The ever-changing nature of complex emerging technology and infrastructure changes, including transformation, innovation and disruption, is the top challenge faced by IT audit executives and professionals around the world, according to a new survey from global consulting firm Protiviti and ISACA.
The fifth annual IT Audit Benchmarking Survey, titled A Global Look at IT Audit Best Practices, examines where IT audit functions stand in their ability to address complex challenges. More than 1,200 respondents shared their perceptions of top technology challenges currently facing their organizations.
Top 10 Challenges
According to the survey, the top 10 global technology challenges facing IT audit professionals are:
- Emerging technology and infrastructure changes: transformation, innovation, disruption
- IT security and privacy/cybersecurity
- Resource/staffing/skills challenges
- Infrastructure management
- Cloud computing/virtualization
- Bridging IT and the business
- Big data and analytics
- Project management and change management
- Regulatory compliance
- Budgets and controlling costs
Interestingly, regulatory compliance and budgets/controlling costs have moved down significantly on the list compared to last year, indicating that IT departments are getting better at managing compliance costs.
This year’s study indicated that audit professionals have significant concerns about finding qualified resources and skills. Not only was this noted by respondents as a top-three IT challenge, but numerous results suggest that finding the right people with the right knowledge/skills for the right job remains a significant challenge.
The study also serves as a reminder that IT audit risk assessments are an absolute must. There are small but meaningful numbers of companies that are not conducting any type of IT audit risk assessment. For these organizations, this is a significant risk given the cybersecurity threat environment. Other organizations are adhering to best practices by conducting these risk assessments more frequently.
IT Audit Reporting Structures Still Off the Mark
According to the survey, 60 percent of the largest public companies have a designated IT audit director or equivalent position within their organizations, and yet, in half of all companies, these individuals do not attend audit committee meetings. Furthermore, many companies still have established reporting structures that are less than optimal. Having the IT audit director report to the CAE or equivalent is a best practice, yet 28 percent of companies in North America and Asia use another, less ideal reporting line. This number is as high as 33 percent in Latin America and 41 percent in Europe.
Organizations need to address effective IT audit management through a number of controls, including treating IT and cybersecurity risks as strategic-level risks, operating as a truly independent and impartial function, and allotting the necessary resources and expertise, whether internal or external, to help the organization identify and manage its IT risks effectively.
COBIT Is the Go-to Framework
Respondents cited COBIT as the most accepted industry framework on which the IT audit risk assessment is based, followed by COSO, ISO and ITIL. Organizations may use a combination of frameworks to complete risk assessments.
ISACA is committed to helping you face the challenges identified in this survey. From recent reports on emerging technology, to more cybersecurity guidance, to audit and assurance career tools coming in 2016, we aim to help you face these issues head-on and succeed.
Christos Dimitriadis, Ph.D., CISA, CISM, CRISC
ISACA International President
[ISACA Now Blog]