To all our readers and clients celebrating Chinese New Year,
May good health, good luck and great success be with you always. For those who are travelling, wishing you a safe and peaceful journey!
Years ago, when I was starting out, I was given a book by my eventual father-in-law (though I didn’t know it at that time) called “Who Moved My Cheese?”. It’s a fascinating look at change management and pre-set my mind into what I am now in some respects: that change is Good. That change is Needed. That change should be Anticipated. I was a young rat then, entering into the race, and now a dozen years after reading that book, it still resonates somewhat in me. That change is great.
You can change a situation and not change a person. For instance, you might know someone who got retrenched. His situation changed. His cheese was taken away. But like some of the characters in the story, he sat down and mooned over his situation. Or you can change a situation and change a person. Someone else adapted to the situation and changed his mindset to address the new situation. Better yet is if you anticipate the change and start moving even before your cheese is finished. The last part is certainly the hardest. This is mainly not due to our resistance to change, but to our comfort with the status quo.
Imagine we go to work every day, with a set routine and do things from 9 to 6. When we’ve gone home, we spend time with family, watch our favourite show and crash for the night. Deep in our thoughts we have made up our mind to study a new system, or new language or develop a new methodology for IT risks, or even to diversify our income channels by going into investments. But we always say, well, not this day. And as the famous phrase from Scarlett O’Hara goes: “After all, tomorrow is another day.” The phrase of optimism and hope has turned the next generation into a generation of procrastinators, because ‘tomorrow’ is only a day away and we can do it tomorrow.
For an organisation such as ours, the inability to change is to die. The inability to anticipate is to be stagnant. The inability to innovate is to be left behind. The absence of evolution is the certainty of extinction. It might sound melodramatic, but it’s never so prominent in our case, in IT services.
We need to anticipate in two dimensions: The first is in the current product: the service, the input, the output of our sweat, our efforts, our WORK. How do we do the things we are doing better? How do we improve on the things we are currently selling? The second dimension is in the future ideas. I personally don’t believe in a Blue Ocean. I believe that whatever we do, there is no such thing as an impregnable barrier to entry. With that in mind, I do believe in not just doing things differently, but doing different things. Especially in IT, what are some of the future services we can anticipate? What happens when our IT audits and compliance cheese are finished? Which direction do we move in?
2013 will be in a lot of aspects a year of anticipated change. With more focus on security, we are looking at areas that previously have been ignored: the understanding of big data, the movement into mobility, the virtualisation of workspace.
Are we ready to move from our cheese station this year?
Company Memo from the Director:
All,
I suppose it is best that the first email of the year in your inbox should be coming from me. Ahead of us lies a challenging goal, hitting our targeted revenue, which is close to a 100% growth from our 2012. The only way we can do this is for us all to pitch in not just in our own service towers, but to do anything we can to bring in the business. It can be starting small, or it can be big, it doesn’t really matter.
It’s important also to know a little about our history, now that we’re past 2 and a half years. PKF Avant Edge started in mid 2010. From there, we went the first few months just marketing and getting in business. We started from almost scratch, without much pipeline and built up our marketing and branding as we went along. All the marketing work/brochure/whitepaper/writeups you see today are results from our own efforts. The websites and blogs are also from us. We have gained a measure of respectability in the industry, and are now looking forward to strengthening this brand.
I think it’s important to know where we came from, and our roots. Once the ball got rolling, we worked very hard to get our first few jobs. 2011 was our first full year, and we hit around a modest revenue. 2012 last year, we actually had 30% growth. We’re asking a lot for 2013, but I believe we can do it. Because we’re a team that has gone through the lean times. We don’t forget the many hours spent calling, visiting clients, talking to customers, working on proposals, reports. In many ways, we’re starting the year like how we started 2011: defining our jobs and creating opportunities and we’ll need to depend on each other and trust one another to do what’s best for the company.
New markets and a progressive industry mean more opportunities for us, who really care about our service and delivery quality. I know working out audit plans over weekends and reports are not easy, but we ask all of us to dig in and sacrifice. I can guarantee you that once we hit the stable years from now, we’ll look back and we’ll be glad for the tough moments, because it makes the journey more memorable.
I will need fellow journeymen (and women). In a few years, we could be industry leaders and experts in specialised technology fields. I can only say that this company will be what you make it to be, and as all of you have helped build it, part of it has your DNA. It is not loyalty I ask, but belief. Loyalty centres on what we’ve done in the past. Belief focuses on what we can achieve in the future. The promise of the future is stronger, and more powerful. I hope I can have all of you, in a few years’ time, looking back with me to see what you all have built. We’ll need everyone to work hard to reach there.
I do not judge our work by the quality expected from our different clients, but by our own standards. If the client expects 1 and 2, and I expect 1, 2 and 3, we’ll do what we can to meet the higher expectations. Quality is not defined by the amount of money paid to us. Our scope is.
PKF Avant Edge culture is for you to define. Plant your DNA in it, and leave your impression in it, because we plan to grow this company and all of you to be cornerstones and foundations of that growth.
So here’s to our 2013, may it be successful, and filled with challenges that we will surmount together to reach our corporate and personal goals. Happy New Year!
I remember, almost 20 years ago, a movie called “The Net” came out, starring Sandra Bullock. It was one of the first few movies dealing with information security and theft, and invalidation back in the heydays, when we thought the internet was a new brand of spandex.
