Wednesday, December 16, 2015

Global IT Audit Practices and Benchmark

IT and business transparency, collaboration and integration are key components for internal audit to help organizations identify, monitor and mitigate IT risks. ISACA, along with Protiviti, conducted its 5th survey of internal audit organizations, which resulted in notable conclusions:

  1. Emerging technology and cybersecurity challenges top the radar
  2. A limited number of IT auditors with qualified skill sets are available
  3. IT audit organizations not reporting to the CAE (chief audit executive) or an equivalent/independent role threaten the third-line-of-defense strategy for IT
  4. IT audit risk assessments are still lacking in some organizations and infrequent in others
  5. Only half of IT audit organizations are involved in IT projects from the get-go or early in the design stages
  6. Strong interpersonal skills are required, including the ability to translate complex IT issues into business risks for a non-technical audience

The survey drew on 1,200 executives and professionals completing an online questionnaire (specifically, 14% were Chief Audit Executives or equivalent, 20% Audit Directors and IT Audit Directors, and 29% IT Audit Managers, etc.). Respondents predominantly consisted of 33% from organizations with $5+ billion in annual revenue and 50% from $1+ billion in annual revenue, spread over: 29% Financial Services, 15% Government/Education, 5% Retail, 2% Life Sciences/Biotechnology/Healthcare Payer, etc.

By the numbers, total audit department headcount consisted of: 18% with 0-4, 21% with 5-9, 19% with 10-19, 16% with 20-39, 10% with 40-99 and, amazingly, 16% with 100+ Full Time Employees (FTE).  With regards to full-time IT auditors, 8% had zero, 23% have 1, 16% have 2, 11% have 3, 7% have 4, 16% have 5-9, 13% have 10-49 and 6% have 50+ FTE.  Those numbers may explain why IT audits have been lagging over the years.  Comparing total internal audit reports with IT audit reports for companies with $5+ billion in revenue: 24% issue more than 20% of their reports as IT audit reports, and 37% issue IT audit reports as process audits that contain underlying technology reviews.  Geographically, South America is ahead with 60% vs. North America at 50%, Europe 43% and Asia 40%; the overall recommendation is that at least 20% of audit reports should be IT audits.

Technology solutions cannot succeed without investment in human capital.  Given the lack of qualified resources reported, organizations of $5+ billion augment with outside resources: 24% via guest auditors, 5% outsource, 40% use co-source providers, and 41% do not augment.  Geographically, the augmentation rate was 69% in North America, 50% in South America, 61% in Europe and 57% in Asia.

  • Reasons for augmenting (by $5+ billion companies) include: 25% lack the IT skill set, 19% variable resource modeling, 26% for an outside perspective, 30% lack of resources, and 31% knowledge transfer/learning from outside parties.
  • Cited characteristics of effective auditors were: process analysis, data collection, interviewing, business writing, and project management skills, along with running effective meetings and communicating results, conclusions and recommendations to all levels of management.

Key to staffing is a person's ability to translate complex issues for a non-technical business audience. While this skill may be difficult to find in candidates according to 73% of the respondents, there is no notable increase expected in finding talent in the short term (6% of $5+ billion companies will increase headcount by 20%).  Additionally, between 39% and 46% of all respondents say the IT audit plan cannot be significantly addressed due to a lack of resources and/or skills.
Companies whose IT auditors are required to hold the CISA (Certified Information Systems Auditor) certification are: North America 49%, South America 56%, Europe 52%, and Asia 59%.
Tenure along with required training is: IT audit director 6.7, requiring 47 hours of training; manager 6.2, requiring 52 hours of training; and staff 4.2, requiring 54 hours of training.
Sources for IT audit staff-level hires are: 69% external hires, 14% internal IT departments and 11% college/university.

Of course, technology is always shifting, and so 60% of organizations are going through an IT transformation, with 54% expecting it to take over 1 year.  With that in motion, understanding cybersecurity threats is a key concern today.  The impact on business model viability is further heightened by disruptive changes in uncharted territory.  However, not embracing new technology such as IoT and wearable technology will significantly hamper business development and lead to a sure loss of competitive advantage.  In connection, the survey calls out a need for IT security audit improvements by the Chief Audit Executive (CAE) and for overall cybersecurity risk management maturity to drive effective programs and acceptable levels of risk.

