Key challenges impacting IT audit pros navigating an evolving risk landscape

Protiviti and ISACA surveyed 2,252 chief audit executives (CAEs), internal audit professionals and IT audit vice presidents and directors worldwide.

Asked to identify their biggest technology challenges, IT audit leaders and professionals noted the following as their top five:

• IT security and privacy/cybersecurity
• Data management and governance
• Emerging technology and infrastructure changes – transformation/innovation/disruption
• Staffing and skills challenges
• Third-party/vendor management

“As much as organizations are focusing on cybersecurity and protecting their data, they’re still behind given the changing landscape, growing sophistication of cyber criminals, evolving regulatory requirements such as GDPR and persistent gaps and process breakdowns that emerge as part of their ongoing transformation projects,” said Andrew Struthers-Kennedy, a Protiviti managing director and global leader of the firm’s IT Audit practice. “The bottom line is IT audit cannot let its guard down.”

Data management and governance jumps to second most important challenge

Respondents indicated that data management and governance pose the second most critical challenge to their organizations, a significant jump from its number ten spot in the 2018 survey.

As organizations seek to leverage data with technologies such as RPA, AI, machine learning and continuous auditing and monitoring, IT audit functions are becoming increasingly focused on evaluating risks associated with data collection, processing and reporting.

“There is considerable room for improvement in terms of the structure, quality and accuracy of the data available in most organizations.

“When an organization reaches higher levels of maturity related to data management and governance, it’s much more adept at not only avoiding downside risks but also taking advantage of the opportunities for using data as an enterprise-enabled and competitive differentiator,” said Struthers-Kennedy.

“Data is the lifeblood for many organizations, so IT audit functions need to ensure that key aspects of data management are considered as part of every audit and review activity.”

Growing importance of IT partnerships

IT audit functions defined as ‘leaders’ in the report have significantly increased exposure to strategic activities within the organization, including being invited to participate in key IT department committees (e.g., IT governance and risk management, information security, IT strategy).

Leaders also assess and identify technology risk on a more frequent, even continual, basis. Finally, leaders include cybersecurity in their plans on a more frequent basis than those who have lower levels of engagement and interaction with the IT department.

“One of the prominent themes in this year’s survey is the importance of partnership between audit and the IT function, which is particularly essential in the area of risk management,” said Robin Lyons, ISACA technical research manager.

“As these two groups work together, risk management becomes a shared, real-time effort that reduces guesswork by IT audit as to which project challenges and risks truly exist.”

Lack of skills and resources is pervasive challenge

Organizations in every sector are experiencing a shortage of skills and resources today in IT audit. Of the surveyed organizations with revenues ranging from US$100 million to $1 billion, nearly a third (32%) are unable to address specific areas of the annual IT audit plan due to a lack of resources and skills.

The survey revealed the top five skills most in demand are:

• Expertise in advanced and enabling technologies (44%)
• Critical thinking (32%)
• Data science (27%)
• Agile methodology (20%)
• Communications expertise (17%)

As businesses continue their digital transformation journeys, the importance of focusing on data and technology by internal audit grows. The way internal auditors engage and partner with their stakeholders, the skills they develop and deploy as part of their activities, and the tools and technologies they are familiar with and adopt are all critical areas that require focus.