ARC (trade) talks with... Anita van der Leeuw, Senior Manager IT Audit & Risk

To keep close track of developments in our field, every month we interview an expert in the field. In a series of interviews with (ultimately) responsible persons for audit, risk and/or compliance and we ask the question: what developments do you see and how do you deal with them? This month we talk to our own colleague Anita van der Leeuw, Senior Manager IT Audit & Risk, about developments and challenges in the field.

In 2007, I joined PwC Accountants on the SOx (Sarbanes-Oxley) traineeship. From there I progressed naturally into the IT audit field. Over the past 14 years, I have gained very broad knowledge and experience in this field. I have performed external audits where I managed teams ranging from 3 to 10 less experienced employees. These audits consisted of IT audits as part of the financial statement audit but also Third Party Assurance and other statements (SOC, ISAE3402, COS3000, AUP). Besides the external audits, I performed a wide range of other assignments such as internal audits, risk assessments, DigiD assessments and cyber security investigations. In the area of risk management, I helped clients mitigate IT risks and establish internal control frameworks. My clients varied in different industries and size, with an emphasis on large multinationals. 

Because I really want to help companies move forward - instead of mainly auditing - I made the switch to ARC People. I am still fully behind this move, because I have already achieved great results with my current client in making internal control more mature through an audit. From the conversations I have within this audit, both the client and I learn a lot. My role is now more focused on advising organizations so that we can take concrete steps for improvement.  

In my opinion, the most important task of an IT auditor is to think along with management about IT (and broader) risks so that management can take appropriate measures. An important part of this is that the IT auditor is also well informed about recent developments. I therefore always include these in my advice. These may include topics such as ransomware, cyber security and Internet of Things. By highlighting current developments and observations, I keep management on their toes and critical. Sometimes these observations even develop into a separate audit.

The field of IT audit is constantly evolving. Currently, the IT audit statement by professional association NOREA is an important topic, but it is still unclear when this will be implemented. There is also a lot going on in the areas of cyber security, ransomeware and continuous monitoring, as well as data analysis, robotization and AI. Because ARC People is active with various clients in all kinds of industries, I come into contact with these developments a lot. As an organization, we specialize in audit, risk and compliance and everyone is involved in the field day-in and day-out. My colleagues and I work closely together and share our knowledge with each other so that everyone is up to date with the latest developments and innovations.

There is currently a huge shortage of good professionals. The demand for specialized IT auditors, cyber security experts and data analytics specialists is incredibly high and good professionals are scarce. I also see that many Big4 auditors are leaving the profession and that there is insufficient new recruitment. Fortunately, there are many initiatives to make the profession more attractive to starters. Within the ARC Talent Program I guide trainees by coaching them and making them enthusiastic for the technical part of the profession. I provide training myself, but we also organize many substantive activities such as master classes and sessions with guest speakers to actively involve the trainees in everything the profession has to offer. 

In my opinion, audit and risk management should always go together. IT audits can be performed better and more effectively by adding knowledge of risk management, but vice versa there is also this cooperation. By performing audits you learn to recognize the pain points in the processes with which you can then help an organization solve them and take advantage of opportunities. Through risk management you help organizations to mitigate risks as much as possible by setting up control measures. By combining these disciplines, you can better help implement internal control measures and robust internal control. This, in turn, helps you get through external audits more easily. It both goes hand-in-hand.

What make these fields interesting and fun for you?I get a lot of energy from the conversations I have with clients, vendors and assignment teams. Showing genuine interest creates valuable conversations and outcomes. The field is challenging and evolving. It is important to continuously keep abreast of developments in the field and changes in regulations. For as long as I can remember, I have loved acquiring new knowledge. This field stimulates me to keep developing continuously, both professionally and personally.