IT Risks - Closing the Gap
Giving the board what it needs to understand, manage and challenge IT risk
The past two years have seen a re-emergence of large-scale corporate investment in IT systems. A recent survey, performed by PricewaterhouseCoopers LLP on behalf of the IIA, found that keeping abreast of the pace of IT change, coupled with increased IT dependency, is a significant challenge for 87% of the companies surveyed. The survey also found that only 32% of internal audit heads believe the board understand the IT risks they face, compared with 76% of senior managers. This suggests a lack of mutual understanding in the area of IT risk and that boards may have an incomplete picture of the IT risks faced by the organisation. This is of particular concern given that 98% of organisations see IT as strategically important to the future success of the business. The survey showed that boards are looking for more assurance on the management of IT risks and that heads of internal audit want to provide that assurance. However, over a third of senior managers believe that internal audit departments lack the appropriate capabilities to provide that assurance.
"The most difficult thing about IT audit is that it's three-dimensional, you need a specialist for every single area and then someone putting everything together."
Head of internal audit
The IIA held a focus group for heads of internal audit to discuss the results of the survey. Overwhelmingly, the participants concluded that the breadth and depth of skills required to cover all current and emerging IT risks made it both uneconomic and impractical to maintain all skills in-house. In terms of the skill requirement, they confirmed that whilst both internal audit and IT qualifications and expertise may be desirable, the most important requirement is that auditors know how to perform an audit. Looking forward, internal audit functions will need access to people who understand internal auditing, the governance context in which it takes place, and IT risks, and who have the holistic business perspective and good communication skills needed to ensure the business implications are identified and communicated in a way that all parties understand.