Episode 30 | John Moore – CTO of Queensland Audit Office

The Assurance Show

Show Notes

John talks to us about what audit offices (a.k.a. supreme audit institutions) do and the role of the CTO in an audit-focused organization.

He shares his views on a range of issues including:

  • His positive experience with their (outsourced) internal auditors
  • How he supports an audit-focused organization
  • Cyber and data governance frameworks; evolving IT practices that auditors need to keep a close eye on.

John is open to connecting with like-minded professionals.
You can reach out to him on LinkedIn.


Transcript

Narrator: 

Welcome to The Assurance Show. This podcast is for internal auditors and performance auditors. We discuss risk- and data-focused ideas that are relevant to assurance professionals. Your hosts are Conor McGarrity and Yusuf Moolla.

Conor: 

Today we’ve got a special guest. John Moore is the chief technology officer at the state auditor general’s office in Queensland. Welcome John.

John: 

Thank you gentlemen. Nice to be here.

Conor: 

Looking forward to a really useful discussion. As always, my partner in crime, Yusuf is here with us today. G’day Yusuf.

Yusuf: 

Hey Conor, hey John. Thanks for joining us today, John. Do you want to give us a feel for what your background is?

John: 

As you can probably guess from my accent, I’m not from Australia. Originally from London, emigrated here in 2013. Came over with my wife and young daughter. My wife’s a Kiwi, but she lived in Australia and grew up here. So that’s why we came here. Had a second daughter here. So we’re now a family of four and a dog. My background: I’m actually an engineer by trade, a mechanical engineer. I studied at Loughborough University in England. The main thing, my main takeaway sadly from my university degree, was that I didn’t really want to go into engineering for my career. So when I left university, I stumbled into IT through a help desk role, which I was using to pay off my debts. And progressing from there, I really enjoyed the technology. It was just before the dot-com bubble burst, so it was quite an exciting time to be in IT. I went into IT infrastructure, all the Windows platforms, Microsoft platforms, worked for banks and the financial sector in London, which was really interesting. And then when I came to Australia in 2013, my first role was for a professional services consultancy, and my first gig for them was at the Queensland Police Service. That was my first foray into public sector. Spent two years at QPS, during the Comm Games planning, so that was quite an interesting time. I learned a lot from there. When I left QPS, I did a couple of small gigs around Queensland, also in public sector. And then applied for a role as an information solutions architect at QAO. When the chief technology officer left, I was offered the role, and three and a half years I’ve been in the role now. My role now is quite varied, but essentially I run the IT department at QAO, responsible for all the IT systems, security, IT governance, facilities, infrastructure, all of that.

Yusuf: 

What is it that made you stay within IT?

John: 

In the early days, before I even went into IT, I temped in a bank when I was studying my engineering degree. So I’d come home for the holidays, live with my folks, and I got temp jobs working in London. And I worked in a Russian bank; this would have been ’97. And I just remember the IT guys strutting around the office like they owned the place. And they really did. You know, they were all earning extravagant wages, it seemed like everybody worshipped the ground they walked on, and I just thought that looks like a really cool job. And I wasn’t enjoying my degree at the time, so that’s what got me interested in it. What kept me in it? I’ve always liked technology. I like mechanical things, anything that’s technical, which is why I went into engineering. Windows was a really big growth area at the time. And I was just interested in anything: mainframes, storage arrays, all the really big, interesting pieces of technology, which people don’t really use very much anymore because of cloud. But at the time, that was the big thing for me. That was the big draw. And that’s what kept me there.

Yusuf: 

Do you want to give our listeners some idea as to what the QAO do, for those people that may be outside of Queensland or outside Australia, or haven’t come across audit offices?

John: 

QAO is responsible for auditing two aspects of Queensland Government. Financial audit, so it’s financial statements for the 450 or so Queensland government entities all around Queensland. Very varied, from your Queensland Health and Queensland Police and Department of Education all the way down to very small regional councils in far Northern Queensland. So we have a very mobile workforce who travel a lot. And then the other side of things that we do, our performance audits, so essentially, performance and value for money that Queensland government offers to the public. That’s very varied. We’ve run performance audits on the state of the Great Barrier Reef, the efficacy of traffic cameras, cybersecurity around Queensland government. Anything anyone in parliament could think of as a subject to be audited, we can audit it.

