There are myriad controls and processes that organisations can include in their annual internal audit plans, but it seems that IT issues are at the top of the list.
A yearly survey by consultancy Protiviti has found that the majority of the top ten priorities identified by internal auditors relate to information technology risks.
Companies are trying to balance the security and effectiveness of existing IT systems with the introduction of new technologies, greater digitisation and mobilisation of internal and customer-facing systems.
Ensuring the efficacy of old and new systems and the rising threat of cyber crime are pushing IT issues up the priority list for internal audit.
Internal auditors’ top 10 priorities for 2016:
1. ISO 27000 (information security)
2. Mobile applications
3. NIST Cybersecurity Framework
4. GTAG 16 – Data Analysis Technologies
5. Internet of Things
6. Agile Risk and Compliance
7. ISO 14000 (environmental management)
8. Data Analysis Tools – Statistical Analysis
9. Country-Specific ERM Framework
10. Big Data/Business Intelligence
The survey also found that organisations are more likely than ever to evaluate cyber security risk as part of their annual audit plans. Nearly three out of four organisations (73 per cent) now include cyber security risk in their internal audits, a 20 per cent year-on-year increase.
An organisation’s ability to defend itself from hacks has never been more important, regardless of sector, with the scale of the threat laid bare by recent high-profile data breaches at TalkTalk and JD Wetherspoon.
Protiviti found that 57 per cent of companies surveyed have received enquiries from customers, clients or insurance providers about the organisation’s state of cyber security.
Furthermore, its findings show that board engagement and the inclusion of cyber security in the current audit plan result in businesses being better prepared for cyber attacks.
For example, 92 per cent of organisations with a high level of board engagement in information security risks have a cyber security risk strategy in place, compared to 77 per cent of other organisations. Similarly, 83 per cent of companies that include cyber security risk in the annual audit plan have a cyber security risk policy, versus 53 per cent that do not include this risk in their audit plans.