Keeping pace with emerging technology and infrastructure changes, including transformation, innovation and disruption, is the number one technology challenge of today’s IT audit executives and professionals.
In today’s dynamic and ever-changing business and technology environments, companies are challenged to manage an escalating volume of IT risks at the same rapidity with which they are presented, a task that must be mastered in order to ensure the well-being of a business, notes ISACA, which presented the findings of a survey it conducted with global consulting firm Protiviti.
“Rapid change is the norm in today’s business environment. IT audit professionals have recognised the need to grow their knowledge and expertise while also updating their policies, processes, people and technology, all in order to arm themselves against the increasing challenges and threats presented by an ever-evolving technology landscape,” says David Brand, who leads the global IT audit practice at Protiviti.
The fifth annual IT Audit Benchmarking Survey, titled A Global Look at IT Audit Best Practices, examines where IT audit functions stand in their capabilities to help management and the board of directors address these complex issues.
In the new survey, 1,230 respondents worldwide shared their perceptions of top technology challenges currently facing their organisations.
These challenges are consistent with current market activity and have deep interrelationships with each other, says ISACA, in a statement.
The top 10 challenges they cited were:
1. Emerging technology and infrastructure changes ‑ transformation, innovation, disruption
2. IT security and privacy/cybersecurity
3. Resource/staffing/skills challenges
4. Infrastructure management
5. Cloud computing/virtualisation
6. Bridging IT and the business
7. Big data and analytics
8. Project management and change management
9. Regulatory compliance
10. Budgets and controlling costs
Regulatory compliance and budgets/controlling costs have moved down significantly on the list compared to last year, indicating that other emerging areas are now top concerns for respondents.
ISACA says respondents also expressed significant concerns about finding qualified resources and skills.
Not only was this noted by respondents as one of today’s top IT challenges, but numerous results suggest that finding the right people with the right knowledge and skills for the right job remains an uphill battle, says ISACA.
The survey finds many IT audit reporting lines are still off the mark. Having the IT audit director report to the chief audit executive (CAE) or an equivalent role is ideal, yet many organisations still have other reporting lines in place, bringing into question whether IT audit still falls under the “third line of defence” as an independent function.
The study notes that there are small but meaningful numbers of companies that are not conducting any type of IT audit risk assessment. For these organisations, this is a significant risk given the cybersecurity threat environment, says ISACA. Other organisations are adhering to best practices by conducting these risk assessments more frequently.
Meanwhile, 60 per cent of the largest public companies surveyed have a designated IT Audit Director or equivalent position within their organisations, and yet, in half of all companies, these individuals do not attend audit committee meetings. Furthermore, many companies still have established reporting structures that are less than optimal.
Having the IT audit director report to the CAE or equivalent is a best practice, yet 28 per cent of companies in North America and Asia use another, less ideal reporting line. This number is as high as 33 per cent in Latin America and 41 per cent in Europe.
"Organisations need to ensure that they address effective IT audit management through a number of controls, including treating IT and cybersecurity risks as strategic-level risks, operating as a truly independent and impartial function, and allotting the necessary resources and expertise, whether internal or external, to help the organisation identify and manage its IT risks effectively," says Christos Dimitriadis, international president of ISACA.
He says by definition, IT auditors work in collaboration with executive management, the board of directors, IT, legal, human resources and numerous other departments to help their organisations mitigate and control an escalating volume of IT risks that could cripple the enterprise.
On a positive note, the ISACA-Protiviti survey reveals a noticeable uptick in the frequency with which IT audit risk assessments are updated by organisations. However, the number of organisations conducting continual assessments still remains low – around 16 per cent for even the largest companies.
Globally, respondents cited COBIT as the most accepted industry framework on which the IT audit risk assessment is based, followed by COSO, ISO and ITIL. In practice, organisations may utilise a combination of these frameworks to complete their risk assessments.
Follow Divina Paredes on Twitter: @divinap