Fast forward 20 years and here we are. The information highway was incorrectly named. It wasn’t a high way, or even a super highway. It is now an intergalactic, hyperspeed wormhole in which every single imaginable piece of information is being collected and stored, and waiting to be trawled.
Trawling is a term we often use when we want to find out more about certain people or things on the internet. We use specialised tools to help us create informational relationships, connecting the dots.
In Avant Edge, we do quite a bit of forensics work. Part of forensics is actually forming the context. If it is an individual, we’d like to know not just what’s in his laptop, but his online habits, the forums he has posted in, whether he is active in the social network, who he has been in frequent touch with; and whether he eats green or red apples. So it has to be the CIA or FBI then, right?
Nope, because most information can be obtained freely on the net. It’s scary. You can basically vanity search your own name and you’ll be surprised what’s out there. Private investigators can now conjure up scenarios based on bits and pieces found on the internet.
Web Trawling could be another branch of information audit we will be including for 2013. With some customised tools, we can basically craft relationships of an entity as we trawl entirely through the internet.
Here’s a very scary proposition, illustrating our idea:
“Hi, I am your IT auditor,” says the young lady before me. She is well dressed with unassuming colors, pencil skirt shaping her just enough without looking too informal. Beside her is an equally well dressed man. Or boy, more precisely. With that fashionably tall hair, waved as if he had just come out of a nearby hair salon, with those slightly tight pants, ending with shiny shoes with tips sharp enough to stab someone.
“Just show us where is our place, and your IT group, and we’ll be on our way!” she chirps merrily. After introducing her to my bleary-eyed IT manager, I went back into my austere chambers, decorated minimally, with plenty of space for the stacks of ring-files that documented my entire career as Head Internal Auditor of XXYY company. And I waited. Surely one of these well dressed, articulate, young IT auditors will be asking me for a sit-down session on some of the perceived challenges of IT aligning with our business, and how we can improve. Surely, once she’s done mapping out the technical areas with my IT manager, she would surely come and talk to me about how the IT audit will be done, and how as the Head of Internal Audit, I should be aware of the findings and recommendations, since I was the one who hired her firm in the first place.
One day passed. No sighting. Maybe IT was really complicated after all, although the company’s usage of IT would have been pretty minimal, seeing that we only used e-mail mainly. We only had 3 guys in the IT shop running everything.
Day two, day three passed and finally, I decided to go down to IT and see what the heck was going on. My IT manager was there, as usual, obsessively browser surfing 10 different windows on his large monitor.
“Where are the auditors?”
“They’ve already packed up and gone yesterday.”
Flabbergasted, I went back to my room. So 3 days was all it took to do an IT audit? Who did they interview? Who did they talk to in order to understand the business needs, risks and processes? How did they communicate with the business without me knowing? What were we measuring? How?
They must have bypassed me and gone straight to the business owners. That must be it.
Tapping the phone in front of me, I got hold of several of the stakeholders of the IT applications running in our company. All of them denied seeing anyone in a pencil skirt accompanied by a wavy-haired boy. Some of these stakeholders would definitely remember anyone in a pencil skirt, so I guess they were telling the truth.
So the IT auditors were almost like phantoms. Ghosting in, and in 3 days, ghosting out again, never talking to any of the key stakeholders. How on earth did they do their audits then?
The above is a fictionalised account of an experience that was shared with me, on IT auditing. Although somewhat humorous, I still find it alarming that IT audits are still being conducted in this way: go in, talk to IT, sit them down with a checklist and get them to implement the checklist. There’s no context of the audit, no risk analysis, no understanding of the business flows, or how it interacts with IT. No comprehension of critical processes, or the role that IT plays in the broader aspects of business. They carry with them a pen and paper and a checklist, and go into the poor IT manager’s room and shoot him when he answers, “Umm, what’s a BCP?”, shaking their collective IT auditor heads until the manager feels like a donkey in front of this pair, young enough to be his kids.
Checklists and irrelevant benchmarking.
IT auditors who do not take time to understand the context of their audits are wasting their time. Worse, they are disrespecting the customer. If a client has 3 people in his IT and generally uses IT only for automation of processes, without too much dependence on it, why do you insist on raising a red flag of non-compliance to COBIT by saying they need to come up with an IT Strategic Plan? Or have an IT Steering committee? And what on earth is a non-compliance to COBIT? COBIT isn’t even a compliance standard!
We’ve seen our share of these “quack auditors”, as we call them, in our landscape. Of course, for every quack, we also find very good, self-respecting ones. But the quacks are the ones that give IT audit a bad name. Suddenly people want to know if we do COBIT compliance. I even saw a proposal as thick as the Bible, expostulating to the client that they need to have all 318 control objectives in place, and the audit will cover ALL control objectives in a unified regulatory software. Which is a glorified checklist on Excel.
It’s tough, and sometimes we compare our adventures in IT audits to wild wild western movies, where law and order was non-existent. Until we start educating and creating awareness in our clients on how to apply COBIT as a framework or as a compliance to a standard, and not a standard in itself, we’ll be seeing these quack auditors all over the place. It’s like someone exalting the miraculous cure of radioactive medicines in the 1920s, only for the patient to die from this quackery.
Entering into 2013, we would love to see some regulation on how IT audits should be done. In fact, as I always say, remove the “Technology” and just call it Information Security Audit. Now, who would you talk to about “information”, not “Technology”?