I just read through the latest ISACA/Protiviti survey, A Global Look at IT Audit Best Practices.
It has a wealth of generally useful information and I recommend it to all internal audit leaders but not to board members — the level of detail is too much for their use. The executive summary is the most I would have a director read. But it would be better to have the CAE summarize the report for them, focusing on what lessons should be learned for their particular organization.
Some things surprised and others disappointed me.
My most important issue is that we need to stop talking about IT audit.
We should be talking about auditing risks relating to technology!
In the days of yore, the IT department owned and ran all the technology — with the exception of minor pieces of so-called user-managed software.
But not in 2016.
A good friend of mine, Gene Kim, is co-author of The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win. I recommend it to anybody interested in technology and today's approach to running the IT function.
Recently, I read a review of The Phoenix Project by Sara Hruska. She makes a few pertinent points:
- Pretty much every business is so dependent on technology that the distinction between leading the IT function and the CEO/chief operating officer role is diminishing.
- The success of any organization can be dependent on the ability of the IT function to deliver at speed technology solutions that will drive the business.
So, my first point is that the topic should no longer be the IT function, but the development, maintenance, and use of technology across the extended enterprise.
Let's talk about technology auditing.
Then there's my constant drumbeat comment that there is no such thing as IT risk.
It's technology-related business risk.
What could go wrong when it comes to the development, maintenance, or use of technology that would significantly affect the achievement of business objectives?
For that reason, there should not be a separate IT audit plan. It should, as Protiviti reports is more often than not the case, part of an integrated audit plan that is updated as often as risks change.
According to Protiviti, about half the respondents only update their (IT) audit plan annually.
That simply won't do in an era of dynamic change, especially around technology and its use.
I find it curious that despite the point made by Sara Hruska, the ability to identify the potential for disruptive technology to drive the organization forward is not among the top technology challenges in the Protiviti report. Perhaps it is because that was not an option Protiviti allowed respondents to select. More likely, though, it is because practitioners simply don't pay enough attention to the problem.
Is that correct?
Maybe Protiviti thought that their question about auditing IT governance would cover it. But, IMHO, a single audit of IT governance is not recommended. The topic is broad and practitioners should assess only those aspects of IT governance that are more critical to their business.
Other points of interest in the survey results:
- Nearly half believe their IT department is not aware of all of their organization's connected devices (e.g., connected thermostats, TVs, fire alarms, cars).
- 83 percent of respondents say cyberattacks are among the top three threats facing organizations today, and only 38 percent say they are prepared to experience one. — Comment, I wonder if they have assessed the business risk of a breach.
- The study also found that only 29 percent of the respondents are very confident in their enterprise's ability to ensure the privacy of its sensitive data.
- Only 65 percent said their CAE has sufficient knowledge to discuss IT audit matters with the audit committee. — Comment, that is dreadful.
- Half or less than half of companies have their CAE or IT audit lead meet regularly with the chief information officer!
- Where there is a corporate ERM framework, less than half the IT audit work is integrated with it.
- Only about half are doing a significant or even a moderate amount of work on new technology initiatives.
This is a disappointing state of affairs. I was an IT auditor for many years before becoming a CAE and always made sure my team was involved in every major technology initiative. The IT audit staff was generally about a third of the team — and I am talking about from 1990 to 2012!
Today, technology-related risk is huge and merits a lot more attention that it appears, from the study, it is getting.
What do you think?
What jumps out at you from the survey?