With cyber being a boardroom agenda item, top organizational performers reflect sound practice in security of information, protection of brand/reputation, regulatory compliance awareness and security of employees' personal information.  These practices are supported by awareness at the board of directors, suitable policies with a security reference architecture that protects the right information, and a cybersecurity practice that demonstrates confidence in the ability to prevent and react to/mitigate both internal and external attacks (e.g. 50% are not confident and only 29% are confident).  Of the 83% that rated cybersecurity as a top threat today, only 38% are prepared for a cyber attack.

Having an IT Audit Director reporting to the CAE or an equivalent position is best practice, yet this model is still lagging behind. Only 58% have an IT audit director or equivalent position, so when it comes to expertise during board meetings, 65% of CAEs have the skills to convey IT risk; otherwise, 42% of IT audit directors attend board meetings.  That said, clearly 91% of organizations ($5+ billion revenue) have an internal audit department with an IT function (56% with IT included and 35% with IT as a separate function).
To properly assure the third layer of defense (management), the IT Audit Director is required to adopt a "Getting to Strong" approach, as set by regulatory authorities in the financial industry, as a model for example.  While IT Audit Directors have started to attend board meetings over the past 4 years, attendance and adoption globally are slow.  45% in North America have an IT audit director vs. 58% in South America, 45% in Europe and 44% in Asia, and attendance at board meetings follows the same pattern, except that South America takes the lead with 67% vs. 42% in North America.
To ensure critical technology risk is included in the IT audit program, an IT risk assessment must be performed.  Smaller organizations seem to lag in this area, but the trend toward conducting assessments is increasing.  Again, of the $5+ billion companies, 69% said an IT audit risk assessment is conducted vs. 16% for $½-$1 billion revenue companies.  Regionally, Asia tops the percentage at 61% by Audit (60% by CIO) vs. North America at 38% by Audit (66% by CIO), South America at 53% by Audit (56% by CIO) and Europe at 46% by Audit (64% by CIO).
In terms of frequency for $5+ billion revenue companies: 16% continually, 2% monthly, 14% quarterly, 10% semi-annually, 55% annually, and 4% less than annually.  And 48% update IT audit risk assessments on a quarterly basis.

Trending in the right direction is earlier engagement in IT projects, and now vendor auditing, although the latter had not been among the top 5 IT audit function responsibilities (it is now out of the bottom five).  Engagement with significant projects occurs during various stages: Planning 30%, Design 10%, Testing 8%, Implementation 11%, Post-implementation 27%, and no involvement 14%. On the other hand, noticeable gaps lie in the lack of focus on continuous auditing, whereby effectiveness and efficiency can be gained by identifying issues and correcting them as soon as they arise.  The level of involvement IT audit has in technology projects ($5+ billion companies) is: 22% significant, 41% moderate, 30% minimal and 7% none; regionally, 57% for the Americas, 52% for Europe and 60% for Asia.
A predominant effort for IT audit is SOX, and the percentage of time spent on it indicates: greater than 75% for 6% of the companies, 20%-50% for 35% of the companies, and, also notably, 31% do not know or spend none.
IT governance assessment activity results in: 42% completed COBIT and 34% completed IIA 2110.A2; geographically, North America 36%, South America 68%, Europe 44%, and Asia 26%, and small organizations were under 50% as well.  Of the respondents, approximately 20% will perform an assessment, hence the rest still will not.  Relatedly, companies with an Enterprise Risk Management (ERM) program integrated with the IT audit risk framework totaled 47%, which is actually down from 50% last year and 58% in 2013. The net-net is striving for full engagement with various projects and development efforts and engaging across a cross-functional organization, as well as using COBIT / IIA Standard 2110.A2 for evaluation, the ISACA COBIT framework for processes, and leveraging the standards, techniques, etc. of ISACA ITAF.

Finally, IT audit function spend:
Source of article: ISACA
