IT Audit Webinar: Your Questions Answered

By Gordon Braun, Managing Director
IT Audit

Following up on a recent blog post discussing the results of the 6th Annual IT Audit Benchmarking Study from ISACA and Protiviti, I want to revisit the subject by answering some of the audience questions we were unable to address live during the webinar, which I co-hosted with my Protiviti colleague David Brand and ISACA director Ed Moyle.

(I want to stress that we receive many great questions during our webinars but they may not always be answered in the limited window allowed by our webinar time constraints. I invite you to subscribe to our blog as we often follow up with these questions here.)

Q: How can growing organizations move from a reactionary approach to IT risk management to a more proactive approach and get ahead of emerging risk issues?

To be proactive, I think it is very important to invest in relationship-building activities with IT. Find a way to get invited to IT meetings and town halls and get added to key IT distribution lists. If you are not being included in those meetings, if you are not receiving IT organization announcements/distributions, and if you are not generally being considered a part of the IT “family,” you need to revisit your approach and take action to change your relationship status.

The goal should be to establish an ongoing dialogue so that internal audit knows what projects are in the pipeline and what technologies may be emerging, in order to be appropriately involved at the earliest stages of these projects. I’ve seen a lot of IT audit organizations struggle with this. It’s hard to see the risks around the corner if the IT auditor does not know in which direction IT is headed. Too often, IT audit is reacting well after the fact, and that’s not a good position to be in.

I also suggest that IT auditors partner with enterprise risk management to maintain a good understanding of the strategic direction of the company. An IT auditor needs to understand the direction of an organization in order to identify risks associated with the future demand for technology, as well as the technology skill sets likely to be required.

For IT, the most important incentive for building a strong relationship with IT audit is the value IT audit can bring to that organization, and IT audit should be able to communicate that benefit. IT auditors are not only good evaluators, but they are individuals that can help the IT organization be successful in achieving its objectives. When reporting on IT, it is important to consider the context in which IT is operating. How information is presented — whether it is perceived as collaborative and constructive — can have a significant impact on the IT / IT audit relationship.

Q: Do you see more IT audit shops leveraging continuous auditing to focus on some of the challenges highlighted in the survey?

I see the second line of defense doing more continuous monitoring and then IT audit shops allowing for flexibility in the IT audit plan to allow for a shift based on the findings of continuous monitoring activities. As issues are identified in the second line, top-performing audit shops are able to shift activities and focus on emerging or more urgent items that require attention.

Q: Should the IT audit director report directly to the audit committee?

Not usually. While we are seeing the IT audit director attend more audit committee meetings, the line of reporting is typically up through the chief audit executive.

Q: Where does the responsibility for IT risk assessment live: with the IT organization or the IT audit function?

Certainly, IT has to be responsible for managing its own risk. But it is very common today to have a specific IT risk assessment process occurring through the internal audit organization. As technology, automation and digitization become a more integral part of our lives, boards and management are going to want more assurance around the tech environment, and that starts with an effective risk assessment process.

A coordinated or collaborative activity is the smart approach. It is best practice that IT does its own risk assessment. The trouble starts when there is a significant disconnect between the assessment results coming from IT and IT audit. Parallel assessments are perfectly legitimate and expected but there should be some effort to coordinate, collaborate and understand/reconcile any major differences.

Ultimately, you want to have an efficient risk management and IT governance process that delivers results that are easily understandable and interpreted by executive management and the board.

You can access the archived version of the webinar and more Q&As from it here.

Partly Cloudy: Outage Raises Resiliency Concerns

By Jeff Weber, Managing Director
Technology Strategy and Operation

Everyone needs a little downtime – critical IT infrastructure, not so much. Security and reliability have long been the two primary enterprise concerns when it comes to the cloud. And while security has been the dominant concern over the past couple of years, recent high-profile cloud outages have brought reliability front and center.

