Audit & Risk

The top 10 priorities for internal auditors

A new survey shows that internal auditors have IT issues on the brain.

There are myriad controls and processes that organisations can include in their annual internal audit plans, but it seems that IT issues are at the top of the list. 

A yearly survey by consultancy Protiviti has found that the majority of the top ten priorities identified by internal auditors relate to information technology risks. 

Companies are trying to balance the security and effectiveness of existing IT systems with the introduction of new technologies, greater digitisation and mobilisation of internal and customer-facing systems. 

Ensuring the efficacy of old and new systems and the rising threat of cyber crime are pushing IT issues up the priority list for internal audit.  

Internal auditors’ top 10 priorities for 2016:

1. ISO 27000 (information security)
2. Mobile applications
3. NIST Cybersecurity Framework
4. GTAG 16 – Data Analysis Technologies
5. Internet of Things
6. Agile Risk and Compliance
7. ISO 14000 (environmental management)
8. Data Analysis Tools – Statistical Analysis
9. Country-Specific ERM Framework
10. Big Data/Business Intelligence

The survey also found that organisations are more likely than ever to evaluate cyber security risk as part of their annual audit plans. Nearly three out of four organisations (73 per cent) now include cyber security risk in their internal audits, a 20 per cent year-on-year increase. 

An organisation’s ability to defend itself from hacks has never been more important, regardless of sector, with the scale of the threat laid bare by recent high-profile data breaches at TalkTalk and JD Wetherspoon.

Protiviti found that 57 per cent of companies surveyed have received enquiries from customers, clients or insurance providers about the organisation’s state of cyber security.

Furthermore, its findings show that board engagement and the inclusion of cyber security in the current audit plan result in businesses being better prepared for cyber attacks.

For example, 92 per cent of organisations with a high level of board engagement in information security risks have a cyber security risk strategy in place, compared to 77 per cent of other organisations. Similarly, 83 per cent of companies that include cyber security risk in the annual audit plan have a cyber security risk policy, versus 53 per cent that do not include this risk in their audit plans.
