Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CPA
Risk management has become an area of increased focus over the last decade or so. Practically all types of audits now begin with a risk assessment and take a risk-based approach, and IT managers are likewise more focused on IT risk. Given the major role that IT risk plays in the current business environment, it is beneficial to understand as much about IT risk as possible. Two recent surveys provide valuable information about IT risks today and in the near future.
In 2011, the AICPA conducted its 22nd Top Technology Initiatives (TTI) Survey. Certified Information Technology Professionals (CITPs) and select Certified Public Accountants (CPAs) were asked to rank the technology issues of greatest importance today. The results were divided into those related to public accounting and those related to business and industry. The final composite rankings are included in figure 1.
This list provides insight to IT auditors as to some of the major issues most likely to be relevant in today’s IT audit environment.
In 2010, IBM conducted a global risk survey of people in various roles to understand how IT managers are working to better understand and mitigate IT risk.
The results show that 66 percent of respondents rate their entity's overall approach to mitigating IT risk as "good to expert." Results also reveal that IT professionals are involved in a number of risk-related issues and feel strongly that they should be even more involved in the future. IT risk budgets have not fallen over the last year; rather, they have remained steady or have increased. Organizations and senior executives recognize the need for, and the business benefits of, risk mitigation. All of these results fall under "good news," and they were consistent across geographies, industries, organization sizes and participant roles.
However, there are some areas for improvement and indicators of what the future might hold for IT risks.
Present: IT Risk Issues
The survey results included a rating of current IT risk issues. When respondents were asked to identify the risk issues of the last year, efforts were focused in a few areas (responding "yes" to the IT risk as a top-of-mind issue):
Present: IT Risk Maturity
One outcome of the survey was the conclusion that the examination and assessment of an entity's IT risk maturity is foundational to effective risk management. According to the survey, there is a need for an objective assessment of IT risk maturity now. Recommendations included:
Areas the survey identified as major ones for improvement in IT risk maturity include:
Future: Emerging IT Risks
The survey results show several emerging technologies that represent significant IT risks. Those with the most concerns were (rating the IT as "extremely risky/risky"):
There were some common threads across these risky technologies. One is securing and controlling the flow of data to and from these technologies. Another was the fact that entities are still struggling to secure their own networks while considering a move to cloud computing; that is, professionals were not sure they were ready internally to extend IT risk management to cloud computing, since they were not yet effectively managing IT risks locally. Cutting costs was an attraction of cloud computing in particular, but many consider the risk to be very high.
Social networking and mobile computing concerns were primarily in loss of control of data and threats of unauthorized access to confidential, proprietary data. Overall, social networking and mobile computing were considered very risky.
Future: Shift in Involvement
The survey looked at the current and future involvement of IT managers and professionals in IT risk management. A shift was predicted three years out: increased involvement in the areas of branding (customer service, marketing), business strategy and financials, and decreased involvement in infrastructure. Perhaps the decline is because infrastructure is being successfully hardened, or because entities are moving to cloud computing, Software as a Service (SaaS) and Infrastructure as a Service (IaaS) and, therefore, are able to focus more attention on other areas.
Sixty-five percent of the respondents said that risk mitigation is becoming a more integral part of their job, and 83 percent agree that IT managers should be more involved.
First, these surveys provide information to better assess IT risks for any current IT audit activities. In particular, they provide information on emerging issues such as cloud computing and mobile computing. For instance, the IT risk maturity assessment (IBM) would be beneficial information to have for an IT audit. The surveys also identify areas in which IT auditors should seek evidence of IT risks and mitigating controls.
The surveys also help focus IT auditors on key issues in performing IT risk assessments. For instance, it is beneficial to compare these two lists and note that mobile computing and information security are prominent on both lists. Risks associated with data are also prominent in both surveys.
The IBM survey also provides forward-looking information on where IT audits might be moving in the future. Clearly, social networking, mobile computing, cloud computing, SaaS and IaaS (data centers) are areas in which IT auditors will be asked to do more. The IBM survey also shows the future parties of interest for potential interviews and sources of information for the IT auditor. For instance, IT managers will apparently become even more involved with IT risk assessment and management in the future, at the enterprise level. It is particularly interesting to note that there will be a shift toward more involvement by IT managers in financial-related IT risks.
Because of the nature of IT, IT auditors have to stay abreast of the ever-changing IT environment. The AICPA TTI and the IBM Global Risk surveys provide valuable information to help keep the IT auditor up to date.
Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CPA is an associate professor of information systems (IS) at the University of Alabama at Birmingham (USA), a Marshall IS Scholar and a director of the Forensic Accounting Program. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting IS using microcomputers. Singleton is also a scholar-in-residence for IT audit and forensic accounting at Carr Riggs Ingram, a large regional public accounting firm in the southeastern US. In 1999, the Alabama Society of CPAs awarded Singleton the 1998–1999 Innovative User of Technology Award. Singleton is the ISACA academic advocate at the University of Alabama at Birmingham. His articles on fraud, IT/IS, IT auditing and IT governance have appeared in numerous publications, including the ISACA Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2011 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.