A recent outage affected almost 150,000 sites. In the not-so-distant, cloud-less past, most companies would have had in-house servers, and the disruption would have been limited and isolated. Included in the outage was an internet messaging and chat service popular among IT professionals, who were quick to notice and spread the word. More importantly, this service underpins IT operations and communication, and the outage impaired affected organizations’ ability to maintain service levels.

Even companies with on-premises enterprise systems could find themselves unexpectedly cut off from critical services, vendor portals and clients in the event of a service interruption at a cloud-based communications provider.

Cloud functionality affects virtually everyone. These days, if any company thinks it doesn’t have significant cloud exposure, it needs to think again. Now is the time for companies to be asking themselves whether their risk management framework is robust enough to identify risk exposure they may not have thought about.

The worst time to discover a critical exposure to a cloud outage is…well, always. Protiviti recommends that companies act now to conduct a cloud risk assessment and impact analysis and develop an effective response plan. Key elements include:

  • Conducting a thorough process review to identify any hidden cloud exposures
  • Identifying and prioritizing “crown jewels” – in this case, critical functions that must be protected from disruption
  • Comparing exposures against the company’s risk appetite and establishing a remediation threshold – for example, frequency and duration of outage
  • Creating an awareness of susceptibilities and developing response procedures

Although for many companies this type of exercise is new when it comes to cloud computing, it is essentially the same process they have applied in the past to telecommunications, infrastructure and other “always-on” systems and applications. The chief information officer should lead, or at least be at the table for this discussion, and ensure that the right people are involved in the conversation. Furthermore, the discussion should be conducted in business-relevant terms (risk, effect on operations) rather than IT terms (systems downtime, for example).

Public reaction to cloud outages, to date, has been relatively muted. That is likely to change, and quickly, as connectivity increases and digitization and the Internet of Things transform existing business models. No one is really shocked that cloud outages happen, but now that they are on the radar, it is important to plan for the occasional yet inevitable “inclement weather.”

Taking a Global Look at IT Audit Best Practices – ISACA/Protiviti Survey

Protiviti and ISACA, a global business technology professional association for IT audit/assurance, governance, risk and information security professionals, have released the results of our joint annual IT Audit Benchmarking Survey. Key takeaways from this year’s study include the following:

  • Cybersecurity is viewed as the top technology challenge.
  • There appears to be more executive-level interest in IT audit.
  • More CAEs are assuming a direct leadership role for IT audit.
  • Most IT audit shops have a significant or moderate level of involvement in key technology projects.
  • Most IT audit shops perform IT audit risk assessments, though a majority do so annually or less frequently.

Take a look at our infographic and video here. For more information and to download a complimentary copy of our report, A Global Look at IT Audit Best Practices – Assessing the International Leaders in an Annual ISACA/Protiviti Survey, visit

A Global Look at IT Audit Best Practices from ISACA and Protiviti

By David Brand
Managing Director – Leader, IT Audit Practice

There is no disputing technology’s role in business today as an enabler of virtually every process and function. With this enablement and the advantages IT brings also come global risks – security, cyberattacks, privacy issues, data breaches, governance, asset management and much more. The critical question we ask is: Are IT audit practices keeping pace in order to assess, monitor and mitigate critical risks coupled to a technology-enabled business? This is what ISACA and Protiviti set out to determine in conducting the fourth annual IT Audit Benchmarking Survey.

Our 5 key findings from this year’s study:

  1. Cybersecurity and privacy are primary concerns – This area is rated as the top technology challenge and also may be driving trends such as increasing involvement from audit committees in IT auditing activities.
  2. Companies face significant IT audit staffing and resource challenges – Not only is this issue ranked among the top technology challenges, but it is an undercurrent in many of the survey findings, including the use of external resources to support IT auditing efforts.
  3. Audit committees, as well as organizations in general, are becoming more engaged in IT audit – More organizations have a designated IT audit leader, and over the past three years, the percentage of IT audit leaders that regularly attend audit committee meetings has doubled.
  4. IT audit risk assessments are not being conducted, or updated, frequently enough – Given the dynamic nature of technology change and risk, it is surprising to find that some companies still do not conduct IT audit risk assessments. Not only must IT audit risk assessments be performed, but they also should be reviewed and, if necessary, updated on a quarterly basis or more frequently. However, a majority of companies are conducting these reviews annually or even less frequently.
  5. There’s room for growth in IT audit reports and reporting structures – A majority of companies do not issue enough IT audit reports, and many still have the IT audit leader in a less-than-ideal reporting structure.

