IT risk is everyone’s problem. By “everyone,” we mean the board of directors, senior management, process owners and internal auditors. Internal audit departments play a critical role in ensuring that mitigating processes and procedures are in place and working effectively to manage the organization’s risks. An alarming number of organizations, however, are not making full use of the input internal audit can provide in managing their IT risks. This neglect results in embarrassing incidents for the top of the organization, the CIO’s organization and the owners of the affected processes.
With the rapid evolution and propagation of social media, cloud and mobile technologies, IT departments are often stretched to their limits. Under pressure to implement quickly, it is easy to miss vulnerabilities and the potential security breaches that follow from them.
Examples – such as the HealthCare.gov website launch debacle and any number of corporate mea culpas regarding security breaches exposing customer financial data – illustrate vividly how quickly a glitch or vulnerability can escalate from an IT problem to a critical business problem and a huge reputational risk.
When it comes to IT audit programs and practices, our annual IT Audit Benchmarking Survey consistently reveals that organizations leave themselves significant room for improvement. Too many fail to plan and institute the IT audit coverage necessary to ensure an available, secure and efficient IT environment.
Furthermore, some organizations don’t house their IT audit resources in their internal audit departments, and others lack such resources entirely. We have found that just 1 in 4 companies has an IT audit director or someone in an equivalent role focused on technology risks.
I could say a lot on this topic, but our benchmarking survey provides a much more thorough and detailed analysis. I encourage you to read it. For now, let me close with five key questions that every CEO and audit committee member should be asking about their organization’s IT audit capabilities:
- Is our internal audit function performing an effective IT risk assessment at least once a year, and are people who are knowledgeable of infrastructure, applications and IT involved in the process?
- Has our internal audit team reviewed the COSO (2013 update) and COBIT 5 frameworks, and are our audit plans based on those recognized frameworks and practices?
- Does our IT audit team have a clear understanding of our organization’s short- and long-term IT objectives?
- How do we quantify our IT risks? What industry benchmarks and best practices are used?
- Does our IT audit risk assessment process coordinate with other risk assessment areas, including financial, operational and compliance?
As with any growing or rapidly changing risk, it is important for organizations to stay ahead of the risk management curve – and make this a sustainable effort.