IT auditors—the people who conduct examinations of the management controls within an organization’s IT infrastructure to determine if technology assets are secure and to ensure data integrity—have had their hands full lately.
With the emergence of data privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), IT auditing has become especially important and has taken on a whole new level of urgency.
As if the extra workload and pressure were not enough, auditors are facing a host of challenges, according to a recent report by consulting firm Protiviti and ISACA, a global association helping individuals and enterprises in the IT audit/assurance, governance, risk, and information security space.
For their report, the 8th Annual IT Audit Benchmarking Study, Protiviti and ISACA conducted an online survey of more than 2,500 chief audit executives, internal audit professionals, and IT audit vice presidents/directors worldwide in 2019.
The research identified the top technology challenges for these professionals: IT security and privacy/cyber security; data management and governance; emerging technology and infrastructure changes—transformation, innovation, and disruption; staffing and skills challenges; and third-party or vendor management.
As much as organizations are focusing on cyber security and protecting their data, they are still lagging in what they need to accomplish from an IT audit standpoint.
This is due in part because of the changing landscape, growing sophistication of cyber criminals, evolving regulatory requirements such as GDPR, and persistent gaps and process breakdowns that emerge as part of their ongoing transformation projects, according to Andrew Struthers-Kennedy, a Protiviti managing director and global leader of the firm’s IT Audit practice.
“The bottom line is IT audit cannot let its guard down,” Struthers-Kennedy said.
Survey respondents indicated that data management and governance pose the second most critical challenge to their organizations. This is a sharp increase from its number 10 spot in the list of top challenges in the 2018 survey.
As organizations look to leverage data with technologies such as robotic process automation (RPA), artificial intelligence (AI), machine learning, and continuous auditing and monitoring, IT audit functions are becoming more focused on evaluating risks associated with data collection, processing and reporting, the report said.
There is considerable room for improvement in terms of the structure, quality and accuracy of the data available in most organizations, the report noted. When an organization reaches higher levels of maturity related to data management and governance, it is much more adept at avoiding downside risks as well as taking advantage of the opportunities for using data as a competitive differentiator, Struthers-Kennedy said.
Because data is so critical to business operations, IT audit functions need to make sure that key aspects of data management are considered as part of every audit and review activity, Struthers-Kennedy said.
One of the prominent themes in the survey is the importance of partnerships between audit and the IT function, which is particularly vital in the area of risk management, according to Robin Lyons, ISACA technical research manager. As these two groups work together, risk management becomes a shared, real-time effort that reduces guesswork by IT audit as to which project challenges and risks truly exist, Lyons said.
IT audit functions defined as “leaders” in the report have significantly increased exposure to strategic activities within the organization, including being invited to participate in key IT department committees such as IT governance and risk management, information security, and IT strategy.
Leaders also assess and identify the risks of technology on a more frequent basis. Finally, leaders include cyber security in their plans on a more frequent basis than those who have lower levels of engagement and interaction with the IT department.
As in many other areas of technology, the IT audit function is facing a shortage of skills and restrained resources. In fact, the report said organizations in every sector are experiencing a shortage of skills and resources to conduct IT audits. Of the organizations in the survey with revenues ranging from $100 million to $1 billion, nearly one third (32%) are not able to address specific areas of the annual IT audit plan due to a lack of resources and skills.
The survey showed that the top five skills most in demand are expertise in advanced and enabling technologies (44%); critical thinking (32%); data science (27%); agile methodology (20%); and communications expertise (17%).
As many organizations continue to advance their digital transformation strategies, the importance of focusing on data and technology via internal audit grows, the report said. The way internal auditors work and collaborate with their stakeholders, the skills they develop and use as part of audit activities, and the tools and technologies they are familiar with and adopt are all critical areas that require focus, it said.