Anniversaries always spark the desire to revisit the events that have taken us from “then” to “now.” ISACA’s 50th anniversary is no exception. I have spent quite a bit of time recently pondering the history of our professional association, which I have been honored to serve for many years, in many capacities.
Of course, auditing as a profession began well before ISACA existed. In audit’s long and rich history, perhaps two events are most relevant to ISACA’s formation. First is William Welch Deloitte’s audit of England’s Great Western Railway in the 1850s, which proved so valuable that the company’s directors recommended continued compulsory independent oversight. Second is Herman Hollerith’s 1895 invention of the punched card system, which took record keeping from a manual process to an automated one.
Fast-forward to the 1960s, and mainframe computers were in wide use in major enterprises, creating a need for a new type of audit—and auditor. Enter the Electronic Data Processing Auditors Association (EDPAA) in 1969, heralding the arrival of the IT audit profession.
1970s—Gaining Traction
As computers became faster and more versatile, the IT audit profession grew as well. By the middle of the decade, auditors had gained enough experience working in an electronic environment that they were able to identify good IT control practices. To capture and standardize those practices, EDPAA published Control Objectives, a precursor of COBIT. It enabled IT auditors worldwide to identify and apply these tested practices, not only for control purposes, but also to help address enterprises’ growing interest in risk management.
But good practices were not enough for this still relatively new profession. Increased knowledge and credibility were also required. EDPAA’s experienced leaders and members began to generate practical information, made available through books, tapes, chapter presentations and regional conferences, for those wishing to expand their skills. In addition, the EDP Auditor (now the ISACA Journal) began publication.
Those activities addressed the need for knowledge, but what about credibility? A designation that attested to an individual’s skills and knowledge would fill that need. Accordingly, EDPAA began work on the association’s first certification: Certified Information Systems Auditor (CISA)—a certification I am proud to hold.
1980s—Picking Up Speed
In the 1980s, IT auditors shifted their focus to systems-based auditing. Auditors would select a system (often on the basis of risk), identify its key processes and controls, then perform tests to determine whether those controls were operating effectively. They began to rely on audit software such as ACL and CaseWare, and on query languages such as Structured Query Language (SQL), to extract and analyze data for audit activities.
Another advancement was the use of minicomputers, smaller versions of mainframe computers. While they required less infrastructure, they still presented a risk environment and demanded the same attention to security and controls. Other security issues emerged as well: hacking began to surface, and ARPANET, the forerunner of the Internet, offered connectivity, and with it a new avenue of exposure. EDPAA began incorporating security into its activities with the acquisition of the Computer Audit, Control and Security (CACS) conference.
To help members deal with the speed and complexity of change, EDPAA continued to generate knowledge offerings, formally establishing the bookstore, producing a CISA study guide and issuing two updates of Control Objectives. A volunteer board was established to create standards for information systems auditing, underscoring the growth of the profession.
1990s—Overcoming Obstacles
The decade that saw the 25th anniversary of the association, and its name change to Information Systems Audit and Control Association (ISACA), also presented a significant challenge: Year 2000 (Y2K).
ISACA members spent countless hours reviewing processing procedures and controls to ensure that enterprises functioned normally at 12:01 a.m. on 1 January 2000. With only minor exceptions, they did. Members and nonmembers alike looked to ISACA’s Y2K conference and related publications and articles for guidance from experts.
Technology became smaller and more mobile in the 1990s, as laptop computers were increasingly adopted by organizations. At the same time, auditing became more automated and risk-based. Less reliance was placed on sampling large databases to find out what had happened; instead, attention shifted to what could happen and to the controls needed to keep that risk from materializing.
Each technological advancement brought new challenges for members, resulting in ISACA broadening its perspective beyond IT audit, security and control, to include governance, privacy and risk management. This is exemplified by ISACA’s release of the first edition of COBIT in 1996, reflecting a more comprehensive view—a perspective that expanded with each new edition.