Conor: 

Those two main areas, the financial audit side and the performance audit side, do their demands on you and your team differ?

John: 

Yes, the financial audit side is much bigger, 70 to 80% of the organization staff-wise and work-wise. Financial audit is very well-defined, a very strict and well-understood methodology; the process year on year doesn’t change too much. Although we’re bringing more data and analytics into the work we do, it’s a well-understood domain. Whereas performance audit, because it’s so many varied subjects, the work is very varied. Obviously security is important for all aspects of our work.

Conor: 

What sort of challenges did COVID pose for your organization, and how well placed were you guys to deal with those challenges?

John: 

As with all organizations out there, it hit us hard. But fortunately we were well-placed to deal with it because we’re a very mobile organization, and we’ve embraced cloud. Several years ago we moved many of our workloads; we have a really robust and reliable VPN. Our staff are used to being mobile. They’re used to connecting and tethering to their mobile devices. So when we moved to working from home, which we did fairly quickly, the challenges were along the lines of “I don’t have a second monitor at home”, “I don’t have an ergonomic chair at home”. It really wasn’t a technology challenge for us, which was an excellent result for my team. We were dealing with some fairly minor requests and problems, and staff just shifted into that mindset of working from home really, really easily. And we still have a good proportion of the office working from home regularly at the moment. And hopefully, I think it may well continue that way for a while.

Conor: 

Can you tell us a little bit about what your organization, or the state more broadly, is doing to deal with cybersecurity? And the other matter that goes hand in hand with that is obviously data governance.

John: 

Queensland Government as a whole has various policies and mandated frameworks that government agencies have to adhere to. And one of the main ones is the IS18 information security policy. So that was overhauled in 2018 and it’s based on the ISO 27001 standard, which is a globally accepted information security standard. We’ve been implementing that over the last couple of years, widening the scope from some of our critical systems initially to now all of our systems and all of our information assets. ISO 27001 is a well-recognized standard and it takes a risk-based approach. And I find it really, really useful. It’s a lot of work to implement initially. You have to individually identify every single information asset, every single network, physical asset, technology asset that you have within the organization. That takes time. You can imagine for Queensland Health it’s a huge undertaking. It was for us, and we’re small. But once you do that, once you do the threat and risk assessments, once you have a process and procedures in place, it’s really easy. Anytime a new system comes online or you’re planning a new system, or you’re thinking about receiving new information assets or generating them, it’s really easy to drop them into the process. Run them through the threat and risk assessments and understand the inherent risks. And that just makes it so much easier to then manage those risks. We drafted a data governance framework about a year ago, which has kind of tied together many of the policies and procedures we already had. And just put them within a single framework to make it easier for our auditors to understand their responsibilities, and what they need to do. Whether they’re planning to receive data, requesting data, handling that data, all throughout its lifecycle from inception to disposal. The biggest challenge is understanding the confidentiality of the data. Once you know how sensitive the data set is, it’s a lot easier then for the auditors to work with my team and others within QAO to control the access to it, how we handle it, how we record it, and how we dispose of it and store it. That framework has been extremely helpful.

Yusuf: 

What other big-ticket items are there that the adoption of cloud and new technologies mean for auditors and the work that they do?

John: 

I think it’s important to have a healthy skepticism. I think that’s probably the biggest thing for me. Practices are evolving very rapidly. Even Microsoft recently have changed their stance on passwords and complexity. Typically, historically, you would have a password that would expire every 30 days. And the thinking was that it was good to change it. But actually that led to some really poor practices, because people are forced to change passwords that may be perfectly fine. And by asking humans to change things regularly, they find patterns themselves to follow, to make it easier for themselves. And that’s why it makes it a lot easier to brute force and hack passwords. So these days Microsoft recommend, to give an example, keeping passwords for as long as a year, maybe longer, but using better analysis techniques and better detection techniques to understand if passwords are being compromised with brute force, and then that way the passwords are only changed when you see they’re being attacked or there’s a vulnerability to them. And that’s something we’ve implemented along with some other controls at our organization, and it’s been really successful for us. Multifactor authentication is an absolute given nowadays, and that second and third factor of authentication. Assuming zero trust, none of your staff, none of your devices, are trusted until they can provide multiple levels of authentication. Very, very strong controls in themselves. Quite hard to implement, especially with legacy systems, but there are solutions out there that can help with that. My biggest piece of advice is to be skeptical and not to assume that even technologies and advice from a year or two ago are still valid. You constantly have to be questioning and pushing, and checking whether your security stance is relevant and up-to-date all the time.

