November 6, 2012 - The ever-increasing investment in, and growing reliance on, IT at banks and other large companies around the world is not being matched by IT audits thorough enough to check that systems are being optimised, says a new survey from consulting firm Protiviti, which questioned 300 firms.
The '2012 IT Audit Benchmarking Survey' from Protiviti says that a significant number of the 300 organisations it surveyed do not conduct any type of IT audit risk assessment, meaning they never identify gaps between what is expected and what is delivered. Naturally enough the consultancy concludes that a considerable number of companies that do conduct assessments have critical gaps in their IT audit capabilities that need fixing. The survey found that:
- More than 30 per cent of organisations with less than $100m in annual revenues do not conduct any type of IT audit risk assessment.
- 65% of organisations conduct their IT audit risk assessments on an annual basis, which may not be adequate to keep pace with the rate of technology change and innovation.
"There's no question that IT risks can affect the bottom line. To succeed in today's business environment, it's critical for organisations to understand and manage IT risks that emerge with the rapidly escalating use of technology, and the best way to do that is with well-planned IT audit strategies and activities," said Brian Christensen, Protiviti's executive vice president (EVP) of global internal audit. "We hope our survey results drive organisations to cast a more critical eye on their own IT audit strategy, whether that means establishing a function or cultivating their IT audit team's experience and capabilities."
The survey asked 300 professionals worldwide, through an open-ended question that required a write-in response, about the top technology challenges that organisations face today. Protiviti says that the top issues from the perspective of IT audit, including information security, cloud computing, social media, and risk management and governance, are consistent with those commonly cited by C-level executives and IT organisations.
The top 10 issues cited by participants in the survey, conducted in the first half of 2012 and only now released, were as follows:
1. Information security (including data privacy, storage, and management).
2. Cloud computing.
3. Social media.
4. Risk management and governance.
5. Regulatory compliance.
6. Technology integration and upgrades.
7. Resource management.
8. Infrastructure management.
9. Fraud monitoring.
10. Business continuity/disaster recovery.
"Our findings also show that even when organisations do conduct IT audit risk assessments there is still further room for improvement," said Mark Peters, director and IT audit leader at Protiviti UK. "The results show the key areas that need to be addressed, such as linking IT audit risk assessments to the overall risk assessment process; using specialists' skills and capabilities to help target the risks that matter most; and considering the frequency at which technology risks are assessed, specifically whether they are conducted frequently enough."