Most companies do not conduct IT audit risk assessments, but audits often reveal efficiency improvements that could mean cost savings.
Companies spend millions of dollars on information technology (IT), yet despite that hefty investment, they often don’t conduct an IT audit risk assessment.
According to the 2012 IT Audit Benchmarking Survey from consulting firm Protiviti, most businesses do not conduct IT audit risk assessments, leaving them vulnerable to security breaches and privacy violations as well as regulatory compliance and social media risk.
The survey also found that the top technology challenges organizations face include information security, cloud computing, social media, risk management and governance, regulatory compliance, and technology integration and upgrades. There are significant gaps in the IT audit capabilities of many organizations, most notably in smaller companies making less than $100 million in revenues. Many companies, big and small, may be understaffed in terms of IT audit capabilities in their internal audit functions.
The survey reveals that evaluating and assessing IT governance processes, as required by Institute of Internal Auditors (IIA) Standard 2110.A2, is not a priority for organizations, and few have plans to do so. According to the survey, organizations may be worried that they lack the necessary resources and skills to address specific areas of their IT audit plans sufficiently, but they are doing little to change their concern into action.
Protiviti defines an IT audit as the process of collecting and evaluating evidence of the management of controls over an organization’s information systems, practices and operations. The IT audit process determines if the information systems are safeguarding assets, maintaining data integrity and operating effectively to achieve the organization’s goals and objectives. This may include traditional audits of technology processes and components, as well as integrated audits for financial audit activities, technology-dependent regulatory processes or data analytics support.
A smart investment
‘Companies spend millions on software, but once the system goes online, nobody does a post-mortem,’ notes Steve Hunt, a certified internal auditor and senior manager with accounting and consulting firm Crowe Horwath. During a recent webinar for the IIA entitled ‘Auditing IT governance’, he pointed out that companies spend money on IT but never bother to find out if they got what they expected. ‘Those who do that analysis are shocked at the cost overruns, the time spent and the functionality that was promised and wasn’t delivered,’ he said.
One reason companies don’t conduct IT audits is because they require time and resources. While painful, ‘they often identify opportunities for improvement,’ notes Robert Scott, managing partner with intellectual property and technology law firm Scott & Scott.
Taking an inventory of technology use can help identify the depth and breadth of risk that may exist in the company and can also serve as an effective tool for quantification of exposure, says Jim Burns, director of business and technology consulting firm MorganFranklin. He explains that one of the biggest challenges facing any general counsel is the timely identification of an exposure to the company. ‘This really is an area where what you don’t know can hurt you,’ says Burns. ‘Knowledge is the key, and the governance process is the best place to maintain this knowledge and use it to the benefit of the company.’
John Nerenberg, director of consulting firm AlixPartners, reminds companies that a good IT audit is an external validation that your company is performing essential functions in a proper manner. ‘There is no substitute for an external penetration test, as even the best IT people can often overlook their own mistakes,’ he says.
He also points out that there can be huge consequences to not doing an IT audit. ‘The cost of fines and litigation usually dwarfs the cost savings obtained from avoiding implementing compliance in the first place,’ he explains. ‘Reputational, brand and business losses can be incalculable if your company suffers a major data breach.’
Making it work
The big question, though, is how to get the job done. The experts say companies should establish a tone at the top of the organization – the C-suite and the board – communicating that IT controls are critical to managing the risks inherent in conducting the company’s business. ‘There is simply no substitute for true leaders in this area,’ says Nerenberg. Companies should also establish ‘controls organizations’ within the company and give them the proper resources. This includes internal audit, internal IT audit, information security and IT risk management (including functions such as quality assurance and disaster recovery).
It’s important to place the controls organization where it can be effective within the company’s hierarchy, and to avoid letting the fox guard the hen house. For example, Nerenberg says, companies should make sure that internal IT audit findings can be brought to the board without retribution or interference from the chief information officer (CIO) or CEO, and that IT security reports to the CIO and isn’t buried under the IT infrastructure.
