control, and governance
Aligning Risk IT Spending
Auditors can use IDC data to benchmark their organization's spending on risk-related technology.
Organizations today incorporate technology into their current and future business plans and therefore are susceptible to various cybersecurity threats. The December 2011 edition of The IIA’s Tone at the Top newsletter (PDF) detailed the dangers lurking in cyberspace and identified technology risks that remain pertinent today. The article cited an InternalAuditorOnline slideshow in which Steve Mar, director of IT audit for Nordstrom Inc., discussed the five dangers organizations face, including social networking use, mobile computing, cloud computing, nonalignment of business and IT strategy, and IT infrastructure attacks by organized crime. “Both the audit committee and internal auditors should have a proactive mindset in regard to technology, as well as all other key risks,” the Tone at the Top article notes. “This means ensuring that effective controls and security are in place up front.”
In a KPMG Audit Institute Public Company Audit Committee Member Survey, 42 percent of respondents indicated their risk management system required improvement. According to an article citing the survey in the February 2012 Tone at the Top (PDF), “This number indicates a gap in organizations’ proficiency in, or attention to, managing and overseeing risks.” With the varied financial, legal, and strategic issues associated with technology, organizations are paying close attention to IT risk and data governance. As a result, several recent articles have been published regarding audit committee oversight of an organization’s data governance, security, and risk management practices.
Organizations keep spending IT dollars on risk management activities to protect corporate assets, but will these activities continue as oversight becomes more attuned to today’s security threats? A report from IDC Financial Insights, Worldwide IT Spending 2012-2017 – Risk IT (RITS) Spending Guide 2013 Update, projects the worldwide RITS market will account for US $71.2 billion in 2014 and will reach US $87.4 billion by 2017, growing at a composite aggregate growth rate of nearly 7 percent during the forecast period.
Risk management spending includes software used for cybersecurity, data theft and loss prevention, regulatory and payment card standards compliance (e.g., the Payment Card Industry Data Security Standard), financial crime, and fraud. With the volume of cyber tasks growing and organizations expanding their presence in cyberspace, IDC’s 7 percent growth forecast may understate actual growth. Regardless, internal auditors can use the IDC forecast as a benchmark to validate whether their organizations’ RITS spending is in line. If spending is lower or higher, auditors should question why. Because the IDC percentage is a composite figure across the whole market, auditors using it as a benchmark also should consider the type of IT in their organization and how it is used.
The auditors’ current comparison of spending against the IDC benchmark could become a tool for validating future RITS spending. Therefore, internal audit functions should use the IDC benchmark as a tool to assist the audit committee in evaluating the adequacy of the organization’s RITS spending.
Some questions internal auditors could ask when reviewing their organization’s RITS spending include:
Comparing the IDC forecasted rate to an organization’s RITS spending is a starting point to validate whether the spending level is sufficient. Additionally, internal auditors should further review the efficiency and effectiveness of the current RITS operational activities to validate whether potential savings could occur and to ensure they are aligned with future business and IT strategic plans.
James Reinhard, CIA, CPA, CISA, is audit director at Simon Property Group in Indianapolis.