Organizations further along the digital transformation maturity spectrum have an advantage

Concerns around security, privacy, cloud and technology resilience are being further fueled by shifting business priorities, the pandemic-induced remote work environment and accelerated deployment of new technologies, according to a survey from Protiviti and ISACA.

Entering into 2021, IT audit groups – particularly those in more digitally mature organizations – are utilizing more dynamic and real-time approaches to technology risk assessment, which enables them to be more agile and responsive to the rapidly evolving risk landscape, driven in no small part by pandemic-related challenges.

The technology and audit benchmarking survey identified the top concerns that over 7,400 IT audit leaders and professionals from organizations around the world are facing and planning to address in 2021.

The benefits of being a digital leader

The findings reveal that ‘digital leaders’ – those self-characterized as having innovative and disruptive qualities, including a proven track record of delivering on digital and innovation initiatives and effective adoption of emerging technologies – weigh risks differently from companies with lower levels of digital transformation maturity and those who are in the earlier stages of defining and delivering on their digital and innovation agenda.

The survey report notes that digital leaders stand out in their frequency of performing technology audit risk assessments, driven by more agile ways of working as well as more integration and use of data and technology.

However, 67% of organizations do not classify themselves as digital leaders, and 11% of those non-leaders are not conducting any form of technology risk assessment.

The top 10 IT audit risks for 2021

The survey asked respondents to rate the significance of 39 technology risk issues. Of those, the top 10 IT audit risks identified were as follows:

• Cyber breach
• Confidentiality and privacy
• Regulatory compliance
• User access
• Security incident management
• Disaster recovery
• Data governance
• Third-party risk
• Remote workplace infrastructure
• Availability risk

For the most part, the top 10 technology risks for digital leaders and other companies were the same, but risk indexes trended higher for digital leaders.

This is likely a result of several factors, including the generally more complex technology environments of such organizations, as well as their more extensive use of advanced technologies (such as intelligent automation, IoT, artificial intelligence and machine learning), and the general levels of data and technology employed by digital leaders to support their enhanced customer engagement, operational performance and digitization of products and services.

Cloud strategy and adoption a top 10 risk for digital leaders

One notable difference between digital leaders and other organizations was that cloud strategy and adoption was a top 10 risk for digital leaders but not for others, because digital leaders were more likely to include cloud technologies in their delivery of business services and in their longer-term planning and strategy.

“Companies need visibility to effectively identify and evaluate risks. The sudden shift to remote work, as well as the broader disruption experienced by many, has revealed the importance of identifying and assessing technology risks on a more dynamic and frequent basis to develop closer-to-real-time views and responses,” said Andrew Struthers-Kennedy, a managing director with Protiviti and leader of the IT Audit practice.

“We’re seeing significant demand from companies that need help integrating more dynamic and data-driven approaches to risk assessments into their internal audit activities. Internal audit functions that are able to achieve this will be much better positioned to deliver highly efficient and effective risk assurance.”

The survey found that 61% of organizations are now identifying and assessing technology risks for the purpose of audit planning as part of the overall internal audit risk assessment process. However, that leaves a somewhat worrying 39% of organizations that are not specifically assessing technology risks in the development of audit plans.

Concerns by location and industry

Despite the geographical spread of the survey respondents and number of industries included, the ranking of technology risks was generally consistent.

IT audit professionals from North America, Africa, Asia, Europe, the Middle East and Oceania all ranked cyber breaches as their top concern, with almost 80% globally noting that they plan to address the risk in their 2021 audit plans.

Cyber breaches were also consistently a primary concern across industry sectors, including consumer packaged goods and retail; energy and utilities; financial services; healthcare; manufacturing and distribution; and technology, media and telecommunications.

“Responses from this study show that missteps in risk management are amplified for organizations that have not yet mastered timely responses to business disruption,” said Robin Lyons, ISACA IT Audit Professional Practices Lead.

“Audit functions that have a strategy that keeps pace with longer-term risks and high-velocity risks will demonstrate their value as they continue to provide assurance regardless of any disruption.”