Technology is permeating virtually every aspect of business today. From email and mobile communication tools to complex global ERP systems and extensive internet activities, most companies today rely on technology to the point that without it, their operations would grind to a halt. Of course, such a heavy reliance on technology also creates a high volume of significant risks that companies must assess, manage and monitor appropriately. This was the case even before the introduction of social media channels such as LinkedIn, Facebook, Twitter and now Google+, which employees can access at any time of the day, if not on company systems then certainly on personal computers or mobile devices. This access has created an entirely new realm of IT risks that companies are only now beginning to define and learn how to manage.
It is in this dynamic IT environment that Protiviti conducted its inaugural IT Audit Benchmarking Survey, seeking to analyze some of the many underlying IT audit trends and gaps evident in organizations today. For the purposes of this study, we define “IT audit” as the process of collecting and evaluating evidence of the management of controls over an organization’s information systems, practices, controls and operations. The evaluation of evidence obtained through the IT audit process determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization’s goals and objectives. This may include traditional audits of technology processes and components as well as integrated audits for audit activities, technology-dependent regulatory processes (i.e., privacy) or data analytics support.
These are some of the key trends and takeaways from the study that are discussed further in our report:
- The growth and prevalence of technology throughout most operations in a company are outpacing the assessment, management and monitoring of related IT risks.
- IT risks do not garner nearly enough attention in organizations today, especially not in small companies.
- A large percentage of organizations are not complying with IIA Standard 2110.A2, which requires the internal audit function (usually through IT audit) to assess whether the organization’s information technology governance sustains and supports its strategies and objectives.
- Many organizations do not have the requisite skills and capabilities to assess their key IT risks adequately.
- A surprisingly large number of organizations fail to conduct an annual IT risk assessment.
- IT audit functions in North America invest significantly more time on compliance-related activities than these functions do in other regions of the world.
We would like to thank the close to 500 professionals (including chief audit executives, audit directors, and IT audit directors and managers, among many others) who participated in this year’s survey.