“Collaboration is a key ingredient to success in today’s changing world”, said Mr Patrick Tay Teck Guan (Member of Parliament, West Coast GRC and Assistant Secretary-General, NTUC), the Guest-of-Honor at ISACA Singapore Chapter’s annual conference – Governance, Technology, Audit, Control, Security (GTACS) 2019.
Addressing the GTACS 2019 theme of “Managing Change, Embracing Uncertainty”, Mr Tay said it is crucial to “stay ready, relevant and ahead of the curve”.
With rapid changes driven by the “ABCDEF” (acronym for “Artificial Intelligence, Blockchain, Cloud, Data, E-Commerce and Fintech”), “expertise is no longer gained in a traditional 3-year program”, he explained.
Instead, collaboration is key to promoting the exchange of ideas, which is critical to the learning and upskilling process. “Speed to market” – the ability to respond and adapt to market changes – together with collaboration and skills are the three essentials to “manage change and embrace uncertainty,” he added. “And ISACA Singapore will continue to partner U Associate to promote and advance the education and professional development of technology audit and cyber security,” he elaborated.
Indeed, “uncertainty is constant in this world”, Mr Phoram Mehta (President, ISACA Singapore Chapter) noted in the GTACS opening address.
Economic crisis and corporate scandals, innovations and new information systems infrastructure have always raised expectations for improved standards, methods and techniques for controls and audits.
What is different today is the exponential rate of change: rise of automation, proliferation of devices, increased frequency of breaches such as the recent SingHealth incident, amongst many others.
Exchanging views on these topical themes over networking breaks, ISACA members and industry thought leaders at GTACS 2019 also participated and shared through two dedicated tracks on topics of “Governance & Security + Compliance, Audit” and “Talent and HR”.
The GTACS theme “Managing Change, Embracing Uncertainty” was further expanded through industry talks ** which highlighted the need for proactive preparation and planning, and reflected the convergence of Cyber-Physical systems and an increasingly networked society.
** “Anticipating the Unknowns – Preparing for the Unexpected” by Victor Keong (Sr CISO Advisor, Asia Pacific, Cisco Systems), “Operational Resilience” by Andrew Bissett (Head of Advisory, APAC, SAI Global), “Modelling Threats & Assets for OT Risk Management” by Jad Elsohemy (Cyber Security Lead, Thales), “3rd Generation Cybersecurity: Security Driven Networking” by Anthony Lim (Principal Consultant, Asia-Pacific, Fortinet).
“Can you audit AI in the same way?”
As a community of “networking, learning and mentoring”, said Mr Leonard Ong (ISACA International VP, Director, ISACA International Board) in his opening address, ISACA equips its members in navigating today’s sea of change.
One such transformation is Artificial Intelligence (“AI”). “Can you audit AI in the same way?” he asked.
There has been no shortage of regulatory, government agency and industry responses to transformational events, such as the Sarbanes Oxley Act, NIST publications and ISO standards. The Three Lines of Defence also gained prominence as a risk control framework after the Great Financial Crisis. These developments played a part in evolving the audit profession: under the Sarbanes Oxley Act, audit of controls such as logging of network activities is mandatory; under the Three Lines of Defence, the auditors (third line) provide independent assurance to the risk-owner (first line) and risk manager (second line).
The underlying common theme is “governance”, characterized by accountability and transparency through robust roles, responsibilities and policies.
In fact, the annual gathering “GTACS”, ongoing since the 1990s, was originally named “TACS” (Technology, Audit, Control, Security); “G” – governance – was added to the official conference name in 1994.
With AI, regulatory responses included Singapore’s proposed Model AI Governance Framework to address AI ethics concerns (e.g. data and algorithm biases). To be sure, such frameworks will guide future audit requirements and approaches. However, AI itself opens up opportunities for auditors, such as use cases that spot potential fraudulent activities from transactions and behavioural data fed through a machine-learning process. With more and more modern activities taking place online, leveraging digital data with AI to extract hidden insights can strengthen the organisation’s competitive positioning. No doubt, additional strategic inputs with predictive views that auditors offer will be invaluable. This, and many more opportunities, can certainly be transformational for the profession, made possible with today’s innovations.
Celebrating the 50th anniversary of ISACA
Half a century ago, a significant milestone in human history was marked when Apollo 11 landed two men on the moon.
The remarkable achievement reflected the decades of dedicated research following ENIAC (Electronic Numerical Integrator And Computer) – the first programmable general-purpose electronic digital computer built during World War II.
Compared to the ENIAC which occupied a space equivalent to a standard two-room flat, the Apollo Guidance Computer was considerably more portable.
The exponential scaling of computing efficiency during those decades of innovation sent two men to the moon; it also led to the development of applications for commercial use.
The adoption rate of computers rose and, in the same year as the moon mission, the Electronic Data Processing Auditors Association (EDPAA) – the former name of ISACA – was born in Los Angeles, United States (US).
As computers became more widely used, urgency for know-how and good practices in computer system audits and controls grew, adding further impetus to EDPAA’s aim to meet the demands for exchange of tools, knowledge and experience.
Watershed events such as The Equity Funding Fraud scandal, in which a computer program generated fictitious policies in hundreds of millions that led to the collapse, further propelled EDPAA’s growth.
International expansion followed in the mid-1970s (Mexico City, Mexico, and Sydney, Australia in 1976; Israel and Milan, Italy in 1979); and in the 80s in Asia with China Hong Kong (1982), and Singapore a year later in 1983.
