ISACA and Protiviti have released the results of their 6th annual survey of IT audit best practices.
While I recommend it to you, I have some comments of my own:
- It is time to rename the activity "Technology auditing". The IT department is no longer the sole custodian and owner of technology, nor is it responsible for all technology-related risks. Renaming the function will shift the emphasis to how the organization as a whole uses and manages technology.
- The survey fails to point out that the risk assessment performed to identify which projects these specialists should work on should be based on how technology can affect the achievement of business objectives. How could a failure to manage, or even to deploy, technology affect the enterprise's business strategies, plans, and objectives?
- There is no such thing as "IT risk" (to quote Jay Taylor). There is only technology-related business risk.
- A critical technology risk that is omitted is the failure to take enough risk when it comes to the deployment of new technology. Will the organization fail because it is second to adopt it and fall behind its competitors?
- One area that should always be considered is the length and age of the change management queue. The longer and older it is, the more likely that technology users are dissatisfied with the products and services they are using.
- The survey indicates that the audit plan is not being updated continually. Especially when it comes to technology, changes may be required at any time – and an annual plan is simply unacceptable!
- The survey also indicates that IT audit functions (using that old term) report outside the internal audit function. I find that totally wrong.
- Very few CAEs are, according to the survey, able to communicate technology-related issues to the audit committee. That also is unacceptable.
What do you think of the report?
What stands out for you?
I welcome your comments.