IT audit leaders and functions are at the forefront of providing confidence over the technological change revolution occurring across all industries, a revolution that is continuing to gather steam. Cybersecurity issues, digitisation, the global proliferation of mobile devices and the rapidly maturing Internet of Things are succeeding in connecting more people but bring with them a host of related business and technology risks. IT auditors have the unenviable task of helping organisations to steer their business through this period of intense technical change, while also helping to oversee the IT risks that could cripple the enterprise.
Mark Peters, Managing Director in Protiviti’s Internal Audit and Financial Advisory practice and leader of the UK IT Audit practice, shares his thoughts on the results from Protiviti’s 5th Annual IT Audit Benchmarking Survey.
- The survey results show that half of all IT audit departments “have a significant or moderate level of involvement in major technology projects for their organisations, and many get involved in the early planning and design stages” but this leaves many with little or no involvement. How can the IT audit department ensure it is involved and are there specific areas that need IT audit input from the outset?
There are a number of areas the IT audit function needs to focus on: early and on-going engagement; helping to provide clarity over the assurance map, which applies to a certain project; employing a multi-faceted and flexible approach; and bringing the necessary skills and capabilities that can provide insight into key risks and support the project to succeed.
The first thing the IT audit function can do is ensure its early engagement in technology projects. IT auditors need to have a multi-faceted, risk-based approach to auditing IT, which includes being involved at all stages of major technology change programmes – from the planning and design phase through to implementation, testing and go-live. Early engagement with key stakeholders ensures there is an appropriate awareness of the interdependent change and transformation risks being endured by the organisation, which helps to highlight some of the risks and early warning signs that the change programmes or technology projects may need to consider. Additionally, IT auditors can provide clarity; they can help the project and its key stakeholders understand the various avenues they can use to attain assurance over risks and the successful delivery of the intended outcome of the project. Appropriate assurance should be present throughout the first and second lines of defence, ensuring that controls and mechanisms put in place to deliver intended benefits are being designed correctly and that effective management oversight of risk is embedded and functioning properly. Internal audit can help to provide that sort of clarity before determining where it needs to focus its independent assurance efforts.
The survey results for Europe show IT internal audit functions remain focused principally on planning (30%) and post-implementation review (28%), rather than project design and the actual implementation, leaving IT audit without significant involvement in large-scale technology-enabled projects. The more progressive functions, however, have realised the value in providing ongoing advice and assurance at different stages of projects, specifically at certain stage gates when key decisions are being made, to provide a critical sounding board.
To provide such assurance effectively, IT auditors need to demonstrate they bring the necessary skills, capability and experience without impacting the project’s implementation timeframe, which can concern some project sponsors.
- Survey respondents ranked “emerging technology and infrastructure changes” and “IT security & privacy/cybersecurity” as the top two technology challenges for their organisations for the coming year. What are the top challenges facing UK firms and which are their main areas for concern?
The key challenges, which are relevant regardless of geography, include: effectively managing change through technology innovation and transformation; cybersecurity and effectively protecting the ‘crown jewels’ of the organisation; making better use of the proliferation of data, software and hardware to generate business value and support collaboration across the organisation; and ensuring the right balance of skills and capabilities are in place within the IT department to deliver on the organisation’s priorities.
It is important for IT auditors to focus on the general business challenges facing organisations and therefore what the IT departments’ priorities are in support of those challenges. By doing so, the IT audit function can consider areas it needs to prioritise as part of its internal audit activity.
Most organisations remain focused on their core business while attempting to drive growth. Firms are trying to: maintain customer loyalty; deal with transformation, change and increased regulation; and stay ahead of the economy in terms of broader economic performance and their competitors, as well as dealing with mobile and digitisation challenges and cybersecurity issues. The IT department’s priorities are centred on underpinning those business challenges. IT functions need to ensure that business-as-usual systems are secure and effective as well as working to drive change through greater digitisation and mobilisation of internal and customer-facing systems. They also need to ensure appropriate security controls are implemented within the organisation to maintain the integrity of data and protect its information.
