The IT audit function has never held a more crucial role. From substantial cybersecurity, privacy and infrastructure challenges and management issues to the implementation of new technologies in the organization, IT auditors work closely with management and the board of directors to fulfill a vital role in helping maintain an effective control environment amid a changing business climate and dynamic global marketplace.
The results of the latest IT Audit Benchmarking Study from ISACA and Protiviti illustrate the increasingly integrated role IT audit leaders and professionals are assuming in regard to technology initiatives in their organizations. A majority have a significant or moderate level of involvement in major technology projects, including at the important planning stages. A majority of IT audit directors regularly attend audit committee meetings (a noteworthy change from just a few years ago). Yet, as we explore in this report, there is room for improvement in many areas. Most notably, a substantial percentage of IT audit functions report having minimal or no involvement in significant technology projects in the organization. And for those that are more involved, most of their efforts appear to be focused on the post-implementation stages rather than in planning, design or testing.
Why aren’t IT auditors involved earlier and more often in major technology projects? More broadly, why are certain types of audits not performed? Is lack of the right framework and/or the right IT audit talent and skills the primary issue? Does IT audit have the necessary authorization from management and the board to become involved in these projects earlier and in greater detail? Is IT audit building the appropriate relationships with management and line-of-business leaders to earn a seat at the table when critical technology projects are being planned and implemented? In our report, we provide possible answers to these questions and guidance for IT audit leaders seeking to grow their function into a strategic partner for their organizations. Our key findings include:
- Cybersecurity is viewed as the top technology challenge – This has been a highly ranked challenge in our prior years’ surveys, but it has still increased in importance and is clearly the top-of-mind concern for IT audit leaders and professionals. These results are consistent with the results of Protiviti’s annual survey of technology leaders, which show that IT security and incident response capabilities dominate the priority lists for CIOs.
- There appears to be more executive-level interest in IT audit – A majority of IT audit leaders are regularly attending audit committee meetings, and many more are reporting directly to the CEO (though this reporting relationship may not be ideal). There also is more audit committee involvement in the IT audit risk assessment process.
- More CAEs are beginning to carry leadership for IT audit directly – CAEs are becoming increasingly IT-literate and appear to be taking on the daily management and leadership of the IT audit function, especially given technology’s importance and risk level in most organizations. This is a positive trend as it provides the IT audit function and responsibilities with greater visibility.
- Most IT audit shops have a significant or moderate level of involvement in key technology projects – While it is encouraging to find some involvement in the early stages of a project such as planning and design, IT audit functions are more frequently involved post-implementation. Given that a strong majority of organizations have implemented a new IT system or application within the past three years, there likely are opportunities for IT audit to become more involved earlier on with these initiatives.
- Most perform IT audit risk assessments, though a majority do so annually or less frequently – Considering the growing risk landscape resulting from cybersecurity threats and emerging technologies, more organizations should consider an approach that includes continually reviewing the IT risk landscape and adjusting IT audit plans accordingly.