February 4, 2017 by Canadian Underwriter
Cybersecurity and privacy issues, along with infrastructure management and emerging technologies, rank as the top technology challenges organizations face today, according to a survey report from global consulting firm Protiviti and ISACA, a global business technology professional association for IT audit/assurance, governance, risk and information security professionals.
Released on Thursday, the 6th annual IT audit benchmarking survey of 1,062 IT audit and internal audit leaders and professionals, titled A Global Look at IT Audit Best Practices, found that “IT audit is also becoming more involved in major technology implementation projects within organizations.” The survey consisted of a series of questions grouped into six categories: emerging technology and business challenges; IT implementation project involvement; IT audit in relation to the overall audit department; risk assessment; audit plan; and skills, capabilities and hiring.
Respondents were asked to name the top technology or business challenges their organizations face today. According to a press release from Protiviti, the top 10 responses were:
“It is no surprise to find security, technology infrastructure and emerging technologies atop the list of challenges that IT auditors see in their organizations,” said Gordon Braun, a managing director with Protiviti and global leader of the firm’s IT Audit practice. “Yet, we find the other challenges listed to be just as critical to companies, from resource and skills gaps to ongoing transitions to cloud and virtual networks. Additionally, as more and more organizations rely on third parties to support critical applications and infrastructure, the need to excel at managing vendor relationships has increased dramatically. Many organizations have not sufficiently addressed maturing their vendor management practices, and the resulting business risks can be significant.”
The survey found that for large companies (greater than US$5 billion in revenue), 26% of IT audit functions have a significant level of involvement in major technology projects, while 45% have a moderate level of involvement. IT audit is most frequently involved in the post-implementation stages (65%).
The Protiviti/ISACA study also found that among large companies, 90% conduct an IT audit risk assessment. However, a majority (55%) only do so on an annual or less-frequent basis. Considering the growing risk landscape resulting from cybersecurity threats and emerging technologies, the two companies suggest that more organizations consider an approach that includes continually reviewing the IT risk landscape and adjusting IT audit plans accordingly.
“Seeing greater involvement by IT audit in significant technology projects is a positive trend, especially considering the dynamic nature of technology and critical risks related to security and privacy,” said Christos Dimitriadis, chair of ISACA’s board of directors and group director of information security for INTRALOT. “This is also notable because a substantial percentage of IT projects tend to run over budget and behind schedule and fail to achieve the desired objectives. Having IT audit bring a mindset of risk and control to these projects can be highly advantageous.”
Braun added that “there’s no question that cybersecurity and emerging technologies are now a regular topic at the board level. Audit committee members, in particular, are seeking greater assurance around critical IT risks and controls – internal audit and IT audit leaders must be prepared to demonstrate audit coverage of key areas and articulate where the highest risks remain.”
Another notable trend is the growing number of IT audit leaders who are reporting directly to the CEO. While still not a large number (for example, 13% in North America, 26% in Europe), these figures, as well as those from other regions, represent notable jumps from the 2015 survey results, the release said. “It’s possible that in at least some of these instances, the chief audit executive is serving as the IT audit director, which is positive to see in that it provides the IT audit function with greater executive and board visibility,” said Dimitriadis.
To view the study, visit https://www.protiviti.com/US-en/insights/it-audit-benchmarking-survey.