Introduction

Edouard, an external PhD candidate at the Business University of Amsterdam, lives in Amsterdam. He holds a bachelor's degree in business IT and two master's degrees in information science. Additionally, he has completed a postdoctoral RE degree and is a registered IT auditor with a NOREA subscription. Edouard is also a senior lecturer at the University of Applied Sciences in Amsterdam. After years of experience in a controlling function at PwC, he's now leveraging his expertise as an internal advisor, adding value from the other side of the table for an indefinite period.

Summary:

Edouard van den Heuvel, an external PhD candidate at the Business University of Amsterdam, explores the evolving role of IT auditing in response to digital transformation, regulatory frameworks, and organizational demands. His PhD project consists of four interconnected research questions, each addressing a distinct dimension of IT auditing. Together, they provide a comprehensive perspective on how IT auditing is transforming to address new technological risks, compliance requirements, and strategic opportunities across industries.

The first research subject, “Evolution of IT Auditing in a Nutshell – Journey Towards a Dynamic Landscape”, examines the historical development of IT auditing and the key factors that have shaped its current form. This question focuses on how IT auditing has evolved from its inception to the present, driven by technological advancements, regulatory changes, and shifting organizational expectations. The research identifies eight primary drivers behind this evolution, including the growing complexity of IT environments, evolving compliance frameworks, and the expanding role of IT auditors in governance and strategic advisory. By tracing these developments, the research lays the groundwork for understanding IT auditing as a proactive discipline that not only ensures regulatory adherence but also contributes to business innovation and resilience.

Building on this historical foundation, the second research subject, “Outsourcing Risks of Cloud Computing: An Explorative Analysis of Evolving Trusted Clouds, the Role of the IT Auditor and Associated Responsibilities”, delves into the complexities of auditing cloud environments, particularly within the context of Software-as-a-Service (SaaS) and shared responsibility models (SRMs). This question investigates how SRMs influence the responsibilities and competencies of IT auditors. As organizations increasingly shift to cloud-based solutions, IT auditors must navigate decentralised IT systems, misconfigurations, and new layers of security risk. The research highlights the critical need for auditors to develop expertise in cloud architectures, identity management, and compliance across multilayered environments. Practical recommendations include the need for ongoing auditor training, stronger collaboration with cloud providers, and the establishment of clearer governance frameworks to address cloud-specific vulnerabilities.

The third research subject, “Importance and Implementation Priorities of Part Information Security (EASA)”, shifts the focus to a specific industry context – the European aviation sector. This question explores the implementation priorities and challenges associated with the European Union Aviation Safety Agency’s (EASA) Part Information Security (Part-IS) regulation, which mandates rigorous information security standards across the aviation industry. With the deadline for compliance set for February 2026, the research underscores the vital role IT auditors play in ensuring the integrity, availability, and confidentiality of aviation data. Through case studies and expert interviews with European airlines, the research highlights the critical nature of governance structures, incident reporting, and risk management in safeguarding passenger safety and operational continuity. Edouard collaborated with Dr. M. Papanikou on this research, drawing inspiration from an outstanding thesis by one of his students, Emmy Schipper, which formed the foundation for this study. The findings demonstrate that compliance with Part-IS is not merely a legal obligation but a strategic imperative for enhancing trust, protecting infrastructure, and ensuring seamless operational processes within aviation.

Edouard is currently working on the fourth research subject, “Navigating the Tightrope: Developing a Framework for IT Auditors to Balance Speed, Innovation, and Compliance in DevOps Environments”. This question addresses one of the most pressing contemporary challenges in IT auditing – the balance between compliance and innovation in DevOps environments. It investigates how IT auditors can maintain oversight without hindering the speed and agility that define DevOps practices. DevOps emphasises continuous development and deployment, which can create friction with traditional audit processes. The research employs a mixed-methods approach, beginning with qualitative interviews with IT auditors and DevOps engineers, followed by a structured survey to perform a gap analysis. The findings reveal practical strategies for integrating compliance measures into DevOps workflows, ensuring that innovation is not stifled while maintaining regulatory adherence. This research bridges the gap between IT auditors and development teams, offering actionable insights into harmonizing governance and rapid technological change.

Together, these four research questions form a cohesive narrative that reflects the dynamic nature of IT auditing in the digital age. The progression from historical evolution to cloud security, regulatory compliance, and DevOps environments highlights the multifaceted role IT auditors play in managing technological and organisational risks. This PhD project not only advances academic understanding of IT auditing but also provides practical guidance for professionals navigating the complexities of modern IT ecosystems. As digital transformation accelerates, IT auditors will continue to be essential in safeguarding compliance, enhancing governance, and driving strategic resilience across industries.