on the effectiveness of governance, risk management and internal controls, including the manner in which the board and operational management achieve risk management and control objectives. Without internal auditing, organisations would be besieged by fraud, theft, waste and inefficiencies that make them less competitive.

I.T audit in Zimbabwe

IT audit in Zimbabwe has been a growing phenomenon and many organisations are embracing the need for well-trained information systems auditors. IT auditors have played a pivotal role in assisting firms to manage risks related to IT systems. IT audit not only points to vulnerabilities but also helps organisations assess exposure levels and compare those with the baseline risk appetite defined within their overall ERM strategy.

The growth of cybercrime, as mentioned above, has also contributed to the growth of IT audit functions to include forensic investigation. IT audit professionals have found themselves needing forensic investigation skills as crime escalates. The ability to recover from attackers and exploited threats is the major key to establishing an IT risk resilient organisation.
It is imperative that firms in Zimbabwe continue to invest in equipping their audit functions, especially those related to IT, as businesses embrace technology in doing business. IT auditors also need to be trained and have their skills upgraded in order to be able to help organisations detect and respond to cyber threats.

Why IT audit should be considered
Access Control
Unauthorised access to information and systems is one of the dangers posed by both internal and external actors. This deliberate breach of systems security causes damage to files, and perhaps to the integrity of systems and organisations. Firms need to engage well-skilled IS audit personnel to diligently evaluate controls on information to avoid both intentional and unintentional disclosure and changes to files. Policies and procedures need to be employed to manage and limit access to information systems resources. The policies adopted should set out how access is allocated to both internal and external stakeholders of the organisation, and it is the work of the auditors to verify that such policies are being adhered to, by asking common-sense questions regarding aspects of access control such as password change policies, time limitations, and so forth.
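As an added illustration (not part of the original article), the following Python script shows how part of such an access review can be automated instead of relying on questions alone: a constructed extract of user accounts is tested against a password-age limit, an inactivity limit and an MFA requirement for external stakeholders, and every exception is reported as a finding for the auditor to follow up. The policy thresholds, the account records and the review date are assumptions made for the example; a real review would export the extract from the directory or identity system in scope.

```python
from datetime import date

# Access-control baseline the auditor tests against. The thresholds are
# assumed values for this example, not figures from the article.
POLICY = {
    "max_password_age_days": 90,       # password change policy
    "max_inactive_days": 60,           # time limitation on unused access
    "mfa_required_for_external": True  # external stakeholders must use MFA
}

# Constructed access-review extract (one record per account). In practice
# this would be exported from the directory or identity system under review.
ACCOUNTS = [
    {"user": "alice", "type": "internal", "enabled": True,
     "last_password_change": "2020-03-01", "last_login": "2020-05-04", "mfa": True},
    {"user": "bob", "type": "internal", "enabled": True,
     "last_password_change": "2019-10-15", "last_login": "2020-05-05", "mfa": False},
    {"user": "vendor-acme", "type": "external", "enabled": True,
     "last_password_change": "2020-04-20", "last_login": "2020-01-10", "mfa": False},
    {"user": "carol", "type": "internal", "enabled": True,
     "last_password_change": "2020-04-30", "last_login": "2020-02-01", "mfa": True},
    {"user": "temp-2019", "type": "external", "enabled": False,
     "last_password_change": "2019-01-05", "last_login": "2019-02-01", "mfa": False},
]

# Fixed review date so the results are reproducible (assumed for the example).
AS_OF = date(2020, 5, 6)


def days_since(iso_date, as_of):
    """Whole days between an ISO-8601 date string and the review date."""
    return (as_of - date.fromisoformat(iso_date)).days


def audit_accounts(accounts, policy, as_of):
    """Test every enabled account against the policy.

    Returns a list of (user, check_id, detail) findings; an empty list means
    the extract is compliant with the baseline.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts carry no live access to review

        pw_age = days_since(acct["last_password_change"], as_of)
        if pw_age > policy["max_password_age_days"]:
            findings.append((acct["user"], "stale-password",
                             f"password unchanged for {pw_age} days "
                             f"(limit {policy['max_password_age_days']})"))

        idle = days_since(acct["last_login"], as_of)
        if idle > policy["max_inactive_days"]:
            findings.append((acct["user"], "dormant-account",
                             f"no login for {idle} days "
                             f"(limit {policy['max_inactive_days']}); "
                             "confirm access is still required"))

        if (policy["mfa_required_for_external"]
                and acct["type"] == "external" and not acct["mfa"]):
            findings.append((acct["user"], "external-no-mfa",
                             "external account without multi-factor authentication"))
    return findings


def findings_by_user(findings):
    """Group findings per account so each exception is raised once with its owner."""
    grouped = {}
    for user, check_id, detail in findings:
        grouped.setdefault(user, []).append((check_id, detail))
    return grouped


if __name__ == "__main__":
    results = audit_accounts(ACCOUNTS, POLICY, AS_OF)
    for user, items in findings_by_user(results).items():
        print(user)
        for check_id, detail in items:
            print(f"  [{check_id}] {detail}")
    print(f"{len(results)} finding(s) across {len(findings_by_user(results))} account(s)")
```

Run against the constructed extract, the script raises four findings on three accounts: one stale password, two dormant accounts and one external account without MFA, while the disabled account is skipped. Each finding carries the measured value beside the policy limit, which is the evidence an auditor needs to record in the working papers rather than a bare pass/fail.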
Network Security
Computer systems have largely been connected through the use of networks, which has seen the advent of such concepts as the internet of things. Network systems protection becomes very important in this era of the internet, to ensure that no unauthorised access is granted. Measures also need to be taken to protect data in transit to ensure that no unauthorised access occurs. The development of protocols and standards has ensured that systems from different vendors can be connected. That interconnectedness of devices also means greater exposure to external actors who may be remotely located and yet have active access to systems through networks.
Companies must consider all of the ways in which data flows into and out of their systems and address the weakest links in order to protect against such malicious activity. The transmission of information across airwaves, through technology such as wireless routers and infrared ports, is especially open to hacking because the signals are not physically contained.
Investment is therefore needed to ensure that networks are hardened to protect against attacks.

Asset Management

The computers and other technological devices which store such data are themselves valuable and costly as well. Hardware equipment is subject to theft, damage, impoundment and maintenance costs. Portable devices such as laptops are especially vulnerable to the two former risks, whereas they and all stationary devices are subject to the two latter risks. Upon the decision to dispose of hardware, an organisation must take into account the sensitivity of the data on the machine when determining its destruction process.
People pose additional asset management risks when they become addicted to counter-productive computer activities, download hacker-enabling files, and share illegal files using their machines. The computer activity of employees should be managed carefully, and clear policies should set out computer use expectations. Technological solutions are also available that limit use and monitor activity.

Software Acquisition and Development

An organisation’s purchase of software applications poses risks in terms of its usability, effect on customers, legal issues and effect on company processes. Software tends to be most expensive when developed within a company with the input of outside consultants, while software intended from the outset to perform its function within the company tends to reduce overall risk and minimise costs. A company must be especially careful when choosing internet-based applications because the lifespan of such software is much shorter, due to competition and the speed of development.
A successful internal auditor can take into consideration the multi-faceted and ever-changing nature of technology risks within a company and ensure that the measures imposed by management provide both flexibility and restriction where they are necessary to allow for effective and realistic business function. The use of common sense in general audits can lead to significant findings even when compared with complex technical reviews, which yield ineffective results if not supported by a strong foundation.

Conclusion

Overall, IT audit is a key component of ERM, as can be seen from the above. Firms therefore need to revisit their IT and risk management strategy to ensure that IT risk is considered and given its due priority. Investment should be directed towards equipping IT auditors and information security personnel to further cement the organisation’s cyber resilience. The areas recommended above are only the beginning of a journey in which IT audit becomes a critical component of risk planning and management in firms.

Investment should be directed towards equipping IT auditors and information security personnel to further cement the organisation’s cyber resilience. The above recommended areas are only but the beginning to a journey in which IT audit becomes a critical component of risk planning and management in firms.



Introduction

The Information Communications Technology (ICT) industry has evolved immensely since the turn of the 21st century. The contribution of ICT to general business performance, through bookkeeping and reporting systems, has helped firms grow their revenue and in some instances avoid winding down. Information systems have introduced a layer of efficiency in the way businesses operate by providing better ways to manage information and communications among companies. The introduction of these systems has brought not only efficiency but also cybercrime and malicious system access, which have had a negative impact on the confidentiality, integrity and availability of data. Globalisation efforts among trade partners and nations have also made significant use of ICTs to bridge geographical boundaries and distances.

The negative effects of these systems necessitated the introduction of control mechanisms to ensure their proper usage, through a process called auditing. Auditing is a means of evaluating the effectiveness of a company's internal controls. Maintaining an effective system of internal controls is vital for achieving a firm's objectives, obtaining reliable financial reporting on its operations, and preventing fraud and misappropriation of its assets. The risks associated with the introduction of computer systems in turn called for a means of monitoring and controlling their use in business, namely information technology audit. Information technology control and audit is a critical mechanism for ensuring the integrity of information systems and of the reporting of an organisation's finances, helping to avoid and prevent future financial crises.


The Asian Risk Management Institute explains ERM as a disciplined and cohesive approach to risk that supports the alignment of strategy, process, people and technology, and allows firms to categorise, rank and effectively manage their most serious risks. Information systems audit contributes to the enterprise risk management effort by assessing the organisation's critical systems, technology architecture and processes to assure that information assets are protected, reliable, available and compliant with the organisation's policies and procedures, as well as with the applicable laws and regulations of the country of operation. A significant relationship has been found between the level of ERM implementation and a firm's value. This finding makes it imperative that efforts be directed towards strengthening enterprise risk management through the use of technology, so as to keep increasing firm value.
Because IT risk systems and their integration with the enterprise risk management process vary widely among enterprises, the auditor must define the scope of the audit to fit the enterprise. This presents the need to assess how effectively IT audit improves enterprise risk management decisions in firms.

Background

The production of audited company statements is a requirement enshrined in section 243(3) of the Zimbabwe Companies Act. The requirement mandates firms to appoint auditors to produce audit reports on the company accounts kept within the firm. The adoption of ICT systems by the majority of firms in Zimbabwe has helped them manage information better and has increased productivity, monitoring and evaluation. This increased use of ICTs has, however, posed significant risk to firms in the growing cyberspace from cybercriminals. Malicious activity has also been reported to originate from organisations' own employees and system users. To effectively manage the IT risks introduced into business processes, many firms have engaged IT auditors, both internal and external, to review the controls within the IT infrastructure, identify the risks and put forward recommendations on how those risks can be managed. The uptake of IT audit has been slow, with the majority of firms preferring to use only financial auditors. However, a PwC report (PWC, 2011) indicated that threats from the use of ICTs are growing phenomenally, with global cybercrime costs estimated to reach 400 billion USD by 2017. Some organisations have therefore responded to this growing threat and embarked on a drive to strengthen their enterprise risk management process, with IT auditing providing a mechanism for planning and for evaluating the effectiveness of the measures that have been implemented.

Auditing in Zimbabwe
The auditing profession is regulated by the Public Accountants and Auditors Board (PAAB). Many organisations have internal audit departments whose mandate is to produce reports directed to the board of directors. For the purposes of publication, a number of organisations engage the services of external auditors to issue audit opinions on their financial position. Other organisations initiate forensic audit processes so that specific issues can be investigated within the firm.
Using a risk-based approach, internal audit provides assurance on the effectiveness of governance, risk management and internal controls, including the manner in which the board and operational management achieve their risk management and control objectives. Without internal auditing, organisations would be besieged by the fraud, theft, waste and inefficiencies that make them less competitive.

I.T audit in Zimbabwe

IT audit in Zimbabwe has been growing, and many organisations are embracing the need for well-trained information systems auditors. IT auditors have played a pivotal role in helping firms manage risks related to IT systems. IT audit not only points out vulnerabilities but also helps an organisation assess its exposure levels and compare them with the baseline risk appetite defined in its enterprise-wide ERM strategy.
 
The growth of cybercrime mentioned above has also caused IT audit functions to expand to include forensic investigation. IT audit professionals have found themselves needing forensic investigation skills as crime escalates. The ability to recover from attackers and exploited threats is a major key to establishing an IT-risk-resilient organisation.
It is imperative that firms in Zimbabwe continue to invest in equipping their audit functions, especially those related to IT, as businesses embrace technology. IT auditors also need to be trained and have their skills upgraded so that they can help organisations detect and respond to cyber threats.

Why should IT audit be considered?
Access Control
Unauthorised access to information and systems is one of the dangers posed by both internal and external actors. Such breaches of system security damage files and can compromise the integrity of systems and of the organisation itself. Firms need to engage well-skilled IS audit personnel to diligently evaluate the controls on information, so as to avoid both intentional and unintentional disclosure of, and changes to, files. Policies and procedures need to be employed to manage and limit access to information systems resources. The policies adopted should state how access is allocated to both internal and external stakeholders of the organisation, and it is the work of the auditors to verify that such policies are being adhered to by asking common-sense questions about aspects of access control such as password change policies, time limitations and so forth.
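The policy-adherence questions above (password age, dormant accounts, who holds privileged access) can be checked mechanically against an export of the identity directory rather than by interview alone. The following is an added example written for this article, not a tool from any of the firms it discusses; the account records, the thresholds (90-day password rotation, 30 days for privileged accounts, 60-day dormancy) and the audit date are constructed assumptions, and a real audit would read them from the directory (for instance an Active Directory or LDAP export) and from the firm's written access-control policy.

```python
"""Added example: checking user accounts against an access-control policy.

Illustrative code for this article, not a tool from any firm it describes.
Account records, policy thresholds and the audit date are constructed
assumptions; a real audit would take them from a directory export and from
the firm's written policy.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    is_external: bool           # contractor or vendor account
    is_privileged: bool         # holds administrative rights
    password_set: date          # date of last password change
    last_login: Optional[date]  # None means the account has never been used
    enabled: bool


@dataclass
class Policy:
    max_password_age_days: int = 90             # constructed threshold
    max_privileged_password_age_days: int = 30  # constructed threshold
    dormant_after_days: int = 60                # constructed threshold


def audit_accounts(accounts: List[Account], policy: Policy,
                   today: date) -> Dict[str, List[str]]:
    """Return {username: [finding codes]} for every enabled account that
    breaches the policy. Disabled accounts are skipped: they cannot be used
    to gain access, so they are an account-hygiene matter, not an exposure."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        codes: List[str] = []

        # Password rotation: privileged accounts get the stricter limit.
        limit = (policy.max_privileged_password_age_days
                 if acct.is_privileged else policy.max_password_age_days)
        if (today - acct.password_set).days > limit:
            codes.append("PASSWORD_EXPIRED")

        # Dormancy: an enabled account nobody uses is a standing exposure.
        if acct.last_login is None:
            codes.append("NEVER_USED")
        elif (today - acct.last_login).days > policy.dormant_after_days:
            codes.append("DORMANT")

        # External parties should not hold standing administrative rights.
        if acct.is_external and acct.is_privileged:
            codes.append("EXTERNAL_PRIVILEGED")

        if codes:
            findings[acct.username] = codes
    return findings


# Constructed sample directory export (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("tmoyo", False, False, date(2020, 3, 1), date(2020, 5, 5), True),
    Account("admin.chipo", False, True, date(2020, 3, 20), date(2020, 5, 4), True),
    Account("vendor.erp", True, True, date(2020, 1, 10), date(2020, 2, 15), True),
    Account("old.intern", False, False, date(2019, 11, 1), None, True),
    Account("left.company", False, True, date(2019, 6, 1), date(2019, 6, 30), False),
]
AUDIT_DATE = date(2020, 5, 6)  # constructed audit date


def run_sample_audit() -> Dict[str, List[str]]:
    """Audit the constructed export with the default policy."""
    return audit_accounts(SAMPLE_ACCOUNTS, Policy(), AUDIT_DATE)


if __name__ == "__main__":
    for user, codes in run_sample_audit().items():
        print(f"{user}: {', '.join(codes)}")
```

The finding codes are deliberately coarse so that each maps to one line of the written policy; the auditor's evidence is then the export plus this output, and the follow-up question to management is why each flagged account was still enabled on the audit date.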
Network Security
Computer systems have largely been connected through networks, which has led to concepts such as the Internet of Things. Protecting network systems is therefore very important in the internet era, to ensure that no unauthorised access is granted. Measures also need to be taken to protect data in transit so that no unauthorised access occurs. The development of protocols and standards has ensured that systems from different vendors can be connected. That interconnectedness of devices also means greater vulnerability to external actors who may be remotely located and yet have active access to systems through the network.
Companies must consider all of the ways in which data flows into and out of their systems and target the weakest links in order to protect against such malicious activity. The transmission of information over the air, through technologies such as wireless routers and infrared ports, is especially open to interception because the signals are not physically contained.
Investment is therefore needed in ensuring that networks are hardened to protect against attacks.

Asset Management

The computers and other devices which store such data are themselves valuable and costly. Hardware is subject to theft, damage, impoundment and maintenance costs. Portable devices such as laptops are especially vulnerable to theft and damage, while they and all stationary devices are subject to impoundment and maintenance costs. When deciding to dispose of hardware, an organisation must take into account the sensitivity of the data on the machine when determining how it is to be destroyed.
People pose additional asset management risks when they become addicted to counter-productive computer activities, download files that give attackers a foothold, and share illegal files using their machines. The computer activity of employees should be managed carefully, and clear policies should set out expectations for computer use. Technological solutions are also available that limit use and monitor activity.

Software Acquisition and Development

An organisation's purchase of software applications poses risks in terms of usability, effect on customers, legal issues and effect on company processes. Software tends to be most expensive when developed within the company with the input of outside consultants, whereas software intended from the outset to perform its function within the company tends to reduce overall risk and minimise cost. A company must be especially careful when choosing internet-based applications, because the lifespan of such software is much shorter owing to competition and the speed of development.
A successful internal auditor takes into consideration the multi-faceted and ever-changing nature of technology risks within a company and ensures that the measures imposed by management provide both flexibility and restriction where necessary, allowing for effective and realistic business function. The use of common sense in general audits can lead to significant findings, even when compared with complex technical reviews, which yield ineffective results if not supported by a strong foundation.

Conclusion

Overall, IT audit is a key component of ERM. Firms therefore need to revisit their IT and risk management strategy to ensure that IT risk is considered and given priority where necessary. Investment should be directed towards equipping IT auditors and information security personnel to further cement the organisation's cyber resilience. The areas recommended above are only the beginning of a journey in which IT audit becomes a critical component of risk planning and management in firms.

Wednesday, 29 November 2017

Dreams of a ”Born Free Generation” – A response to your inauguration pledge Mr. President

The author of the "I Have a Dream" speech, Martin Luther King, once said: "When the architects of our republic wrote the magnificent words of the Constitution and the Declaration of Independence, they were signing a promissory note to which every American was to fall heir. This note was a promise that all men, yes, black men as well as white men, would be guaranteed the "unalienable Rights" of "Life, Liberty and the pursuit of Happiness." This was indeed a speech filled with sentiment and expectation, a speech by a young man looking forward to a better future in a new America. The apparent reference to the constitution signified the desire for justice, for equity, and for freedom in every citizen's pursuit of happiness. The same underpinning aspirations and desires of Martin Luther King can be likened to the desires of every young person in Zimbabwe today. The goings-on in our country's political arena over the past few weeks have created an atmosphere filled with euphoria, anxiety and expectation of a turn in our country's fortunes, particularly for the many young people. Indeed, the climax of the events has culminated in a change in the macro-political dynamics of our environment, prompting many to dream of a change in every direction. The discourse by the new Zimbabwean president spoke to the innumerable challenges that have inundated the life of every Zimbabwean and provided a promissory note for a departure from the current status quo.

For any young person who was not privileged enough to have fought in our country's war of liberation, the experience of independence is confusing, exciting and to some extent depressing due to the unpredictability of future events. Those who were at Rufaro Stadium for the 1980 independence day celebrations attest to having gone through the same experience as that of these past few weeks. The majority of the young people of the 1980s expected the status quo to change, and indeed, in the initial period, much did change for the better. Education, health, jobs, freedom of expression and association were all available and in abundance. The socialist mantra propagated by the then regime of Robert Mugabe delivered free education and health and promoted young educated black youths into positions of government. The move benefited our nation and years of success patently came by. But somewhere along the years complacency crept in, performance was no longer the priority, and political polarisation and violence became the order of the day.

Our nation is built on the ethos and sacrifices of the liberation struggle. The gains of independence have greatly influenced the manner in which our nation has been governed since 1980, and any departure from them has been met with ruthless antagonism. Undeniably, the sacrifice of the pre-1980 generation ought to be respected, for they fought a system of oppression, one that starved people of life and civil liberties and was administered along racial lines. The majority of the fighters believed in a system of equity; Josiah Tongogara once said "What some of us are fighting for is to see that this oppressive system is crushed. We don't care whether, I don't even care whether I will be part of the top echelon in the ruling, I'm not worried but I'm dying to see a change in the system, that's all, that's all. I would like to see the young people enjoying together, black, white, enjoying together. In a new Zimbabwe, that's all". This was the dream of a fighter who unselfishly put his life on the line for a better Zimbabwe and better fortunes for generations to come. The sacrifice of the man admittedly has to be understood in the context of his words, for today we carry the same desire and dream.

Now we enter into this new era, we have again to revisit these visions and dreams of the yesteryear generation and seamlessly marry them with those of the present and future generations to create a better nation. Your promise Mr. President as the head of state to chart a new direction does provide hope for a better Zimbabwe which must be driven by leadership and astute management:

Leadership - The early years of independence were characterised by diligent leadership, committed to serving its people under the dictates of a new constitution. Unlike the situation where corruption and nepotism were publicly upheld and encouraged by those in public office, the new Zimbabwe wants leaders who provide equal opportunity for all and who have a distaste for corruption. Corruption is a cancer that has consumed our nation, creating an environment where no one is able to help without soliciting a bribe, particularly in the higher offices. This generation wants a crop of leaders who provide direction which points them towards development and prosperity. Our parliamentarians and ministers ought to adhere to their oath of office and be the servants which they undertake to be, and it starts with you, Mr. President. Leadership entails embodying the very promise that you preach about, and this is our dream for Zimbabwe. Every young Zimbabwean dreams of the day that this nation will be Magufulified!

Management - The very reason we are in this “new era” was the lack of energy to properly drive government business especially by the Chief Executive. It is thus hoped that this process will be characterized by increased levels of energy to manage principally the civil servants who have become an idle force.
Planning – our dream is to see more deliberate planning from government. Directness of plans ensures all personnel are in sync with what is expected of them. Industries have suffered predominantly from lack of planning taking into context the existing business environment. More planning should go into how parastatals should be resuscitated so that our economy can work again. Social safety nets need to be revamped to allow workers to easily move into retirement allowing for more energetic young men and women to assume office.
Implement – admittedly, some form of planning has been done, but it is the implementation which many analysts have decried. The land redistribution has always been hailed as one of the noble empowerment programmes of our time. It is how it was done that left many pessimistic of its perpetual benefit. Many questions were left hanging, from compensation to resourcing of the eventual beneficiaries to sustain productivity. The incoming president spelled out a plethora of changes that must be put in place and everyone is fond of that. What we all await is the implementation; actions must certainly speak louder than words.
Monitoring – the lack of monitoring and evaluation has always contributed to the failure of any project, as it can go off the rails at any time without anyone keeping track. The same can be said about our independence project called Zimbabwe. It was allowed to go off the rails because checks and balances were taken to the shelves of a single office. Our dream is to see non-performers being held accountable; our monitoring institutions, the Auditor General, ZACC, LSZ, all have to be respected and their input considered seriously.


Truly, your words have made us dream and our dream is for a better future, a future driven by unity, equity and freedom. The march on Zimbabwe, attended by thousands on the 18th of November 2017 illuminated the very wishes of this nation. It exemplified the true vision and dream of the future generation, a nation that is not divided on racial, political or religious lines. But a nation united by the common goal of success and a better life for all. Your request for every Zimbabwean to play their part has not fallen on deaf ears, we will do our part just like we have supported this entire process as per the request of the powers that be, we look forward to the servant leadership you have assured us to take us to a new Canaan.

Thursday, 18 May 2017

Ransomware and the Zimbabwean Business Environment: The advent of WannaCry!


Cybersecurity has become one of the most essential boardroom topics the world over as directors grapple with the ever-growing threat of cyber thugs. Having been won over by the competitive edge offered by automation, large corporates and even MSMEs adopted these systems to remain relevant in the business environment of the time. The Y2K scare further drove automation into every dynamic business. In 1999, businesses came face to face with the reality of a critical transition as risk managers raised the alarm about possible system failures at the turn of the year 2000. However, as the years passed, firms realised they were not as exposed as previously anticipated and normalcy returned to business. Fast forward a decade and ICT had been transformed into the centre of service delivery, accounting even for the extinction of a number of careers in the process. With the benefits of automation also came the risks of cyber threats. This illicit industry has grown massively into a billion-dollar alternative career. Systems have been attacked and users have lost personal information to criminals who have since evolved into some of the most feared terror campaigners of the present day.

 

On Friday, 12 May 2017, the world woke up to yet another doomsday piece of news: the WannaCrypt ransomware attack should make us wanna cry! Dubbed one of the worst attacks of this generation, the ransomware hit more than 200 000 computers in more than 150 countries in the shortest period ever recorded. The attacks exploited a known Microsoft Windows vulnerability, using leaked hacking techniques that had been developed by the National Security Agency and published by a group known as the Shadow Brokers. Although Microsoft had issued a patch for the vulnerability in March 2017, many legacy systems had not been updated with it and thus fell victim. Despite the discovery of a kill switch by a British researcher known as MalwareTech, the ransomware went on to affect companies in African countries such as South Africa, Nigeria, Angola, Egypt, Mozambique, Tanzania, Niger, Morocco and Tunisia, particularly those still running legacy systems.

 

Why is WannaCrypt special?

WannaCry is not just a ransomware program; it is also a worm. This means that once it gets into a computer it looks for other computers to which it can spread itself, as far and wide as possible. Ransomware also has a habit of mutating: it changes over time in order to find different ways into computers or to get around patches and defences.
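Because the worm component has to reach other machines over the network, its spread is visible in connection logs before any ransom note appears: one host suddenly talks to dozens of neighbours on the file-sharing port. The following is an added example written for this article, not code from the original post or from any product. It flags sources that open connections to an unusually large number of distinct hosts on TCP port 445 inside a short sliding window. That port 445 (SMB) was WannaCry's propagation channel is public knowledge rather than something the post states; the log line format, the 60-second window, the threshold of 20 distinct destinations and the sample log lines are all constructed assumptions.

```python
"""Added example: spotting worm-style SMB scanning in connection logs.

Written for this article; not code from the original post or from any
product. The log format, the 60-second window, the threshold of 20 distinct
destinations and the sample log itself are constructed assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed firewall/NetFlow-style line, e.g.
#   2017-05-12T10:01:03 src=10.0.5.17 dst=10.0.5.21 dport=445 proto=tcp
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)
SMB_PORT = 445  # SMB over TCP, the channel the WannaCry worm spread over


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    return ts, m.group("src"), m.group("dst"), int(m.group("dport"))


def detect_smb_scanners(lines: List[str], window_seconds: int = 60,
                        threshold: int = 20) -> Dict[str, int]:
    """Return {source_ip: peak_distinct_destinations} for every source that
    contacted at least `threshold` distinct hosts on port 445 within any
    `window_seconds` sliding window. A normal client hitting the same file
    server repeatedly never raises the distinct-destination count."""
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] == SMB_PORT:
            ts, src, dst, _ = parsed
            per_src[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    alerts: Dict[str, int] = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()  # dst -> connections inside the current window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every event fits the window.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def build_sample_log() -> List[str]:
    """Constructed log: one host sweeping the subnet on 445, one normal
    file-server client, plus an unrelated RDP line and a malformed line."""
    base = datetime(2017, 5, 12, 10, 1, 0)
    lines = []
    # Scanner: 40 distinct hosts in 40 seconds.
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=10.0.5.17 dst=10.0.5.{100 + i} dport=445 proto=tcp")
    # Normal client talking to the same file server every two minutes.
    for k in range(0, 10, 2):
        ts = (base + timedelta(minutes=k)).isoformat()
        lines.append(f"{ts} src=10.0.5.30 dst=10.0.5.200 dport=445 proto=tcp")
    lines.append(f"{base.isoformat()} src=10.0.5.30 dst=10.0.5.201 dport=3389 proto=tcp")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for src, peak in detect_smb_scanners(build_sample_log()).items():
        print(f"ALERT {src}: {peak} distinct SMB targets inside 60s")
```

The count is of distinct destinations, not of connections, which is what separates a worm sweeping a subnet from a busy but legitimate client; in a real deployment the window and threshold would be tuned against a baseline of the site's own SMB traffic, and the alert would feed the isolation step that a business continuity plan should already describe.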

So how does this malware work?

WannaCry works by encrypting data on the infected computer. It then tells the user that their files have been locked and displays how much is to be paid and by when. The ransomware takes control of files on Windows computers and demands payment of $300 in the virtual currency Bitcoin before it will restore access, with the demand doubling after three days. The data is encrypted with a key that only the attacker knows, so if the ransom isn't paid the data is often lost for good.

But why did it take so long to find solutions to the attacks and what can be done about it?
In practice, some organisations in Zimbabwe view IT security and cyberattacks more as a business development opportunity than as a chance to put their collective heads together to eliminate threats. The pace at which the industry is growing, coupled with the rate at which Zimbabweans are adopting automation, calls for more concerted efforts directed towards information security, risk management and, overall, guaranteeing the continued existence of the firm.

Keep Windows updates off? – Zimbabwe is one of the countries with the highest piracy rates for Windows operating systems, and many of the mechanisms used to activate pirated copies deliberately leave these systems unable to update. Defending against WannaCry, however, requires that all systems be properly patched, which highlights a serious challenge for many organisations.

Upgrade legacy systems – in addition, many companies in Zimbabwe are running legacy systems which are seldom updated. This neglect is driven by a lack of knowledge of the implications of not updating, as well as a lack of capacity in ICT functions to closely monitor system updates. The situation is further exacerbated by the lack of standard operating procedures for ICT systems which would allow for continuous monitoring and adherence to global ideals for ICT service management.

Don’t pay - Security experts warn there is no guarantee that access will be granted after payment. Some ransomware that encrypts files ups the stakes after a few days, demanding more money and threatening to delete files altogether.

User training – in previous articles I have highlighted the importance of people within any information processing system. People are key to the safety of the system from any kind of attack, and research puts their contribution at about 90%! What does this entail? User awareness of how to respond, and of how the system works, remains key. Users need to be trained to know their system and to take ownership of it. When users are well trained and equipped, attackers will find little room to manoeuvre, because users will be vigilant. I have noticed that in Zimbabwe new users rarely undergo IT induction to make them aware of their value to the system. Many thus end up experimenting, for they do not know what they are doing! Managers therefore need to invest in continuous training and in interaction between ICT functions and other business units, in order to make staff aware of their environment.


Invest – apart from investing in their users, managers also need to channel resources into the organisation's ICT function, ensuring that ICT personnel receive adequate training so that they can properly manage the ICT infrastructure. Investment also ought to go towards research and continuous monitoring of the environment. Research allows the organisation to keep abreast of the ever-changing world of technology and hence to cope with the demands of such change. Moreover, business continuity planning and disaster recovery planning also take centre stage. WannaCry is surely going to test the resilience of such mechanisms as more data stands at risk of being lost. It is the duty of every manager and every user to ensure that information is protected, for WannaCry is a sure sign that more is on its way!

Friday, 28 April 2017


Natural attrition or environmental consequence - the demise of the teaching profession in Zimbabwe – “Inspired by Mufundisi Lovedale”.

Introductory …
Reading through one of my former mentor's articles led me to wonder whether it was motivated by emotional attachment to the demise of his peers' careers or by a natural concern for the education system in Zimbabwe. The thoughts led me to dig deeper into myself and into other available pots of information to better respond to some of the questions he posed. My previous research into the causes of inequalities in Africa and in the world led me to evidence of why we are where we are: a world in which the rich walk miles to digest while the poor walk miles to find food. The industrial age of the 1800s saw the exceptional growth of western economies as the means of production improved. With better research and experimentation came even more efficient ways of delivering goods and services. At this time, the western economies were almost 90% richer than the rest of the world. As years passed, the 1900s saw the emergence of China as a significant global policy maker. Inequalities seemed to have been neutralised by this occurrence; however, the transformation of economies in the 2000s from the industrial age to the information age accounted for yet another astronomical growth in inequalities in the world, with the developed economies considered to be 750% richer than the rest of the world.
This full transformation within economies rendered people jobless and some careers extinct. Globalisation, which saw the removal of trade and economic obstacles between countries, created a mechanism for the transmission of these developments into developing nations such as Zimbabwe. The transformative power of this change brought with it technology and more productive efficiency. The pre-independence era was mainly characterised by the marginalisation of communities in Zimbabwe, with little access to educational facilities. The white settlers regarded a less educated community as a lesser threat and hence enforced the maintenance of this status quo. White supremacy was the order of the day, with the black majority employed within the farms and other industries owned by the minority few. This phenomenon was experienced not only within the productive sectors of the economy but also within the service industry, teaching being one of them. However, the liberation war victory by the majority brought with it a fundamental change in the culture of the day. A socialist economy was the mantra of the new black government, a government which promised education for all, health for all, and land for all, among many of the would-be pledges of the new administration.
With the ushering in of the new government, the laws of demand and supply also kicked in. The economy now needed more people who were educated enough to run the socialist policies of the new regime and teachers occupied that position to be the ‘enablers’ of the socialist agenda. The new regime invested in the erection of more educational infrastructure which called for even more teachers to take up jobs and drive the strategic focus of the government ahead. Because of the presence of the free market influence of demand and supply, the supply of teachers remained low while demand amplified. As the laws of demand and supply would have it, teaching became an elite profession as government financially incentivised more and more people to take up this role. Because of their role within society of churning out even more prestigious professions such as doctors, nurses and bankers, teachers received even more credit for their stellar work. Teachers were indeed highly regarded in their communities and respected too. Teachers then could afford a lifestyle which everyone within their society respected be it at their homes or in the beerhalls. If electricity were to be found within a given area, then everyone would know the owner of that home would be a teacher. Teachers drove new, and trendy cars of the day and could afford to educate their children, sending them to the best of schools of that time. But the question that is still begging for an answer is what has deeply changed to necessitate the kind of life that teachers live today?

Teachers of today have become the laughing stock of the community, ridiculed even by the students whom they teach. A 2017 teacher can no longer afford to live a lifestyle worthy of a 1980 teacher, worse still not even affording to send their own children to school. Why, why, why? It would be erroneous to claim that teaching in 1980 was over-glorified, because in those days teachers did play a pivotal role in shaping the communities into what they are today. The literacy rate which the nation is so proud of is the making of the very teachers we see today. However, a deeper reflection on the aspect of development referred to earlier gives pointers to why this could be so:

Superior Education
The teachers of 1980 leveraged an education which no one else had. Achieving Standard 6 was enough to see anyone become a teacher in those days. In addition, it took a lot of commitment from any parent to want to send their child to school, as many did not have the financial resources which could allow their child to earn the much coveted Standard 6. But the teaching fraternity of the day rested on its laurels and forgot that the laws of demand and supply are what drove them to occupy that superior position in society. The society we live in is ever evolving, and failure to adapt will lead to extinction. Teachers need to realise that gone are the days when teaching was prestigious simply because so few people were educated. The process of continuous learning is a must in order for teachers to survive this ever changing environment. Having been a teacher myself, and having interacted with teachers for some time, I discovered that there is a tendency among teachers to think that they have arrived when they get to teach at a prestigious school. The process of continual development evades them, and they are concerned only with getting more and more. I have an inspirational story of one Dr. Chitakure, a true example of continuous learning. Not being satisfied with what he had, he enrolled for a Master's degree in the United States and challenged himself further, to the point where he is a Doctor of Philosophy today. So teachers cannot cry and complain of a lack of opportunities, because the opportunities are plenty; the process requires initiative and focus.

Highly Rewarding
As previously alluded to, the high demand for teachers and their low supply meant that their price tag would be higher as well. Teachers were highly remunerated and lived a more than decent life. However, the educational expansion which churned out degree holders in their thousands meant there was constant pressure on the profession. The dire economic situation has further exacerbated this, with the majority of civil servants not being adequately rewarded for their work. At the same time, the increased literacy rate meant that the skills premium in industry also rose, as more professions started earning more than teachers; teaching was therefore no longer as coveted a profession as before. With that loss of interest went the respect.

Technology
Technology has not only affected production-oriented professions; it has cut across the board. Teachers have not been spared this threat. From satellite stations offering lessons to e-learning platforms providing the much needed material, technology has transformed the way 21st century students learn. The Zimbabwe government has been on a STEM subjects drive, but I am of the opinion that ignoring the technology threat will only worsen the situation. Teachers, particularly the young ones, need to embrace technology so that they also make the learning experience much more interesting. Technology may not completely replace the human teacher, but the way in which robotics and artificial intelligence are increasingly threatening many careers cannot go unnoticed. If self-driving cars are a reality, why not robots that can interact with children 24/7?

Concluding…

The inability of teachers to invest in continuous learning will continue to put them on a sliding career path as the world changes. Teachers need to appreciate that they must continue learning in order to remain relevant in their work. Continuous learning is not only a matter of enrolling for more formal education, but also of searching for material that is relevant to their area of interest and reading it. Teachers are at the source of information, particularly in Zimbabwe, which creates an opportunity for them to collaborate with researchers. Research is a good area for continuous learning and for the creation of alternative career paths for teachers. The teaching experience gives them a competitive advantage to leverage when they move into such fields as mentorship, career guidance, psychology and research. Teachers need to develop skills, skills that render them relevant no matter the kind of change that the world may throw at them.