IT Internal Audit: Multiplying risks amid scarce resources
IT Internal Audit
As technology risks multiply, IT Internal Audit is being asked to do more. IA professionals are rising to the challenge, but KPMG’s latest market survey shows there still are significant gaps in resources and capabilities. To bridge the gap, ITIA must redouble its efforts to enhance the skills of existing personnel, to partner with third parties and to hire talented professionals where necessary.
It is a critical time for IT professionals and internal auditors of IT (ITIA) who must provide insights on the most important technology risks and how to mitigate them. However, a survey of 250 ITIA professionals around the world shows there are significant gaps in resources and capabilities:
- ITIA is currently focusing on core operations risks (41%), such as unauthorized access or changes to critical business applications. But respondents anticipate a significant shift in attention in 2018 toward emerging risks (63%), such as robotics and the Internet of Things (IoT). Organizations will need to gain access to new skills and potentially invest to leverage new tools to tackle these areas, and will have to come up with alternative approaches to reporting that take place in real time.
- Forty-three percent of respondents say their ITIA budgets are likely to be stable and 8 percent say they may fall between 2017 and 2018. Thirty-eight percent say they may rise. The budget are required to keep pace with technology risks, to be able to deploy more integrated audit tools across the full audit life cycle, and to implement and integrated D&A in a continuous systematic fashion in audits. In any organization, the ITIA budget needs to be matched to the risks over which assurance is needed, and this is driven by robust annual risk assessment.
- The main area of concern is whether ITIA has the skills required to provide assurance over the most important technological risks to the organization. ITIA respondents say they face talent shortages in many risk areas they are auditing. The biggest resource gaps are in cyber security, followed by D&A, and privacy.
- Over three quarters of survey respondents rely on either co-sourced or fully-outsourced delivery models. According to the survey, the main reasons for outsourcing is a lack of people and a deficit of technical skills.
- One area of need is the ability to use D&A for various purposes in ITIA. The reliance on D&A presupposes that the data is of high quality – 85% of respondents consider data quality to be very or extremely important. However, only a quarter of respondents say they use analytics for continuous auditing, monitoring and assurance techniques; the remainder use it in an ad hoc way.
- Assurance is typically delivered through direct internal and external audits, rather than by leveraging the assurance work done by the organization’s independent assurance specialists. The implication is that many organizations lack an integrated approach to assurance.
Read the other articles
Return to the Risk + Newsletter Ocotober 2017
© 2021 KPMG Central Services, a Belgian Economic Interest Grouping ("ESV/GIE") and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.