IT Audit Benchmarking Survey Infographic

Check out our infographic here. To view and download our report with detailed results from our study, visit

IT Risks Are Prevalent – Do You Have Enough IT Audit Coverage?

By David Brand
Managing Director – Leader, IT Audit Practice

IT risk is everyone’s problem. By “everyone,” we mean the board of directors, senior management, process owners and internal auditors. Internal audit departments play a critical role in ensuring that mitigating processes and procedures are in place and working effectively to manage the organization’s risks. An alarming number of organizations, however, are not maximizing the input internal audit can have in helping to manage their IT risks. This neglect can result in incidents that embarrass the top of the organization, the CIO organization and the owners of affected processes.

With the rapid evolution and propagation of social media, cloud and mobile technologies, IT departments are often stretched to their limits. Under pressure to implement, it’s easy to miss vulnerabilities and potential security breaches.

Examples – such as the website launch debacle and any number of corporate mea culpas regarding security breaches exposing customer financial data – illustrate vividly how quickly a glitch or vulnerability can escalate from an IT problem to a critical business problem and a huge reputational risk.

When it comes to IT audit programs and practices, our annual IT Audit Benchmarking Survey consistently reveals that organizations leave themselves significant room for improvement. Too many fail to plan and institute the IT audit coverage necessary to ensure an available, secure and efficient IT environment.

Furthermore, some organizations don’t house their IT audit resources in their internal audit departments, and others lack such resources entirely. We have found that just 1 in 4 companies have an IT audit director or someone in an equivalent role focused on technology risks.

I could say a lot on this topic, but our benchmarking survey provides a much more thorough and detailed analysis. I encourage you to read it. For now, let me close with five key questions that every CEO and audit committee member should be asking about their organization’s IT audit capabilities:

  1. Is our internal audit function performing an effective IT risk assessment at least once a year, and are people who are knowledgeable of infrastructure, applications and IT involved in the process?
  2. Has our internal audit team reviewed the COSO (2013 update) and COBIT 5 frameworks, and are our audit plans based on those recognized policies and practices?
  3. Does our IT audit team have a clear understanding of our organization’s short- and long-term IT objectives?
  4. How do we quantify our IT risks? What industry benchmarks and best practices are used?
  5. Does our IT audit risk assessment process coordinate with other risk assessment areas, including financial, operational and compliance?

As with any growing or rapidly changing risk, it is important for organizations to stay ahead of the risk management curve – and make this a sustainable effort.

For more about Protiviti’s IT Audit Benchmarking Survey, watch our video. I also invite you to see how you rate in auditing your IT risks at

Cybersecurity at the board level: Is your intellectual property and sensitive information leakproof?

In my line of work, I have the pleasure of talking to boards of directors and C-Level executives all over the country. I’m often impressed with their commitment to their enterprises, their keen intelligence, their professionalism and their drive. But I’m frequently stunned to see organizations without a process and control environment for protecting their intellectual property online. Of particular interest, board communications are among the most vulnerable.

Too many organizations treat emails, stored internal document files and social media communications as operational exceptions to otherwise tight cybersecurity framework rules. In fact, Thomson Reuters Accelus pointed out in its annual Board Governance Survey that more than 75 percent of organizations “utilize unsecure, personal email accounts to distribute board documents.” And barely half ensure these communications are encrypted. In this day and age, I call that a “wow!”

Board books, in particular, are almost 70 percent bigger than they were just a couple of years ago, according to some estimates, and more than half of companies produce them digitally. We all realize the importance of saving trees and “going green” but, having said that, we also know that confidential information is included in these books. Interestingly, the number of companies that distribute them electronically has dropped of late.

