In October 2019, Protiviti and ISACA® released the 2019 Global IT Audit Benchmarking Study, for which more than 2,200 internal audit (IA) executives and professionals around the world were surveyed. The key findings of the survey have been summarized in a published report and discussed at greater length during a recent webinar. One specific finding which made the top 10 priorities of IT auditors for the first time in 2019 should be elaborated on: “bridging IT and the business.”
Organizations are learning that it is not enough for tech departments to keep pace with an accelerating technology curve. It is equally important to bring along other departments, and IT audit specifically, to provide the proper oversight of the changing risk landscape and increase operational resilience.
One of the best ways to further this process is to create greater collaboration between the IT internal audit and IT teams. In fact, the 2019 benchmarking study showed that in several key functional areas, there has been significant growth in such collaboration.
In the area of IT Governance/Risk Management, for example, the number of IT working groups that has built ongoing partnerships with IT auditors has risen from 55% to 79% since 2019. Even in the area of Enterprise Portfolio, a function not generally linked with IA, participation levels have nearly doubled, from 10% to 19%.
Evolution in IT Audit’s Role
The survey reveals a much-needed evolution in the role of IT audit from watchdog to advisor, a shift we have been advocating for some time. To be sure, IA must always remain independent to fulfill its critical function as the third line of defense for risk management, operational soundness and compliance. However, if IT audit engages with IT at a much earlier stage of new technology projects and maintains an ongoing partnership, it significantly helps IA to fulfill its oversight function more effectively. On the other side of the partnership, it also helps IT raise its success ratio for installing and enhancing systems because the likelihood of having to backtrack and put risk controls in place retroactively, after an IA review, is significantly reduced.
Every adoption of new technology changes an organization’s risk landscape. By meeting with IT personnel early in the planning stages of tech upgrades, migrations or digital initiatives, IA can build a more effective audit plan. It can get a better grasp of how data are to be sourced, processed, transmitted and consumed. Perhaps the best example of how this can benefit the organization is a cyberattack. In this often chaotic, all-hands-on-deck situation, prework between IT and IA can go a long way in mitigating damage and executing a quick recovery.
On the IT side, an early and ongoing collaboration with IA helps to identify and mitigate operational gaps and potential risk. As such, it can give the IT team advantages such as staying within budget and getting buy-in from the rest of the organization. While IT is naturally more focused on the technical aspects of project implementations, user training, etc., the fresh, outside perspective of IT audit can spot potential pitfalls and help with timely course corrections.
Read about overcoming natural barriers and the future of collaboration in the full article from KnowledgeLeader.
This article was excerpted with permission from Protiviti’s KnowledgeLeader, a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA members receive a discount on an annual subscription to the service.