Although organisations have made strides in establishing best practices for the IT audit function, many are struggling to keep pace with global IT risks amid rapidly changing technology environments, according to a joint survey from global consulting firm Protiviti (www.protiviti.com) and global IT association ISACA (www.isaca.org). The fourth annual IT Audit Benchmarking Survey examines how organisations are assessing and mitigating critical business and technology risks. The global survey reflects the sentiments of more than 1,300 IT audit executives and professionals worldwide.
“Concerns over cybersecurity, industry disruptors and regulatory compliance have moved many organisations, and audit committees in particular, to become more engaged in the IT audit function,” said Mark Peters, a Protiviti managing director in the firm’s London practice. “We see some positive trends in our results, notably in the number of designated IT audit directors and their regular attendance at audit committee meetings. However, we also see significant gaps to be addressed, including the frequency with which IT audit risk assessments are conducted.”
Top Technology Challenges
In the survey, respondents provided their views on the top technology challenges faced by their organisations today. These challenges serve as an undercurrent for most of the findings in the study. The top ten global IT challenges are:
1) IT security and privacy/cybersecurity
2) Resource/staffing/skills challenges3. Emerging technology and infrastructure changes: transformation, innovation, disruption
3) Regulatory compliance
4) Budgets and controlling costs
5) IT governance and risk management
6) Big data and analytics
7) Vendor, third-party and outsourcing risks
8) Cloud computing/ virtualisation
9) Bridging IT and the business
“Companies cannot ignore the significant security and privacy risks that face their business today,” said Peters. “Based on the survey results, more organisations are recognising the mission-critical nature of IT internal audit in combating these risks, yet many companies are simply not institutionalising the processes needed to support this function.”
Establishing Organisation-Wide Support for IT Audit
According to the survey, more than half of the largest public companies surveyed have a designated IT Audit Director or equivalent position within their organisations, and 48 per cent reported that these individuals regularly attend audit committee meetings – a number that has doubled over the past three years. Additionally, respondents indicated that their audit committees have increased their involvement in the IT risk assessment process, with 20 per cent reporting significant involvement as compared to 14 per cent in 2013.
“The increased resources and attention to IT audit is a positive sign that companies of all sizes around the world are recognising the significant benefits of this critical function,” said Robert E. Stroud, CGEIT, CRISC, international president of ISACA and vice president of strategy and innovation at CA Technologies. “Even though organisations have different goals and operate in different marketplaces, there are many common pain points and risks, such as fraud, cybersecurity incidents, rising costs, project success/failure, outsourcing issues and regulatory requirements that can be addressed with effective IT audit management.”
Small Gains in IT Audit Risk Assessments
The ISACA/Protiviti survey reveals a modest uptick in the number of organisations that update their IT audit risk assessment on a continual basis. However, this number still remains low – around 15 per cent – for even the largest companies.
“Most of these organisations are updating their IT audit risk assessments only once a year,” added Peters. “Leading companies are tackling this project once a quarter, and although we expected more companies to follow suit, it has not been the case. Consider that new IT risks are emerging constantly. The most streamlined way to anticipate and counter these risks is through a formal update of the IT audit risk assessment.”
Other research findings of note include:
– Globally, respondents cited COBIT as the most accepted industry framework on which the IT audit risk assessment is based, followed by COSO, ISO and SOGP. In practice, organisations may utilise a combination of these frameworks to complete their risk assessments.
– Across every region and size of respondent organisation, lack of resources ranks as the top reason why companies are using outside resources to augment their IT audit skills – and in fact, the percentages are very consistent. These findings are also in line with the top technology challenges outlined above.
“Leveraging the right skills and IT audit specialists is imperative to ensure a truly risk-based approach that’s relevant to the IT challenges facing organisations today,” said Brand. “The lack of necessary skills can often predispose internal audit functions to focus on traditional areas where they have the capability to deliver, rather than the most critical, value-adding areas.”
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 per cent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
With more than 115,000 constituents in 180 countries, ISACA® (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.