Episode 5

Published on:

2nd Jan 2024

Episode 5: Aaron Brewer, Chief Security Architect

Unlock the future of internal auditing in the fifth episode of ‘Inside the Auditorium’ with Aaron Brewer, the Chief Security Architect for Standard Chartered Bank.

This episode explores: 

  • Supportive leadership and talent retention: Aaron shares his views on supporting team members in their career journey and the benefits of allowing them to explore external opportunities while maintaining an open and transparent environment.
  • Bridging the technological gap in audit teams: Discover why organisations embracing a diverse skillset within their audit teams are leading the charge, and the value of integrating technologists into the audit process.
  • Anticipating future risks: Gain insight into the explosion of new technology and what risks we should be paying attention to. Aaron explores the potential game-changing effects of quantum computing on encryption and protocols, prompting us to consider how to navigate these challenges.

Don’t miss out on this insightful conversation that delves into the intersection of technology, cybersecurity, and internal auditing. Gain a fresh perspective on the evolving landscape and the strategies needed to stay ahead of the curve. 

Enjoy! 

Note: The views expressed by Aaron are his own and do not necessarily reflect those of his employer. 

Transcript

Today I just really wanted to have a chat with you because I find this quite interesting, as you actually used to be within internal audit and were a career auditor, and now you've moved into other areas. Can you just tell me a little bit about your career?

Sure. Hi Hazel. Yeah, I've been what you would call a career auditor. Most of my career actually, I started as an accountant, which was probably largely driven by listening to my father on career advice: make sure you get accountancy as a qualification, it'll suit you for the rest of your career. But quickly I exited out of accountancy, or finished training in accountancy, and went into IT audit pretty rapidly, more from a passion perspective, technology being something I've done and loved all of my school life and growing up. So I wanted to get into using technology rather than just doing number crunching all the time, which I was in some of the accountancy work I was doing. And then went on a career of learning IT audit, as it was quite nascent at the time, and then going on and looking at, okay, where do I apply those IT audit skills?

So I went through British Telecom, more from an experience perspective actually in British Telecom. They had every type of technology going, a great place to learn. And then into JP Morgan in investment banking, a bigger organization, much more complex, the use of technology much more complex as well, particularly on the trading side. And then after that, moving into Barclays, spent a period of time there including a stint in Singapore, where I now live and have lived for 13 years. And then after Barclays, I went into Standard Chartered, headed up technology and operations audit for five years and then eventually took the plunge and went into first-line cybersecurity. And I've spent the last five years there.

And in terms of training, did you do any training to go into being an IT auditor?

Yeah, it's an interesting question. When I was training, so I was doing my accountancy qualifications at the time, I also was trained to be an IT auditor. So things like CISA were there, Certified Information Systems Auditor, and that was kind of one of the main training certifications you could go and do at the time. And obviously there was technical training you could go and do, in learning Unix security for example. And some of them were technical, but actual IT audit practice and methodology, in reality, most of it was learned on the job. So I had a good line manager who was teaching us IT audit almost day in, day out on every single job we did. And the practice was growing in terms of how many IT auditors were out there in the industry, and the sharing and the knowledge of what we were doing and how we were doing it wasn't as widely shared as it is now.

And we certainly didn't have the same platforms that people use today to share the knowledge, but there were always a lot of people getting together just to talk about what they were doing and how they were doing it and trying to learn by word of mouth, sometimes even what other companies were doing in IT audit. Data analytics particularly had just started and was just starting to be used in anger. So a lot of networking, meeting other people from other teams, other organizations, but a lot of it on the job and succeeding in some parts and failing in others and learning from your mistakes and applying those practices to the subsequent audits that you did. Those were kind of the ways we generally learned.

And in terms of when you first started within IT audit, am I right to say that you were concentrating more on the application side and then you went into infrastructure? How did that work?

Yeah, well yeah, I did a bit of both actually. When I actually first started IT audit and I was in external audit, it was more general controls testing, and we were spending at maximum two weeks with a client, normally only one, because the volume of IT audits that needed to be done to support business audits was quite high and the number of IT auditors available was quite low. So generally we would do one week at a time at each client, and more often than not looking at general IT controls: performance, capacity, change management, resilience, redundancy, incident management, all the kind of ITIL type disciplines. Then when I went into British Telecom, it was a mix between infrastructure audit and application audit, more blended between those two. It was only really when I got to JP Morgan that I then specialized purely into infrastructure audit for quite a while, and did a couple of years of infrastructure audit and then went and did pure application audit.

