The IT Audit: Getting the Process Started

Rising cybersecurity concerns — and the fact that, according to research by Protiviti, almost two out of three organizations are undergoing a major IT transformation — help underscore the value of conducting an IT audit. But many organizations fail to perform these assessments as often or as thoroughly as they should — usually because they lack sufficient internal resources. The fourth annual IT Audit Benchmarking Survey from Protiviti and ISACA found staffing IT audits is a top challenge for organizations today.

Many businesses look to external services to help overcome gaps in IT audit resources. Firms value working with specialized consultants to help them with their program, including supporting and bringing more focus to specific types of IT audits, such as:

  • Technology audits: assessments of how key IT components are configured and used
  • IT process audits: audits of processes that are used to develop and maintain systems and services
  • IT project audits: assessments of risks that could undermine project success

“Leveraging the right skills and IT audit specialists is imperative to ensure a truly risk-based approach that’s relevant to the IT challenges facing organizations today,” said David Brand, a Protiviti managing director and the firm’s global IT audit leader.

Define the scope — and gather input from key stakeholders

As you determine your organization’s IT audit staffing needs, you must also decide on the scope of your audit. For example, do you need to evaluate risks and opportunities within your entire IT environment, or just one particular area?

Defining the project scope will also help you identify which departments and business units would be affected by the process. Involve all relevant personnel from those parts of the organization in the planning so they understand why an audit is to be conducted and to tap their firsthand knowledge of how their teams are using technology and what policies and regulatory compliance demands they must adhere to.

Be sure to reach out to senior management, as well as the board of directors, if appropriate, to discuss the plan and share key findings following the audit. You are likely to find an especially keen audience in the audit committee. The IT Audit Benchmarking Survey notes audit committees are becoming more engaged in the IT audit process because they want to better understand how technology risks are being assessed and managed.

“Concerns over cybersecurity, industry disruptors and regulatory compliance have moved many organizations, and audit committees in particular, to become more engaged in the IT audit function,” said Brand.

Look to industry resources for guidance

Businesses will only become more reliant on technology in the future. As a result, the IT audit will continue to grow in importance as a tool for ensuring an organization is aware of potential risks and able to reap the full benefits of its technology investments. The dynamic nature of technology change and risk further underscores the need to conduct regular IT audits.

Look to resources such as The Institute of Internal Auditors, ISACA, and Protiviti’s KnowledgeLeader for best practices, guides and tools that can help your business establish a successful program.

To learn more about how organizations are assessing and mitigating critical technology and business risks, download the IT Audit Benchmarking Survey.

Related post