There’s a new Protiviti study. Their 2011 IT Audit Benchmarking Survey summarizes the input from nearly 500 professionals and makes a number of observations.
Before getting into those observations, I have a couple of my own:
- The report talks about IT risks – but there is no such thing as an IT risk, only business risks due to a failure of technology. These days, talking separately (from business auditing) about IT audit and IT risks is somewhat ‘old-fashioned’. Companies are now talking more about business risk and the role of IT as both an enabler of solutions and a source of issues. The trend is towards building an audit plan that addresses those business risks and will probably have fewer pure IT audits as a result.
- Most of the issues raised in the report (such as the fact that auditors struggle to keep up with technology) are ages-old. I have been in the profession since 1980 and they were problems then!
Here are their “key trends and takeaways”, with my comments.
“The growth and prevalence of technology throughout most operations in a company are outpacing the assessment, management and monitoring of related IT risks.”
- This has been the case since man discovered fire – and the risk of burns came later.
- The report did not address whether IT auditors are involved in change projects, whether these are major new ERP implementations, moving infrastructure or applications to the cloud, or the embracing of social media and mobile. Maybe that can be included in the next survey.
“IT risks do not garner nearly enough attention in organizations today, and in small companies in particular.”
- IT is a source of business risk, not a risk in and of itself. The study, I think, should have considered whether the internal audit function was looking at business risks – and considering the IT impact as part of that activity.
- The Protiviti statement may or may not be correct. Intuitively, as an IT auditor since (it seems) the dawn of computing, I think it is probably correct. But, the level of resources allocated to IT issues should be commensurate with the level of risk and balanced against the need to address other sources of risk.
- In smaller companies (especially), the auditor has to take on all aspects of risk – including IT-related issues. He may be supplemented with co-sourcing.
“A large percentage of companies are not complying with IIA Standard 2110.A2, which requires the internal audit function (usually through IT audit) to assess whether the organization’s information technology governance sustains and supports its strategies and objectives.”
- A large part of IT governance activities may be included as part of the audits of IT general controls (which the study shows is allocated a large level of resources).
- Even though the Standards require this, a risk-based planning exercise may have identified this as a lower risk area – and it would have been appropriate, therefore, not to include it in the plan.
- The main standard here, 2110, requires internal audit to assess governance processes in general. That is even more of a problem (fewer assess and report on more than a couple of governance processes) than IT governance.
“Many organizations do not have the requisite skills and capabilities to assess their key IT risks adequately.”
- See above. There is no such thing as an IT risk, let alone a key IT risk. And, keeping up with technology is a problem for the ages.
“A surprisingly large number of organizations fail to conduct an annual IT risk assessment.”
- Good! They should be assessing business risk and not IT risk.
- Good! It should be a continuing and not an annual process.
“IT audit functions in North America invest significantly more time on compliance-related activities than these functions do in other regions of the world.”
- That may or may not be OK. It all depends on where a business risk-based audit program says the resources should be spent.
What do you think? I would appreciate your comments.