Good news for anyone worried about IT risks (which, really, should be all of you): the power and importance of the IT audit team is on the rise, according to a new survey from Protiviti and ISACA. Now you just need to ensure that the compliance team has a proper working relationship with IT audit, so you can cooperate on some of the most pressing problems facing Corporate America today.

Let’s start with the rising profile of the IT audit function. The ISACA-Protiviti study found that, by almost any benchmark, IT audit is moving in the right direction:

More companies now have an IT audit leader;

That IT audit leader attends audit committee meetings more often;

More of internal audit’s reports focus on IT audit issues;

More companies conduct an IT audit risk assessment.

Even better, Corporate America is not starting from a low threshold for any of these activities. Fifty-nine percent of large companies ($5 billion or more in annual revenue) have an IT audit leader. Ninety-two percent of them conduct an annual IT audit risk assessment, and 82 percent have the IT audit director appear in front of the audit committee regularly. These are all good numbers, any way you cut them.

None of that should be surprising when you consider what IT auditors do. They help to fight the sexy problems that get boardroom and headline attention, like cyber-security; and also the mundane problems that drive the rest of the enterprise crazy, like ERP software implementations, data retention policies, or access control issues. IT is now at the heart of almost every business process that exists, so naturally IT audit will become more relevant to almost everything a company does.

Audit and compliance purists among us will also be delighted to hear that the vast majority of IT audit leaders (82 percent) report into the chief audit executive. That’s important; IT audit needs a strong degree of independence so it won’t end up spending too much time specifically on regulatory compliance issues (if it reports into the compliance officer) or be afraid to tackle difficult questions like the effectiveness of a big software implementation (if it reports into the IT director). Indeed, an IT audit team that’s independent from the IT department itself can be a valuable ally as you tussle with the IT department over how to address compliance issues.

Which brings me to my other point: as IT audit teams finally achieve the respect they deserve, compliance executives need to think even more about how to put those folks to work for you.

Compliance officers are starting from a strong position: one quarter of the ISACA-Protiviti survey respondents said IT audit already spends 25 to 50 percent of its time on compliance issues. And any chief compliance officer worth his or her salt should already have good lines of communication with the chief audit executive, who ultimately will be the gatekeeper deciding how much of the IT audit team’s expertise you can use.

The tension, I suspect, might arise from deciding which issues demand IT audit’s attention first or which issues merit the most time. For example, 58 percent of North American businesses said IT audit addresses Sarbanes-Oxley compliance issues—but only 28 percent said IT audit conducts vendor audits. Think about that if you do business in Europe, with customer data in the hands of a cloud storage provider who might be shipping it hither and yon. Think about that if you’re Target, and suffered one of the largest data breaches in history thanks to weak security controls at your HVAC vendor.

It may well be that different companies describe IT audit risks in different ways; maybe “vendor audits” are buried under “IT process audits” of privacy and security at your company. Nonetheless, all this harkens back to the fundamental need for clear and widely understood definitions across your whole company—compliance, IT, internal audit, IT audit, audit committee, and so forth—so you can have productive conversations about which tasks get the most time and the most priority.

The other big observation I took away from the ISACA-Protiviti study was the challenge of staffing your IT audit team: 48 percent of all large companies said they cannot execute current parts of their IT audit plan because they lack the skilled staff, and that number has been rising since 2012. Or, as the survey neatly put it: “The lack of necessary skills can often predispose internal audit functions to focus on traditional areas where they have the capability to deliver, rather than the most critical and important value adding areas.”

No surprise, then, that 60 percent of large companies also use some sort of outside help to get IT audit done, whether by co-sourcing IT audit or bringing “guest auditors” into the company for a tour of duty.

Without question, outsourced IT audit help can bring you staffers with more experience and better awareness of new IT risks. And those risks can often be immediate and acute, while developing in-house expertise takes time and money. Remember, compliance departments always want to demonstrate an effective program; dallying around while IT audit gets up to speed on current challenges isn’t necessarily a good demonstration. That’s something else to think about as you, internal audit, and the IT department sit down to talk about the importance of IT audit.