Narrator: 

The Assurance Show is produced by Risk Insights. We provide data-focused advice, training and coaching to internal audit teams and performance audit teams. You can find out more about our work at datainaudit.com. Now, back to the conversation.

Conor: 

Would you have any tips or advice or observations for any other audit offices that are thinking about bringing in new technology or new ways of doing business?

John: 

I speak to colleagues in other audit offices around Australia about these things from time to time. And my advice is always to prove and test before you do anything concrete. So we use the term proof of concept quite a lot in IT and technology. And essentially that’s looking at a service, a solution, a piece of technology, and trying before you buy, essentially. You stand up a new service, you test it, you put dummy data in, desensitized data, and work with partners and providers to test whether you can get value from those services and solutions. Typically you do it fast, quick, and dirty. Agile is the buzzword now. Agile is a genuinely useful method because you try quickly, fail fast and you learn very quickly and get results quickly. Doing big waterfall projects has been shown to be a no-no for a long while now. Smart, sharp proofs of concept are great.

Conor: 

The proof of concept approach applies to auditing. Some of the other audit offices that we’ve seen are starting to move down that track as well. The benefits are clear and it just makes sense in terms of the return on your investment and mitigating your risk as you go along.

John: 

Are we talking financial or performance audit?

Yusuf: 

The thing with financial audit is, you know the risk that you’re looking for; it’s very clear. It’s defined. You know what the outcome is going to be. It’s either a qualified or unqualified opinion with regard to financial statement misstatement. While waterfall projects don’t make much sense for a lot of things anymore, if you know exactly what it is that you’re going to deliver, and there is no potential to waver from that, then that old style is still okay. But most things we do nowadays, performance audit, internal audit, IT projects, you don’t know, you don’t have the answer.

John: 

Especially with performance audit, because the reason you’re doing the audit is to find things that you aren’t expecting. So who knows where that’s going to lead you.

Conor: 

And that’s where the value add lies, because then you can pass that on to the client: through your proof of concept or discovery process, we’ve identified new risks, or we’ve seen things you’re doing well. The sooner you can bring that back to the client, because they are clients after all, whether it be internal audit or performance audit, the greater value they get from the process as well.

John: 

It’s interesting you say that, understanding the auditor is there to provide a service to the client. That’s something we’ve had good experience of this year with our own internal auditors, who are a third party; they’re not sourced internally to QAO. But we’ve had several internal IT audits undertaken this year. And we’ve been lucky that with this particular group of internal auditors they really do see themselves as providing a service to us. So they’ve worked very collaboratively with myself and my team to identify areas of improvement, recommendations that we can really use, and make effective changes. Whereas I’ve been on the end of internal audits in other organizations that just seem like a gotcha. They’re there to prove how good they are at finding flaws and bugs and problems that either aren’t easy to fix, aren’t realistically ever going to get fixed, or aren’t major risks. But that approach that we’ve had this year has been very fruitful and very useful. We found some good improvements because of it.

Conor: 

What’s been the key determinant of that good relationship? Has it been because there’s been engagement with the internal auditors by you upfront, or it’s a transparent process or, when it comes to findings and recommendations, there’s good engagement again, or is that a mixture of all of the above?

John: 

Definitely a mixture of all of the above. So I was always involved from the very beginning of the engagement. I explained how we’d had bad experiences before. So the auditors were very cognizant of that right from the very beginning. We were clear about our expectations; we articulated them very clearly. That it was a collaboration piece and that we were expecting good value from it. The auditors worked with us all the way through; their preliminary findings were communicated very early. And there was a lot of back and forth, you know, some things they found that we didn’t necessarily agree with, other things they found that we weren’t aware of. So yeah, very valuable process, very collaborative and quite a different way of doing things to what I’ve been accustomed to.