Controls programs should be ‘grounded’ as traceable from the risk to be avoided, such as external hacking or fraud perpetuated by insiders. If involved in an acquisition, companies should make sure the due diligence looks at this area and plan any necessary ‘catch up’ project for year one, says Nerenberg.
Lastly, it’s essential to build a sustainable and self-improving IT controls organization to maintain good performance on IT audits.
The corporate secretary’s role
Where do the general counsel and corporate secretary fit into the IT audit equation? Often in a situation where assessments are completed as a regulatory or compliance requirement, the corporate secretary or general counsel is the sponsor of the IT assessment. The corporate secretary can play an important role as a consumer of information developed as part of the IT audit. The disclosure needs of a company require that management be aware of the control environment of the company and the risks that may reside in business operations. The corporate secretary should ensure that the IT audit’s measurement of inherent and residual IT risk is communicated and understood by the executive team, says Burns. A thorough understanding of each business unit’s risk profile and audit findings is critical to the company’s ability to properly disclose any key events in the financial statements.
The general counsel is key in the identification and communication of applicable laws at the state, federal and international levels. The application of these laws to the technology landscape supporting a company is fundamental to the establishment of acceptable levels of regulatory and legal risk to the company. ‘This alignment should be facilitated by the general counsel and aligned to the IT services being consumed by the business,’ says Burns.
What’s crucial is teamwork. The general counsel and corporate secretary can be aware of and provide senior-level support for budget requests from the CIO to provide resources for work that is needed to obtain a ‘clean’ audit, says Nerenberg. They can also assist the CIO and IT team in understanding new regulations and how they might change technology requirements.
‘IT should be viewed not as a standalone unit, but as a vital partner in the business,’ says Brian Christensen, a managing director at Protiviti. Otherwise, there will be no cohesiveness or alignment with strategic objectives.
Keeping pace with future challenges
All hands are needed to deal with the array of future challenges companies will face. Every year technologies are changing and new ones are being introduced. The new trend of ‘bring your own device’ is just one example of a new challenge in end-user computing, says Nerenberg. Personal devices used for business need to be monitored.
Perhaps the biggest concern is cloud computing. ‘Cloud is taking over,’ says Joseph Oringel, co-founder of services and software firm Visual Risk IQ. ‘In many companies, people are making decisions about cloud and IT isn’t involved. Anybody with a credit card or email account can make a decision that impacts the possibility of a data breach. It could be that the vice president of sales or HR has cloud-based applications and the CIO doesn’t know anything about them, so they don’t show up on the inventory list.’
As cloud computing and mobile devices become more prevalent, it becomes ever more challenging to provide security for the enterprise’s data. Protection of corporate intellectual property is critical to keeping the company in business, even if there are no compliance requirements to do so. Nevertheless, all organizations have some amount of data about their clients, industry partners and employees that should be protected. ‘This personally identifiable information has become as much a target of hackers and cyber criminals as corporate IP,’ says Jerry Irvine, CIO of consulting firm Prescient Solutions. ‘Additionally, personally identifiable information has multiple compliance requirements and will most likely be the subject of future regulations.’
Unfortunately, Christensen notes, solving most IT challenges is like trying to hit a moving target: ‘Even when you correct exposures, the people who do bad things – the crooks – continue to work just as fast to stay ahead of you.’ And of course, on the regulation front, the creation of the Consumer Financial Protection Bureau may dramatically affect compliance requirements at companies, says Nerenberg.
When it comes to keeping companies’ corporate governance and compliance efforts up to date, governance, risk and control technology solutions are a good place to start. ‘The goal of these applications is to aggregate the inherent and residual technology risk that is aligned to the company’s business processes,’ says Burns. ‘This solution can also be used to align the legal and regulatory risk that should be assessed as part of the process and offer good centralized knowledge management solutions.’
Scott says his priorities for IT spending are encryption (for data both in motion and at rest), mobile security, end-point security and intrusion, and software asset management tools such as automated discovery and entitlement repositories.
‘The rapid pace of technology change makes IT audit a critical component of risk management and corporate oversight in today’s business environment,’ concludes Christensen. ‘Small measures of prevention have the ability to identify and alleviate potentially devastating consequences.’