Regulations Top IT Audit Concerns
Technology auditors are primarily focused on regulatory compliance and other ongoing technology issues this year, according to a recent ISACA study.
Associate Managing Editor
IT, security, and audit managers rank regulatory compliance as their top concern affecting enterprise IT in the next 12 to 18 months, according to ISACA’s Top Business/Technology Issues Survey. The study, based on responses from more than 2,400 ISACA members in 126 countries, notes that participants’ organizations are increasingly automating regulatory compliance activities using governance, risk, and compliance applications to support monitoring and segregation of duties in enterprise resource planning systems as well as for tracking and reporting on controls. “Our members’ organizations have not yet optimized these processes to be as efficient as possible,” says Tony Noble, vice president of IT audit at Viacom Inc. in New York and a member of the ISACA Guidance and Practices Committee that conducted the study.
Respondents rank enterprise-based IT management and governance second in importance. Their chief concern within this category is IT project risk, which 45 percent rate very important. The ISACA report notes that many respondents are automating the process of documenting and tracking such risks to protect against unanticipated delays and development costs.
Information security is third on the list, driven by respondents’ concern about the growing number of data breaches as well as increased expenditures on technologies to prevent them. Eighty percent say it is important for senior management to set direction for security, but many worry that executives view technology risk solely as an IT concern. That’s a mind-set auditors can help change by educating executives about their responsibilities for information security and the questions they should be asking to ensure that enterprise-level risks are being addressed, Noble says. “This education cannot be a one-off meeting,” he stresses, “but needs to be a continuing dialogue.”
Overall, respondents’ top concerns reflect ongoing IT issues such as disaster recovery and business continuity, IT risk management, and vulnerability management, rather than new technology trends, the survey notes. Eighty-seven percent of respondents say it is important for managers and business owners to be trained about their responsibility to keep business functions operating after a disaster over the next 12 to 18 months. During the same period, 86 percent are concerned about management’s awareness of IT risk, while 80 percent say senior management needs a greater commitment to IT risk management. The chief concerns under vulnerability management are intrusion detection and prevention, security information and event management, and virus management.
Continuous process improvement is new to the list this year. This reflects attempts to use technology to improve compliance, security, and IT governance processes, Noble points out. Nearly 90 percent of respondents say it is important for the organization to instill a business-process centered culture based on continuous improvement over the next 12 to 18 months.
Newer IT issues such as mobile device management, cloud computing, and virtualization didn’t crack this year’s list, but are rising in importance, according to the survey. While these areas have rated higher on several CEO surveys, Noble says they may not change the role of IT audit and control professionals who are working more closely with these technologies. “I suspect they are addressing the same concerns they do with any technology,” he says. “What are my regulatory, information security, and governance issues? Do I need to update my disaster recovery and business continuity plans to accommodate this technology?” Moreover, Noble says, some survey respondents may not be involved in these emerging areas yet, focusing instead on maintaining controls over their organization’s major revenue streams.