With technology changing so rapidly, the biggest challenge for IT audit professionals is to just keep up with the pace of it all while undergoing constant transformation, according to the latest survey by professional association ISACA and consulting firm Protiviti.
In a poll of more than 1,200 globally, IT audit executives say IT changes and security are the biggest issues that keep them up at night. Rapid innovation, disruption, and growth in cyber-security risks are the biggest technology challenges for IT auditors, the survey report says. The results show 60 percent of organizations are undergoing a major IT transformation, and 54 percent say it will take a year or longer to complete.
Nearly half of IT audit professionals report their IT department is not fully aware of all the devices that are connected to the the entity’s systems, and nearly three-quarters say their organizations face a medium or high likelihood of being hacked. Employee privacy is a concern as well, they say, with 63 percent reporting they believe increasing use of mobile and other connected devices has compromised privacy.
“Rapid change is the norm in today’s business environment,” said David Brand, a managing director at Protiviti and leader of the firm's global IT audit practice, in a statement. “IT audit professionals have recognized the need to grow their knowledge and expertise while also updating their policies, processes, people and technology, all in order to arm themselves against the increasing challenges and threats presented by an ever-evolving technology landscape.”
Behind those high-level technology concerns, IT auditors are also concerned about challenges around resources, staffing, and skills, the survey says. In North America in particular, 37 percent of respondents said they outsource portions of IT audit activity because they lack the resources necessary internally to get the job done. Nearly one-fourth say they outsource because they lack the IT audit-specific skills that are needed.
The survey results also suggest reporting lines are not optimal, according to ISACA and Protiviti. Many organizations still have the IT audit director reporting to someone other than the chief audit executive, the survey found, raising questions about whether the IT audit is adequately independent. Half of the largest public companies that have a designated IT audit director do not have that individual attending audit committee meetings, for example.
"Organizations need to ensure that they address effective IT audit management through a number of controls to help the organization identify and manage its IT risks effectively.” said Christos Dimitriadis, international president of ISACA, in a statement. That includes, “treating IT and cyber-security risks as strategic-level risks, operating as a truly independent and impartial function, and allotting the necessary resources and expertise, whether internal or external.”