More recently, in the Asia-Pacific region, the organisation was boosted by the opening of the Beijing office, its first international office outside of North America.
From a handful of passionate individuals gathering in a restaurant 50 years ago in 1969, today, it is a global organization with 135,000 members, 200 chapters across 188 countries.
At a gala dinner held on 31st May 2019 in Orchard Hotel to commemorate the 50th anniversary, Singapore Chapter’s founding past President, Mr Chew Teck Soon, took the stage to recap memories and the journey of the Singapore Chapter.
The Singapore Chapter Story
Barely 20 years after its independence in 1965, Singapore was then a relatively young country. However, the waves of computer innovations were sweeping across the world, and Singapore was no exception.
“Those days, computers were not that complex”, said Mr Chew Teck Soon (founding past President, Singapore Chapter), as he took to the stage at the gala dinner.
But the thirst for knowledge and practices prompted individuals including Mr. Steve Ross, to establish a local chapter.
“The CISA (Certified Information Systems Auditor) was introduced by the organization in 1978. Once I passed my CISA exam, I took up the presidency in 1983”, Mr Chew said.
“The biggest break came in 1989 when we held the first computer security conference in Singapore at the Pan Pacific hotel. Mr George Yeo, then the Senior Minister for Trade and Industry was our VIP. The event was a huge PR success, drawing 50 – 80 persons, a huge crowd in those days,” he reminisced.
In 1994, a significant moment happened in the history of the organization.
“That year, we moved to change the name from EDPAA to ISACA to ensure continuing relevance. ISACA – Information Systems, Audit and Controls Association. It incorporated all the critical keywords, and the full name was adopted in 1994. Today, it is known as “ISACA” in short,” he said.
In some ways, the change reflected societal and economic trends as the economy shifted gears from the Industrial Age to the Information Age.
The next challenge was to differentiate the objectives and unique skills in auditing computer systems versus a traditional (financial) audit.
“We faced the challenge of “competing” against the Big 8 audit firms.** To address this, we launched in 1996, The Control Objectives for Information and Related Technology (COBIT) framework to help the financial audit community better maneuver in IT-related environments” he said.
COBIT today has evolved through five iterations, with the latest known as COBIT 2019, a testament to its role as a go-to guidance for effective and strategic enterprise governance of information and technology.
Over time, certifications have also been introduced to reflect the changing audit and controls standards as computers grew more sophisticated – CISM (Certified Information Systems Manager), CGEIT (Certified in the Governance of Enterprise IT, 2006), CRISC (Certified in Risk and Information Systems Control, 2010), and, most recently, CSXP (the Cybersecurity Nexus Practitioner).
** Arthur Andersen, Coopers and Lybrand, Deloitte Haskins and Sells, Ernst and Whinney, Peat Marwick Mitchell, Price Waterhouse, Touche Ross, Arthur Young.
“Today, with 2,000 members, the Singapore Chapter is firmly established as representing, promoting and developing the professional practice of IT Audit, Security Management, Risk Management and Governance,” but to continue growing, “developing a vibrant cybersecurity ecosystem” is important, Mr Chew emphasized.
Through partnerships with government agencies, vendor companies, and educational institutes (academic outreach), the Singapore Chapter plays a crucial role in building an ecosystem consisting of companies, professionals and communities of practice enabling active exchange of ideas.
Examples included the signing of the MOU (Memorandum of Understanding) with the Cyber Security Agency (signed by Mr David Koh, Chief Executive of CSA, and Ms Theresa Grafenstine, Chair of the ISACA Board of Directors, during the second edition of Singapore International Cyber Week (SICW) 2017), and the coordination of industry feedback to the public consultation on Singapore’s Cybersecurity Bill (passed on 5 Feb 2018, received the President’s assent on 2 Mar 2018 to become the Cybersecurity Act).
Workshops and seminars remain a focus for the Singapore Chapter to update members on regulations (e.g. Personal Data Protection, Amendments to the Computer Misuse And Cybersecurity Act) or market and technical developments (e.g. “Anatomy of Targeted Attacks”).
A multi-year winner (2014, 2011, 1998) of the K. Wayne Snipes Chapter Award for the very best large Chapter in Asia (established in 1989, the award recognizes ISACA chapters that meet or exceed service goals by actively supporting local members), the Singapore Chapter will co-host and support ISACA International in delivering the next ISACA Global Leaders Meeting (GLS) 2020 next February.
The next 50 years
Much has changed since the moon landing; notably, space flight is no longer a remote possibility for those who can afford it. Compared to the hardware powering the spacecraft, today’s chips are significantly lighter, giga-fold denser and quicker; and they power not only desktops, but also smartphones, wearables, sensors and many more.
The last 50 years saw the standardization of computing designs (e.g. segregation of “trusted” versus “untrusted”), access controls (e.g. password) and policies (e.g. “bring your own device”). Tomorrow, we face a “disappearing perimeter” as interconnectedness rises, as we adopt new authentication tools such as biometrics, and as we work more with third parties while partnership models emerge.
How will standards, practices and policies evolve and what are the impacts on the audit profession?
Technology does not stop. In the world where uncertainty is the only constant, ISACA has maintained relevance to become an organisation synonymous with information systems, controls and audit. The Singapore Chapter, “… a place for meeting of minds, sharing of experiences, promoting thought leadership, and fostering professional growth for all members” has demonstrated the strength of its platform. It will take similar commitment from its members to ride the waves of innovations in the next 50 years.
Indeed, as “The ISACA50 Story” noted, “ISACA’s success has been—and always will be—dependent on the dedication of its people”.