And the teams were structured differently because the size of the organization was different. It was able to cater for more teams, particularly so you could move around dedicated teams, not only from an application versus infrastructure side, but also different lines of business as well that you're supporting. So I flip-flopped between those two quite often. And when I got to Barclays, as part of the career plan that I was putting in place for myself around, well, looking forward, what are the skill sets you need, I started to expand out of application and infrastructure audit and bring in things like third-party audit, understanding projects better and understanding how change audits would work. So you can aggregate those skill sets into later looking for a regional head of IT audit, or a regional head of IT audit with change and third parties in, which is actually what I went to do later on in Barclays in Asia.

And so with regards to that, I've always thought that infrastructure is a lot more technical than IT applications. Would you agree with that?

I think the answer might offend either one of the application or infrastructure sides. I think it really depends. I think the lines of infrastructure and application audit were once quite defined. And now if you look at things like cloud technology, where do you draw the line between the two? When you're looking at how you're going to audit an application that sits on AWS, for example, you need to understand both components pretty much as an IT auditor these days. So the old kind of monolithic view of "here's the mainframe, the infrastructure team go and audit the mainframe, and here are the applications sitting on top of it", and it's more business process driven. Looking from that lens now, it's much more complicated, I think. And you've got to at least have a skillset in both areas to go and do the work effectively, or you've got to take a multidisciplined team in to do the actual audit and go and look at what you're trying to get out of the piece of work. So is it more complicated or difficult? I don't think so. I think the complication now comes in if you look at some of the newer technologies coming in and the use of things like AI and machine learning: where do you put that between application and infrastructure audit? You don't really. The technologies themselves are changing so much that the audit function and the auditors within that function have to be able to know the technology that you're looking at. But also the change in technology products and what's actually being used is probably much more significant now.

And so therefore, in the quite big banks that you've worked in, they're very siloed. You've got your IT audit applications, you've got your IT infrastructure, cyber now. Do you think eventually then it would be better that they're put together and more technical teams being more blended? How would you have that department now if you were to run it?

Yeah, that's an interesting question. I was just pondering that earlier on today actually, because I think, depending on the organization, sometimes teams are structured as the infrastructure audit team, the cybersecurity audit team, the application audit team, who are maybe more application businesses and lines of business. And I think that has historically worked quite well. But within that construct, you have to be able to then leverage different skill sets that come out of the other teams, because a pure infrastructure audit will discover control weaknesses that actually then you need to start delving into the application to see how far it goes in terms of the risk that you might be raising, and even to the point of bringing business auditors in as well. So there are pros and cons of doing structured teams like that or doing maybe more horizontal teams where you bring all the skillsets together. I think the reality is probably, depending on the kind of work that you need to do in terms of what the audit is, being able to flex and bring the relevant skill sets to that piece of work.

And so I'll use an example of something like a payment audit. Actually, when you are finding issues in the infrastructure layer, or you've got a cybersecurity expert who's looking at the threats there, you really want to know what the risk is around: can the money move, and if the money does move, what's the consequence and what are the controls around that? So you want to have application people in that piece of work, but also to a degree you may even need the business auditors in, because you want to look at compensating controls downstream and whether the bank, or whatever organization it is, is really genuinely going to lose money, or whether there's a risk but actually it won't materialize into an operational loss for the organization. So you've got to, I think, flex a lot more than maybe we did previously, looking back at the way we were structured historically.

Okay. And as a recruiter now, IT audit is becoming increasingly in high demand. It has been for quite some time, and we are seeing clients looking for more technical people, maybe even more security engineering. And how does that work for you? Do you believe it is becoming more technical?

I think the organizations that have maybe changed the balance of skillset within their audit team are probably more progressive in how they're doing the actual audit work, and bringing real technologists into IT audit is really valuable. The lesson that I think has got to be taken, and I'll put my kind of first-line hat on here from what I've been doing for the last five years in cybersecurity, is that when the auditors turn up, it's quite difficult actually for them to really understand what your stakeholders are doing, all of the work that's going on, the complexity of the work, the technical aspects of the work. And to expect to get into an audit and really understand that in depth in a short period of time is very difficult. If you have engineers with you, or you have proper data scientists with you, or you have a specialist skillset with you on the audit team, people who have spent most of their career in technology and are actually only now switching into a risk and control function like audit, those people are really helpful.

