The need for improved control over IT, especially in commerce, has been advanced over

the years in earlier and continuing studies by many national and international
organizations. Essentially, technology has impacted various significant areas of the
business environment, including the use and processing of information, the control
process, and the auditing profession.

• Technology has improved the ability to capture, store, analyze, and process
tremendous amounts of data and information, expanding the empowerment of
the business decision maker. It has also become a primary enabler to production
and service processes. There is a residual effect in that the increased use of
technology has resulted in increased budgets, increased successes and failures,
and better awareness of the need for control.
• Technology has significantly impacted the control process around systems.
Although control objectives have generally remained constant, except for some
that are technology specific, technology has altered the way in which systems
should be controlled. Safeguarding assets, as a control objective, remains the
same whether it is done manually or is automated. However, the manner by
which the control objective is met is certainly impacted.
• Technology has impacted the auditing profession in terms of how audits are
performed (information capture and analysis, control concerns) and the
knowledge required to draw conclusions regarding operational or system
effectiveness, efficiency, and reporting integrity. Initially, the impact was focused
on dealing with a changed processing environment. As the need for auditors with
specialized technology skills grew, so did the IT auditing profession.

Technology is constantly evolving and finding ways to shape today’s IT environment in

the organization. The following sections briefly describe various recent technologies that
have and will certainly continue to revolutionize organizations, how business is done, and
the dynamics of the workplace.

Enterprise Resource Planning (ERP)

According to the June 2016 edition of Apps Run the World, a technology market-
research company devoted to the applications space, the worldwide market of ERP
systems will reach $84.1 billion by 2020 versus $82.1 billion in 2015. ERP is software
that provides standard business functionality in an integrated IT environment system
(e.g., procurement, inventory, accounting, and human resources [HR]). Refer to Exhibit 1
for an illustration of the ERP modular system.
ERPs allow multiple functions to access a common database—reducing storage costs and
increasing consistency and accuracy of data from a single source. Additionally, ERPs:

• Have standard methods in place for automating processes (i.e., information in the
HR system can be used by payroll, help desk, and so on).
• Share real-time information from modules (finance, HR, etc.) residing in one
common database, hence, financial statements, analyses, and reports are
generated faster and more frequently.

Some of the primary ERP suppliers today include SAP, FIS Global, Oracle, Fiserv, Intuit,
Inc., Cerner Corporation, Microsoft, Ericsson, Infor, and McKesson.

Despite the many advantages of ERPs, they are not much different than purchased or
packaged systems and may therefore require extensive modifications to new or existing
business processes. ERP modifications (i.e., software releases) require considerable
programming to retrofit all of the organization-specific code. Because packaged systems
are generic by nature, organizations may need to modify their business operations to
match the vendor’s method of processing, for instance. Changes in business operations
may not fit well into the organization’s culture or other processes and may also be costly
due to training. Additionally, as ERPs are offered by a single vendor, risks associated with
having a single supplier apply (e.g., depending on a single supplier for maintenance and
support, specific hardware, or software requirements, etc.).
Cloud Computing

Cloud computing continues to have an increasing impact on the IT environment.

According to ISACA (formerly known as the Information Systems Audit and Control
Association), the cloud computing’s exponential growth should no longer be considered
an emerging technology. Cloud computing has shaped business across the globe, with
some organizations utilizing it to perform business critical processes. Based on the July
2015’s ISACA Innovation Insights report, cloud computing is considered one of the key
trends driving business strategy. The International Data Corporation, in its 2015
publication, also predicts that cloud computing will grow at 19.4% annually over the next
5 years. Moreover, Deloitte’s 2016 Perspective’s Cloud Computing report (report)
indicates that for private companies, cloud computing will continue to be a dominant
factor.

Cloud computing, as defined by PC Magazine, refers to the use of the Internet (versus
one’s computer’s hard drive) to store and access data and programs. In a more formal
way, the National Institute of Standards and Technology (NIST) defines cloud computing
as a “model for enabling ubiquitous, convenient, on-demand network access to a shared
pool of configurable computing resources (e.g., networks, servers, storage, applications,
and services) that can be rapidly provisioned and released with minimal management
effort or service provider interaction.” NIST also stress that availability is significantly
promoted by this particular (cloud) model.

