Top 10 technology challenges for IT audit professionals

The top technology challenge faced by IT audit executives and professionals worldwide is to keep pace with emerging technology and infrastructure changes, including transformation, innovation and disruption, according to a new joint survey from Protiviti and ISACA.


In the new survey, 1,230 respondents worldwide shared their perceptions of top technology challenges currently facing their organizations. These challenges are consistent with current market activity and have deep interrelationships with each other. The top 10 list follows:

  • Emerging technology and infrastructure changes ‑ transformation, innovation, disruption
  • IT security and privacy/cybersecurity
  • Resource/staffing/skills challenges
  • Infrastructure management
  • Cloud computing/virtualization
  • Bridging IT and the business
  • Big data and analytics
  • Project management and change management
  • Regulatory compliance
  • Budgets and controlling costs.

Regulatory compliance and budgets/controlling costs have moved down significantly on the list compared to last year, indicating that other emerging areas are now top concerns for respondents.

There are significant concerns about finding qualified resources and skills – Not only was this noted by respondents as one of today’s top IT challenges, but numerous results suggest that finding the right people with the right knowledge and skills for the right job remains an uphill battle.

Many IT audit reporting lines are still off the mark – Having the IT audit director report to the Chief Audit Executive (CAE) or an equivalent role is ideal, yet many organizations still have other reporting lines in place, bringing into question whether IT audit still falls under the “third line of defense” as an independent function.

IT audit risk assessments are an absolute must – There are small but meaningful numbers of companies that are not conducting any type of IT audit risk assessment. For these organizations, this is a significant risk given the cybersecurity threat environment. Other organizations are adhering to best practices by conducting these risk assessments more frequently.

According to the survey results, 60 percent of the largest public companies surveyed have a designated IT Audit Director or equivalent position within their organizations, and yet, in half of all companies, these individuals do not attend audit committee meetings.

Many companies still have established reporting structures that are less than optimal. Having the IT Audit Director report to the CAE or equivalent is a best practice, yet 28 percent of companies in North America and Asia use another, less ideal reporting line. This number is as high as 33 percent in Latin America and 41 percent in Europe.

“Organizations need to ensure that they address effective IT audit management through a number of controls, including treating IT and cybersecurity risks as strategic-level risks, operating as a truly independent and impartial function, and allotting the necessary resources and expertise, whether internal or external, to help the organization identify and manage its IT risks effectively,” said Christos Dimitriadis, international president of ISACA.

By definition, IT auditors work in collaboration with executive management, the board of directors, IT, legal, human resources and numerous other departments to help their organizations mitigate and control an escalating volume of IT risks that could cripple the enterprise.

On a positive note, the survey revealed a noticeable uptick in the frequency with which organizations update their IT audit risk assessments. However, the number of organizations conducting continual assessments remains low – around 16 percent for even the largest companies.
