Most Companies Not Doing Enough to Manage IT Risks

Oct. 19, 2011
Despite businesses’ overwhelming reliance on technology and a continuing increase in information security breaches, a majority of companies still don’t place enough emphasis on understanding and addressing their IT risks, according to a new survey from Protiviti.

Results from the firm’s 2011 IT Audit Benchmarking Survey (Protiviti is a global consulting firm) reveal that many organizations, including one in four with revenues up to $1 billion, are not conducting any kind of IT risk assessment. In addition, 42 percent of organizations acknowledge there are specific parts of their IT audit plans that they cannot address sufficiently due to a lack of resources and expertise.

Protiviti’s inaugural IT Audit Benchmarking Survey, which includes input from nearly 500 executives and professionals worldwide ‑ including chief audit executives, audit directors, and IT audit directors and managers ‑ seeks to analyze some of the many underlying IT audit trends and gaps evident in organizations today. In addition to data and analysis, the survey report also includes key questions for audit professionals to consider as they evaluate their own IT audit functions.

“There are simply too many risks associated with the pervasive use of technology ‑ including social media and mobile devices ‑ and not enough focus on identifying and managing those risks,” said Bob Hirth, Protiviti executive vice president and leader of the firm’s global internal audit and financial controls practice. “Businesses have to get serious about addressing IT risks or they will fall victim to their own vulnerabilities. We hope that our survey data and insights will inspire organizations to take a hard look at the effectiveness of their IT audit function.”

Key Survey Findings
According to the survey results, the growth and prevalence of technology throughout most organizations is outpacing the assessment, management and monitoring of related IT risks. Respondents revealed that their organizations often don’t have the staff required to address the growing need appropriately.

Survey data also shows that the smaller the company, the less likely it is to have an IT audit function. For example, 43 percent of companies with less than $100 million in annual revenues have no such function. Even more notably, 82 percent of organizations with annual revenues of $100 million to $1 billion lack a designated IT audit director or someone in an equivalent position.

Other key findings include:

  • Only 13 percent of companies in the $100 million - $1 billion revenue category, and 17 percent under $100 million, use outside auditors to help with IT audits. Higher percentages for both categories of companies would be expected because most of these companies do not have full-time IT audit resources in place.
  • Nearly 70 percent of North American companies and nearly 80 percent of EMEA/APAC companies have not completed an evaluation and assessment of their IT governance process (as outlined in The Institute of Internal Auditors Standard 2110.A2). Even more surprisingly, when asked if they intend to complete that assessment, 36 percent of North American companies and nearly 30 percent of EMEA/APAC companies said no.
  • In 31 percent of EMEA/APAC companies and 29 percent of North American companies, line-of-business executives ‑ for example, chief information officers ‑ have little to no involvement with the IT risk assessment process, according to the survey.
  • A majority of companies at the $1 billion - $5 billion level and those at greater than $5 billion are ensuring their IT audit staff members obtain more than 40 hours of training per year. However, 18 percent of respondents from EMEA/APAC organizations report that they do not provide IT skills training for IT audit staff. Additionally, 32 percent of all small companies (less than $100 million) and 20 percent of companies at the $100 million - $1 billion level provide no IT skills training for these staff members.

“If an organization or internal audit function is not thinking about IT governance, IT risks and specifically IT risk assessment, it should be,” said David Brand, a Protiviti managing director and the firm’s national IT audit leader. “The increased use of and demand for technology and data compel companies to review how these technologies are being leveraged and the risks they are creating.”

Protiviti conducted the 2011 IT Audit Benchmarking Survey using both online and electronic surveys. Survey participants responded to more than 35 questions covering four categories: IT audit in relation to the internal audit department; IT risk assessment; audit plan; and skills and capabilities.
