IT Audit Survey Exposes Weak Risk Assessment

Even in the face of costly and embarrassing corporate security breaches, one in four companies fails to conduct any IT risk assessment. And 42% say there are areas of their information technology audit plans that cannot be addressed because of a lack of resources and expertise.

These are two of the findings of Protiviti’s 2011 IT Audit Benchmarking Survey, for which nearly 500 professionals — including chief audit executives, audit directors and IT audit directors and managers — were asked to analyze underlying audit trends, and perhaps to identify enforcement gaps in Corporate America. The survey was taken both online and in electronic form, and gave respondents 35 questions in four categories: IT audit in relation to the internal audit department; IT risk assessment; audit plan; and skills and capabilities.

“There are simply too many risks associated with the pervasive use of technology including social media and mobile devices and not enough focus on identifying and managing those risks,” Bob Hirth, Protiviti executive vice president and leader of the firm’s global internal audit and financial controls practice, said. “Businesses have to get serious about addressing IT risks or they will fall victim to their own vulnerabilities.”

To illustrate how smaller companies tend to do much less audit work than larger ones, the survey registered 43% of companies smaller than $100 million in annual revenue saying that they had no IT audit function at all. Among companies with revenue between $100 million and $1 billion, 82% lacked “a designated IT audit director or someone in an equivalent position,” Protiviti’s account of the survey said.

As for the use of outside auditors to help with IT audits, only 13% of companies with $100 million to $1 billion in revenue used outside auditors to help with IT audits, and among the smaller-than-$100 million group, only 17% used outside auditors. According to Protiviti, higher percentages in both areas were expected, because companies with less than $1 billion sales have no full-time IT audit resources in place.

• Nearly 70% of North American companies have not completed evaluations and assessments of their IT governance process, as described in the Institute of Internal Auditors Standard 2110.A2. And 36% said they didn’t intend to.
• In 29% of North American companies, “line of business executives” such as chief information officers have little to no involvement with the IT risk assessment process, according to the survey.
• Most companies with more than $1 billion in annual revenue offer IT audit staffers at least 40 hours a year of training. But 32% of companies between $100 million and $1 billion, and 20% of companies between $100 million and $1 billion, provide no IT skills training.

“If an organization or internal audit function is not thinking about IT governance, IT risks and specifically IT risk assessment, it should be,” David Brand, a Protiviti managing director and the firm’s national IT audit leader, said in a press release describing the survey results. “The increased use of and demand for technology and data compel companies to review how these technologies are being leveraged and the risks they are creating.”