Following up on a recent blog post discussing the results of the 6th Annual IT Audit Benchmarking Study from ISACA and Protiviti, I want to revisit the subject by answering some of the audience questions we were unable to address live during the webinar, which I co-hosted with my Protiviti colleague David Brand and ISACA director Ed Moyle.
(I want to stress that we receive many great questions during our webinars but they may not always be answered in the limited window allowed by our webinar time constraints. I invite you to subscribe to our blog as we often follow up with these questions here.)
Q: How can growing organizations move from a reactionary approach to IT risk management to a more proactive approach and get ahead of emerging risk issues?
To be proactive, I think it is very important to invest in relationship-building activities with IT. Find a way to get invited to IT meetings and town halls and get added to key IT distribution lists. If you are not being included in those meetings, if you are not receiving IT organization announcements/distributions, and if you are not generally being considered a part of the IT “family,” you need to revisit your approach and take action to change your relationship status.
The goal should be to establish an ongoing dialogue so that internal audit knows what projects are in the pipeline and what technologies may be emerging in order to be appropriately involved at the earliest stages of these projects. I’ve seen a lot of IT audit organizations struggle with this. It’s hard to see the risks around the corner if the IT auditor does not know in which direction IT is headed. Too often, IT audit is reacting well after the fact, and that’s not a good position to be in.
I also suggest that IT auditors partner with enterprise risk management to maintain a good understanding of the strategic direction of the company. An IT auditor needs to understand the direction of an organization in order to identify risks associated with the future demand for technology, as well as the technology skill sets likely to be required.
For IT, the most important incentive for building a strong relationship with IT audit is the value IT audit can bring to that organization, and IT audit should be able to communicate that benefit. IT auditors are not only good evaluators, but they are individuals that can help the IT organization be successful in achieving its objectives. When reporting on IT, it is important to consider the context in which IT is operating. How information is presented — whether it is perceived as collaborative and constructive — can have a significant impact on the IT / IT audit relationship.
Q: Do you see more IT audit shops leveraging continuous auditing to focus on some of the challenges highlighted in the survey?
I see the second line of defense doing more continuous monitoring and then IT audit shops allowing for flexibility in the IT audit plan to allow for a shift based on the findings of continuous monitoring activities. As issues are identified in the second line, top-performing audit shops are able to shift activities and focus on emerging or more urgent items that require attention.
Q: Should the IT audit director report directly to the audit committee?
Not usually. While we are seeing the IT audit director attend more audit committee meetings, the line of reporting is typically up through the chief audit executive.
Q: Where does the responsibility for IT risk assessment live — with the IT organization or the IT audit function?
Certainly, IT has to be responsible for managing its own risk. But it is very common today to have a specific IT risk assessment process occurring through the internal audit organization. As technology, automation and digitization become a more integral part of our lives, boards and management are going to want more assurance around the tech environment, and that starts with an effective risk assessment process.
A coordinated or collaborative activity is the smart approach. It is best practice that IT does its own risk assessment. The trouble starts when there is a significant disconnect between the assessment results coming from IT and IT audit. Parallel assessments are perfectly legitimate and expected but there should be some effort to coordinate, collaborate and understand/reconcile any major differences.
Ultimately, you want to have an efficient risk management and IT governance process that delivers results that are easily understandable and interpreted by executive management and the board.
You can access the archived version of the webinar and more Q&As from it here.