Information Security (including data privacy, storage and management) ranked #1 among the top technology challenges faced by organisations, according to the 2012 IT Audit Benchmarking Survey conducted by Protiviti, a global consulting firm operating in over 20 countries. Protiviti conducted the survey at the end of September 2012 with 1,000 people from companies with 100+ employees.
Cloud computing, social media, risk management & governance, and regulatory compliance followed on the list of top technology challenges.
The survey hints that a large number of organizations may be understaffed in terms of IT Audit capabilities in their internal audit functions. Organizations are filling this gap with guest auditors, co-source providers and outsourced IT audit functions.
While the survey indicates a significant gap in the IT audit capabilities of many organizations, 48% of small companies are not using any outside resources, clearly indicating that these organizations lack the necessary skills and resources to manage IT risk.
The in-house internal audit department lacking specific skill sets seems to be the major reason organizations use external resources to meet their IT audit requirements. 67% of the participants expressed this opinion, compared with 62% in 2011. This clearly indicates that organizations are increasingly looking to use the services of experienced and qualified IT auditors while keeping costs low.
Considering the fact that a significant number of companies have limited or no resources devoted to IT Audit, the survey concludes that a number of organizations are not in compliance with Standard 1210.A3 stipulated by the IIA.
IIA Standard 1210.A3 – Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.
IT Audit Risk Assessment
Considering the pace of technology proliferation in organizations' IT implementations and business models, as well as the changing threat scope in general, IT audit risk assessment needs to be carried out as an ongoing process, at least once a quarter. Interestingly, only 13% of the organizations conduct the risk assessment at this frequency, and as many as 65% of the organizations conduct it at annual intervals! This clearly indicates that the majority of organizations are NOT keeping pace with the rate of technology change, emerging new threats and innovations in the organizations.
On a positive note, 86% of the organizations have adopted a framework on which to base their IT Audit Risk Assessments, with COBIT (63%) and COSO (43%) leading the list.
The survey tested the organizations' IT Governance processes against the IIA standard, which requires the internal audit function to assess whether IT Governance sustains and supports the organization's business strategy and objectives.
IIA Standard 2110.A2 – The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.
Unfortunately, responses from about three-fourths of the organizations indicate that the IT Governance process is NOT a priority.
The survey also covered other aspects, such as training and gaps in the audit plan, and can be accessed at http://www.protiviti.com/en-US/Documents/Surveys/2012-IT-Audit-Benchmarking-Survey-Protiviti.pdf