New IT audit study analyzes gaps in companies’ IT audit function and risk assessments
Although companies continue to increase their investments in and dependency on IT resources, many aren’t doing enough to protect themselves, according to a new survey from global consulting firm Protiviti.
The firm’s 2012 IT Audit Benchmarking Survey revealed the top 10 technology challenges businesses face today and found that a significant number of organizations do not conduct any type of IT audit risk assessment, and a considerable number of companies that do conduct assessments have critical gaps in their IT audit capabilities.
Protiviti’s second edition of the IT Audit Benchmarking Survey analyzes some of the underlying IT audit trends and gaps evident in organizations today. In addition to data and analysis, the survey report also includes key questions for audit professionals to consider as they evaluate their own IT audit functions and capabilities.
Brian Christensen, Protiviti’s executive vice president of global internal audit, said there’s no question that IT risks can affect the bottom line. To succeed in today’s business environment, it’s absolutely critical for organizations to understand and manage IT risks that emerge with the rapidly escalating use of technology, and the best way to do that is with well-planned IT audit strategies and activities.
The Top 10 Technology Challenges
The IT Audit Benchmarking Survey asked participants to weigh in, through an open-ended question that required a write-in response, on the top technology challenges that organizations face today. The top issues from the perspective of IT audit, including information security, cloud computing, social media, and risk management and governance, are consistent with those commonly cited by C-level executives and IT organizations.
1. Information security (including data privacy, storage, and management)
4. Risk management and governance
6. Technology integration and upgradation
10. Business continuity/disaster recovery
While this year’s survey shows some improvement in the number of companies conducting IT audit risk assessments, particularly among organizations with revenues of $100 million – $999 million, there is still much room for improvement, Protiviti said. Most notably, more than 30 per cent of organizations with less than $100 million in annual revenues do not conduct any type of IT audit risk assessment.
David Brand, a Protiviti managing director and the firm’s national IT audit leader, said the findings also show that even when organizations do conduct IT audit risk assessments, they have some considerable gaps in their capabilities. Those gaps can be just as damaging as skipping an assessment. For example, a majority of the respondents are understaffed, meaning less than 20 per cent of their internal audit department is made up of IT audit staff.
Seventy-eight per cent of survey respondents from companies with revenues greater than $1 billion see those gaps and have concerns that they may lack the necessary resources and skills to sufficiently address all areas of their IT audit plans. Examples of common gaps cited in the survey include limited ability to provide training for the IT audit team; not using outside resources to provide or augment IT audit capabilities; and lack of qualified IT audit professionals.
The study also found that 65 per cent of organizations conduct their IT audit risk assessments on an annual basis, which may not be adequate to keep pace with the current rate of technology change and innovation.
Evaluating and assessing the IT governance process, as called for under The Institute of Internal Auditors Standard 2110.A2, is not a priority for organizations, regardless of size or region. On average, less than 30 per cent of companies have complied with this standard, and less than one in three plans to do so within the next year.