Ten IT considerations for internal audit

Ten IT considerations for internal audit

  • Share

Our recent research publication Turning risks into results: how leading companies use risk management to fuel better performance indicates that organizations achieve results from risk in three interrelated ways:

  • Focus on mitigating overall enterprise risk
  • Focus on efficiency, reducing the overall cost of controls
  • Look to create value, often through a combination of risk mitigation and cost reduction

Increasing your level of confidence in the risk assessment process is one of the most fundamental ways to focus on mitigating overall enterprise risk, determining appropriate levels of effort and resources and identifying where to add value.

Organizations need to identify and address key risk areas and quickly close the gaps through:

  • Identifying and understanding the “risks that matter”
  • Differentially investing in the risks that are “mission critical” to the organization
  • Effectively assessing risks across the business and driving accountability and ownership
  • Demonstrating the effectiveness of risk management to investors, analysts and regulators

As many organizations prepare for risk assessment discussions, consider our perspective on the leading practices that will help increase your organization’s level of confidence in addressing these critical questions:

  • How do we look around the corner?
  • How do we know we identified all the right risks?
Thoughtful executives will need to understand which IT trends to consider in their critical internal audit plans.

These 10 key IT internal audit considerations are aligned with, and provide connection to, leading practices designed to help ensure robust performance in the IT internal audit process:

1. Information security

Traditional security models focus on keeping external attackers out. The reality is that there are as many threats inside an organization as outside. Mobile technology, cloud computing, social media, employee sabotage, cyber attacks — these are only a few of the threats organizations face.

Unfortunately, many organizations have no idea they are compromised until it is too late. IT internal audit can play a critical role in evaluating the organization’s information security strategy and supporting program and partnering to improve the level of control.

Recommended reading: Fighting to close the gap: 2012 Global Information Security Survey

2. Business continuity management

Recent large global disasters, as well as smaller disruptions, have prompted leading executives to hope for the best but prepare for the worst by investing in effective business continuity management (BCM).

While BCM should be viewed as an enterprise-wide risk and effort, the reality is that it is often IT that is asked to lead critical planning activities and serve as lead facilitator. IT systems and disaster recovery procedures are a cornerstone of the broader BCM plan, so IT internal audit is well positioned to evaluate broader BCM procedures.

Recommended reading: Ready for the challenge: integrated governance — the key to effective business continuity management

3. Mobile

Mobile computing devices (laptops, tablets, smartphones) are in widespread use, allowing individuals to access and distribute business information from anywhere and at any time.

IT internal audit’s knowledge of the organization’s mobile strategy needs to evolve as quickly as the mobile landscape. Evaluating these risks will help audit add value to the organization while confirming key risks are well managed.

Recommended reading: Mobile device security: understanding vulnerabilities and managing risks

4. Cloud

Many organizations are looking to cloud computing to increase the effectiveness of IT initiatives, reduce cost of in-house operations, increase operational flexibility and generate a competitive advantage.

IT internal audit needs to understand how the organization is embracing cloud technologies and the risks the business faces based on the adopted cloud strategy.

Recommended reading: Ready for takeoff: preparing for your journey into the cloud

5. IT risk management

As the IT risk profile and threat landscape rapidly changes and risks increase, companies need to change their mindset and approach toward IT risk to address a new normal. The Securities and Exchange Commission, other regulators, and the audit committee have increased their focus on companies managing risks holistically.

Company stakeholders/shareholders expect the company to focus risk management activities and resources on areas with the greatest impact. Internal audit is uniquely positioned to help drive growth and create value for the company through reviewing IT risk management activities.

Recommended reading: The evolving IT risk landscape: the why and how of IT risk management today

6. Program risk

Program complexity is increasing at a faster rate than companies can adapt. While companies have been cautious with IT investments over the last few years, investment portfolios are now being expanded to keep up with emerging technology trends or to master costly legacy issues.

Organizations are still failing to properly adapt their program approaches to this increased complexity. Internal audit can play an effective role in confirming the right processes are in place to manage programs and those processes and controls are being executed appropriately.

Recommended reading: Strategy deployment through portfolio management: a risk-based approach

7. Software/IT asset management

With increased focus on cost reduction in a global economy struggling to recover, effective software asset management and IT asset management can make a significantly positive impact.

It is critical that IT auditors thoroughly understand software and IT asset management processes and controls.

Recommended reading: Effective software asset management: how to reap its benefits

8. Social media risk management

The social media elements that generate business opportunity for companies to extend their brands are often the same elements that have created IT-related risk. IT is heavily relied on to enable social media strategies in coordination with marketing strategies.

It is critical that IT internal audit has an understanding of the organization’s social media strategy as well as the related IT risk. IT internal audit must add value by providing leading practice enhancements and assurance that key risks are mitigated.

Recommended reading: Protecting and strengthening your brand: social media governance and strategy

9. Segregation of duties/identity and access management

While segregation of duties (SoD) is considered by many to be a fundamental control that organizations have developed strong processes, the complexity of today’s enterprise systems leaves many companies struggling. As the sophistication of tools available to audit firms has increased, new issues and challenges with the systematic enforcement of SoD have come to light.

Many IT audit departments rely on the businesses’ review of IT access reports from ERP systems; however, the reality is that many business professionals lack the knowledge of ERP role definitions to truly understand what they are certifying. Therefore, a comprehensive SoD review is an audit that should be on all IT internal audit plans on a periodic basis.

Recommended reading: A risk-based approach to segregation of duties

10. Data loss prevention and privacy

Over the last few years, companies in every industry sector around the globe have seen their sensitive internal data lost, stolen or leaked to the outside world. Executives are investing more money to protect the privacy of personal information — to respond to ever-increasing government regulation and enforcement and to stem the rising tide of risk.

But are they spending it in the right places? Internal audit is well positioned to help the organization address this question.

Recommended reading: Privacy trends 2013: the uphill climb continues

For more information about key IT internal audit considerations, download the full report.