Integration of new technologies is seen as less of a challenge than it was in the past but IT security concerns are increasing dramatically, according to a review of IT auditing best practice that has also found that risk management of third parties is rising rapidly.
The latest annual ISACA-Protiviti IT Audit Benchmarking Survey found IT security to be the top-of-mind concern amongst IT audit leaders, who are increasingly engaging with executives and courting IT project leaders as they work to increase the visibility of risk management within major IT rollouts.
Getting that visibility remains difficult for many IT audit specialists, with only 55 percent of the 1062 respondents saying they regularly attend audit committee meetings. This was well up over historical figures – in 2012 the figure was just 22 percent – but well behind world leader Asia, where 87 percent of IT audit directors regularly attend audit committee meetings.
These figures reflect the relative profile of IT auditors – whose remit increasingly includes evaluation of and remediation of cybersecurity risk – within the company’s overall business function. And while Oceania businesses were relatively high by world standards – 75 percent of IT audit directors regularly attend audit committee meetings, compared with just 42 percent in North America –even that presence isn’t a guarantee of robust IT risk management.
Indeed, just 25 percent of participating organisations update their IT audit risk assessments once per quarter or more frequently – suggesting that most IT auditing functions are established on a set-and-forget basis that may not reflect the rapidly changing nature of the organisation and its technology.
Involving IT auditors later in the game can come back to bite businesses that may only come to find cybersecurity issues late in the game, or even after systems are deployed.
“Seeing greater involvement by IT audit in significant technology projects is a positive trend, especially considering the dynamic nature of technology and critical risks related to security and privacy,” said Christos Dimitriadis, chair of ISACA’s board of directors and group director of information security for INTRALOT in a statement.
“Having IT audit bring a mindset of risk and control to these projects can be highly advantageous,” he continued. “However, our results show that IT audit is more involved in the post-implementation stages of these projects versus earlier planning and design stages. With a solid foundation of assurance on the front end, organisations can have the confidence they need to be innovative and fast-paced in pursuit of their business goals.”
Building this foundation of assurance is easier said than done, however, since organisations across Australia and the rest of Oceania are moving quickly to establish themselves in areas with clear business benefits and attendant competitive advantage. Some 95 percent of businesses in the Oceania region had implemented an IT system or application in the last three years – well ahead of the response rate in other regions – and there were far more projects focused on improving the customer interface and improving employee collaboration than in Asia or North America.
Oceania businesses were also far less likely than other regions to be implementing infrastructure improvements, and more likely than European or North American companies to be implementing process automation. Oceania companies were also more likely to focus IT auditing efforts on areas such as project governance (53 percent compared with 50 percent in North America and Europe, and 37 percent in Asia) and evaluating the project’s risk management plan (50 percent, against 42 percent in North America and 39 percent in Asia).
These figures reinforce the picture of Australian businesses as being forward-looking and project-focused – although such a progressive outlook is not without its risks.
Indeed, respondents named the biggest risk factor for IT implementation projects as being the frequency of updates to project goals and outcomes. Budgets were also reviewed less than in other geographies, with just 21 percent of Oceania companies monitoring budget expenditure as against 41 percent in Africa, 29 percent in Europe and 22 percent in North America.
“This is also notable,” Dimitriadis said, “because a substantial percentage of IT projects tend to run over budget and behind schedule and fail to achieve the desired objectives. Audit committee members, in particular, are seeking greater assurance around critical IT risks and controls – internal audit and IT audit leaders must be prepared to demonstrate audit coverage of key areas and articulate where the highest risks remain.”
Several Australian organisations have recently led the charge in integrating IT risk management more closely with their development efforts, with companies including Telstra and Optus-affiliated Macquarie Group appointing teams to monitor cybersecurity within their ongoing project work.