Yusuf: 

If you think about the next one to three years, what are your key priorities?

John: 

Cybersecurity is always there. That’s always an ongoing piece. That’s never going to go away. But one of the things I would like QAO to achieve is some level of ISO 27001 certification. So we’re going to be working initially for some external attestation on our controls, our adherence to the Essential Eight. Then once we’ve done that, probably over the next year to two years, we’ll look to get certified, whether we do that on certain systems or we try for the entire organization. That’s a stretch, that’s a huge piece of work, but it’s definitely there as a target for us. Technology-wise, digital workplaces is one of my main projects, so we spoke about mobility earlier. And also another big thing for us, data quality, is a struggle for us internally as an organization. So with some islands of disparate systems, our legacy ERP system, our audit tool set, having consistency of master data across those systems currently is done with data transformation and data loads that are stitched together manually. I’d like one consistent master data management platform. That’s foundational, that’s key to our modern workplace. So that’s something we’re going to be looking to do over the next couple of years as well.

Conor: 

Do you ever get auditors approaching you or your team with a wishlist, or a new technology or something they’ve heard about or read about, saying, “Oh, we should get this for this office”? Have you had that experience?

John: 

Definitely. Although it’s not usually our auditors, it’s normally the executives who come to me with that. Our auditors don’t do that very often compared to other organizations I’ve worked in, where people are very forthright in telling you what they want and need and showing you the latest phone that they want, because they’ve got it at home. Now our auditors, they’re actually a fairly content bunch with the technologies they have. Or at least as far as I’m aware.

Conor: 

Are you happy that they’re content or you’d like them to be more proactive?

John: 

That’s a double-edged sword, isn’t it? Hopefully we’re doing something right and they’re content, but I wouldn’t be doing my job properly if I wasn’t trying to understand the cutting edge and what else is out there. And we don’t know everything; we’re technologists, but we’re not auditors, okay. So we don’t know all the best new methodologies and methods and pieces of software and solutions that are out there. So it is good to have some blue sky thinkers, and we have a few of those at QAO. And so, yeah, I do get requests from time to time, but it’s usually the more senior staff members. Collaboration’s a big one. So we’ve recently purchased some Microsoft Surface Hubs, which are the big digital whiteboards that Microsoft have just refreshed. So we bought a couple of the new ones, the smaller ones. They were a wishlist item, and they’ve actually been really well-received. So we use them to host meetings. They’re mobile. They have uninterruptible power supplies in them, so you don’t have to have it plugged in. You can move around the office whilst having a meeting and collaborating with someone, which is a fairly niche requirement. But useful. Infogram was an interesting one. That one kind of came out of the blue. That’s an online visualization product. That’s been useful. But that’s not really revolutionary or a huge piece for us. What we’ll do more and more of is little point solutions. I think that’s the best way to go for us. And again that’s the whole agile thing. We’ll choose small projects that we can stand up quite quickly. We work with partners, we work with some really smart, small consultancies who help us with those kinds of things. We have a board who is very open to new technologies. Very security conscious. Which makes my job much easier, because convincing CEOs of security can be a difficult sell, but our Auditor General is our biggest advocate.

Yusuf: 

If anybody wants to get in touch with you to bounce ideas or find out about the latest tech that you’re using within audit offices, obviously there’s so much you can say in a public forum, what’s the best way to get hold of you?

John: 

LinkedIn. And I’m always keen and willing to hear from anybody who’s interested in talking technology and security with me.

Yusuf: 

Fantastic. So we’ll put a link to that in our show notes.

Conor: 

Okay, John. It’s been a pleasure speaking with you. Some fascinating insights there.

John: 

Thanks gentlemen, it’s been a pleasure to be here.

Narrator: 

If you enjoyed this podcast, please share it with a friend and rate us in your podcast app. For immediate notification of new episodes, you can subscribe at assuranceshow.com. The link is in the show notes.