IS Audit in Practice: Disruptive Technology—An ESG Enabler

Technological progress has not always been universally embraced. Indeed, environmental, social, and governance (ESG) factors are top of mind for many practitioners as the pace of technological change accelerates. As one generation builds upon the learnings of the prior generation, can the technology that brings convenience, fast problem solving, and better outcomes across a number of industries innovate fast enough to address looming ESG-related concerns?

Opportunity Abounds

Technology is already an important enabler in the ESG space. Data lakes and analytics are indispensable to corroborating global research efforts. Social media enables an online forum where organizations and agencies can network and brainstorm about important issues. There are a multitude of applications that enable sustainable lifestyles.

The same disciplines that are hallmarks for information systems audit and risk professionals apply to ESG solutions.

All of this brings opportunities for information systems auditors to verify technology and confirm trusted resources, from testing eco-software to monitoring equipment that supports renewable energy sources. Technology also allows those focused on regulatory compliance to quickly parse through data and propose updated policies that will encourage and even enforce better environmental outcomes. Now more than ever, attention regarding ESG concerns and technology-enabled research gives risk managers and technology inspectors, whether through the first line of defense (FLOD) or audit, the ability to fast-track ideas into production.

Addressing Challenges

Emerging technologies often face many challenges on their way to becoming mainstream products. Aligning organizational priorities and developing a proper framework and operating model are essential to successful implementation. Environmental technology deployment faces several hurdles including the following:

• Enacting change necessitates knowledge of more than a single regulatory body, especially given that land resources set aside for public benefit and use are often held by government agencies. When innovative science and technology move faster than updates to policy, collaboration between agencies, environmental companies, and nonprofit advocates can be a stumbling block.
• Building economies of scale is critical. Adopting new technology comes with a multitude of risk, which may deter an organization from using it. Timely and widespread adoption, however, is needed to reach economies of scale while interest is high and focused on the common goal of environmental remediation. Otherwise, the benefit of today’s environmental technology may be lost to the whim of a short-term profit business model.
• Funding is always key, and benefits must be measurable to secure money to complete the work. The profit model of environmental projects is easier to prove than in the past as advancements in technology have made solutioning more economically feasible, but many of the outcomes are not immediately tangible or easily measured to show funders. For example, mitigating greenhouse gas concentrations can be positively impacted by even small improvements in natural resource areas, such as diversely restored rain forests and preserved salt marshes, where carbon sequestration is high. Yet, presenting conclusions to businesses and municipalities for funding approval can be difficult, given that environmental benefits are often ubiquitous, and data does not always attribute benefit to a specific marsh or several hectares of rain forest.

Rapid Innovation for Lasting Results

Field research is essential for the timely advancement of environmental technologies. Unlike healthcare where trials are perceived to have higher stakes, environmental risk assessment is focused on speed to delivery, seeing what works, adjusting, and moving forward. Innovative testing is welcome, and researchers are asked to put their work into action. The opportunities presented to researchers mean opportunities for ISACA professionals as well. What group of professionals is better prepared to legitimize both corporate and government actions with a framework to implement environmental solutions, and a monitoring discipline that will enable timely course correction that fosters positive results? If framework and monitoring can help, how does one get from research to reality? The promise is all about making people feel good about innovative environmental technology by trusting that research is ready to deploy.

Barriers to moving technology into the field are no longer insurmountable. The same disciplines that are hallmarks for information systems audit and risk professionals apply to ESG solutions. Compelling science needs a spokesperson, and savvy risk assessment and auditing provide the necessary validation to disrupt the status quo. Disruptive technology is successful when trust is built on clear expectations. The steps to building the change model are familiar ones:

1. Updating applicable regulations is important to avoid rework or unusable solutions. New and innovative technologies often recommend actions that were previously considered harmful. Science need to be explained and modified regulation enacted to govern technology that now corrects past understandings and encourages operationalizing better science.
2. It is important to understand how regulation is being enforced and if regulatory compliance is even being monitored. If policies are in place, but not enforced, promoting new regulation without taking advantage of what is in place only complicates the ability to implement solutions.
3. One must examine the existing frameworks to inspect and move technology forward. Like risk or governance models, environmental frameworks must be examined and documentation updated to avoid technology outpacing operations.
4. Collaboration is key to setting expectations that people buy into. ISACA professionals must always consider the audience when outlining expectations and planned deliverables. Buy-in and critical decision points should be agreed upon before initiating action to make sure stakeholders stay aligned with funding, research resources, policy concurrence, and implementation.
5. Testing and inspecting must be visible and documented. This is especially important in building trust where innovation is expected to disrupt the status quo. Proof is needed at key milestones that have been agreed upon and are understood by all involved.
6. Continuous monitoring ensures continuous improvement, encouraging accelerated change. Reports must be clear and accurate to allow intervention that keeps the technology moving in the anticipated direction.
7. Small successes must be acknowledged. Disruptive change feels positive when enthusiasm is front and center. It is important to acknowledge success as it occurs and not wait for a big result. Failure to recognize even the small successes can lead to waning enthusiasm. This can cause fear and doubt to develop, which can put innovation at risk.
8. Enforcement of updated regulations and adherence to resolving findings quickly are important ancillaries to launching new technology. Enforcement demonstrates that the framework of governance is taken seriously, and that the innovation being deployed is based upon a foundation of structure and consistency.

There has never been such a promising time for technology and environmental change. In a field where decades ago, court action was required to gain adherence regarding clean air and water legislation, green industries are thriving with government agencies and building developers making changes that count. There are challenges, but the excitement of applying due diligence and discipline—the core of the IT risk and compliance profession—is everywhere. The opportunity to make a difference is often right outside our own back doors.

CINDY BAXTER | CISA, ITIL FOUNDATION

Is Conservation Manager for Friends of Belle Isle Marsh. She works with environmental organizations, the community, and with developers to promote compliance for a green and resilient environment for the only remaining salt marsh in the city of Boston, Massachusetts. Her work also involves collaboration with municipal and state officials to move legislation forward with the innovation that green technology provides. Baxter is pleased that technology has allowed her to reinvent her career and continue learning at every step. She had the privilege of learning technology and managing Fortune 100 client relationships at AT&T. Baxter then applied her expertise as an IT operations director at Johnson & Johnson before moving to compliance and risk management roles at AIG and State Street Corporation. Baxter continues to accept select consulting assignments through her business What’s the Risk LLC, focusing on environmental risk management, inspection, and compliance enforcement. Baxter is pleased to serve as Operations Officer on the ISACA New England Chapter and is a board member on the Nantucket Lightship LV-112 Museum.