From control to insight: the evolution of IT Audit w/ Tom Edwards & Maggie Tricot

There is a question IT auditors have been asking for decades: are the controls in place? Maggie Tricot thinks it is the wrong question.

Not wrong in the sense of irrelevant. Wrong in the sense of insufficient. Knowing a control exists tells you almost nothing about whether it is working, whether anyone is acting on it, or whether it even matters in the context of what the business is actually trying to do.

For this edition of Behind the Controls, I sat down with Maggie Tricot, Head of Internal Audit, Internal Controls and Enterprise Risk Management at Bull, an Atos Group brand. Her career took her from Big 4 (Deloitte) in the US and across Asia Pacific to global organisations, including the largest fast fashion group in the world, Inditex, and the iconic, global food and beverage company, Kraft Heinz. Now she is with Bull, a global leader in high-performance computing, artificial intelligence and quantum innovation, currently in the process of significant transformation.

She has built and led audit functions across three continents. Her view of what IT audit is, and what it has the potential to become, is worth listening to.

"We are not the police. We are not there to tick a checklist. We are there to ask: does it matter? And does it make the organisation better?"



The myth that will not die

If you ask most people outside of internal audit what IT auditors actually do, the answer usually involves some version of checking that systems are locked down, passwords are set, and logging is switched on.

Maggie has heard this framing throughout her career. And she understands where it comes from. For a long time, IT audit was exactly that: a structured walkthrough of general controls, a checklist completed, a report filed.

But the world has moved on. The technology businesses now run on is not the same as it was ten, fifteen, or even three years ago. And yet the mental model of what IT audit looks like has been slower to change.

"People still think we are pushing through a checklist. Are you using the system properly? That is not the question I want to ask."

The question she wants to ask is different. Not whether logging is switched on, but whether the logging is meaningful. Not whether monitoring is in place, but whether the organisation is acting on what the monitoring is telling it. Not whether a tool exists, but whether it is being used to its optimal capability, what its interdependencies are, and what its impact is on systems across the organisation's ecosystem.

That is the difference between an audit that confirms existence and an audit that generates insight. And according to Maggie, IT audit is still stuck on the former.


“So what?” The most powerful question in audit

Maggie uses a simple test to cut through the noise. Two words. So what?

It sounds blunt. She acknowledges that. But the intention is not to challenge the people doing the work. It is to challenge whether the work itself is producing the right value.

"It is not a criticism of the person. It is a question about whether what we are doing actually matters. Because if we cannot answer that, then what are we there for?"

She is direct about the stakes: an audit is not a life-saving activity like surgery, but audit is trying to make organisations better. That is precisely why, according to Maggie, the question we need to continually ask ourselves is "So what?", and the answer should be: "if we do this, this is the expected outcome, which provides Awesome A, Awesome B, and maybe a little bit of Awesome C. Honestly, any amount of Awesome should be welcomed!" This mindset has to sit at the core of who we are, what we do, and what we bring to the table.

She gave a specific example around security logging. Many organisations log significant volumes of activity across their systems. That logging often exists because an auditor asked for it at some point, or because the tool was configured that way when it was first set up. But the question of whether anyone is looking at it, whether it is surfacing the right risks, or whether much of it could simply be turned off without consequence, rarely gets asked.

Maggie's view is that a smaller amount of focused monitoring beats a larger amount of unfocused monitoring every time.

  • Are you monitoring the right things, or just monitoring everything?
  • Is your logging surfacing genuine risk signals, or filling storage?
  • When something is flagged, does it trigger a meaningful response?
  • Has anyone reviewed whether the configuration is still fit-for-purpose for today, for tomorrow, etc.?

These are the questions Maggie wants her audit teams asking. Not because they make life harder for the business, but because asking them makes the business more conscious of what it is doing and pushes it to 'Do It Better!': more efficient and effective, not less.


Audit as a one-stop shop for business intelligence

One of the more striking ideas Maggie laid out is the notion of internal audit as a kind of intelligence aggregator for the organisation.

Most large businesses have multiple functions monitoring their own slices of risk. Security is watching vulnerabilities and device activity. Procurement is tracking supplier performance. Finance is monitoring controls over financial reporting. Each function has its dashboards, its KPIs, its view of the world.

The problem, as Maggie sees it, is that everyone is working with blinkers on. This is not a negative point, as they each are fulfilling their mission and purpose. However, Security is not necessarily sharing what it sees with Procurement. Procurement is not cross-referencing what Finance is flagging. And each function is optimising for its own priorities, often unaware that adjacent data might change the picture entirely.

"We are in a genuinely unique position. We see everything. We have access to everything. And we can bring that broader view to the organisation in a way that individual functions simply cannot."

She argues that Internal Audit should lean into this. Rather than creating its own parallel monitoring infrastructure, it should plug into what already exists. Use the dashboards that Security has built. Leverage the metrics Procurement is already tracking. Compile it into a central picture that no single function has.

She calls it, with some self-deprecating humour, lazy auditing. Not lazy in the sense of cutting corners, but lazy in the sense of not reinventing the wheel unnecessarily. If Procurement has already invested in tooling that tracks what Maggie cares about, why would she spend budget replicating it?

The value Internal Audit adds is not in building new data sources. It is in connecting what already exists and asking what it means when you look at it all together.

How you calibrate all of this is, as Maggie readily admits, not something a formula can solve. A mentor gave her the answer early in her career, and it has stayed with her.

"She said: the answer to everything is: “it depends”. And it’s absolutely true, it is the end-all answer. Case by case, every time."



Continuous monitoring: what it actually means in practice

Continuous auditing is one of those phrases that sounds straightforward until you try to define what it looks like on a Tuesday morning in a real organisation.

Maggie is careful with her language here. Continuous and real-time are not the same thing. Treating them as synonymous leads to unrealistic expectations and a lot of wasted effort.

"Technology can do the real-time work. My job is to use what it tells me periodically and focus my actual audit time where it genuinely matters."

Her model is more nuanced. Technology captures a continuous stream of data. Audit uses that data as a standing feed, watching for trends and anomalies without having to request information fresh each time. And when something in that feed calls for deeper attention, that is the point at which an audit engagement may be warranted.

The result is that periodic audit work becomes more focused, better informed, and significantly more efficient. Instead of walking into an engagement cold and spending weeks gathering baseline information, the audit team already has context. The conversation with management is richer, more forward-looking, and less about re-establishing what is already known.

She is also honest about the limitations. Plugging into existing data sources does not mean trusting them unconditionally. Data quality issues are almost universal. A dashboard that looks authoritative may be built on incomplete inputs, legacy configuration, or assumptions that no longer hold.

Maggie’s advice?

  • Start by auditing the data source itself, not just what it produces
  • Validate outputs against what experienced judgment would expect
  • Watch for false positives that indicate the model is learning the wrong patterns
  • Treat it as a proof of concept first, not a finished solution
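The two lists above (the logging questions in the "So what?" section and the data-quality advice here) are things an auditor can check against an exported alert feed before trusting the dashboard built on it. As an added example, not code from the article or from Bull/Atos, the Python below runs three such checks over a constructed sample feed: sources that the asset inventory says should report but never do, gaps in the timeline that suggest collection dropped out, and rules that fire but never receive a response (candidates for tuning or, as Maggie suggests, switching off). The field names, the inventory, the one-hour gap threshold and the sample records are all assumptions for illustration, not any SIEM's schema.

```python
"""Sanity checks on a monitoring feed before audit relies on it (added example)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: one record per alert exported from a monitoring tool.
# Field names are assumptions for this example, not a real product schema.
SAMPLE_FEED = [
    {"ts": "2024-03-04T08:00:00", "source": "web-01", "rule": "failed_login_burst", "responded": True},
    {"ts": "2024-03-04T08:05:00", "source": "web-02", "rule": "failed_login_burst", "responded": False},
    {"ts": "2024-03-04T08:20:00", "source": "web-01", "rule": "new_admin_account", "responded": True},
    {"ts": "2024-03-04T09:00:00", "source": "web-01", "rule": "port_scan", "responded": False},
    {"ts": "2024-03-04T09:10:00", "source": "web-01", "rule": "port_scan", "responded": False},
    {"ts": "2024-03-04T09:40:00", "source": "db-01", "rule": "port_scan", "responded": False},
    {"ts": "2024-03-04T12:30:00", "source": "db-01", "rule": "config_change", "responded": False},
    {"ts": "2024-03-04T12:31:00", "source": "web-02", "rule": "failed_login_burst", "responded": False},
]

# Hosts the (assumed) asset inventory says must be sending events.
EXPECTED_SOURCES = {"web-01", "web-02", "db-01", "db-02"}


def silent_sources(feed, expected):
    """Inventory sources that never appear in the feed: the feed is not
    covering what the dashboard implies it covers."""
    seen = {r["source"] for r in feed}
    return sorted(expected - seen)


def coverage_gaps(feed, max_gap=timedelta(hours=1)):
    """Pairs of consecutive timestamps further apart than max_gap.
    A long silence in a busy feed usually means collection stopped,
    not that nothing happened."""
    times = sorted(datetime.fromisoformat(r["ts"]) for r in feed)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]


def unanswered_by_rule(feed):
    """Per rule: (alerts raised, alerts with no recorded response)."""
    total, unanswered = Counter(), Counter()
    for r in feed:
        total[r["rule"]] += 1
        if not r["responded"]:
            unanswered[r["rule"]] += 1
    return {rule: (total[rule], unanswered[rule]) for rule in total}


def never_actioned(feed, min_count=2):
    """Rules that fired at least min_count times and were never responded
    to: either the rule is noise or the response process is broken."""
    return sorted(
        rule for rule, (total, unanswered) in unanswered_by_rule(feed).items()
        if total >= min_count and unanswered == total
    )


def feed_report(feed, expected):
    """Summary an auditor could attach to a working paper."""
    return {
        "silent_sources": silent_sources(feed, expected),
        "coverage_gaps": len(coverage_gaps(feed)),
        "never_actioned_rules": never_actioned(feed),
        "alerts_total": len(feed),
        "alerts_unanswered": sum(1 for r in feed if not r["responded"]),
    }


if __name__ == "__main__":
    for key, value in feed_report(SAMPLE_FEED, EXPECTED_SOURCES).items():
        print(f"{key}: {value}")
```

On the sample, db-02 never reports, there is one gap of almost three hours, and port_scan fires three times without anyone acting on it. Each of those is a "so what?" conversation, not a finding in itself: a silent host may be decommissioned, a gap may be a planned outage, and an unactioned rule may be one the team has already decided to ignore, which is exactly the point at which the configuration should be revisited.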

The goal is not perfection from day one. It is building a feedback loop that gets sharper over time. If something works, keep it. If it does not, drop it and try something else.

"If you try, and it doesn't work, at least you know it doesn't work. So don't do that again. That is just logic. And then you do it differently and possibly better. That’s progress."



AI in IT audit: supplement, not substitute

Anyone who has spent time in audit circles recently will have noticed the volume of conversation about AI and whether it will eventually replace large portions of the function. Maggie has a clear position on this, and it is more measured than much of what is being said.

"AI will supplement and complement. Not replace. And we need to find the right use cases to achieve that, not just assume the technology will figure it out for us."

Her reasoning is practical rather than philosophical. AI is exceptional at processing large volumes of data at speed, identifying patterns, and performing calculations that no human team could match. These are genuine capabilities that IT audit should be using.

But audit also involves something that data processing cannot replicate. She talked about the conversations she has with procurement, with security, with governance leads. The insights that come from those conversations do not sit in a database. They exist in the interpretation of what one person said in the context of what another person said last week, filtered through years of experience and organisational understanding.

"AI is not going to know that I talked to procurement, then I talked to security, then I talked to governance. They don't naturally mix in a data point. But what one said to the other is something I need to consider."

Maggie connected this to a broader point about what gets lost when remote working replaces physical presence. She was not making an argument for everyone to be back in the office five days a week. But she was clear that the informal interactions, the coffee conversations, the lunches, the accidental corridor conversations, are where a significant amount of knowledge transfer and creative thinking actually happens.

For audit teams specifically, this matters. Sceptical thinking, the ability to sense when something feels off before you can fully articulate why, is developed through exposure and experience, not through tools. And that kind of judgment cannot be automated.


What the next five to ten years actually look like

Maggie’s view of where IT audit is heading is optimistic but grounded in what needs to change first.

The shift she expects to see is a rebalancing of the ratio between assurance, advisory, and anticipatory work. For most of audit history, the function has been overwhelmingly weighted towards assurance: confirming that controls exist and that past activity was compliant. Advisory work, which looks at what management should be thinking about now to be better positioned tomorrow, has always been present but often treated with suspicion. Anticipatory thinking, genuinely trying to identify emerging risks before they crystallise, has been even rarer.

"We used to be 90% assurance. The future is a different mix entirely. Assurance will always be the core, but advisory and anticipatory work needs to grow as they should."

She is not predicting the death of assurance. That is the function’s foundation, and it is not going anywhere. But she believes the work that sits alongside it will shift, and the profile of skills needed to do it well will shift with it.

When asked what skills matter most for the next generation of IT auditors, she did not list technical certifications or programming languages. She talked about sceptical thinking, being curious, and the ability to ask meaningful questions rather than just following a programme of work. The capacity to be genuinely interested in how the business operates. The confidence to say "so what" when something does not make sense, and also the courage to say "I don't know", followed by "I'll get back to you", and then going to get the needed certificate or training, or finding the right subject matter expert to answer the question. This is the critical skill, she says: "know what you don't know and then go find the answer!"

And Maggie was emphatic that experience is not just about seniority. A graduate fresh out of university and a senior leader with four decades in the field both bring something irreplaceable.

"I don't care if you just came out of university or you've been doing something for 40 years. Everyone has a different perspective. Some are fresher than others. But all of it is invaluable."

She also made the point that audit as a "brand", her word, needs to evolve. Not to become something it is not, but to make clearer what it actually is. Every organisation needs something slightly different from its internal audit function. The best audit leaders understand that and shape the function accordingly, rather than importing a generic model and hoping it fits.

"There needs to be a new brand. And it is not a single brand, every organisation's internal audit needs to be its own unique brand, because everyone's needs are different. That brand will drive its purpose."



Baby steps, big picture

There is a thread running through everything Maggie talked about, and it is essentially a philosophy of incremental progress over grand ambition.

She has seen too many audit functions try to go from zero to everything at once and stall. The roadmap matters. The destination matters. But what actually moves things forward is taking a step, seeing what works, adjusting what does not, and then taking another step.

"We are overachievers by nature. We want to solve everything at once. But the cumulative effect of small progress, consistently applied, is what actually gets you somewhere."

She is living this at Bull right now. A business carving out its own identity from a larger group creates both constraints and opportunities. The audit function does not get to start from a blank sheet. But it does get to look at what it has inherited, ask which parts of it still make sense, and build something more fit-for-purpose from there.

It is, in miniature, the same challenge facing IT audit functions across every sector. The tools are changing. The risks are changing. The expectations of the board and the business are changing. The question is whether audit is willing to change with them, or whether it will keep reaching for the checklist simply because it exists and is familiar.

Maggie’s answer is clear. The checklist is not the destination. It is the floor. And the function has a much higher ceiling than most organisations are currently using; it’s unlimited – past the horizon.


Over to you

Is your audit function still asking whether controls exist, or has it moved on to asking whether they matter? And what does the shift from assurance to advisory actually look like in your organisation?

Drop your thoughts in the comments. I would love to hear how teams are navigating this in practice.

