John O'Brien talks with the Association of College and University Auditors about how to work effectively with CIOs and some high-risk IT areas to watch out for.
This interview was originally published in College & University Auditor 63, no. 1 (Winter 2021).
In May 2019, John O'Brien interviewed ACUA Past-President Justin Noble and published "The Internal Auditor as a Trusted Resource: An Interview with Justin Noble" in EDUCAUSE Review, discussing how Information Technology (IT) leaders can partner with internal auditors. Now, ACUA has interviewed John to understand how to work effectively with Chief Information Officers (CIOs) and to gain insight into some high-risk IT areas to watch out for, as well as the information and resources available to member institutions. ACUA's questions are in bold and John's answers are below.
Internal auditors base our audits on risk. Based on your research and input from CIOs, what do you see as the high-risk IT areas over the next few years?
For anyone tracking EDUCAUSE's top 10 IT issues over the years, it will come as no surprise that the first words out of my mouth are "cybersecurity." This is an ongoing, dynamically changing threat for colleges and universities. The pandemic seems to accelerate so many trends we are seeing, including more nefarious activities and more sophisticated threats, such as nation states targeting intellectual property.
There are, of course, many other risks on the radar of higher education CIOs, and because of the complexity of the risk landscape we strongly encourage campuses to consult resources on our IT Governance, Risk, and Compliance site, which includes risk management resources and a very useful IT risk register tool. With all the existing and changing risks, collaboration across an institution is necessary.
In addition, our October 2020 EDUCAUSE QuickPoll data suggests that around two-thirds of campuses are experiencing IT budget cuts, with 10% as the median reduction—and over 40% expect more to come. Navigating decreased investments in IT at a time when technology has been the linchpin of strategic campus pandemic responses will be a big challenge this year and perhaps for many years to come. With inevitable declining budgets, institutions also may want to identify new efficiencies and other transformational approaches to risk, compliance, and privacy.
A significant shift to Cloud services is occurring across higher education. Are there EDUCAUSE resources auditors can leverage to keep up with Cloud developments?
The cloud can be a pretty risky place. In many cases you are handing institutional data over to third party providers, and it is important to go forward with a clear understanding of the risks involved in cloud vendor relationships. To help institutions measure vendor risks, we have developed (along with our member-led Higher Education Information Security Council) the Higher Education Community Vendor Assessment Toolkit (HECVAT). It is a questionnaire framework specifically designed for higher education solutions providers to confirm that information, data, and cybersecurity policies are in place that protect sensitive information. Preparing the IT Organization for the Cloud is a good resource for background information about the cloud. While not focused on cloud computing technology, it does include a wealth of information about what it takes to move services to the cloud and how an institution might prepare for that.
What skills and abilities would a typical higher education CIO hope that an IT auditor would possess (e.g., technical, interpersonal, communications)?
I think the dream auditor would be one who sees the engagement as an opportunity for collaborative discovery and who is willing to begin an audit with the goal of deep understanding, while resisting any rush to drive toward findings. In my opinion, what is true for great leaders is true for great auditors—a bias for "turning to wonder" rather than "turning to judgment." It is easier to judge than to wonder genuinely why something initially seems out of the norm. I do understand that you could make the case that turning to judgment is woven into the job description for an auditor—that is true, but one might also expect that tactics and operations are a core competency for a CIO; however, that has changed over the last decade. IT is far more than executing tactics, especially in a pandemic.
We hope for auditors who understand that IT is more than just operations. IT has become less a utility and more and more a strategic asset. Understanding the work IT does in this broader strategic context would improve the audit process and results.
What are the best ways that internal audit can partner with CIOs to improve IT people, processes, and technology?
I think it would be remarkable if IT auditors would dig into the priority work at EDUCAUSE over the last few years around digital transformation ("Dx") and bring this lens and thinking into play. Being a partner with IT in advancing digital transformation as an institutional differentiator has great promise connecting "people, processes, and technology." The difference between ad hoc technology innovation and Dx is exactly that, that it embraces major shifts that go far beyond technology alone. Technology can be cool, but transformational change embodies changes in workforce and culture as well.
What do CIOs most appreciate about the audit process?
CIOs most appreciate when an audit process is transparent and thoughtfully scoped so that focused resources can be directed at supporting meaningful exploration and helpful findings. Anything that can illuminate a pathway of authentic curiosity and discovery will make it less likely that the engagement will take on the "gotcha" aspect that benefits no one. Additionally, CIOs especially appreciate it when audit findings help her or him make the case for needed or overdue investments in technology or staffing.
When Board members (or CIOs) come from a corporate background, what should they know about higher education?
Folks moving from a corporate background to higher education should know that they may need to master another language. Some words and concepts that meant one thing in industry mean something else in higher education. For example, "customer" is inaccurate or even offensive to many in higher education circles, and even if it were generally accepted, it is more complex than for most businesses. IT's "customer" may be the faculty, while faculty's "customer" might be students or research funders, or both. And institutions don't just serve students; they serve their communities, their local government bodies, and so much more. Aside from the language challenges, of course those from a corporate background will need to adjust to the fact that it simply takes considerably longer to get things done in higher education.
What EDUCAUSE resources are the most popular for your members?
EDUCAUSE Review (ER), our digital flagship magazine, has a wide range of articles and content on many topics. ER has received numerous awards and continues to keep our members up-to-date at the crossroads of higher education and technology innovation. Of course, like ACUA, professional development is a big part of how we serve our members, and our conferences and events are very popular. In 2020, we added virtual conferences and institutes to the mix, with great results, and in early 2021 we will be launching a new mentoring initiative that I am really excited about. If your institution is an EDUCAUSE member, please let us know if you would like to become, or connect with, a mentor. Additionally, our research is very popular with our members, most notably the Top 10 IT Issues, as well as the Student Technologies and Horizon Reports.
Finally, as we reflect on the tremendous racial injustices last year, our members have appreciated our intentional effort to prioritize diversity, equity, and inclusion (DEI), including infusion of DEI themes in our professional development, publications, and research. In the second half of 2020, around 20% of our publications were related to DEI themes. Our CIO DEI Commitment statement has been signed by nearly 600 to date, and this year we are focusing on going beyond words and statements and prioritizing action.
What could future collaboration between ACUA and EDUCAUSE look like?
So many ACUA members are members of EDUCAUSE as well, and we could intentionally seek out and promote opportunities to point each other toward our resources. We have—thanks to the pandemic—been moving toward faster responsiveness to members through QuickPolls that launch and report on timely topics in days, not the months you would expect from more traditional research. QuickTalks (like this one) make it possible to spin up discussions on emerging topics for members. This agile programming would be useful to ACUA members, and we could explore areas of interest to both our members in these and other venues. I enjoyed the chance to be a keynote speaker at AuditCon 2019 and discuss digital ethics, and I think topics like these are the kind of thing that captures the imagination of auditors and IT professionals alike.
John O'Brien is President and CEO of EDUCAUSE.