Information Security (including data privacy, storage and management) ranked #1 among the top technology challenges faced by organisations, according to the 2012 IT Audit Benchmarking Survey conducted by Protiviti, a global consulting firm operating in over 20 countries. Protiviti conducted the survey at the end of September 2012 with 1,000 people from companies with 100+ employees.
Cloud computing, social media, risk management and governance, and regulatory compliance followed on the list of top technology challenges.
The survey hints that a large number of organizations may be understaffed in terms of IT audit capabilities in their internal audit functions. Organizations are filling this gap with guest auditors, co-source providers and outsourced IT audit functions.
While the survey indicates a significant gap in the IT audit capabilities of many organizations, 48% of small companies are not using any outside resources, clearly indicating that these organizations lack the necessary skills and resources to manage IT risk.
IIA Standard 1210.A3 – Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.
IT Audit Risk Assessment
Considering the pace of technology proliferation in organizations' IT implementations and business models, as well as the changing threat scope in general, IT audit risk assessment needs to be carried out as an ongoing process and at least once a quarter. Interestingly, only 13% of the organizations conduct the risk assessment at this frequency, and as many as 65% of the organizations conduct it at annual intervals!! This clearly indicates that the majority of organizations are NOT keeping pace with the rate of technology change, emerging new threats and innovations in the organizations.
IIA Standard 2110.A2 – The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.
Unfortunately, responses from about three-fourths of the organizations indicate that the IT governance process is NOT a priority.
The survey also covered other aspects, such as training and gaps in the audit plan, and can be accessed at http://www.protiviti.com/en-US/Documents/Surveys/2012-IT-Audit-Benchmarking-Survey-Protiviti.pdf