Cybersecurity remains a hot topic, which has greater board awareness and increased focus from IT audit functions. Auditors need to engage with the board appropriately in this area and also ensure the audit plan is sufficiently focused on what the organisation is doing to counter the cyber threat. IT auditors need to have a strategic and risk-based approach, to focus on the actual risks facing the organisation, which can be translated into what it all means for the business.
The top ten technology challenges are identified in the survey, and they include the proliferation of big data and data analytics. Data analytics are increasingly being utilised to help drive decision making, both in the first and second lines of defence as well as within the audit function. By utilising data analytics techniques, IT audit can identify areas of real risk to the organisation. They can help adjust the focus onto previously unidentified risks by reviewing a range of key performance indicators (KPIs) or by analysing data that has not previously been looked at.
What we are seeing, which is supported by the survey results, is that there is a significant opportunity to expand data analytics activities within audit functions to areas that may not currently be monitored as effectively by first and second lines of defence. Many audit functions are initially developing the required techniques and tools, identifying key areas of interest and are providing the guidance to first and second line management to undertake such analysis in the future.
- Most survey respondents agree that IT audit risk assessments are an “absolute must” but some firms aren’t conducting these at all. Why are they so important and what are the best practices that all firms need to adhere to?
IT audit risk assessments allow the alignment of IT audit objectives to the firm’s overall business strategy. Regular assessments enable IT audit to align key risks with enterprise risks to ensure they are focusing on assisting the organisation with key challenges and projects. IT auditors need to ensure throughout the year that they are adopting a risk-based approach; they need to focus on key risks and controls as well as enablement, using technology to support and drive the strategic priorities of the firm.
More regular risk assessments allow auditors to adopt a more dynamic approach to the audit plan. This is critical during this period of such fast-paced technological change, where organisations are adopting new technology in all aspects of the business at breakneck speed.
IT auditors need to have a more flexible, risk-based approach to understanding the organisation’s priority risks to tailor the audit plan. The more progressive IT audit functions are now monitoring risks on an ongoing basis by deploying data analytics tools, and are revisiting those risks with stakeholders on almost a quarterly basis to ensure their work is covering the right areas.
The IT audit function needs to ensure it is communicating with the audit committee, senior executives and the IT function regularly as part of its risk assessment approach. Maintaining an ongoing dialogue ensures auditors understand the key areas of concern.
- Skilled IT auditors remain in scarce supply. How deep is this problem in the UK and what are firms doing – or what should they be doing – to counter this challenge?
Skilled auditors are in short supply in the UK. One principal driver, which is highlighted by the survey, centres on the scarcity of interpersonal skills. It is no longer sufficient for auditors to have extensive technical capabilities; they also need to have experience and possess the requisite communication skills.
When asked what makes IT internal auditors successful, the main skill key stakeholders refer to is communication and an advanced understanding of the business. IT auditors need to have a comprehensive understanding of the dynamics of the organisation to visualise the issues and communicate solutions effectively. Getting involved in business initiatives during the early stages would help significantly. Likewise, the ability to address a non-technical audience at all levels of the business, allowing them to understand the implications of audit’s work on strategic level risks, is an essential skill for IT auditors.
In the UK, the demand for skilled IT auditors is growing. Given the restricted talent pool, there is increasing demand for “guest auditors”, internal and external training at all levels of the business and across the audit function, as well as a greater use of specialists – from external firms or third parties – that can provide insight and experience on some of the key challenge areas.
Firms are also tapping peer-to-peer knowledge sharing avenues to increase their understanding, which includes sharing tools, techniques and approaches to IT audits, and/or ways of communicating on the key issues and challenges – be it from an industry-specific perspective or across industries.
- IT audit reporting lines are varied; what is the ideal reporting line for IT audit personnel and why?
The key thing here is independence. If auditors are reporting to the CIO or the CEO, it calls into question the level of independence they can provide on the areas they are auditing. It is good practice to ensure that the reporting line remains in the third line of defence – reporting up to the head of internal audit. In Europe, more than half of respondents to our survey stated that the head of internal audit regularly attends audit committee meetings. This depends on a number of factors, not least whether the head of internal audit sufficiently understands the key issues in order to articulate those at the senior level. The key point is whether or not strategic technology risk, which may impact those top business challenges, is being appropriately discussed, audited and addressed at senior levels of the firm.