There's room for IT audit functions at the technology table, but most of them aren't involved in all stages of IT projects, the recent IT Audit Benchmarking Study by ISACA and Protiviti Inc. reports. The organizations surveyed 1,062 internal audit and IT audit leaders and professionals from organizations throughout the world for the study.
Nearly 90 percent of respondents say their organizations have implemented an IT system or application within the past three years. Process automation and improvements to core infrastructure were the most common projects, far outpacing initiatives involving business intelligence, customer user interfaces, and collaboration. Across all regions, respondents say most of these projects were successful.
That's not the norm for such projects, the report notes. It cites a study from consulting firm McKinsey and the University of Oxford that found that IT projects on average run 45 percent over budget and 7 percent over time, while delivering just 56 percent of the promised value.
IT auditors could be helpful in implementing projects more effectively. In the largest companies, 71 percent of IT audit functions are moderately (45 percent) or significantly (26 percent) involved in IT projects. The problem is they are most likely to be involved at the end of projects. Although 43 percent of respondents say IT audit is involved at the planning stage, 65 percent say it is involved in post-implementation — usually assessing how well the project has done. IT audit is less involved in design, testing, and implementation, when the bulk of the work is performed.
"There is an opportunity for organizations to derive more value from their major IT projects by engaging IT audit earlier rather than downstream in the projects," says ISACA Chairman Christos Dimitriadis, group director of information security for Athens, Greece-based gaming technology company Intralot. "With a solid foundation of assurance at the front end, organizations can have the confidence they need to be innovative and fast-paced in pursuit of their business goals."
Top Business and Technology Challenges
- IT security and privacy.
- Infrastructure management.
- Emerging technology and infrastructure changes.
- Resource, staffing, and skills.
- Regulatory compliance.
- Budgets and cost control.
- Cloud computing and virtualization.
- Bridging IT and the business.
- Project management and change management.
- Third-party and vendor management.
Source: ISACA and Protiviti Inc., IT Audit Benchmarking Study, 2017.
In addition to post-implementation project reviews (51 percent), IT audits of major projects evaluated test phases (48 percent), project governance (48 percent), the project risk management plan (45 percent), system development life cycle (45 percent), the data conversion process (44 percent), alignment of project success measures to desired business outcomes (41 percent), the project plan (41 percent), and project requirements (40 percent).
The most significant risk factor respondents identified is frequency of updates to project goals and outcomes based on changing business requirements (26 percent). Other factors include goals that aren't clearly defined (17 percent), frequency of change in project specifications without formal assessments (14 percent), lack of a defined and documented project management methodology (13 percent), capabilities and skills of the project manager and team (12 percent), and level of employee turnover on project teams (7 percent).
Raising IT audit's profile within the organization could help it become more involved in projects, the report notes. A positive sign is that 55 percent of respondents say their organization's IT audit director regularly attends board meetings, up from 49 percent in last year's study. "Audit committee members, in particular, are seeking greater assurance around critical IT risks and controls," says Gordon Braun, managing director of Protiviti's IT audit practice. "Internal audit and IT audit leaders must be prepared to demonstrate audit coverage of key areas and articulate where the highest risks remain."
Increasingly, chief audit executives (CAEs) are becoming better able to provide assurance on IT risks, the report finds. Nearly three-fourths (72 percent) of respondents say their organization's CAE has sufficient knowledge to discuss IT audit matters with the audit committee.
But there is something missing from some organizations' IT operations: IT audit risk assessments. Most respondent organizations perform them, but they are lacking in 23 percent of organizations with less than US$100 million in revenue. Across all organizations surveyed, IT audit risk assessments typically are performed as part of internal audit's overall risk assessment. Most responding organizations update those assessments annually. Continuous assessments are most common in the largest (18 percent) and smallest (14 percent) organizations.