And the real litmus test, the reality on a lot of things we're doing in IT audit particularly at the moment, is you need to go and read the code. So you also want people who have coding skills and can actually read the respective languages. And that's a really helpful skillset to have, because particularly from a first-line perspective, questions around controls and processes and the normal line of questioning that you can get sometimes from audit teams is fine. When auditors turn up and say, "give me a copy of your code, I'm going to read it and find out whether you've got problems or not", you have a different level of understanding: A, that they probably know what they're doing, because now they're starting to look at the code and really understand where the issues are. And B, there's a transparency that comes with that: code is code, and the configuration, the issues, the way it's structured, the way it's set up, static passwords locked into code, all of those things are pretty transparent for an auditor who understands how to read it. So that skillset is really coming to the fore.

o do start your career now in:

That's a good question. I think I would still do a, let's call it a more general IT audit qualification like a CISA. Because A, you need to know the basics and the foundational aspects of it, but you really have to complement it with a series of other skill sets that you want. So you're looking into what people need now and what they're going to need in the future. And even now, though it's been going for several years, you look at skill sets around AI for example: you need the basics of technology. You need the basics of something like CISA to understand the foundational stuff. And without it, you don't want to dive too far into the technical stuff without understanding some of the other controls that are out there. But then you really quickly need to dive into the technical aspects, and things like an AI skillset around: do you understand how the models are set up, how they're validated, are you checking for data poisoning?

Are you looking for things like hallucination? You need auditors who've got a complex set of skill sets to be really effective. And that's not easy, because those skills are super in demand, not just in audit, but in all other parts of the organization as well. And particularly AI, which, let's put it more in the popular category now. It's been there for quite some time. It's been definitely publicized and popularized quite recently. And so it's top of mind for everybody, and it's likely to be, I think because of the disruptive nature of it, something that auditors are going to spend a lot of time on, because you look at things like intellectual property rights and how people are using tools like AI: are they using it in their workflow? Are they generating work from it? There's a whole series of skillsets you need to build out. And one of the things we found, particularly in the work we've been doing within the security architecture team, is the depth of those skills is really important. And when you get really good people who really understand AI, they are very, very valuable, number one. Number two, they're able to help and teach and educate and collaborate, not only inside your own organization but with other parties as well, to help them get better at how they manage AI.

And do you think then that internal audit at the moment has the capabilities, just generally, to audit AI, or is it just sort of another buzzword that's floating around?

I'm not sure. My experience from a technology side is there are a number of people who have a grounding in the basics, let's call it, of things like AI. There are some people who are good at it and have got a really decent skillset around AI/ML, and then there is a very small population of people who really understand it and really have the expertise in the topic, and that's on the technology side. So then when you translate into an internal audit function, being able to find those kinds of people with that kind of skillset is really difficult. It's difficult inside the technology teams to find people with that skillset, and with the explosion of use of generative AI for example, getting that skillset quickly is very hard in all of the tech teams, where everyone's looking for those skills. Trying to attract those same people into an internal audit function is even harder.

I think the better way is probably you generate and do the development of the people within the function to grow their skillset, and really have some deep, deep specialists in particular topics: blockchain, AI, ML, those kinds of topics where you think these are the areas we really need some specialist skillset. But also more general training and awareness across the whole audit population around artificial intelligence is super useful, at least so people have a good understanding and then they can use that understanding to call in very specialist skillsets if they need to. But they're very, very hard to get.

Okay. And then, if you are internally training staff in AI, you're then training them up to get headhunted as well, aren't you?

Well, look, I think this is the way I've run most of my teams. Whenever I've been in internal audit, you have to run your team, and I think the wider function as well, as a place where people are going to come in and out of on a reasonably regular basis, whether that's a formal rotation, whether you have a structured secondment process with first and second line and you rotate people in and out. Or the flip side is, as you build people and you give them the skills and experience and they've got their own career plans and they're looking at some of their medium-term and long-term goals and objectives, there aren't necessarily always the jobs that they want to move into, from a promotion perspective particularly, that exist within your team. So you have to be prepared that they're going to move within the wider market.

The good thing though is if you are a supportive leader and you help them and coach them and give them the right opportunities internally where you can, and ideally you want to retain them internally, that's obviously the best outcome, but also at the same time allow them to be open and transparent about opportunities they're going to take externally. Sometimes those people, in a small industry like audit, come back round pretty quickly actually, in a year or two's time, after they've gone and got their experience or they've developed or they've had another opportunity; then they're looking to come back into organizations and good audit teams. They will generally rotate back around into those same audit teams again. So my philosophy has always been: help them, encourage them wherever they want to go, help them get there, and if they're good enough and you are good enough and you're providing the right environment, those people may come back as well. So don't try and hold 'em too hard sometimes.

