This week, Protiviti and ISACA issued results of the fourth annual IT Audit Benchmarking Study. The organizations surveyed 1,330 IT audit leaders across the globe, including chief audit executives, IT audit vice presidents and directors, who answered questions in five categories:
- Today’s Top Technology Challenges
- IT Audit in Relation to the Internal Audit Department
- Assessing IT Risks
- Audit Plan
- Skills and Capabilities
The survey found that, although organizations have made strides in establishing best practices for the IT audit function, many are struggling to keep pace with global IT risks amid rapidly changing technology environments.
“Concerns over cybersecurity, industry disruptors and regulatory compliance have moved many organizations, and audit committees in particular, to become more engaged in the IT audit function,” said David Brand, a Protiviti managing director and the firm’s global IT audit leader. “We see some positive trends in our results, notably in the number of designated IT audit directors and their regular attendance at audit committee meetings. However, we also see significant gaps to be addressed, including the frequency with which IT audit risk assessments are conducted.”
Top Technology Challenges
The survey also revealed the top 10 technology challenges that respondents say their organizations face today:
- IT security and privacy/cybersecurity
- Resource/staffing/skills challenges
- Emerging technology and infrastructure changes: transformation, innovation, disruption
- Regulatory compliance
- Budgets and controlling costs
- IT governance and risk management
- Big data and analytics
- Vendor, third-party and outsourcing risks
- Cloud computing/ virtualization
- Bridging IT and the business
Establishing Organizationwide Support for IT Audit
The IT Audit Benchmarking Study found that more than half of the largest public companies surveyed have a designated IT audit director or equivalent position within their organizations, and 48 percent reported that these individuals regularly attend audit committee meetings – a number that has doubled over the past three years. Additionally, respondents indicated that their audit committees have increased their involvement in the IT risk assessment process, with 20 percent reporting significant involvement as compared to 14 percent in 2013.
The increased resources and attention to IT audit is a positive sign that companies of all sizes around the world are recognizing the significant benefits of this critical function.
Small Gains in IT Audit Risk Assessments
The ISACA/Protiviti survey also reveals a modest uptick in the number of organizations that update their IT audit risk assessment on a continual basis. However, this number still remains low—around 15 percent—for even the largest companies.
Other research findings of note include:
- Globally, respondents cited COBIT as the most accepted industry framework on which the IT audit risk assessment is based, followed by COSO, ISO and SOGP. In practice, organizations may utilize a combination of these frameworks to complete their risk assessments.
- Across every region and size of respondent organization, lack of resources ranks as the top reason why companies are using outside resources to augment their IT audit skills – and in fact, the percentages are very consistent. These findings are also in line with the top technology challenges outlined above.
I encourage you to view the full results at www.isaca.org/2014ITauditstudy.
Robert E Stroud, CGEIT, CRISC
2014-2015 ISACA International President