As Roland Bastin, a Partner at Deloitte, approaches his retirement, we sat down with him to discuss his remarkable career journey in IT audit, technology risk management and IT security. Roland shared how his foundational years influenced his approach to IT risk management and led him to leadership roles in the field. Roland’s story provides a unique look into the evolution of IT audit and risk advisory services at Deloitte and offers valuable insights for those seeking a career in this ever-evolving space.
Starting my career at Deloitte in 1990 as both a financial and IT auditor offered me a unique dual perspective that has been invaluable throughout my journey. Even back then, we utilized computer tools to analyze financial and accounting data extracted from mainframe systems, significantly enhancing the quality of our financial audits. This allowed us to address both financial and IT queries efficiently as an integrated team. By 1992, IT audit reviews had become an integral part of the Deloitte Audit methodology, focusing on understanding the design and effectiveness of IT general controls implemented by clients.
This early experience of working closely with finance, data, and systems provided me with a strong foundation and adaptability in addressing both finance and IT from a risk management perspective. The combination of IT and financial expertise opened up new opportunities for me. In 1994, I was appointed as the Financial Systems Manager for a natural resources company based in Luxembourg with operations conducted in Europe, North and South America and South East Asia. In 2001, after the reorganization of that Group and its decision to relocate to the UK, I seized the prime opportunity to return to Deloitte Luxembourg. By this time, I had gained practical operational experience in managing IT risks and financial systems, which I brought with me to further contribute to Deloitte's success.
The decision to join Deloitte was somewhat serendipitous. After completing my studies in economics and IT science in 1988, I spent a year as a research assistant in econometrics at the University of Liège while waiting to fulfill my military service in Belgium. A university friend, who had joined Deloitte’s Luxembourg office, spoke highly of the firm’s dynamic, fast-growing environment and the unique opportunities it offered to learn about various industry sectors and develop diverse skills, all while being surrounded by subject matter experts. Inspired by his experience and the prospect of working on compelling projects, I decided to apply.
Deloitte Luxembourg responded swiftly and offered me a role. From the start, I appreciated the positive environment filled with young colleagues like myself. On just the second day of my job, I found myself at a client's premises, performing a financial audit with a hands-on approach to IT data analysis. This responsiveness and emphasis on technology were precisely what I was seeking, making it clear that joining Deloitte was the right move.
When I returned to Deloitte in 2001, my inspiration to pursue a career in IT risk management was driven by the clear necessity of efficiently managing IT-related risks. My academic background and previous experience played a significant role in this decision. I maintained strong relationships with my former Deloitte managers, who had become partners in the meantime and who encouraged my return by highlighting the growing impact and importance of IT in the financial sector. Furthermore, the evolving landscape of cybersecurity and its critical role in safeguarding organizational integrity fueled my passion for this field.
The best advice I can share is to choose a career that genuinely excites and inspires you. Find a path where you feel completely at ease, like a fish in water. Don’t settle for a job just because of the paycheck; seek out something that fuels your energy and passion, setting ambitious goals that ignite your dreams. When you are truly engaged, work doesn’t feel like work. Even in moments of fatigue, your motivation will carry you through, pushing your limits just like an athlete. This passion will sustain you through inevitable challenges, setbacks, and the need to rise after a fall. Pursue what drives you and keep moving forward, for this dedication will make all the difference over the course of your career. As a famous U.S. president once said, "The only thing we have to fear is fear itself."
As part of the development of IT risk services, we advanced our IT Forensic and eDiscovery services starting especially in 2010. This was a time when several international banks faced the threat of OFAC country sanctions and later, European banks came under scrutiny from the U.S. tax authorities. One of the most challenging yet rewarding projects involved collaborating with a bank to review a vast number of bank instructions, encompassing hundreds of millions of Swift messages, to build a case before U.S. authorities and prosecutors, including data scientists from the FBI. The effort required years of preparation and collaboration with legal teams. It was an intense project, but successfully resolving it taught me the value of persistence, adapting to demands, and striving for impactful outcomes, no matter how complex. The success of this project not only strengthened the institution’s defenses but also demonstrated the effectiveness of our strategies, earning the client’s trust and respect.