Things are changing for the better. Thomson Reuters Accelus also reported that 52 percent of organizations use board-only portals to share sensitive board information. Another encouraging trend: More organizations are providing their boards with secure mobile devices for board communications.

I call that good news because protecting sensitive information is getting harder every day. We pointed out in an issue of our Board Perspectives: Risk Oversight newsletter that despite the U.S. Securities and Exchange Commission requirements to disclose cyberattacks, reported attacks are just the tip of a vast iceberg. And cybercriminals are using ever more sophisticated means to gain control of online information. Simply stated, they are playing for keeps. We know that because Protiviti helps companies all over the world assess and manage these growing threats.

For boards of directors, as well as any other level of the organization seeking to secure its data and communications, an approach toward security that focuses on information governance is critical. This fosters cross-organizational collaboration and structured policymaking. That kind of team approach is vital to managing the risk of cyberattacks on board documents; it seems perfectly tailored to the less-than-structured and flexible approach so many companies now take to their board communications.

Protiviti employs a number of content management measures, including document locking on our online intellectual property. Others have been known to go so far as to embed user verification codes that cause documents to electronically “shred” themselves if opened by an unauthorized user. Some swear by this kind of digital rights management. Others have found it cumbersome to the extreme. This is challenging in the board environment, as directors and executive teams like to keep things simple.

What do you do to protect your board communications and intellectual property and sensitive information online? Share your thoughts in the comments below.

The CIO’s New World – Transformation, Innovation and the Impediments to Achieving Them

by Ed Page
Managing Director – Leader, Protiviti’s National Financial Services IT Consulting Practice

Innovation and IT transformation are hot topics these days. Our Emerging Risks and IT Priorities surveys highlight these points clearly, and there’s good reason for these trends.

Technology is evolving at an incredible pace, putting new capabilities in the hands of both end users and IT professionals alike. This creates a growing need for IT organizations to become more nimble as they seek to adapt to changes in both the technology landscape and consumer behaviors. A lot of attention is being paid to the impact of social, mobile, analytics, and cloud (SMAC) technologies, with many organizations moving towards Agile development methodologies and supporting tools (DevOps) as means of becoming responsive. These areas of focus fuel many of the innovation and IT transformation opportunities that we so often hear about.

On the other hand, there is little talk about the impediments that exist in many large IT shops. The unfortunate reality is that many large enterprises are simply not engineered to take full advantage of these new methods and technical capabilities.

For example, the IT infrastructure for most enterprises in financial services has been developed over decades, often complicated by the impact of multiple mergers and acquisitions. The result is an architecture that I liken to an archeological dig. At the top layer, you’ll find some of the shiniest and newest technology known to man, but dig a little deeper, and you’ll find that it’s built on top of layers and layers of older technology, some dating back three decades or more. The interdependencies between these layers are complex, so it’s not a simple matter to “rip and replace” the older parts of the environment, yet those parts remain absolutely mission critical. Dealing with this reality is neither as easy as deploying new products and services nor does it have the same sizzle, but it cannot be ignored.

This underscores the need for IT transformation, making the job of the CIO a lot like the manager of a large city that has to undergo urban renewal. The enterprise – the CIO’s city – has to keep operating flawlessly while the renewal occurs. Funding for infrastructure renewal has to be procured, risks have to be managed, and “detours” have to be planned and communicated – all while core infrastructure work is underway.

And it’s not just about the technology; working through organizational change matters just as much, since existing processes are designed around the current complexity. Successful IT executives will be those who recognize the need for change, then develop and execute a risk-managed plan to adapt their people, processes and technology to create a solid foundation within the organization to support the adoption of new technical capabilities and enable innovation.

These transformation challenges, as well as opportunities presented, are described more fully in our recent FS Insights article on The IT Hierarchy of Concerns and the Ambiguous Cloud of Emerging Technology.