The area of internal audit that focuses on information technology still faces plenty of obstacles to providing the kind of assurance public companies need, or should strive to achieve, in today’s capital markets.
IT audit is challenged not only by persistent talent shortages and rapid changes in technology, but also by concerns about reporting lines that raise questions about independence and the frequency of risk assessments, according to a recent survey by ISACA, the professional association focused on IT audit and control, and consulting firm Protiviti.
The poll of more than 1,200 audit leaders globally shows emerging technology and changes in infrastructure represent the biggest area of concern from an IT audit perspective, followed closely by IT security and privacy. “Changes in security remain top of mind,” says Robert Stroud, immediate past president of ISACA and principal analyst at Forrester Research. “Emerging technology is really catching people. It’s not that they don’t want it, but it’s hard to keep up as business is really driving disruptive innovation through technology.”
The pace of change makes it continually difficult to staff up with the right skills to meet the demand, says Mickey Vaja, principal in business advisory services at Grant Thornton. “The shortage of resources right now is staggering,” he says. “In 2004 during the Sarbanes-Oxley boom, we thought we were short of people then. Compared to now, it’s earth-shattering.”
David Brand, managing director at Protiviti, says the results of the survey are encouraging in that they demonstrate internal audit leaders are focused on the right issues, but stretched in their ability to meet the constantly rising and changing demands. “Emerging technology, infrastructure, innovation,” he says. “Those are huge topics that organizations across the board are dealing with.”
“Emerging technology is really catching people. It’s not that they don’t want it, but it’s hard to keep up as business is really driving disruptive innovation through technology.”
Robert Stroud, Principal Analyst, Forrester Research
When stretched beyond capacity by the ongoing challenges of emerging technologies and talent shortages, what suffers? The survey suggests optimal reporting lines assuring independence of the audit function and risk assessments may be some of the biggest concerns.
With respect to independence, for example, the survey shows more than 20 percent of respondents in North America say they have an IT audit director who reports to someone other than the chief audit executive, such as the CEO, the chief information officer, or some other compliance function. Only 60 percent of large public companies reported they have an IT audit director. And where companies have someone in that position, a smaller number in 2015 than in 2014 reported that internal audit director attends and provides reports directly to the audit committee.
Those results raise questions, experts say, about whether IT audit risks are being assessed independently and mitigated effectively. “It’s not where it needs to be, and it’s not getting any better,” says Brand.
It could be that there just aren’t enough people out there with the skills to fill IT audit director positions, Brand says. But it also could be that internal audit staffs don’t have the resources to staff a position that is so deep in a single area, he says. “The size of an entire audit department may be 10 people or less,” he says. “Is my department large enough to warrant having someone at that level?”
It also could be that companies are still tuned in more closely to financial risks and haven’t yet shifted their resources and planning adequately to the significant technology risks that have arisen in recent years, says Brand. “A lot of internal audit departments still do a lot of regulatory compliance auditing, and they may not have evolved their strategy to address technology risks as they should,” he says.
Richard Chambers, president and CEO of the Institute of Internal Auditors, says the independence of the IT audit function is a serious concern. With IT audit directors, where they exist, reporting to the CEO or the CIO, that puts the IT audit in the “second line” of defense under the IIA’s widely accepted “three lines of defense” model for providing assurance, rather than in the preferred third line behind operations and management.
IT AUDIT RISK ASSESSMENTS
In the following chart from Protiviti and ISACA’s 5th Annual IT Audit Benchmarking Survey, respondents were asked: “Does your organization conduct an IT audit risk assessment?” Responses, based on company size, are below.
“If you have an IT audit director who is not part of the internal audit function, I would not characterize this as a function on which the board should be putting a lot of reliance,” says Chambers. Having management somehow direct the IT audit is “shortsighted,” he says. “It doesn’t reflect how integrated IT risks are with the other risks in the organization.”
That dovetails with questions about the adequacy of risk assessments, according to experts and the survey results. ISACA and Protiviti point out there are “small but meaningful numbers” of companies that do not conduct any type of IT audit risk assessment. And of those that do, roughly two-thirds of U.S. companies, regardless of size, rely on annual risk assessments, despite the rapid pace of change.
The results suggest more companies need to “operationalize risk,” says Stroud. “Effective risk management is what happens with every decision we make,” he says. “Business decisions are being made every day, yet enterprise risk management is an annual event.” Many organizations tune in to the emerging risks, like cyber-security in recent years and Sarbanes-Oxley a decade earlier, but it takes too long, he says. “The risk landscape changes constantly.”
System implementations represent a significant area of risk that often is not adequately assessed by IT audit, says Vaja. “If you look historically at the number of failed implementations, it’s very high,” he says. Companies tend to put heavy trust into a CFO or CIO who claims ‘I got this.’ “You see that high confidence that everything is going well, then half way in you get changes orders,” he says. “That’s when it might be too late.”
Communication is key, says Stroud, to increase the frequency of risk assessments as a step toward a more ongoing approach. “You have to communicate the value of it,” he says. “You start by perhaps going from an annual event to quarterly. Then you might want to go to a catalog so the IT audit assessments show up in some sort of ERM catalog.”
To further advance the profile of IT audit, Brand suggests companies even consider getting more IT skills on the audit committee. “There’s still a bias on audit committees on the external audit and financial skills,” he says. “We mandate a financial expert, but not a risk expert. This is where audit committees have an opportunity to evolve.”