So I'm keen to understand then, obviously you've not been in internal audit for five years now. What skills do you think, or do you believe, the jobs that you've been doing since then would make you a better auditor now?

Yeah, my transition out of audit was really interesting. So in the run-up to me moving into the first line, and I'd been looking several times at first-line opportunities throughout my career, probably as early as when I first joined JP Morgan actually, which is got now nearly years ago, looking at things like, do I want to go into the Unix team and be a sysadmin? Do I want to go into the database team and become a DBA? I looked at some of those opportunities all the way through my career, and if you've been in the audit function, and particularly really good audit functions, there is a huge amount of variety of work to do. There is a huge opportunity in your engaging with certain parts of the organization at very senior levels. You're getting involved in sometimes quite difficult or sensitive or quite impactful areas, from an outcome of an audit, but also some of the conversations you have to have subsequent to those audits. You get a real exposure across an organization, both in seniority but also breadth of the organization, quite quickly.

You don't always get those same opportunities from a frontline technology perspective. So I was always lured by the opportunity, but never quite made the jump until I'd been running the technology and operations audit team in Standard Chartered here for just under five years actually, and built the team and got it to a point where the team was working well. We'd been really hitting some of the positive points we wanted to as a team and really structured ourselves well, and had progression opportunities coming for people. And I got given the opportunity to go into identity and access management, ironically, to then take accountability and own identity and access management for the group globally, but inherit most of the audit issues that my team had previously written and the audit reports, and particularly some recent adverse audit reports. I then subsequently picked up immediately in my new role and had to fix them all.

And two things happened during that journey, and I think this is some of the skillset you pick up as you go into the first line having been in audit, and I recommend every single auditor goes and does it, because your journey is very, very different. One, reading back some of my audit reports from my team and some of the audit issues, reading them and thinking, what do they really mean here? What was the real point they were getting to? How do we solve for that actual audit issue in the way it's been written, and the translation of an audit issue into practical remediation effort and projects and programs, and how you can solve some of the risks that have been raised in an audit? That translation actually is not as straightforward as it may seem when you write an audit report, particularly if you are sitting with your team trying to figure out how to fix things.

That was number one. Number two was I had a much larger degree of empathy for the people that I'd been previously auditing. Now sitting in the frontline, not only looking at here's all the audit issues I've got to deal with, but the regulatory issues as well, running projects at the same time, running your BAU activities and operational activities, and on top of it, if you're in a technology first-line team, dealing with production incidents that come along, and if you're in a cybersecurity team as well, taking part in some of the security incidents that also come: the volume of areas of focus that the clients have, only looking from an audit lens, and the level of prioritization they're having to do on a regular basis. I got a massive insight into that, becoming a first-line owner of all those processes and BAU activities overnight and having to do all the remediation efforts in the background as well. My empathy levels for the people I'd been previously auditing for the past five years were very different.

And as a manager going from internal audit into the first line, how did you feel that you were received by your staff and by the business in terms of making that transition?

Yeah, great question. I think the reality is, and I would say it was probably the first 12 months, you're still an auditor to everybody around you in the function. You've just joined, you're still the auditor. You've been the auditor, particularly if you've been in the organization that you've just moved into the first line in. It's about a 12 to 18 month period before people start recognizing that you are having to lift the same workload, deal with the same issues, go through the same pain points, same experiences, and almost earn your stripes, so to speak, with your teammates, your peers around you and other people within the wider functions that you are working with. And one of the reasons you should go and do first-line opportunities like this is to have that experience and get that credibility and insight of what it is actually like to really run one of these functions: large teams of people, lots of processes, the opportunity to impact the whole bank at times, depending on what team you run. There's a lot of accountability that comes with it, and the pressure with that accountability, and the management of the team at the same time. You've got to spend, I would say, at least 12 to 18 months to start to transform from being known as the auditor to being known as one of the people who have actually had to deal with the same problems and the same experience, maybe.

So

Would you say

I'm probably still known, I still... you never lose the audit badge, I think, is one of those things. You've always got it somewhere on your sleeve, but yeah, maybe it's just a bit more hidden now.

