Posted by David Brand on Wednesday, April 8, 2015 - 09:28
Companies — large and small — leverage technology today to tackle virtually every process and function. But such dependence increases vulnerability to a host of risks: security, cyberattacks, privacy issues, data breaches, governance, asset management and much more.
Which leads to a critical question: Are IT audit practices keeping pace so that businesses are able to assess, monitor and mitigate these risks?
The answer will vary by organization, but important trends and deficiencies are highlighted in the fourth annual IT Audit Benchmarking Survey published jointly by Protiviti and ISACA, and discussed in detail in a recent webinar. The report identifies progress in establishing IT audit best practices, but also shows worrisome gaps and areas that need significant improvement.
More than 1,300 executives and professionals worldwide, including chief audit executives, IT audit vice presidents and directors, answered queries about topics such as top technology challenges, assessing IT risks, and gauging skills and capabilities. One in three participants are from organizations with US$5 billion or more in annual revenue. More than half of all respondents represent organizations with greater than US$1 billion in annual revenue.
The following survey findings underscore key IT audit challenges — as well as the personnel and skills required to address them:
There are many current challenges, but the survey reveals that these are the critical issues that keep IT auditors awake at night: security and privacy, cybersecurity, staffing shortcomings, regulatory compliance, and budgets and controlling costs.
The underlying theme linking these topics is the changing nature of technology and the difficulty of managing it in a timely and effective manner. High-profile data breaches that make headlines routinely these days are raising expectations — from the board, executives and other stakeholders — for sound security measures involving IT audit.
It is imperative for auditors to sharpen their skills in areas such as IT security, cloud computing and storage, outsourcing and vendor assurance, data analytics and computer-assisted auditing tools. This knowledge establishes the foundation to develop a comprehensive cybersecurity framework capable of driving compliance efforts.
Even in the current IT environment in which change is the norm, a majority of companies surveyed, regardless of size or geographic location, still reported that they only update their IT audit risk assessments annually — or even less frequently. By comparison, leading organizations are updating their IT audit risk assessments on a quarterly basis, and sometimes, more frequently.
Bottom line: IT audit leaders need to ask whether they have the ability to consider new IT risks that are emerging throughout the year if they’re not reviewing and updating their assessments in a more timely fashion.
Technical skills are coveted and essential for IT audit staff, and none is deemed more important by survey respondents than control analysis. Nearly two-thirds of respondents described that skill as “significant.” The only other skills rated as significant by more than a majority of the survey participants are risk analysis (57 percent) and process assessment (52 percent).
At a time, however, when meaningful collaboration is vital for internal auditors to achieve success across the enterprise, the most important skill arguably is a soft skill. Organizations of every size characterized relationship building as the top-rated interpersonal skill, with 69 percent of survey participants describing it as significant.
Playing a key role
More than 50 percent of the largest public companies surveyed have a designated IT audit director or equivalent position within their organizations, and 48 percent reported that these individuals regularly attend audit committee meetings — a number that has doubled over the past three years.
IT audit is a critical function that will only become more essential over time. Organizations that don’t keep up with the pace of change are exposing their stakeholders to unnecessary risks.