Survey Details Shortcomings in IT Risk Assessment and Audit Practices
Most organizations participating in a Protiviti survey assess their IT risks infrequently, and many have understaffed IT audit capabilities.
Albert G. Holzinger
January 01, 2013
Protiviti’s second annual IT Audit Benchmarking Survey (PDF) reveals some alarming shortcomings in the vitally important IT risk assessment and audit practices of many organizations. “To succeed in today’s business environment, it’s absolutely critical for organizations to understand and manage IT risks that emerge with the rapidly escalating use of technology, and the best way to do that is with well-planned IT audit strategies and activities,” Protiviti Executive Vice President Brian Christensen says in a press release.
However, Protiviti’s worldwide survey of more than 300 chief audit executives (CAEs), internal audit directors, and IT audit directors and managers finds that 10 percent of respondent organizations with revenue of more than US $5 billion a year, and a much larger 31 percent of organizations with annual revenue of less than US $100 million, do not conduct IT risk assessments of any kind. Most (65 percent) of those that do make these assessments undertake the process just once a year, and 8 percent do so only semiannually — which the survey report warns “may not be adequate to keep pace with the current rate of technology change and innovation.”
The principal participants in the technology risk assessment processes of respondent organizations are internal auditors (72 percent), IT staff members (49 percent), line managers and business process owners (32 percent), top executives (31 percent), and risk managers (15 percent). ISACA’s COBIT is the framework used by most respondent organizations (63 percent) to structure IT risk assessments, followed by The Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control–Integrated Framework (46 percent).
Dedicated IT Audit Functions
Most large (91 percent) and small (69 percent) respondent organizations maintain a separate IT audit function within their internal audit department. Somewhat lower percentages of large and small respondent organizations — 56 percent and 31 percent, respectively — have a designated IT audit director.
The principal focus of IT audit work at all respondent organizations is IT general controls (92 percent), IT processes such as security and privacy (85 percent), applications (82 percent), infrastructure (75 percent), and compliance (75 percent). Survey participants say the top technology challenges facing their organization are:
- Information security, including data privacy, storage, and management.
- Cloud computing.
- Social media.
- Risk management and governance.
- Regulatory compliance.
- Technology integration and upgrades.
- Resource management.
- Infrastructure management.
- Fraud monitoring.
- Business continuity and disaster recovery planning.
- System implementation.
- Performance management and measurement.
Short-staffed But Coping
The survey report observes that “a large number of organizations, regardless of size, may be understaffed in terms of IT audit capabilities in their internal audit functions.” At 27 percent of large and small respondent organizations alike, IT audit-related head count comprises less than 10 percent of total audit staff; the report considers 20 percent to be optimal.
Large respondent organizations are most likely to augment their IT audit head count with guest auditors (30 percent) and cosourcing agreements (38 percent). Among small survey participants, the corresponding percentages are 12 percent and 20 percent. This difference may be due to the fact that 24 percent of small respondent organizations, but just 3 percent of large ones, outsource their entire IT audit activity. Organizations that use outside resources to conduct IT audit work cite a lack of available skill sets in-house (67 percent), an overall lack of internal audit resources (46 percent), a desire for knowledge transfer from outside resources to staff (38 percent), and a desire to get different perspectives (28 percent).
Regardless of whether they cosource some or all of their IT audit work, 33 percent of large respondent organizations and 40 percent of small ones say they are unable to address some areas of their plan due to a lack of resources or skills. Most large respondent organizations (54 percent) plan to address the skills gap by providing audit staff 40 hours to 80 hours of training in 2013, while half of small respondent organizations plan to provide less than 40 hours of staff training.