We asked chief audit executives (CAEs) and IT audit leaders and professionals to consider IT audit’s role in the organization’s strategic technology projects and report the percentage of that role that involved a partnership with the IT function. Based on the results and understanding the value that such partnerships can deliver, we have defined “leaders” as IT audit groups responding that 20% or more of their time involved such partnerships. Comparing the survey results of these leaders to other organizations illuminates several interesting takeaways.
Why is a strong partnership between IT audit and the IT organization so vital? Close collaboration with the IT group enables IT audit to learn about IT projects, particularly major strategic ones, before they happen, rather than during or after. As part of this, IT audit has an opportunity to participate in planning discussions and to deliver an additional and critical perspective (e.g., on the identification and mitigation of risk) that can help ensure the project’s success.
More broadly, through such partnerships, IT audit can build a better audit plan and bring more fluidity to periodic risk assessments. Audit plans can be organized less around arbitrary risk assessments of various activities and more around specific projects and activities that IT audit knows will be moving forward based on its interactions with the IT organization. The same principle applies to periodic risk assessments. By having knowledge of events like new applications coming online or being pushed out, IT audit can be ready to respond in an agile manner to provide meaningful insights as well as identify and communicate risks of which the IT department should be aware. Most importantly, these actions can happen ahead of time, rather than reactively in response to requests or information previously unknown to IT audit.
Finally, with regard to reporting findings and recommendations to the board (including the audit committee) and management (e.g., CEO, CFO and CIO), a strong partnership with IT enables IT audit to deliver better and more meaningful recommendations tied to strategic technology projects and other major IT initiatives that can be put into action.
On the other hand, a lack of effective collaboration between IT audit and the IT organization creates the following issues:
- IT projects are “hidden” from IT audit in order to avoid an assessment/audit.
- Gaps in risks and controls occur that cannot be remediated easily or cost-effectively, resulting in the need for the project to start over or be scrapped.
- Guesswork on the part of IT audit occurs when identifying challenges and risks, creating slowdowns and further frustration among IT leaders and managers.
- Delays occur in issuing IT audit reports and recommendations, and guidance is issued that is not strategically aligned.
Ultimately, while a strong partnership between IT audit and the IT organization delivers numerous advantages, it’s also important for IT audit to maintain its objectivity as the third line of defense. IT audit must seek to partner and collaborate without crossing the line, because it and the IT organization are not always going to have precisely the same objectives or priorities regarding strategic technology projects.
You can read more on this topic in our 2019 IT Audit Benchmarking Survey and by exploring these related IT tools on KnowledgeLeader: