Dr John Mitchell FBCS, Chair of the BCS Information Risk Management and Assurance Specialist Group, outlines the group’s foundations, formation and early days. He also reflects on what the future might hold for auditors.
This year marks the diamond anniversary of the Information Risk Management and Assurance (IRMA) Specialist Group. As one of the oldest continuously operating groups in its field, its history intertwines deeply with the evolution of computing and IT governance and the growth of the BCS.
Origins of IRMA
IRMA's roots date back to 1965 when the Auditing by Computer (ABC) group was formed under the British Computer Society (BCS). Over the decades, IRMA evolved through the Computer Audit Specialist Group (CASG), championing computer auditing and IT risk management advances. Several founding members profoundly impacted IT governance, such as John Ivinson, who later became a BCS president, and Paul Williams, who served as the International President of the Information Systems Audit and Control Association (ISACA). The group's early contributions, such as Fred Thomas' development of the UK's first computer audit course at Kingston University, laid a strong foundation for the discipline.
The birth of computer auditing
Computer auditing in the 1970s and 1980s was an emerging field. As a newly appointed assistant audit manager for British Gas in the late 1970s, I experienced the novelty and challenges of this discipline firsthand. Computer audit methodologies were still developing at the time, and tools like the Certified Information Systems Auditor qualification (CISA) were years away. However, British Gas was ahead of its time, employing innovative practices such as creating and regularly updating its Computer Audit Guidelines. These internal standards became a precursor to industry-wide frameworks, influencing bodies like CIPFA and predating Control Objectives for IT (COBIT).
My journey through computing evolution
My journey into computing began in the late 1960s, during the mainframe era. The first computer I encountered was an Elliott 803, an introduction that sparked a lifelong passion. Mainframes like the CDC 3200 and CDC 6400 dominated the early years of my career. These machines required a deep understanding of memory constraints and programming efficiency, shaping my system auditing approach. Their limitations also highlighted the importance of control mechanisms, setting the stage for my transition into computer auditing.
In those early years, computing environments were characterised by complexity and the need for meticulous oversight. For example, sorting data across eight tape drives in a darkened room felt like being part of a futuristic world. However, it also underscored the necessity of robust control processes, an insight that became central to my later work.
The shift to personal computing
By the late 1970s, microcomputers from companies like Commodore and Apricot began challenging the dominance of mainframes. The emergence of the IBM PC and operating systems like MS-DOS marked a paradigm shift. These smaller systems, while less influential, offered unprecedented accessibility and flexibility. The transition from hierarchical databases to relational systems such as DB2 and Oracle further revolutionised data management. I adapted to these changes, applying my mainframe expertise to audit emerging technologies and contributing to their controlled adoption.
Advancing audit practices
Throughout the 1980s and 1990s, the field of computer auditing matured. I was among the first in the UK to achieve the CISA certification, a milestone that underscored the profession's growing recognition. My work increasingly focused on innovative approaches, such as data-driven audits. I identified control deficiencies more efficiently by analysing data patterns, rather than using traditional system-based methods. This shift was informed by principles from physics, such as the second law of thermodynamics, which was applied metaphorically to data integrity.
I also explored emerging technologies like expert systems, which predated modern artificial intelligence. One project involved creating an audit program to guide practitioners through database controls, laying the groundwork for future developments in automated assurance.
The need for continual development
Academic qualifications are all excellent and probably essential for that first job, but as technology advances, it is necessary to keep pace with it by obtaining further professional certifications and continuous professional development.
Most modern certifications, such as the BCS’ own Chartered IT Professional (CITP), require several hours of proven professional development each year. BCS provides a framework for recording these, and most BCS events provide permissible CPD hours. Attending IRMA events provides for a minimum of 11 CPD hours each year, and BCS has over 60 such groups, plus its branch network.
For my professional advancement, I needed to become CEng, CITP, MIIA, CISA, CGEIT, QiCA and CPE, all of which required CPD hours to maintain the relevant designation. I also became FBCS to show that I was recognised as being at the pinnacle of my chosen profession. I urge all BCS members to get involved with its running, from member group committees to council. The networking is great, and your contacts will stand you in good stead throughout your career.
The role of IRMA
IRMA grew in parallel with the technology it sought to regulate. At its peak, the group possessed over 2,500 members, fostering professional collaboration and knowledge sharing. From publishing guidelines to hosting conferences, IRMA played a vital role in advancing computer auditing as both an art and a science. Its members contributed to key frameworks and methodologies that continue to shape IT risk management. We continue to have strong links with academia through our university collaborations, in which we introduce control techniques to undergraduate and postgraduate students. On a personal basis, I have mentored several doctoral students via the BCS mentoring programme.
Teaching and sharing knowledge
Education and mentorship have been central to my career. I’ve had the privilege of teaching and speaking at international conferences and sharing insights from my experiences. By doing so, I’ve sought to demystify the complexities of IT governance and inspire the next generation of practitioners.
I also developed new methods for evaluating control effectiveness, challenging assumptions about the reliability of traditional measures. These innovations demonstrated that governance is not merely about implementing controls but about ensuring they effectively address real risks.
Challenges and reflections
IRMA has faced challenges despite its achievements, notably the lack of dedicated professional qualifications. Competing organisations, such as ISACA, have filled this gap, offering certifications that dominate the market. However, the group’s legacy remains significant, providing a platform for professionals to engage with the evolving landscape of IT governance.
Looking back, the history of computing is a story of rapid innovation and adaptation. From the punch cards of mainframes to the relational databases of the modern era, each technological leap has brought new challenges and opportunities. Similarly, the computer auditing field has transformed from a niche discipline into a cornerstone of IT governance.
Conclusion
As IRMA celebrates its 60th anniversary, it is worth reflecting on the contributions of those who have shaped the group and the field it represents. The journey from mainframes to microcomputers, from COBOL to AI, underscores the importance of adaptability and continuous learning. IRMA’s history is a testament to technological progress and a reminder of the enduring need for thoughtful oversight in an ever-evolving digital world.