IT Audit Survey Exposes Weak Risk Assessment

05.10.2011
Even in the face of costly and embarrassing corporate security breaches, one in four companies fails to conduct any IT risk assessment. And 42% say there are areas of their information technology audit plans that cannot be addressed because of a lack of resources and expertise.

These are two of the findings of Protiviti's 2011 survey, for which nearly 500 professionals -- including chief audit executives, audit directors and IT audit directors and managers -- were asked to analyze underlying audit trends, and perhaps to identify enforcement gaps in Corporate America. The survey was taken both online and in electronic form, and gave respondents 35 questions in four categories: IT audit in relation to the internal audit department; IT risk assessment; audit plan; and skills and capabilities.

"There are simply too many risks associated with the pervasive use of technology -- including social media and mobile devices -- and not enough focus on identifying and managing those risks," Bob Hirth, executive vice president and leader of the firm's global internal audit and financial controls practice, said. "Businesses have to get serious about addressing IT risks or they will fall victim to their own vulnerabilities."

Illustrating how smaller companies tend to do much less audit work than larger ones, the survey found that 43% of companies with less than $100 million in annual revenue had no IT audit function at all. Among companies with revenue between $100 million and $1 billion, 82% lacked "a designated IT audit director or someone in an equivalent position," Protiviti's account of the survey said.

As for the use of outside auditors to help with IT audits, only 13% of companies with $100 million to $1 billion in revenue did so, and among the smaller-than-$100 million group, only 17% did. According to Protiviti, higher percentages in both groups were expected, because companies with less than $1 billion in sales have no full-time IT audit resources in place.

"If an organization or internal audit function is not thinking about IT governance, IT risks and specifically IT risk assessment, it should be," David Brand, a Protiviti managing director and the firm's national IT audit leader, said in a press release describing the survey results. "The increased use of and demand for technology and data compel companies to review how these technologies are being leveraged and the risks they are creating."