University at Buffalo - The State University of New York
Skip to Content

Internal Audits and Information Technology

Published December 13, 2016

My Technology and Innovation class with UB's School of Management recently had the pleasure of seeing a presentation by UB’s Director of Internal Audit, Kara Kearny-Saylor. Before the lecture, she cleared up a few basic yet common, questions about her work, specifically: what is an internal auditor, and what do they do?

"They think it has to do with taxes," Saylor joked. "But auditors are uniquely positioned to understand risk," noting understanding risk is becoming more important to senior leadership.

"[Risk] is not a necessarily bad thing," she added. "Sometimes it can be a really good thing."

When it comes to IT, Saylor noted the biggest challenge is getting attention and funding for IT concerns and projects.

"It's making sure cyber-security is a priority for senior leadership. I go to so many IT conferences and many people are frustrated when senior leadership doesn't want to spend money on IT," Saylor said. "This is what happened with Sony. Emails get splashed on the front page of the news and a lot of people are embarrassed."

Saylor made it apparent that IT threats go beyond a hacker attack. There are, in fact, threats much closer to home, sometimes referred to as "silent threats."

"Another area of hidden risk is how many of us are reliant on cell phones and iPads," Saylor said. "There's proprietary information on these. It's a silent threat because people can just walk out with it, and if it gets stolen and you have a weak password, the information is at risk."

Saylor is incredibly knowledgeable about the specific pitfalls large institutions face in the area of IT. She shared a personal experience about working as an internal auditor for one of her initial employers.

"Our entire system was shut down by ransomware and our CIO was furious," she said. "Thankfully we had a business continuity plan and we backed everything up, so we were able to have everything back within 24 hours."

Assessing risk—and having a plan to face it—is becoming more crucial, especially in the ever-evolving world of information technology. It’s like the old adage says: "It’s better to be prepared for an opportunity and not have one than to have one and not be prepared."

Join the conversation!

Tell us what you think on our Facebook or Twitter page.