The highly flexible services that can be managed in the virtual environment makes cloud
computing very attractive for business organizations. Nonetheless, organizations do not
yet feel fully comfortable when storing their information and applications on systems
residing outside of their on-site premises. Migrating information into a shared
infrastructure (such as a cloud environment) exposes organizations’ sensitive/critical
information to risks of potential unauthorized access and exposure, among others.
Deloitte, one of the major global accounting and auditing firms, also supports the
significance of security and privacy above, and added, based in its report, that cloud-
stored information related to patient data, banking details, and personnel records, to
name a few, is vulnerable and susceptible to misuse if fallen into the wrong hands.
Mobile Device Management (MDM)

MDM, also known as Enterprise Mobility Management, is a relatively new term, but
already shaping the IT environment in organizations. MDM is responsible for managing
and administering mobile devices (e.g., smartphones, laptops, tablets, mobile printers,
etc.) provided to employees as part of their work responsibilities. Specifically, and
according to PC Magazine, MDM ensures these mobile devices:

• integrate well within the organization and are implemented to comply with
organization policies and procedures
• protect corporate information (e.g., emails, corporate documents, etc.) and
configuration settings for all mobile devices within the organization

Mobile devices are also used by employees for personal reasons. That is, employees
bring their own mobile (personal) device to the organization (also referred to as bring-
your-own-device or BYOD) to perform their work. Allowing employees to use
organization-provided mobile devices for work and personal reasons has proved to
appeal to the average employee. Nevertheless, organizations should monitor and control
the tasks performed by employees when using mobile devices, and ensure employees
remain focused and productive. It does represent a risk to the organization’s security and
a distraction to employees when mobile devices are used for personal and work
purposes. Additionally, allowing direct access to corporate information always represents
an ongoing risk, as well as raises security and complianceconcerns to the organization.

Other Technology Systems Impacting the IT Environment

The Internet of Things (IoT) has a potential transformational effect on IT environments,

data centers, technology providers, etc. Gartner, Inc. estimates that by the year 2020,
IoT will include 26 billion units installed and revenues will exceed $300 billion generated
mostly by IoT product and service suppliers.

IoT, as defined by Gartner, Inc., is a system that allows remote assets from “things” (e.g.,
devices, sensors, objects, etc.) to interact and communicate among them and with other
network systems. Assets, for example, communicate information on their actual status,
location, and functionality, among others. This information not only provides a more
accurate understanding of the assets, but also maximizes their utilization and
productivity, resulting in an enhanced decision-making process.
The huge volumes of raw data or data sets (also referred to as Big Data) generated as a
result of these massive interactions between devices and systems need to be processed
and analyzed effectively in order to generate information that is meaningful and useful in
the decision-making process.

Big Data, as defined by the TechAmerica Foundation’s Federal Big Data Commission
(2012), “describes large volumes of high velocity, complex and variable data that require
advanced techniques and technologies to enable the capture, storage, distribution,
management, and analysis of the information.” Gartner, Inc. further defines it as “… high-
volume, high-velocity and/or high-variety information assets that demand cost-effective,
innovative forms of information processing that enable enhanced insight, decision
making, and process automation.”

Even though accurate Big Data may lead to more confident decision-making process,
and better decisions often result in greater operational efficiency, cost reduction, and
reduced risk, many challenges currently exist and must be addressed.

Challenges of Big Data include, for instance, analysis, capture, data curation, search,
sharing, storage, transfer, visualization, querying, as well as updating. Ernst & Young, on
its EY Center for Board Matters’ September 2015 publication, states that challenges for
auditors include the limited access to audit relevant data, the scarcity of available and
qualified personnel to process and analyze such particular data, and the timely
integration of analytics into the audit. The IoT also delivers fast-moving data from
sensors and devices around the world, and therefore results in similar challenges for
many organizations when making sense of all that data.

Other recent technologies listed on the Gartner’s 2015 Hype Cycle for Emerging
Technologies Report that are currently impacting IT environments include wearables
(e.g., smartwatches, etc.), autonomous vehicles, cryptocurrencies, consumer 3D printing,
and speech-to-speech translation, among others.

IT Environment as Part of the Organization Strategy

In today’s environment, organizations must integrate their IT with business strategies to

attain their overall objectives, get the most value out of their information, and capitalize
on the technologies available to them.
Where IT was formerly viewed as an enabler of an organization’s strategy, it is now
regarded as an integral part of that strategy to attain profitability and service. At the
same time, issues such as IT governance, international information infrastructure,
security, and privacy and control of public and organization information have driven the
need for self-review and self-assurance.

For the IT manager, the words “audit” and “auditor” send chills up and down the spine.
Yes, the auditor or the audit has been considered an evil that has to be dealt with by all
managers. In the IT field, auditors in the past had to be trained or provided orientation in
system concepts and operations to evaluate IT practices and applications. IT managers
cringe at the auditor’s ability to evaluate the complexities and grasp the issues
effectively and efficiently. Nowadays, IT auditors are expected to be well aware of the
organization’s IT infrastructure, policies, and operations before embarking in their
reviews and examinations. More importantly, IT auditors must be capable of determining
whether the IT controls in place by the organization ensure data protection and
adequately align with the overall organization goals.

Professional associations and organizations such as ISACA, the American Institute of

Certified Public Accountants (AICPA), the Canadian Institute of Chartered Accountants
(CICA), Institute of Internal Auditors (IIA), Association of Certified Fraud Examiners
(ACFE), and others have issued guidance, instructions, and supported studies and
research in audit areas.