May is International Internal Audit Awareness Month. We are celebrating with a series of blog posts focused on internal audit topics and the daily challenges and future of the internal audit profession.
We issued our IT Audit Benchmarking Survey Report at the end of last year, and we discussed IT audit best practices in a December 9 webinar with our own IT audit practice leader, David Brand, as well as Nancy Cohen of ISACA, with whom we jointly developed the survey, and Bob Kress, Managing Director and Chief Audit Executive at Accenture.
I had the honor to present as a guest speaker on a topic I feel strongly about: the way organizations approach their IT risk assessment. I invite you to comment in the space below, as I highlight some of the ideas and insights in more depth here. Because this is Internal Audit Awareness Month, I believe that this discussion is both timely and welcome.
What do you imagine when you hear the term “technology risk”? Is it something that seems important for your IT guy but not as critical as, say, supply chain breakdowns, or business interruption, or being blindsided by the competition? Rarely do I see IT risk as being one of the top ten risks in an enterprise risk assessment. But take a deeper look: Technology drives virtually every function and process in organizations today, from receiving an order to paying your vendor. If your technology breaks down, your business comes to a stop.
Interestingly, a recent survey of the top ten risks for the next 12 months, conducted by Protiviti and North Carolina State University ERM Initiative and based on input from over 500 executives and directors worldwide, placed cybersecurity, identity and privacy risk, and disruption risk (which can be driven by advances in digital technology) high on the list of key risk concerns.
What’s more, with the increased reliance on third-party service providers and the ubiquity of low-cost cloud solutions and services, much of that business-critical technology is no longer contained within the companies’ own walls. No longer do businesses have full control over their IT environments, yet IT risk touches everything a business does. Every top risk is, in essence, an IT risk.
IT risk assessments are, therefore, critical to conduct as part of the overall risk assessment. They help ensure that, as internal auditors, we’re addressing the highest-priority items that impact the organization and its ability to meet its strategic objectives.
So without further ado, I’m going to address three questions I briefly touched on during the webinar – questions I believe are on every IT auditor’s mind.
How often should you perform an IT audit?
Our professional standards, both ISACA’s and The IIA’s, recommend annual IT audit risk assessments. For organizations with annual revenues over $1 billion, that is largely the case: nearly 90 percent conduct some form of IT risk assessment, and 65 percent of those do so as part of their internal audit risk assessment process. However, many organizations below the billion-dollar mark perform no annual IT risk assessment. That’s troubling.
An annual IT audit is the baseline. The speed of technology, however, demands that internal audit professionals keep technology risk on the radar year-round and have a method for periodically taking the pulse of their IT risk assessment.
Some organizations do have a continual update process for IT risk assessment. These continual update programs are often seen in organizations with mature or maturing IT risk compliance processes, and are heavily supported by automated tools that provide real-time insights into the IT risk environment. These include tool sets for governance, risk management and compliance (GRC) and other leading tools produced by IT vendors, as well as internally developed tool sets.
Should your company be striving for a continuous IT audit risk process? The answer is a resounding “yes.” In the meantime, while working on building this capacity, an annual IT risk assessment is a must.
Who should be involved with IT audit?
There is a growing trend among certain highly IT-dependent organizations to have their IT risk assessments performed by groups outside of internal audit. Many of these organizations have developed robust IT risk compliance organizations, often within the IT function. We see these capabilities as a growing area, particularly in regulated industries. Even so, internal audit groups should always evaluate these assessments to ensure that they line up with the overall strategic drivers of the organization, as opposed to being siloed within the technology evaluation process.
Another group that needs to be involved is senior management. Clearly, security breach headlines have sharpened awareness among board members and senior management about the need for IT risk assessments. But there is still significant room for improvement. Our survey revealed that, with the exception of organizations in the Middle East, executive management is viewed as having moderate-to-significant levels of involvement with IT risk assessments in just over 50 percent of organizations surveyed. However, none of the organizations exceeded 75 percent in terms of the involvement of senior management. This is an opportunity gap.
It is our job, as risk advisers to our organizations, to seek a high level of involvement by management and the board. This extends beyond the regularly scheduled board meetings. It includes providing ongoing awareness and training to senior management and acting as management’s trusted advisors on IT risk. Bringing up the topic at a single board meeting will not move the risk needle. Moving the needle requires a continuous education process because technology itself is a moving target.
What can we as IT auditors do to ensure that we’re maximizing the value and benefit of our IT risk assessment?
Our survey highlights four steps:
- Communicate regularly with the audit committee to emphasize the importance of an IT risk assessment. One of our roles as audit executives is to advise the organization about risk, and this is a great opportunity to raise risk awareness among board members.
- Strive to move from an annual risk assessment to a more frequent update model. This model can be limited to those areas with the greatest rate of change or possibility of surprise.
- Link the IT risk assessment to an active enterprise risk management process; do not silo the IT risk assessment. This linkage will help bring a business context to the assessment.
- Encourage the organization to utilize a proven framework for evaluating IT risks. Several frameworks will work; no single framework meets every organization’s objectives. ITO, COBIT, NIST and others all have their strengths, but each also has its own shortcomings. However, the sooner you can adopt a common framework, the sooner you can help the organization raise its risk awareness by having a framework to evaluate risk even when the internal auditor is not present.
The days of IT risk being limited to a “black box” within the IT department are well behind us. IT risk exists throughout the entire organization, and often beyond. While specialization will always be needed to help navigate some of the technical challenges of auditing technology risk, the concept of IT risk is now the responsibility of the entire audit department.