IT Audit Survey Exposes Weak Risk Assessment

Lack of training, too little use of outside auditors are two faults noted in Protiviti benchmarking survey.

Even in the face of costly and embarrassing corporate security breaches, one in four companies fails to conduct any IT risk assessment. And 42% say there are areas of their information technology audit plans that cannot be addressed because of a lack of resources and expertise.

These are two of the findings of Protiviti's 2011 IT Audit Benchmarking Survey, for which nearly 500 professionals -- including chief audit executives, audit directors and IT audit directors and managers -- were asked to analyze underlying audit trends, and perhaps to identify enforcement gaps in Corporate America. The survey was taken both online and in electronic form, and gave respondents 35 questions in four categories: IT audit in relation to the internal audit department; IT risk assessment; audit plan; and skills and capabilities.

"There are simply too many risks associated with the pervasive use of technology, including social media and mobile devices, and not enough focus on identifying and managing those risks," Bob Hirth, Protiviti executive vice president and leader of the firm's global internal audit and financial controls practice, said. "Businesses have to get serious about addressing IT risks or they will fall victim to their own vulnerabilities."

To illustrate how much less audit work smaller companies tend to do than larger ones, the survey found that 43% of companies with less than $100 million in annual revenue said they had no IT audit function at all. Among companies with revenue between $100 million and $1 billion, 82% lacked "a designated IT audit director or someone in an equivalent position," Protiviti's account of the survey said.

As for the use of outside auditors to help with IT audits, only 13% of companies with $100 million to $1 billion in revenue used them, and among the smaller-than-$100 million group, only 17% did. According to Protiviti, higher percentages in both groups were expected, because companies with less than $1 billion in sales have no full-time IT audit resources in place.

  • Nearly 70% of North American companies have not completed evaluations and assessments of their IT governance process, as described in the Institute of Internal Auditors Standard 2110.A2. And 36% said they didn't intend to.
  • In 29% of North American companies, "line of business executives" such as chief information officers have little to no involvement with the IT risk assessment process, according to the survey.
  • Most companies with more than $1 billion in annual revenue offer IT audit staffers at least 40 hours a year of training. But 32% of companies between $100 million and $1 billion, and 20% of companies between $100 million and $1 billion, provide no IT skills training.

"If an organization or internal audit function is not thinking about IT governance, IT risks and specifically IT risk assessment, it should be," David Brand, a Protiviti managing director and the firm's national IT audit leader, said in a press release describing the survey results. "The increased use of and demand for technology and data compel companies to review how these technologies are being leveraged and the risks they are creating."

Stories by Roy Harris