Study on IT Auditor Competency, Audit Quality, and Data Security
Project Summary
In a groundbreaking study on IT auditor competency, audit quality, and data security, Dr. Blake Curtis discovered a significant technical competency gap among Big Four IT auditors and Subject Matter Experts (SMEs). His findings led him to become a published author and join several advisory boards, but he credits a significant part of his success to Citavi.
Dr. Curtis leveraged Citavi 6 to create a 300-page literature review, analyze literature from a systems thinking perspective, and create the outline for his 600-page dissertation. His dissertation is one of the largest in his field, and Citavi played a crucial role in helping him manage the enormous amount of research required.
Not only did Dr. Curtis use Citavi as a project management platform to organize, schedule, read, and synthesize content from various sources into his study, but he also found Citavi to be a game-changer for his research process. By using Citavi to streamline his research, Dr. Curtis was able to focus on the critical aspects of his study and make groundbreaking discoveries.
Overall, Dr. Curtis's research offers fascinating insights into the IT auditing profession and its impact on critical technology infrastructure. And with the help of Citavi, he was able to make a significant contribution to the IT field.
Key Findings
- IT auditors' lack of hands-on skills in implementing technologies significantly influenced their ability to interpret technical evidence and reduce the likelihood of a data breach.
- Technology subject matter experts (SMEs) and IT audit professions have struggled to keep up with technology and have typically adopted an "implement first, think later" philosophy.
- A quantitative correlational research method debunked the "10,000-hour rule" and "years of experience" fallacies.
- Task-based experience proved to be more objective than time-based experience.
- Higher academic degrees do not significantly influence IT auditors' performance.
- Additional years of experience do not directly correlate to knowledge.
- The nation's critical technology infrastructure (power, water, communications, and banking) is potentially at risk.
- The IT audit and information technology professions are not regulated and do not have state or federally "licensed" professionals.
RESEARCHER
BLAKE CURTIS, Sc.D.
Capital Technology University
Global Cybersecurity Optimization Manager at Deloitte
DISSERTATION TITLE
Creating the Next Generation Cybersecurity Auditor: Examining the Relationship between IT Auditors' Competency, Audit Quality, & Data Breaches
"I don't think I would be as successful as I am both academically and in the industry without Citavi."- Dr. Blake Curtis
Citavi in Action
Organizing the literature
To optimize the dissertation writing process, Dr. Curtis made ample use of the organizational tools in Citavi. In the Reference Editor, Dr. Curtis tagged references by keywords to organize the literature by topic to make sources easier to find later. By assigning a custom keyword (e.g., star article) to different types of information, he could filter out the most critical sources by searching for specific keywords.
Figure 1. Using custom keywords to quickly locate important literature
Dr. Curtis also used the blue and red labels to quickly mark references. The blue label was applied to references already included in the dissertation. In contrast, the red label highlighted the next sources he wanted to incorporate.
Figure 2. Using labels to identify and filter important references
He also utilized Citavi's custom fields feature – "a researcher's dream" – to track additional information for a source, such as citation counts.
Figure 3. Leveraging custom fields to identify and track critical attributes for literature
Keeping track of tasks
With Citavi's Task Planner, Dr. Curtis could pick up where he left off in a previous article. To track the current stage of an article, he created his own custom reading task called RAW, which stands for "Read, Annotate, and Write."
For instance, when adding references to his project (e.g., when importing twenty articles from a database), he would assign them all to the RAW task group. The status slider would identify the current stage the source was at within the RAW task.
- First, when he moved the status slider to the right for a particular article, it meant he was currently reading it (Read).
- Next, he moved the slider to the right again when annotating the article (Annotate).
- Lastly, moving the slider all the way to the right meant that the article was in the writing stage and being added to the dissertation (Write).
This method kept Dr. Curtis's thoughts and sources organized throughout the lengthy writing process.
Figure 4. Using Citavi as a project/task management platform
Reading and annotating
At first, Dr. Curtis frequently used Citavi's native features to read and annotate research articles directly in Citavi. However, to make reading and annotating hundreds of references while traveling easier, he saved articles in a shared drive (e.g., cloud storage). Interestingly, this drive could be accessed by both his e-reader and Citavi. This meant that all annotations in the e-reader could also be viewed and managed in Citavi and vice versa.
Figure 5. Annotating articles and syncing them between Citavi and e-reader (e.g., Kobo, Onyx Boox, etc.).
Additionally, Dr. Curtis discovered that Citavi's ability to create custom labels and define different types of annotations was instrumental. For example, he asked himself if the text was an idea, something he wanted to comment on, if it should be paraphrased, or if it should be saved word-for-word as a direct quotation. Afterward, he organized the annotations by creating unique categories and naming them based on chapter themes and argument types in his dissertation (e.g., purpose, problem, assumption, etc.).
Figure 6. Creating categories to develop arguments and organize evidence
Writing and citing
Figure 7. Citavi Word Add-In. Making Writing Seamless!
Common barriers like writer's block became a thing of the past as Dr. Curtis used annotated texts in Citavi to simply insert his knowledge items into the dissertation. This strategy enabled him to quickly paraphrase key arguments, synthesize unique perspectives, and filter through unnecessary information in the writing process. Subsequently, the ability to quickly insert citations while writing saved valuable time and energy. Finally, one of the most beneficial features for Dr. Curtis was the ease of automatically switching the formatting from one citation style to another, such as from APA to Chicago. This allowed him to write several notable articles for organizations like ISACA while completing his dissertation. In addition, this strategy helped add credibility to his study.
With Citavi, Dr. Curtis could organize, track, and write all in one solution – streamlining the entire dissertation writing experience. Citavi helped Dr. Curtis complete his 600-page dissertation in two years and three months. In addition, developing a category system for creating annotations and using the Microsoft Word Add-In helped him access information and quickly synthesize findings into his study.
In sum, Citavi's unique features supported Dr. Curtis throughout the entire writing process and created several career opportunities in his industry. As a result, Dr. Curtis is now known as an industry leader in measuring and improving cybersecurity competency and developing skills required for the next generation of cybersecurity auditors. For example, Dr. Curtis is the co-author and technical editor of ISACA's Digital Trust Ecosystem Framework. Additionally, he recently co-authored ISACA's latest technology certification called the "Cybersecurity Auditor" certificate. This certification incorporates numerous suggestions and innovations from his study. It leverages two competency frameworks: the Skills Framework for the Information Age (SFIA) and the National Initiative for Cybersecurity Education (NICE).