But do you think, though, that coming from internal audit and doing that job actually made you do this job more efficiently, or...

You definitely bring a different skillset to the table, and I remember thinking as I was going through, and particularly looking at some of the opportunities in the first line, there's always, I think, an inherent fear when you've been in audit for a long time, or you've been in it for a reasonable period of time: are you really equipped to go into the first line and deal with running a function, or heading a team, or running a series of processes, or the technology itself? There's always an underlying, almost irrational fear about, are you technical enough? Do you have the skillset? I think now, with some of the much more technically skilled auditors who have been technologists first and then become an auditor, it's a lot easier for those people to transition. But for people who have been career auditors like I had, there is a worry that you have around, well, if I'm running those processes, can I deal with the issues?

Do I understand it properly? But what I found very quickly is the skillset you have in audit, the sense of looking for problems, looking for root cause, trying to figure out where something went wrong and trying to figure out how we get it working in the right way, in the right manner, and in a controlled manner. Those skills that you pick up in audit are invaluable, and actually you can really help the people around you who've been technologists all their lives who may not have those kinds of skill sets. The other piece that really comes to the fore is that in audit you're used to dealing with difficult conversations, particularly if you're having adverse audits and you're dealing with your clients and you're having to close out those audits. You're used to having some of those more difficult conversations and being able to hold a line and structure what you want to do in terms of how you push back against some of the outcomes that are happening.

But you're also used to dealing and communicating with more senior people on a regular basis. One of the things that really helped me early on was the network that I had of audit clients that I talked to. They were all the people I knew to talk to when I moved into the first line, and a lot of them are at least reasonably senior or very senior within the organization that you may move into. So you can go to get a problem solved actually quite quickly, because your relationship is sometimes with the head of the other function, and that relationship helps you solve the problem much quicker than maybe someone who's not had those relationships before and may not have the opportunity to go and solve them in the same way.

So what I'm hearing is it is easier to go and learn some more of the technical skills. But if you were doing cybersecurity, I don't know, an engineer, let's say, going into internal audit being quite a strong technologist, is it quite easy to teach more of the softer skills in terms of stakeholder engagement?

I think it depends on the person, and audit is actually quite a hard job to go and do. I've seen several people who have been good technologists, very technical, and there is a large element of auditing where you are having to use a wide variety of soft skills. Most of the things you're dealing with after you've got your audit work done, a lot of it is stakeholder engagement, dealing with the difficult conversations, trying to bring some pragmatism and balance to how you're looking at issues. Particularly if you've been in technology and you become an auditor, that transition from hard technical skills into soft skills, negotiation, influence, working with people across a wide spectrum, but also working with people at some quite senior levels of the organization, sometimes that can be challenging for people. And one of the skills you pick up if you've stayed in audit for a period of time is those soft skills, and the ability to go and leverage some of those soft skills in the conversations that you've got to go and have with people across your organization. That's not easy to replicate.

And sometimes people who like technology don't like getting involved in those kinds of conversations and actually spending time dealing with people; they prefer dealing with technology, which is why most of them started in technology in the first place. So some people do transition well; it can be a struggle for others. But likewise, you can have the same issue when you're moving from audit into the first line, particularly around technical skillset. And I would put into there, particularly if you've been a career auditor, it's very, very hard to catch up on the detailed technical skills that some of the people you will work with have got, and you just have to accept that as a fact. I have on my team, for example, right now, people who have been 20, 25 years in security, deep technical security knowledge. You are never going to catch them up. They've been doing it for a much longer period of time, and you've just got to accept that's where you are because of the transition you've made. But you bring other skills to the table, and make sure you leverage their skills and allow them to bring their skills to the table.

And then you bring your skills to the table and you work as a collaborative to get things done, but don't think that you're going to catch some of these people up. Some of them are more general technology people, and the more you train, the more you do, absolutely, you'll catch some of those people up on technical skillset. But the really, really deep technical people, particularly if they've stayed in their field and are going to continue staying in their field, they have a wealth of experience, and they are great people to learn from. I have people in my team who I really enjoy working with on a day-to-day basis because I just learn from them almost constantly.

So how do you think then, because this issue's not going to be going away, the world's becoming more technology based, as you say, AI, whatever, how do you think internal audit can bridge the gap there in terms of their hiring?

