Technology Use and Risks Outpacing IT Audit Capabilities in Most Organisations

Despite ongoing efforts to address information technology issues, companies continue to come up short in their IT audit functions, according to a new survey from global consulting firm Protiviti.


Titled "From Cybersecurity to IT Governance – Preparing Your 2014 Audit Plan," the study reveals that a large percentage of organisations are not planning and instituting the IT audit coverage necessary to assure critical IT operations, evaluate risk and provide a secure, available IT environment.


“In today’s organisations, virtually every function is technology-dependent, which means companies face a greater number of challenges to ensure an efficient, secure IT environment,” says Brian Christensen, Protiviti executive vice president of global internal audit. “Based on the study, it’s apparent that there is a tremendous gap between where most companies are and where they should be in terms of managing IT risk and strengthening governance and controls. As audit plans are developed, these technology challenges should also be top-of-mind for internal audit.”


Top Technology Challenges
According to the 469 respondents who participated in Protiviti’s 2014 IT Audit Benchmarking Survey, including chief audit executives, IT audit directors, IT audit managers, and other auditing professionals, the top technology-related challenges facing organisations are:


- IT security (including data security, cyber security, and mobile security; this result was the number one challenge for the second consecutive year)
- IT governance
- Lack of ERP implementations, development, and knowledge
- Social media
- Vendor management
- Cloud computing
- Emerging technology and infrastructure changes
- Big data and analytics
- PCI compliance


The recurring challenge of IT security points to the need for security teams to tap their organisation’s internal audit team’s expertise to develop more efficient, sustainable compliance programs. In a report titled "Engage Audit Professionals for Better Security Assessment Outcomes," Forrester Research, Inc. writes about the  benefits of audit and security working together to address security compliance. 


“There are simple ways for security and audit professionals to coordinate more closely in ways that will help both sides achieve their goals. When done correctly, the audit function becomes a powerful advocate for the security team, helping highlight the strength of the program when appropriate and helping justify more investments when there are gaps to fill,” says Forrester Research, Inc.


A large number of companies fail to devote adequate resources to IT audit and, as a result, are not able to fully assess potential risks. Also, 42 percent of organisations reported that they rely on outside resources to augment their IT audit departments because they lack the appropriate internal resources.


Many internal audit functions are not performing IT audit risk assessments regularly, and even many of the companies that do perform these assessments need to do so more frequently.  Of concern, one-third of companies with less than $100 million in revenue do not conduct any type of IT audit risk assessment, which presents countless potential hazards for their respective businesses.


Also a cause for concern is the increase from 2012 to 2013 in the number of IT audit directors who report to the CIO. Even though the overall number of organisations with this reporting relationship is relatively low, allowing the IT department to audit itself is a potential recipe for disaster because independence and objectivity of assessments are lost.


“Although there are areas that clearly need attention, it’s a good sign that more companies are working to implement IT governance policies and procedures,” says David Brand, a Protiviti managing director and leader of the firm’s IT Audit practice. “We have seen an uptick in the number of companies that are evaluating IT governance as part of their audit process.”


Suggested Articles

Some of you might have already been aware of the news that Questex—with the aim to focus on event business—will shut down permanently all media brands in Asia…

Some advice for transitioning into an advisory role

Global risks are intensifying but the collective will to tackle them appears to be lacking. Check out this report for areas of concern