What are the biggest lessons in your career so far?
One is the importance of communication. Communication is essential for building trust, understanding the needs and expectations of the stakeholders, and delivering high-quality reports. Another is the value of sustainable learning. Technology is continuously evolving, and so are the risks and controls associated with it. To be an effective IT auditor, I need to keep up with the latest trends, standards, and best practices in the field. Finally, I have learned to be adaptable and flexible. IT audit projects can vary in scope, complexity, and duration, and sometimes unexpected challenges or changes may arise. I need to adjust my plan, timeline, and strategy accordingly, and work well with different teams and stakeholders.
How did you get into IT audit?
I developed a strong interest in business process automation when I started my career at Hong Kong Polytechnic University as an accountant. After transitioning to the professional service field in 2007, I was assigned to provide IT audit services for a telecommunications company. I enjoyed the challenge of evaluating the effectiveness and security of IT systems and controls, as well as gaining knowledge about business processes in different industries and IT regulations. I have been an IT auditor for more than 15 years now, and I find it very rewarding and stimulating. IT audit is a dynamic and challenging field that requires continuous adaptation and innovation. It is not only about finding problems, but about providing solutions that add value to the business.
In what ways has your CPA qualification helped you in your career?
It has been invaluable for my career as an IT auditor. It has given me the knowledge and skills to understand the accounting principles, standards and regulations that apply to the IT systems and processes of various organizations. It has also helped me to communicate effectively with the management and stakeholders of the audit clients, as well as to prepare clear and accurate audit reports and recommendations.
What should companies do to keep their business systems and data secure?
There are some key steps that companies can take. One is to conduct regular security audits and risk assessments to evaluate the effectiveness of their existing security policies, procedures, and tools, and to identify any weaknesses. Another is to develop and enforce a clear and consistent security strategy and framework that aligns with their business objectives, regulatory requirements, and industry best practices, and that covers all aspects of their digital operations, from infrastructure and applications to data and users. They should also educate and train their employees and stakeholders on cybersecurity awareness and the best practices for protecting their systems and data, such as using strong passwords and reporting suspicious activities.
What advice do you have for CPAs interested in specializing in IT audit?
IT or cybersecurity audit is a growing and rewarding field for CPAs who want to leverage their accounting skills and knowledge in a technology-driven environment. They should get familiar with the IT or cybersecurity frameworks and standards that are relevant to their industry and clients, such as NIST, ISO, and COBIT, as well as pursue certifications that demonstrate their competence and credibility in IT or cybersecurity audit, such as CISA and CISSP. Also, stay updated on the latest developments in IT or cybersecurity.