Benchmarking IT Audit
Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
Whether you are an IT auditor, manage the internal audit function, or are concerned about IT-related risks, Protiviti’s latest IT audit survey (PDF) is worth reading.
The authors identify these key findings and takeaways:
- The top technology challenges organizations face today include information security, cloud computing, social media, risk management and governance, regulatory compliance, and technology integration and [sic] upgradation.
- There are significant gaps in the IT audit capabilities in many organizations, and smaller companies in particular. These organizations may not be doing enough to audit their risks, and a large number of organizations, regardless of size, may be understaffed in terms of IT audit capabilities in their internal audit functions.
- There continues to be a significant number of organizations, and small companies in particular, that are not conducting any type of risk assessment focused on the technologies supporting the business; however, there is a notable increase among EMEA/APAC-based organizations that are conducting these assessments.
- Evaluating and assessing IT governance processes, as called for under IIA Standard 2110.A2, is not a priority for organizations and few have plans to do so.
- IT audit has responsibility for auditing IT general controls in virtually all organizations; however, a relatively small percentage of IT audit functions invest time in more strategic-level activities such as integrated auditing, data analytics and consultative activities.
- Organizations may be concerned because they lack the necessary resources and skills to address specific areas of their IT audit plans sufficiently.
Now, these points are debatable on their own, and I will comment in a moment.
But, let’s first compare them to CEOs’ and CIOs’ priorities as we enter 2013.
IBM has released a Global CEO Study. Here are a couple of key excerpts:
- Leaders are recognizing that our new connected era is fundamentally changing how people engage. This shift is one reason why, for the first time since this CEO Study series began in 2004, technology now tops the list of external forces impacting organizations. Above any other external factor — even the economy — CEOs expect technology to drive the most change in their organizations over the next three to five years.
- While CEOs are invigorated by the opportunities, they also fear falling behind, given the pace of technology change. “The biggest risk we face is technological,” explained one CEO of a French industrial products firm. “If we fail to anticipate a huge technology step, we might go out of business.”
IDC is more focused on technology and the issues facing CIOs. Here are excerpts from their look forward at 2013:
- The ICT industry is in the midst of a once every 20-25 years shift to a new technology platform for growth and innovation. We call it the 3rd Platform, built on mobile devices and apps, cloud services, mobile broadband networks, big data analytics and social technologies.
- Companies that are not putting 80% or more of their competitive energy into this new market will be trapped in the legacy portion of the market, growing even slower than global GDP.
They also shared their top ten predictions, commenting that "Our 2013 Predictions for the CIO Agenda reflect the impact of the 3rd Platform Shift. Cloud, Mobile, Social and Big Data solutions are changing the Business/IT engagement models, and presenting CIOs with new opportunities to be seen as Business Innovators."
Note especially the last prediction. IT is coming out of the backroom where it provides a utility and joining the drivers of the organization.
So, are the issues identified by Protiviti aligned with where IT and the business are going? I am not persuaded that they are.
Please consider these alternative priorities:
- As the rapid deployment of new technology becomes critical to business success, executives need to ensure they not only understand the technology risks but also know (a) whether those risks should be accepted, and (b) how to monitor and manage them within acceptable limits. It is no longer OK for the IT audit function only to say that there is a risk and ask for additional actions to mitigate it, because in this environment the business needs to accept a higher level of risk than ever before. It simply can’t afford to fall behind its competitors.
- IT audit functions need to understand risk to the business, in business terms not in terms of “IT risk.” Only the risk to the business matters.
- Dependency on new technology is going to increase dramatically, and that technology will be deployed on new platforms. We all know about cloud, but how will you assess IT general controls when the application is on smartphones and tablets?
- IT auditors need to be concerned whether their IT leaders are leaders or followers (see IDC prediction 10). Will the company succeed if the CIO and his team are not business innovators?
- Does it still make sense, as implied by Protiviti, to have a separate IT risk assessment? Shouldn’t there be a single assessment of risks to the business that identifies, as part of that process, where the business relies on technology?
- Finally, a pet point of mine: with organizations deploying all this new technology to run the business, why aren’t auditors seeking to deploy it to audit the business — especially when IT and operational management have already paid for the software?
Posted on Dec 14, 2012 by Norman Marks