I think a lot of the future from an audit perspective, and it depends on industry of course, but let's use banking as a barometer just because I've had more experience in banking than others. If you look at where a lot of banks are heading, particularly from an aspiration perspective or a strategy perspective, or they're already there, they are moving towards or becoming fully digital banks, and the understanding of technology is now something that isn't, it's not really an area where you can have business auditors who don't understand technology relying on technology auditors. Every single person in an audit function today, particularly if you're in either a current digital bank or a bank that's transitioning to become a digital bank, everybody in that team needs to understand technology, and that becomes the basics of what you need to know and how the bank will operate and work.

(:

But on top of that, and I think the demands on auditors now are probably more than they were when I first started auditing. When I first started, you could specialize in just one topic. You could just be an infrastructure auditor. You didn't have to learn the business too much, you had to be aware of banking as what products it had, but detailed knowledge about the business. You had business auditors to support you always. I think now you're getting to a point where the average internal auditor has to have a lot of skill sets to be effective, and those maybe the siloed teams of not having some understanding of different types of skillset. And now you're starting to layer in things like AI on top of that, you've got to have that multidimensional, otherwise they're really going to struggle.

(:

And that multidimension that you're speaking about, if you're somebody with that great skillset that can hold a conversation, how would you entice them into internal audit? Because surely every department would want somebody like that.

(:

I think. I mean, I've been out of internal audit particularly for the last four or five years, so maybe I haven't had the same exposure or the same challenges that some of the hiring managers are going through, but I would imagine it's quite difficult if you've got people who can communicate well, and with auditors particularly, you want them to be able to communicate with generally senior levels of the organization, if not all the way up to the board, and have technical skills at the same time. There's always a trade-off. You can't have everything. You can't be the world's best deep technical expert and at the same time the person who can go and sit in front of the board and present to them. There is a trade-off in there, but the skillset that those people need is now much more blended, and with the use of those people in different parts of different organizations, you're competing for talent really against most of the organization.

(:

Business people want those kind of people, the technology team want those kind of people. Most of the functions in the organization probably want those kind of people. How do you tempt them into internal audit? It's a tricky one, I think, and it's probably harder now than it was when I started auditing. When I started auditing, there were perks to the job that some people came into audit for, things like you got to travel pretty regularly actually. And now post-pandemic actually a lot of it's done remotely. So the aspect of travel is not there and the style of work is very different.

(:

Can you elaborate on that though, why the style of work is so different now?

(:

Yeah, I think there's some of the audits I used to go and do when I first started out, we would fly to a location, we would work solidly for two weeks and all of the work would be started and finished almost within those two weeks with the expectation that at least you had got your draft audit report out by the end of the second Friday. If not, you'd done the closeout meeting and finished the report and it was bar being issued or being some tweaking that had to happen when you returned to your office, generally speaking, you were working in sprints. I think now, particularly when you bring data, data science, data analytics, the use of technology, actually what you're doing more is interrogating a lot of data points. And you may track data points across several months before you start picking up some of the issues you want to do.

(:

Some of the work can be much more drawn out, and the travel aspect particularly, I mean during Covid, nobody traveled, and after Covid the change in working pattern, more flexible work hours in both working in the office and working at home, and because much more is data driven and you can do a lot more remotely by video calls. That style of work and the style of the technology around you that helps change how you do that work. That didn't exist when I started auditing. There were no video calls, no video conferencing. We'd only just got mobile phones with text message and SMS on them. So I think the pace and change of technology has really changed what the job is and what you can do. And if you look at things like, we used to take a sample of 25, a sample of 30, and take physical paper copies and go and check physical documents and physical attributes, that doesn't need to be done necessarily so much now. And particularly in a very, very technology-laden environment, you don't need to do it at all. And you should be doing full population coverage because you're not sampling anymore, you're testing all of the population and it's much more insightful. So the style of work has changed dramatically and I think the expectation from a stakeholder perspective has also moved because of that.

(:

And sampling is a good example: the confidence levels and the theory and the academia around sampling is all true. However, when you are sitting in the first line and you are actually receiving that kind of information, you have much greater trust and credibility in the information. When an auditor comes through and says, I've tested every single transaction and these are the 17 that have got a problem, it's a very different conversation and actually starts you down a more practical discussion around how do you fix the problem and how do we solve it, and is there a real underlying problem or are these 17 that we've just got specific issues with? Might be human error, could be something else. When it's sample driven, sometimes the conversation goes a bit too theoretical, a bit too quickly, and from a stakeholder perspective, you can lose a bit of the thread there.

