More IT audit functions becoming involved in major technology projects; more IT audit leaders are attending audit committee meetings
Rolling Meadows, IL, USA (2 February 2017)—Cybersecurity and privacy issues, along with infrastructure management and emerging technologies, rank as the top technology challenges organizations face today, according to a just-released survey report from global consulting firm Protiviti and ISACA, a global business technology professional association for IT audit/assurance, governance, risk and information security professionals. The survey of 1,062 IT audit and internal audit leaders and professionals found that IT audit is also becoming more involved in major technology implementation projects within organizations.
In the survey, respondents were asked to name the top technology or business challenges their organizations face today. The top 10 responses:
- IT security and privacy/cybersecurity
- Infrastructure management
- Emerging technology and infrastructure changes – transformation, innovation, disruption
- Resource/staffing/skills challenges
- Regulatory compliance
- Budgets and controlling costs
- Cloud computing/virtualization
- Bridging IT and the business
- Project management and change management
- Third-party/vendor management
“It is no surprise to find security, technology infrastructure and emerging technologies atop the list of challenges that IT auditors see in their organizations,” said Gordon Braun, a managing director with Protiviti and global leader of the firm’s IT Audit practice. “Yet, we find the other challenges listed to be just as critical to companies, from resource and skills gaps to ongoing transitions to cloud and virtual networks. Additionally, as more and more organizations rely on third parties to support critical applications and infrastructure, the need to excel at managing vendor relationships has increased dramatically. Many organizations have not sufficiently addressed maturing their vendor management practices, and the resulting business risks can be significant.”
According to the ISACA/Protiviti survey, titled A Global Look at IT Audit Best Practices, in large companies (greater than US$5 billion in revenue), 26 percent of IT audit functions have a significant level of involvement in major technology projects, while 45 percent have a moderate level of involvement. IT audit is most frequently involved in the post-implementation stages (65 percent).
“Seeing greater involvement by IT audit in significant technology projects is a positive trend, especially considering the dynamic nature of technology and critical risks related to security and privacy,” said Christos Dimitriadis, Ph.D, CISA, CISM, CRISC, chair of ISACA’s board of directors and group director of information security for INTRALOT. “This is also notable because a substantial percentage of IT projects tend to run over budget and behind schedule and fail to achieve the desired objectives. Having IT audit bring a mindset of risk and control to these projects can be highly advantageous.”
Dimitriadis continued, “However, our results show that IT audit is more involved in the post-implementation stages of these projects versus earlier planning and design stages. We believe there is an opportunity for organizations to derive the most value from their major IT projects by engaging IT audit earlier rather than downstream in the projects. With a solid foundation of assurance on the front end, organizations can have the confidence they need to be innovative and fast-paced in pursuit of their business goals.”
Greater Audit Committee and Executive Engagement
In a majority of organizations (55 percent), the IT audit director regularly attends audit committee meetings. This represents a 6 point jump from the prior survey results (published in late 2015) and reflects a long-term trend in the survey findings since 2012, when less than one in three IT audit directors attended audit committee meetings regularly.
“There’s no question that cybersecurity and emerging technologies are now a regular topic at the board level,” said Braun. “Audit committee members, in particular, are seeking greater assurance around critical IT risks and controls – internal audit and IT audit leaders must be prepared to demonstrate audit coverage of key areas and articulate where the highest risks remain.”
Another notable trend is the growing number of IT audit leaders who are reporting directly to the CEO. While still not a large number (for example, 13 percent in North America, 26 percent in Europe), these figures, as well as those from other regions, represent notable jumps from the 2015 survey results. “It’s possible that in at least some of these instances, the chief audit executive is serving as the IT audit director, which is positive to see in that it provides the IT audit function with greater executive and board visibility,” said Dimitriadis. “This also is a logical development considering the increasing technology-dependence of organizations and the integral role the IT audit function plays in helping management identify key risks and ensure the proper controls are in place.”
Risk Assessment Frequency
The Protiviti/ISACA study also found that among large companies, 90 percent conduct an IT audit risk assessment. However, a majority (55 percent) only do so on an annual or less-frequent basis. Considering the growing risk landscape resulting from cybersecurity threats and emerging technologies, ISACA and Protiviti suggest that more organizations consider an approach that includes continually reviewing the IT risk landscape and adjusting IT audit plans accordingly.
About the Survey Report and Resources Available
The sixth annual IT Audit Benchmarking Survey consisted of a series of questions grouped into six categories: Emerging Technology and Business Challenges; IT Implementation Project Involvement; IT Audit in Relation to the Overall Audit Department; Risk Assessment; Audit Plan; and Skills, Capabilities and Hiring. The survey report, along with an infographic and a short video, is available for complimentary download at www.isaca.org/2017itauditstudy and www.protiviti.com/ITauditsurvey.
Protiviti (www.protiviti.com) is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Through its network of more than 70 offices in over 20 countries, Protiviti and its independently owned Member Firms provide clients with consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit.
Protiviti has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
ISACA (isaca.org) helps professionals around the globe realize the positive potential of technology in an evolving digital world. By offering industry-leading knowledge, standards, credentialing and education, ISACA enables professionals to apply technology in ways that instill confidence, address threats, drive innovation and create positive momentum for their organizations. Established in 1969, ISACA is a global association with more than 140,000 members and certification holders in 187 countries. ISACA is the creator of the COBIT framework, which helps organizations effectively govern and manage their information and technology. Through its Cybersecurity Nexus (CSX), ISACA helps organizations develop skilled cyber workforces and enables individuals to grow and advance their cyber careers.
Kathy Keller, +1.650.234.6252, [email protected]
John Julitz, +1.847.660.5769, [email protected]
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
Editor's Note: Infographic (in JPEG and PDF) and photos available upon request.