From Cybersecurity to IT Governance – Is Your IT Audit Program Up to Speed?

Whether it’s accounting and finance, supply chain, manufacturing, marketing, or sales, technology has transformed virtually every business function. Without question, companies have become highly dependent on their information and communications technologies.

But the results of Protiviti’s latest IT Audit Benchmarking Study show that in this increasingly technology-oriented business environment, organizations have significant room for improvement in their IT audit programs and practices, which potentially leaves them vulnerable to significant risk.

Among the key findings from the study:

Organizations don't have the audit coverage they need – We found that many lack adequate IT audit resources, and just as notable, these resources are not always a formal part of the audit group. Why are limited IT audit resources a significant problem? Because, as we just noted, nearly every function in organizations today is technology-enabled. This indicates many organizations are leveraging technology heavily without a balance of strong audit coverage to help identify, address, mitigate and monitor IT risks.

Data security is a critical concern – There is more scrutiny than ever on cybersecurity and threats from an unimaginable number of sources. Based on the findings of our survey, it's clear that organizations, as part of a broad range of audit and assurance efforts, should expand their IT audits to assurance over the IT security function.

There are major shortcomings in IT audit risk assessments – We've conducted our IT Audit Benchmarking Study for three years, and this has been a consistent finding. Too many companies are failing to perform IT audit risk assessments on a regular basis. In addition, they fail to update these assessments as frequently as they should based on changes that their IT audit infrastructure and environments are undergoing.

But there is positive news: More organizations are reviewing their IT governance programs and practices – This is great to see. The new COSO Internal Control – Integrated Framework (released earlier this year) emphasizes the importance of strong IT governance and controls, which underscore the dynamic nature of technology in business today.

The bottom line is that for most organizations, the growth and prevalence of technology currently is outpacing their ability to audit the business risks impacted by these technology changes effectively.

You can learn more about Protiviti's benchmarking study and download a copy of our full report by visiting