Technology risk is pervasive and continually changing. It is a critical time for IT professionals and internal auditors of IT, who must build plans to provide assessments of, and insights into, the most important technology risks and how to mitigate them. IT Internal Audit (ITIA) must keep abreast of, and wherever possible anticipate, fast-moving developments in technology. In particular, ITIA must plan, deliver and, when necessary, flex its audit plan in such a way that it responds to these changes in the most appropriate, efficient and effective manner. And it must do so within the budgetary constraints imposed by the organization, facing competition (both internal and external) for resources.
To find out how ITIA is responding to these challenges, KPMG surveyed ITIA representatives of 250 organizations, both large and small, that are operating in a wide range of industries around the world. At a time when demands placed on ITIA are steadily growing, this report is intended to stimulate your thinking and provide fresh perspectives.
Based on our analysis of the survey results, the main findings include:
- ITIA is currently focusing on core operations risks, such as unauthorized access or changes to critical business applications. But respondents anticipate a significant shift in attention in 2018 toward emerging risks, such as robotics and the Internet of Things (IoT), which connects devices to the internet and to each other. ITIA will need to build holistic assurance over these new risks across the organization to cover key components such as cyber defenses around data, applications and infrastructure.
- ITIA faces the task of obtaining the appropriate skilled and qualified resources to assess fast-changing risks and to increase the use of tools and technologies such as data analytic technology and automated workflow tools.
- Forty-three percent of respondents say their ITIA budgets are likely to be stable and 8 percent say they may fall between 2017 and 2018. Thirty-eight percent say they may rise. If budgets are not, at least, maintained, there is a danger that ITIA will not be able to perform its job of providing adequate assurance over all the different kinds of risks, not just those affecting core operations.
- The chief area of concern is whether ITIA has the skills required to provide assurance over the most important technological risks to the organization. ITIA respondents say they face talent shortages in many risk areas they are auditing. The biggest resource gaps are in cyber security, followed by data and analytics (D&A), and privacy.
- One area of need is the ability to use D&A for various purposes in ITIA. Only a quarter of respondents say they use analytics for continuous auditing, monitoring and assurance techniques; the remainder use it in an ad hoc way.
- Assurance is typically delivered through direct internal and external audits, rather than by leveraging the assurance work done by the organization’s independent assurance specialists. The implication is that many organizations lack an integrated approach to assurance.