Our IT risk services also include advisory on IT regulatory compliance, primarily within the financial sector. One of the most fulfilling aspects of my career has been making a tangible impact by assisting organizations in efficiently executing their IT outsourcing projects, securing approvals from financial regulators, and protecting them from cyber threats. My advice to newcomers is to remain curious, continuously seek knowledge, and adapt to new challenges. Collaboration and a strong ethical foundation are also essential.
During my time with Minorco before its merger with Anglo American Corporation, I frequently visited the Latin American region, especially Brazil, where I formed strong connections that stood out. During my second time at Deloitte, I had a memorable experience working with a Luxembourg telecom company operating in Latin America and Africa. I had the opportunity to work on-site at one of their operations in Ghana. Visiting Accra was a highlight — I was deeply impressed by the warmth of the people and the country's democratic environment. Personally, Mexico holds a special place in my heart; my wife is from Guadalajara, and over the years, I’ve spent considerable time there. It's a country of contrasts with incredibly welcoming people, and each visit leaves a lasting impression.
The role of IT auditors and IT risk consultants has evolved dramatically since 2001, driven by the rapid advancement of technology and the increasing complexity of regulatory requirements. Initially focused on basic IT controls and compliance, these professionals now play a critical role in assessing and mitigating sophisticated cyber threats, ensuring data privacy, and navigating complex regulatory landscapes. The rise of big data, cloud computing, and artificial intelligence has further expanded their scope, requiring continuous learning and adaptation. Today, IT auditors and IT risk consultants are integral in guiding organizations through digital transformation, ensuring robust cybersecurity frameworks, and enhancing overall operational resilience.
To remain competitive in a fast-paced technological environment and a globalized economy, we don't rely solely on local teams. We leverage nearshoring and offshoring to deliver services, supported by virtual meetings instead of constant travel. This approach enables us to provide more consistent operational support to our clients worldwide. This challenge of rapid transformation is both motivating and essential — adapting to it is crucial for survival in today’s market.
My involvement with the ISACA association has been instrumental in shaping my perspective on IT governance and risk management. It has provided a platform for knowledge exchange, networking and staying current with industry best practices, reinforcing the importance of robust IT governance frameworks and the continuous enhancement of risk management strategies.
At the University of Lorraine, I teach within the Institute of Digital Sciences, Management and Cognition (IDMC), which trains students in digital sciences, cognitive sciences, automatic language processing (ALP), innovation and IT audit. My course offers a comprehensive introduction to IT auditing, combining structured content with practical examples to help students grasp the role of an IT auditor and prepare for careers in the field. Since 2001, this course has been invaluable for students seeking insight into the profession, with several later joining Deloitte as trainees or full-time employees.
Balancing my professional responsibilities with academia is rewarding because it allows me to share real-world insights and experiences beyond the textbook, helping students envision themselves in IT auditing, risk, or security roles. It also demands effective time management and dedication. As Chairman of the IDMC board, my role involves aligning the curriculum to meet the evolving needs of the industry, ensuring students gain relevant skills. Encouraging them to stay curious and continuously explore new solutions is crucial for their development as IT auditors.
Unfortunately, the list of significant IT risks continues to expand. While not exhaustive, some of the prominent IT risks anticipated in the financial sector in the coming years include advanced cybercrime and fraud, where cyber criminals develop increasingly sophisticated techniques to infiltrate financial institutions, compromising sensitive customer data and financial assets. Additionally, third-party and supply chain attacks, as well as ransomware and malware attacks, remain significant risks. Regulatory compliance pressure, cloud security challenges, and artificial intelligence vulnerabilities are also critical components of this IT risk landscape. Workforce security awareness is particularly crucial with the rise in remote work, necessitating ongoing training in security best practices and vigilance against social engineering tactics.
Moreover, the rise of cryptocurrency and blockchain technologies introduces new risks, such as theft, fraud, and regulatory challenges, where securing digital wallets and exchanges against hacking attempts is a critical concern. Finally, the development of quantum computing poses a future risk to current encryption standards, which could be easily broken, potentially exposing sensitive financial data.
And some rapid fire:
Roland Bastin, Deloitte Luxembourg