As IT becomes increasingly crucial to businesses, auditing for technology risks is struggling to catch up, leading to a disparity, according to international IT governance association ISACA and Protiviti, a global business consulting and internal audit firm.
Now in its fourth year, their joint study, the IT Audit Benchmarking Survey, revealed that more than half of the largest public companies surveyed now have “a designated IT Audit Director or equivalent position within their organizations.” Almost half of them regularly attended audit committee meetings, a figure that the study says has doubled over the last three years.
On the flip side, audit committees have increased their functions to include IT risk assessment, with one in five reporting significant involvement. This is a 6 per cent increase over last year.
“The common benchmark would be that 20 percent of your activity from an audit perspective should be focused on technology,” said David Brand, a Protiviti managing director and the firm’s global IT audit leader. “Some would argue it should be higher depending on the nature of your business.”
Yet while these figures are encouraging, and the vast majority of businesses do IT risk assessment – as much as 89 per cent in North America – what is more revealing is the frequency at which they do this, Brand said.
Eighty-two percent of North American companies conduct these audits only semi-annually or less often, despite financial assessments likely taking place every quarter.
“There are still companies we run into where the management team views internal audit as an extension of external audit, in other words, they should only be financial risk,” Brand said. “That is contrary to every accepted framework and guidance that comes from professional organizations.”
What’s worse, Brand added, is that it’s difficult to find people who are trained to have the skepticism of an auditor with the technological know-how of an IT professional. He says that this type of expertise still often takes a dual major or a graduate degree. This demand for cross-disciplinary professionals was also identified by the survey, which indicated that, after security and privacy, the second biggest technology challenge to businesses is staffing and skills.
“Every single client I work with has open positions; they’re trying to hire IT auditors. If you look at all of the external auditing firms, it’s one of the harder positions they have trouble [filling].”
What is driving the need is that companies are starting to realize that underneath traditional systems lie increasing amounts of technology, Brand said.
“The majority of regulations, if you peel back what they’re looking for, many of them have to do with collecting, summarizing, reporting on data that flows through the organization, and the company’s ability to do that,” he said. “It really has a link to IT.”