In mid-October, Protiviti and ISACA released the 2019 Global IT Audit Benchmarking Study, for which we surveyed more than 2,200 internal audit (IA) executives and professionals around the world. We summarized the key findings of the survey in this post, and we discussed them at greater length during a recent webinar. In this post, I want to elaborate on one specific finding, which made the top ten priorities of IT auditors for the first time this year – “bridging IT and the business.”
Organizations are learning that it’s not enough for tech departments to keep pace with an accelerating technology curve. It’s equally important to bring along the other departments, and IT audit specifically, to provide the proper oversight of the changing risk landscape and increase operational resilience.
One of the best ways to further this process is to create greater collaboration between the IT internal audit and IT teams. In fact, the 2019 benchmarking study showed that in several key functional areas, there is significant growth in such collaboration.
In the area of “IT Governance/Risk Management,” for example, the share of IT working groups that had built ongoing partnerships with IT auditors had risen from 55% last year to 79%. Even in the area of “Enterprise Portfolio,” a function not generally linked with IA, participation levels had nearly doubled, from 10% to 19%.
Evolution in IT Audit’s Role
The survey reveals a much-needed evolution in the role of IT audit from watchdog to advisor, a shift we have been advocating for some time. To be sure, IA must always remain independent to fulfill its critical function as the third line of defense for risk management, operational soundness, and compliance. However, if IT audit engages with IT at a much earlier stage of new technology projects and maintains an ongoing partnership, IA can fulfill its oversight function far more effectively. On the other side of the partnership, it also helps IT raise its success ratio for installing and enhancing systems because the likelihood of having to backtrack and put risk controls in place retroactively, after an IA review, is significantly reduced.
Every adoption of new technology changes an organization’s risk landscape. By meeting with IT personnel early in the planning stages of tech upgrades, migrations or digital initiatives, IA can build a more effective audit plan. It can get a better grasp of how data is to be sourced, processed, transmitted and consumed. Perhaps the best example of how this can benefit the organization is a cyberattack. In this often chaotic, all-hands-on-deck situation, pre-work between IT and IA can go a long way in mitigating damage and executing a quick recovery.
On the IT side, an early and ongoing collaboration with IA helps to identify and mitigate operational gaps and potential risks. As such, it can give the IT team a leg up on staying within budget and getting buy-in from the rest of the organization. While IT is naturally more focused on the technical aspects of project implementations, user training, etc., the fresh outside perspective of IT audit can spot potential pitfalls and help with timely course corrections.
Overcoming Natural Barriers
By definition, IA oversees the work of IT, and by tradition, IT often chafes at outside interference. Though the survey results point to the blurring of these lines in specific areas such as IT governance, the resistance generally remains, and overcoming it won’t happen overnight. As with all relationships, it’s about nurturing and building trust through pursuing mutuality of interests.
One way of building that trust is by collaborating on advisory-only audits early in the cycle that do not get reported beyond the participants. In this way, IT has an opportunity to work collaboratively with IA to define the contours of the auditing process and work out wrinkles in an environment of safety and trust.
Educating IA about new and advanced technology is another huge trust builder. One successful approach to increasing IA’s technical competency is to periodically bring in subject-matter experts (SMEs) for informal education sessions on a particular topic that has little or even nothing to do with auditing. Rather, the SME is there simply to inform, answer questions, and talk through some of the project challenges that IT faces.
There are other measures that can be taken as well. Some forward-looking organizations have aligned IA around the Agile approach used by many IT departments. From an audit perspective, the concept of “failing fast” – identifying problems or issues before they become actual obstructions, and then taking corrective action – makes perfect sense.
Future of Collaboration
At Protiviti, we expect this trend toward greater collaboration between IT audit and IT to continue. As the pace of technology quickens and organizations face a dynamic, uncertain future, such collaboration can provide a better grasp of how the organization is building a business plan around major tech initiatives. It will also give IA greater ability to forecast its own skills and resource requirements.
From IT’s perspective, greater partnering with IA can provide a view into the risk landscape of the enterprise, and highlight opportunities to strengthen cybersecurity controls related to data and data privacy. IA’s knowledge of organizational dynamics can help solve many of the problems IT struggles with, making information more available and data more secure, and driving enterprise value.