Cybersecurity risks are abundant for businesses today, and with the global proliferation of mobile devices and rapidly maturing Internet of Things connecting technologies and people like never before, they undoubtedly will grow exponentially over the next decade. Information Technology (IT) auditors are faced with the daunting task of collaborating with executive management, the board of directors, IT, legal, human resources and other departments to help their organizations undergo business transformation while managing potential IT risks that could cripple the enterprise.
Many companies still have established reporting structures for IT audit that are less-than-optimal; having the IT audit director report to the CAE is best practice. Any other reporting line, even to the CEO, varies from the third line of defense best practice (internal audit) that companies are encouraged to employ. Specifically, any other reporting structure likely falls under the second line of defense (management), which is less appropriate for internal audit and IT audit. Organizations need to ask themselves whether their internal audit function is an extension of external audit, or whether the function has a broader mandate to help the organization understand and manage its risks, including cybersecurity and IT risks.
ISACA and Protiviti partnered to conduct the 5th Annual IT Audit Benchmarking Survey in the third quarter of 2015 to determine where IT audit functions stand in their capabilities to address key challenges. This global survey, conducted online, consisted of a series of questions grouped into five categories: Today’s Top Technology Challenges, IT Audit in Relation to the Internal Audit Department, Assessing IT Risks, Audit Plan, and Skills and Capabilities. More than 1,200 executives and professionals, including CAEs as well as IT audit vice presidents and directors, completed our online questionnaire. What may be most notable in this year’s results is the lack of significant change over the findings in the prior years of our study. The results are not changing, the question is, “Why?” In this report, we explore this and highlight valuable IT audit insights from this year’s Annual IT Audit Benchmarking Survey study.