Audit & Risk

Cybersecurity and infrastructure management are “top technology challenges”

More IT audit functions are becoming involved in major technology projects and more IT audit leaders are attending audit committee meetings, according to a new report by Protiviti and ISACA


Cybersecurity and privacy issues, along with infrastructure management and emerging technologies, rank as the top technology challenges organisations face today, according to a survey report by consultancy Protiviti and ISACA, a global business technology professional association for IT audit/assurance, governance, risk and information security professionals. The survey of 1,062 IT audit and internal audit leaders and professionals found that IT audit is also becoming more involved in major technology implementation projects within organisations.

Researchers asked respondents to name the top technology or business challenges their organisations face today. The top ten responses were:

  1. IT security and privacy/cybersecurity.
  2. Infrastructure management.
  3. Emerging technology and infrastructure changes – transformation, innovation, disruption.
  4. Resource/staffing/skills challenges.
  5. Regulatory compliance.
  6. Budgets and controlling costs.
  7. Cloud computing/virtualisation.
  8. Bridging IT and the business.
  9. Project management and change management.
  10. Third-party/vendor management.
 

“It is no surprise to find cybersecurity, technology infrastructure and emerging technologies at the top of the list of challenges that IT auditors see in their organisations and this is consistent with previous years,” said Mark Peters, leader of Protiviti's IT audit practice in the UK. “Executives and internal audit management continue to operate in an environment of evolving technology risk and increasing stakeholder expectations, increasing the interest in IT audit activity and its view of risk facing the organisation. Core areas such as cloud, IT skills gaps, IT costs and compliance will still form the backbone of IT audit plans in 2017. However, the business risks associated with vendor management and change projects are increasing and many organisations have room for improvement in sufficiently addressing these areas within their IT audit plans.”

According to the survey, entitled "A Global Look at IT Audit Best Practices", in large companies (those with revenue greater than US$5bn), 26 per cent of IT audit functions have a significant level of involvement in major technology projects, while 45 per cent have a moderate level of involvement. IT audit is most frequently involved in the post-implementation stages (65 per cent).

“Seeing greater involvement by IT audit in significant technology projects is a positive trend, especially considering the dynamic nature of technology and critical risks related to security and privacy,” said Christos Dimitriadis, chair of ISACA’s board of directors. “This is also notable because a substantial percentage of IT projects tend to run over budget and behind schedule and fail to achieve the desired objectives. Having IT audit bring a mindset of risk and control to these projects can be highly advantageous.”

However, he pointed out that the survey results show that IT audit is more involved in the post-implementation stages of these projects than in the earlier planning and design stages. He identified an opportunity for organisations to derive more value from major IT projects by engaging IT audit earlier. “With a solid foundation of assurance on the front end, organisations can have the confidence they need to be innovative and fast-paced in pursuit of their business goals,” he said.

The survey found that in most organisations (55 per cent) the IT audit director regularly attends audit committee meetings. This represents a 6-point rise from previous survey results (published in late 2015) and reflects a long-term trend – in 2012 fewer than one in three IT audit directors attended audit committee meetings regularly.

“There’s no question that cybersecurity and emerging technologies are now a regular topic at the board level,” said Peters. “Audit committee members, in particular, are seeking greater assurance around critical IT risks and controls – internal audit and IT audit leaders must be prepared to demonstrate audit coverage of key areas and articulate where the highest risks remain.”

Another trend is the growing number of IT audit leaders who report directly to the CEO. While still not a large number (13 per cent in North America and 26 per cent in Europe), it’s more than in previous surveys. “It’s possible that in at least some of these instances, the chief audit executive is serving as the IT audit director, which is positive to see in that it provides the IT audit function with greater executive and board visibility,” said Dimitriadis. “This is a logical development considering the increasing technology-dependence of organisations and the integral role the IT audit function plays in helping management to identify key risks and ensure the proper controls are in place.”

Among the large companies that responded, 90 per cent conduct an IT audit risk assessment. However, just over half (55 per cent) do so only annually or less frequently than that. The report's authors argue that organisations should consider an approach that includes continually reviewing the IT risk landscape and adjusting IT audit plans accordingly to meet changing cybersecurity threats and emerging technologies.

The survey report, along with an infographic and a short video, is available to download free.
