Ineffective IT internal audit plans reduce risk management effectiveness

KPMG’s IT internal audit survey has found that only 16 percent of respondents have a rolling or quarterly planning processes in place, and a quarter of respondents don’t use a planning framework at all, which can leave the IT audit vulnerable and allow core business risks to go unaddressed by management.

KPMG’s survey of 297 finance professionals across Europe, the Middle East and Africa, one of the largest completed, identifies current trends in IT internal audit practices, in association with the Institute of Internal Auditors and the Information Systems Audit and Control Association.

The survey also found that over three quarters of respondents (78 percent) undertake their audit planning on an annual basis only. In an environment where technology is a vital part of a businesses’ make-up, and the opportunity for deliberate sabotage is high, the need for a more regular review of plans has never been greater.

Warren Middleton, global head of IT internal audit at KPMG comments:
“It’s clear from our survey that IT internal auditors must position themselves at the heart of the business to ensure that the business and technology risks are well understood.

“The need for up-to-date and regular reviews should be a fundamental part of the audit process – especially in the current climate where IT continues to be open to potential attack. For businesses, life without technology is unthinkable and the need to get this right should make this a priority issue for all Boards.”

However the problem would appear to be deeper, as the survey found that the majority (59 percent) of respondents are not aligning their IT internal audit within their wider governance plans. In addition, just over a third appear to be moving in the right direction with some coordination in place and further alignment planned, indicating that many companies are not ‘joined up’ in their overall governance approach.

Warren Middleton comments: “This is a worrying trend and in the current recessionary environment, where the propensity for fraud remains high. It suggests that businesses should take a close look at the bigger picture, where IT systems have a vital and important role to play in the daily running of the business.”

As far as the reporting of their findings goes, the majority of respondents (72 percent) said they present them to the audit committee; however, slightly more worryingly only 37 percent of external auditors receive a copy of their findings showing there is a disconnect between internal and external reporting procedures.

Heads of audit are looking for IT audit staff with both data and information security skills. For 62 percent of respondents security is the biggest skill set in demand. However, over 40 percent of organizations say they will use outsourcing to access appropriate skills and resources and this trend is likely to continue over the next eighteen months because of rising skill shortages.

Finally, the survey showed that the quality of the IT internal audit is measured by just over half (56 percent) of respondents, while the remainder had no quality controls in place, and in 41 percent of cases they undertook only an informal assessment or worse, no assessment at all.

Warren Middleton concludes: “It’s clear that IT internal audit needs to do more to get closer to the business, especially in these turbulent times when the commercial landscape is constantly changing.

“By ensuring their audit plans are signed off by the Audit Committee, and that head of audit reports to the Board, the internal profile of IT audit is raised to ensure their message is properly communicated and, ultimately, understood.”

Read the full survey report (PDF)

•Date:17th April 2009• Region: World •Type: Article •Topic: IT continuity
Rate this article or make a comment - click here