(:

And sometimes that credibility, the style of working can impact what you're trying to get out of the work you are doing. So I think auditors have had to change and adapt dramatically. I think the flip side of that though is it feels like we don't see the auditors as much and actually face-to-face time and relationship building and being there with some of the first line teams to actually understand what they're doing, what they're working on, the challenges they're working on, the timescales, some of the pressures they're dealing with. And some of the third line, the first line also has talent challenges around hiring the right people, keeping the right skillset, being on the ground and seeing that and having exposure to what your first line clients are actually doing rather than doing a lot of work remotely is something that I think we've seemed to have drifted away from I think in recent years.

(:

I rarely see auditors these days, and I know that's probably every first line person's dream, but I mean that from a perspective of you still get the same number of audits and audit issues. They just come electronically and remotely more than they come through face-to-face interaction. And I think that's something that has got to change back to. You've got to use the data, you've got to use the technology, you get much more insight and you get to test in a much better, much more practical way. But the engagement with the people is still really, really important. And that's where the soft skills have got to come back in for most of the auditors now.

(:

Do you think Covid has done that more than anything?

(:

I think it accelerated it. I think there was already a slow trend of, I'll call it auditing by email, or auditing just by sending people documents and expecting them to have read it. It doesn't qualify as communication, just sending an email to someone and not knowing whether they've read it or not with the expectation that you have. There was already that style of work happening pre-Covid. I think all that Covid did was just accelerate that: everybody was remote and that style of work came in. But I think it doesn't quite hit the mark in terms of what you really want to get out of an audit, both from an auditor perspective, but also from a client perspective, because sometimes it gets a bit too black and white. This is the result, therefore the outcome is this. Whereas when you actually go and sit down with your clients and really talk to them, you'll understand.

(:

And I found this very quickly when I joined the first line. My expectation, coming from an audit function, was that audit issues and the priority of audits were very high on the agenda for all stakeholders in the first line. The reality is they have a large number of priorities to deal with, and sometimes audit might be near the top of the priorities that they've got to deal with, but at other times it may be quite low down in their list of things that they've got to get on with. And that human factor around understanding what else is going on and what they're thinking about, and building the relationship to actually find, okay, this is where they are today, but where are they heading, so that you can have some insight into what you're going to test either next year or in the future on their roadmap. Sitting behind a screen all the time and not interfacing with real people I think is detrimental to building that relationship.

(:

So if you move back to, I suppose number one, would you ever move your career back to internal audit?

(:

Yeah, of course. I think you've got to look at, and this is one of the things I looked at when I made the move into the first line, you've got to look at some of the career steps that you take from a growth and a learning perspective. Also, I think once you've been in the first line, you develop a credibility that you didn't have if you've been in audit all the time. And when you go back into even a second line function or a third line function and you've been on that side and you've got the scars, you've got the experience, you've been through the highs and the lows, the way you can interact and talk with your clients and the way you can relate to and understand and bring. And I thought I was a reasonably balanced auditor when I was previously auditing. I think you bring a much better level of balance and pragmatism to the audit function when you do that.

(:

And that's where the constant worry is, when you have audit results that are quite siloed or quite isolated in terms of thinking about the end-to-end picture and how the business audit process or the whole end-to-end construct works and how risk is really managed and how losses really happen, and when they do happen, when you've been in the first line and you can bring that experience back into the third line. I think your position and the way you would create audits and the way you write issues and the way you would write your reports even would have a very different output to what you've done maybe if you've been a career auditor all your life. So absolutely, I'd go back and do audit and second line technology risk, those kinds of roles again, and depending on your own career plan of course, but mine involves roles like, I'd like to be a CRO maybe at one point in my longer term career plan. So going back and doing those risk roles is vital to that, and at some point I want to widen some of my exposure, and maybe it's second line or maybe it's different topics, but I think the breadth of having those experiences is really important if you want to take on some of those more senior roles later on in your career.

(:

Sure. And tell me, because you are working around security now, where do you see, everybody says technology, AI, risk, data analytics, actually working in a first line now, where do you actually really see those risks where you think we should be paying more attention?

