Ten IT considerations for internal audit
Our recent research publication, Turning risks into results: how leading companies use risk management to fuel better performance, indicates that organizations achieve results from risk in three interrelated ways:
- Focus on mitigating overall enterprise risk
- Focus on efficiency, reducing the overall cost of controls
- Look to create value, often through a combination of risk mitigation and cost reduction
Increasing your level of confidence in the risk assessment process is one of the most fundamental ways to focus on mitigating overall enterprise risk, determining appropriate levels of effort and resources, and identifying where to add value.
Organizations need to identify and address key risk areas and quickly close the gaps through:
- Identifying and understanding the “risks that matter”
- Differentially investing in the risks that are “mission critical” to the organization
- Effectively assessing risks across the business and driving accountability and ownership
- Demonstrating the effectiveness of risk management to investors, analysts and regulators
As many organizations prepare for risk assessment discussions, consider our perspective on the leading practices that will help increase your organization’s level of confidence in addressing these critical questions:
- How do we look around the corner?
- How do we know we identified all the right risks?
Thoughtful executives will need to understand which IT trends to consider in their critical internal audit plans.
These 10 key IT internal audit considerations are aligned with, and provide connection to, leading practices designed to help ensure robust performance in the IT internal audit process:
1. Information security
Traditional security models focus on keeping external attackers out. The reality is that there are as many threats inside an organization as outside. Mobile technology, cloud computing, social media, employee sabotage, cyber attacks — these are only a few of the threats organizations face.
Unfortunately, many organizations have no idea they are compromised until it is too late. IT internal audit can play a critical role in evaluating the organization’s information security strategy and its supporting program, and in partnering with the business to improve the level of control.
2. Business continuity management
Recent large global disasters, as well as smaller disruptions, have prompted leading executives to hope for the best but prepare for the worst by investing in effective business continuity management (BCM).
While BCM should be viewed as an enterprise-wide risk and effort, the reality is that it is often IT that is asked to lead critical planning activities and serve as lead facilitator. IT systems and disaster recovery procedures are a cornerstone of the broader BCM plan, so IT internal audit is well positioned to evaluate broader BCM procedures.
3. Mobile computing
Mobile computing devices (laptops, tablets, smartphones) are in widespread use, allowing individuals to access and distribute business information from anywhere and at any time.
IT internal audit’s knowledge of the organization’s mobile strategy needs to evolve as quickly as the mobile landscape. Evaluating these risks will help audit add value to the organization while confirming key risks are well managed.
4. Cloud computing
Many organizations are looking to cloud computing to increase the effectiveness of IT initiatives, reduce the cost of in-house operations, increase operational flexibility and generate a competitive advantage.
IT internal audit needs to understand how the organization is embracing cloud technologies and the risks the business faces based on the adopted cloud strategy.
5. IT risk management
As the IT risk profile and threat landscape change rapidly and risks increase, companies need to change their mindset and approach toward IT risk to address a new normal. The Securities and Exchange Commission, other regulators and the audit committee have increased their focus on companies managing risks holistically.
Company stakeholders/shareholders expect the company to focus risk management activities and resources on areas with the greatest impact. Internal audit is uniquely positioned to help drive growth and create value for the company through reviewing IT risk management activities.
6. Program risk
Program complexity is increasing at a faster rate than companies can adapt. While companies have been cautious with IT investments over the last few years, investment portfolios are now being expanded to keep up with emerging technology trends or to master costly legacy issues.
Organizations are still failing to properly adapt their program approaches to this increased complexity. Internal audit can play an effective role in confirming the right processes are in place to manage programs and those processes and controls are being executed appropriately.
7. Software/IT asset management
With increased focus on cost reduction in a global economy struggling to recover, effective software asset management and IT asset management can make a significantly positive impact.
It is critical that IT auditors thoroughly understand software and IT asset management processes and controls.
8. Social media risk management
The social media elements that generate business opportunity for companies to extend their brands are often the same elements that have created IT-related risk. IT is heavily relied on to enable social media strategies in coordination with marketing strategies.
It is critical that IT internal audit has an understanding of the organization’s social media strategy as well as the related IT risk. IT internal audit must add value by providing leading practice enhancements and assurance that key risks are mitigated.
9. Segregation of duties/identity and access management
While segregation of duties (SoD) is considered by many to be a fundamental control for which organizations have long since developed strong processes, the complexity of today’s enterprise systems leaves many companies struggling. As the sophistication of tools available to audit firms has increased, new issues and challenges with the systematic enforcement of SoD have come to light.
Many IT audit departments rely on the businesses’ review of IT access reports from ERP systems; however, the reality is that many business professionals lack the knowledge of ERP role definitions to truly understand what they are certifying. Therefore, a comprehensive SoD review is an audit that should be on all IT internal audit plans on a periodic basis.
10. Data loss prevention and privacy
Over the last few years, companies in every industry sector around the globe have seen their sensitive internal data lost, stolen or leaked to the outside world. Executives are investing more money to protect the privacy of personal information — to respond to ever-increasing government regulation and enforcement and to stem the rising tide of risk.
But are they spending it in the right places? Internal audit is well positioned to help the organization address this question.
For more information about key IT internal audit considerations, download the full report.