A further example of ISACA’s broadened perspective was the establishment of the IT Governance Institute (ITGI), which took the place of the association’s foundation and concentrated on publications dealing with auditors’ responsibilities related to governance.
2000s—Shifting Into High Gear
Having dodged Y2K disasters, ISACA focused in the 2000s on critical issues facing its members. In the wake of enterprise scandals such as Enron and WorldCom, the US Congress passed the Sarbanes-Oxley Act in 2002 to protect investors from fraudulent accounting by corporations. Much of the responsibility for assessing compliance with the law fell on auditors, and ISACA offered support by issuing one of its most popular publications, IT Control Objectives for Sarbanes-Oxley Using COBIT. The book is now in its third edition.

Information security gained prominence as hacking became more prevalent and more sophisticated. Prominent businesses such as Microsoft, eBay, Yahoo! and Amazon were knocked offline by massive distributed denial-of-service (DDoS) attacks. Individual hackers were still at work, but they were joined by large-scale, industrial and state-sponsored espionage.
ISACA went into high gear to help its members protect organizations. Many of the ISACA-issued publications in the 2000s reflect the focus on security, including Virtual Private Networks and Managing Risks in Wireless Enterprises. In addition, ISACA introduced the Certified Information Security Manager (CISM) certification.
Governance and risk were addressed through new credentials specific to these areas: Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC). In addition, two new editions of COBIT were issued during the decade, each increasingly focused on enabling the business through effective governance and management of IT. In 2006, ITGI published Val IT, which applied COBIT concepts to the implementation and assessment of processes to derive value from IT investments. A similarly structured publication, Risk IT, which focused on governing and managing risk, followed soon after.
2010s—Reaching New Heights
By the second decade of the 2000s, every emerging trend and technology seemed to open doors to new cybersecurity vulnerabilities for enterprises and individuals.
The bring-your-own-device (BYOD) trend boomed, with smartphones and tablets dotting the landscape. Seemingly everyone participated in at least one, and often more, social networks. The Internet of Things (IoT) connected appliances and devices through the Internet to enable business operations and provide consumer conveniences. Enterprise use of the cloud and the provision of cloud-based services by major software companies and service providers became the norm.
The exposure created by these new technologies was compounded by the global shortage of information security professionals. ISACA responded by launching a dedicated cybersecurity web presence, Cybersecurity Nexus (CSX), which sponsors conferences and webinars, publishes research, and offers designations, all specific to cybersecurity.
In 2016, ISACA strengthened its core by acquiring the CMMI® Institute, a combination intended to create business solutions that help organizations deliver a faster return on investment with better quality, improve performance, reduce time to market, achieve greater customer satisfaction and reduce IT waste.
2019—Looking Ahead
In the years ahead, auditors will face challenges involving artificial intelligence (AI), robotics, ethics and their interfaces with new technologies. No longer faced with auditing “around the computer,” ISACA’s current members contribute significantly to their enterprises’ ability to leverage technology for competitive advantage.
I have been proud to play an active role in EDPAA/ISACA, an organization that is dedicated to helping its members capitalize on change, thanks in large part to a holistic view of IT auditing and controls, governance, risk, and security. I have been both amazed and gratified by its consistent growth and increased international clout. With 140,000 members in 180 countries, a thriving chapter structure, expert leadership, a portfolio of certifications, and a professional staff, we members should feel assured that ISACA faces its next half-century with confidence.
Robert G. Parker, CISA, CRISC, CA, CMC, CPA, FCPA
Is a retired Deloitte partner. He joined the EDPAA in 1975 and served on the International Board of Directors from 1979 until 1991. He was International President from 1986-87. He served on many committees and boards of the Association, including the COBIT Steering Committee, Research Board and chaired the Name Change and History Committees. Parker was the architect and primary author of ISACA’s Information Technology Assurance Framework. He authored two ISACA Year 2000 publications. He is currently a member of the University of Waterloo (Ontario, Canada) Centre for Information Integrity and Systems Assurance.