To meet international standards of organizational independence, IT audit should have a seat at the table and report directly to the board audit committee
The greatest challenge faced by IT audit professionals around the world is the ‘ever-changing nature of complex emerging technology and infrastructure changes,’ according to a recent survey by ISACA, a global nonprofit association of IT professionals, and consulting firm Protiviti. Yet, fewer than one in three organizations consider themselves ‘very effective at managing cybersecurity risk to an acceptable level.’
The report, titled A global look at IT audit best practices: assessing the international leaders in an annual ISACA/Protiviti survey, outlines the results of the fifth annual Audit Benchmarking Survey. The latest online survey, conducted in the third quarter of 2015, polled more than 1,200 executives and professionals, including chief audit executives (CAEs) and IT audit vice presidents and directors. Questions were organized in five categories: top technology challenges, IT audit in relation to the internal audit department, assessing IT risks, audit plans, and skills and capabilities.
With so much at stake, organizations need to be proactive in addressing their cybersecurity risks in their audit plans and ensuring their boards of directors are knowledgeable about cyberspace risks. ‘The easiest way for audit managers to ensure that they have thought about IT risks is to conduct an engagement-level risk assessment for the area under review and include someone from the IT audit team in that discussion to ensure the proper areas are considered,’ says David Brand, a managing director at Protiviti and leader of its IT audit practice.
The survey finds room for improvement in IT audit reporting lines, suggesting that ideally IT audit personnel should report to a CAE. Best practice for a properly operating control environment includes having three lines of defense, where operational managers who own and manage risks (the first line of defense) are periodically monitored by those in an oversight capacity such as the compliance and risk management functions (the second line). In turn, oversight activity must be evaluated regularly by an independent function such as internal audit (the third line) as the risk profile demands, Brand explains.
However, many organizations, instead of following this strategy, have those in compliance and risk management functions reporting to the board. The ISACA/Protiviti report recommends that companies abide by guidelines set by the Institute of Internal Auditors (IIA), which call for internal audit professionals (the third line of defense) to report directly to the board’s audit committee, in accordance with international standards of organizational independence.
Among the other significant findings is that while there has been an increase in the percentage of IT audit directors who regularly attend audit committee meetings, in only about half of the respondents’ companies does the IT audit director actually attend these meetings. Audit committee meetings benefit from the participation of people who understand technology issues and the organizational risks related to them. The report questions whether CAEs are able to appropriately address IT audit issues when IT audit personnel are not present to provide input.
As cybersecurity risks continue to grow, IT audit professionals must work at assisting their organizations to identify, reduce, and track existing and potential IT risks that threaten security, governance, and asset management. How can an organization’s corporate secretary best act on the report’s findings? Brand stresses the importance of evaluating both the IT audit-related information that is provided to the board and the reporting lines through which it is communicated from the internal audit department.
‘At a minimum, the board should receive some report from management that evaluates and ranks the risks faced by the organization in achieving its strategies and objectives, commentary on the programs in place to mitigate those risks to an acceptable level, and an independent report from the internal auditor to validate that the programs do in fact mitigate the risks and are operating effectively,’ the report says.