With the global proliferation of mobile devices and the Internet of Things connecting technologies and people like never before, IT audit leaders have an increasingly critical role to play. They need to work in collaboration with executive management, the board of directors, IT, HR, and numerous other departments to ensure their organizations identify, mitigate and monitor an escalating volume of IT risks that could cripple the enterprise if left unmanaged.
ISACA and Protiviti surveyed more than 1,200 chief audit executives (CAEs), IT audit vice presidents and directors in the third quarter of 2015 to determine where IT audit functions stand in their capabilities to address these key challenges. We published the results in the 5th Annual IT Audit Benchmarking Survey.
Notable takeaways include:
- IT changes and IT security are top of mind – Respondents cited emerging technology, transformation, innovation, disruption and cybersecurity as their top technology challenges.
- There are significant concerns about finding qualified resources and skills – Not only was this noted by respondents as one of today’s top IT challenges, but numerous results suggest that finding the right people with the right skills to do the job right remains a significant challenge.
- Many IT audit reporting lines are still off the mark – Having the IT audit director report to the CAE or an equivalent role is ideal, yet many organizations still have other reporting lines in place, raising questions of objectivity and independence.
- IT audit risk assessments are an absolute must – There is a small but meaningful number of companies that are not conducting any type of IT risk assessment. For these organizations, this represents a significant risk given the cybersecurity threat environment. Other organizations are adhering to best practices by conducting these risk assessments more frequently.
- IT audit departments should get involved early in major IT projects – The good news: Half of all IT audit departments do. The survey found a moderate level of involvement in major technology projects among organizations, with many getting involved in the early planning and design stages. On the other hand, many have little to no involvement in such projects.
- Effective communication is critical – A strong majority of IT audit leaders and professionals rate the ability to explain complex IT issues for a nontechnical audience as a critical part of their interpersonal skills.
With rapid change already the norm, and the future promising an even wilder ride, it is critical that organizations take the time now to establish a strong IT risk management and audit framework. When organizations do not know the risks they face, serious threats can go unaddressed and mushroom into major problems.
The 2015 survey is a fascinating study, and well worth your time. See results at a glance here and here. For a more in-depth discussion, listen to our recorded webinar, which I had the honor of hosting, along with Anthony Chalker, Internal Audit Managing Director at Protiviti, Nancy Cohen, Director of Privacy and Assurance Practices at ISACA, and Bob Kress, Managing Director of Global IT Audit at Accenture. I would be interested to read your reaction in the comment section below.