According to a newly-released benchmarking study from global consulting firm Protiviti and ISACA, IT audit plans in 2018 are being directly affected by the challenge of cybersecurity. The 7th annual survey found that one in five organizations, on average, is not including cybersecurity in its audit plans due to lack of qualified resources, specifically people, skills and/or auditing tools. Given the increased focus on digital transformation within organizations, IT auditors are playing an increasingly important role and need to be involved throughout an entire technology project lifecycle.
In the study, IT audit leaders and professionals defined their top five technology challenges:
- IT security and privacy/cybersecurity
- Infrastructure management
- Emerging technology and infrastructure changes – transformation, innovation, disruption
- Resource/staffing/skills challenges
- Regulatory compliance
There is an interrelated dynamic present in these findings. Emerging technologies and digital transformation place greater pressure on existing IT infrastructure and cause companies to explore alternative delivery models (e.g. through third-party arrangements), while giving rise to new cybersecurity and privacy risks – all of which require an evolution in the skillset of IT auditors. The survey offers findings from more than 1,300 chief audit executives (CAE), internal audit professionals and IT audit vice presidents and directors worldwide.
“Organizations are putting themselves at risk by not planning for and addressing existing and evolving cybersecurity threats within their audit plans,” said Andrew Struthers-Kennedy, a Protiviti managing director and global leader of the firm’s IT Audit practice. “Planning for cybersecurity not only helps with risk management, but also helps address gaps that can come from digitalization. As more businesses accelerate the pace of technology transformation and increase their reliance on third-party vendors as part of their digital transformation efforts, the number and severity of cybersecurity risks is increasing.”
“Given the increased focus on digital transformation within organizations, it’s important for IT auditors to be involved throughout the entire technology project lifecycle to ensure policies and processes are put in place to mitigate risk,” said Theresa Grafenstine, chair of ISACA’s board of directors. “IT audit leaders looking to become more engaged within their organization’s major technology projects have to build credibility with executive management teams by demonstrating the value that the IT audit function provides.”
The upcoming enactment of the EU’s General Data Protection Regulation (GDPR), which establishes new compliance requirements for information security and data privacy, further highlights the importance of effective data management and protection of organizational data.
“With regulators beginning to look more closely at the security and management of organizational data, we encourage IT audit teams to be aware of all data that an organization processes, where it resides and how it’s being protected,” added Struthers-Kennedy. “While the increase in data capture and processing activities offers opportunities for enhanced business insight and competitive advantage, it also adds significant risk and therefore data protection needs to be prioritized.”
IT Audit’s Growing Importance
It’s clear that IT audit teams are of growing importance in organizations. This is the first edition of the survey to find that at least half of all organizations polled have a dedicated IT audit director (or equivalent position). This is a significant increase from just five years ago, when only one in three organizations had a dedicated IT audit director.
Still, there is room to grow in how the IT audit function is viewed by business partners and board members within an organization. Overall, less than half of respondents indicate that their CAE or IT audit director meets regularly with their company’s CIO to help develop the IT audit plan. Regular meetings with business leaders can help not only with timely risk identification but also with conveying the value audit teams deliver.
About the Survey Report and Resources Available
The 2018 IT Audit Benchmarking Survey consisted of a series of questions in six categories: Emerging Technology and Business Challenges; IT Implementation/Project Involvement; IT Audit in Relation to the Overall Audit Department; Risk Assessment; Audit Plan; Cybersecurity and Skills, Capabilities and Hiring. The full survey report, along with an infographic and a short video, is available for complimentary download from ISACA and from Protiviti.
Protiviti (www.protiviti.com) is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Through its network of more than 70 offices in over 20 countries, Protiviti and its independently owned Member Firms provide clients with consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit.
Named to the 2018 Fortune 100 Best Companies to Work For® list, Protiviti has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
Nearing its 50th year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by technology, and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its 450,000 engaged professionals in information and cybersecurity, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including 217 chapters worldwide and offices in both the United States and China.