(:

Yeah, it's an interesting question and I think it really depends. Let's look at cybersecurity as an example. If you've got a really good set of cybersecurity capabilities and a very strong cyber team operating those capabilities, there's a degree of threat that you can never deal with. Nation states, for example, and you just have to have a risk appetite and a tolerance around that. You've got to expect that you're never going to be impenetrable and you have to expect that you're going to have those from time to time. But you quickly get to a point, I think, where the bulk of the work actually, with good capability and good people and good process, and I think now organizations are much, much more advanced in their defense capabilities against cyber attacks, you deal with most of that as BAU and the process of triage, dealing with incidents and responding to those. But you can't stop people clicking on links, and you can put tools in place, and we have them in our organization, to filter out what people click on and what happens when they click on it, and have to segregate those and stop them impacting the organization.

(:

But people are always a factor. And it may be people are making errors when they're carrying out a change on the technology platform. Those things you can't stop, and people are always part of the organization, they're always part of the process. So there's always that link in there that you've just got to accept is just a fact of life, and that's how you have to operate and just expect that people are going to do those things from time to time. So I think now it's a lot different. I think the real challenge we've got are things like AI, but also in the sense of AI is going to impact how the people work within the organization, and that may cause some issues, whether it's intellectual property rights or data leakage, or even they're starting to use it to help generate code, or they're starting to use it to help take over some of the things that they were doing in terms of how they were configuring systems, and how much validation did they put on top of that to check that, if they're using say generative AI, how accurate is the output in terms of where they're then going to put it into something that maybe you'd rather they had a greater degree of diligence over. But also how the threat actors that you have to face off to are going to use the tools; the tools, the technology and the capabilities are the same to everyone.

(:

There's going to be an explosion pretty soon about some of the ways that new technology is going to be used for new attack vectors, which is really going to change the game a little bit. The other one that's something that we're worried about is if you look at quantum computing and the effects it may have on encryption and some of the protocols that we rely on today, that might change the game quite significantly. And we should be thinking about how does that come to bear and how do we deal with that? I don't know where that'll end. And on one hand you may have a philosophical point where you think, well, hopefully governments would prevent some of that technology reaching the marketplace, but at the same time, not everybody in the world thinks alike. And there are always different groups out there who've got different agendas. So it can be quite challenging quite quickly, I think. And look,

(:

I'm sure

(:

New technologies are going to come soon after those and create a whole new set of challenges, but I think the reality is very clear for most people. Most of the problems that we're going to face are going to be either technology driven or geopolitical driven at the moment. And a combination sometimes of the two may occur obviously. So yeah, changing.

(:

Okay. Well, I'm conscious I've had you for some time, so maybe I can ask you some quick-fire questions, unless you've got anything else that you'd like to sort of input at all.

(:

No, shoot. Go for it.

(:

Okay. So what's one piece of technology you can't live without?

(:

Oh, iPhone.

(:

What book are you reading right now?

(:

I'm really bad at reading my books. I've got a long list of books that I keep buying. Elantris is what I'm reading at the moment, which is a fantasy novel, but I've got a stack of nonfiction books that I'm meant to be reading, but it just seems to grow by the side of my desk for some reason. I need more reading time.

(:

It doesn't have to be. Is there a company that you admire a lot?

(:

st started out. But hindsight:

(:

And tell me what's the best thing about working in internal audit?

(:

I think the exposure that you get, you just get to deal with some really interesting situations, problems, people, senior leadership. I remember one of the great things we had when I was in the internal audit function at Standard Chartered, you get to talk to the CEO fairly regularly, and you get to talk to them from a position of hearing their views directly and understanding what's going on, but also a bit of check and challenge and asking them some probing questions. Sometimes that's a real luxury.

(:

And if you weren't, well, I know you're not doing internal audit now, but I said if you weren't working in the jobs that you've done, what sort of role would you do?

(:

I'd like to do a second line risk role at some point in my career, just because I've done first line, I've done third line. I think if you want to go into something like a CRO type role, ultimately I think that balance is good, to have exposure across all three. So I would do one of those types of roles. Audit is still in there as something that you get to help shape and influence and have real direct input into senior parts of the organization's conversations. And if I was outside of the industry completely, I'd run a bicycle shop.

(:

Well, Aaron, look, it's been great to speak to you today. Thank you very much for your time.

(:

Thank you. Take care, Hazel.

About the Podcast

Inside the Auditorium
Unlock the secrets of success in the internal audit profession
Inside the Auditorium unlocks the secrets of success in the internal audit profession. Hosted by Hazel Rowe, this podcast aims to spotlight big names and influencers within this industry, delving into their passion for the role and uncovering what makes their teams and organisations extraordinary places to work.

We bring you closer to the inspiring stories of industry giants and influencers who share their passion, insight and advice.