Technology issues dominate list of top internal audit priorities

A new survey by consulting firm Protiviti finds that more companies are evaluating cyber security risks as part of their annual audit plans.

According to the survey, "Arriving at Internal Audit's Tipping Point Amid Business Transformation," nearly three out of four companies (73 percent) now include cyber security risk in their internal audits, a 20 percent increase from when the survey was last conducted.

While there is a clear need among most internal audit groups to strengthen their ability to address cyber security risk, the survey found that these capabilities are much stronger for top-performing organizations, particularly those in which the board of directors has a high level of engagement in information security risks.

"Cyberattack threats are significant and continuously evolving in sophistication," said Brian Christensen, executive vice president of global internal audit, at Protiviti. "Our survey found that when it comes to cyber security and auditing processes, the highest performing organizations have audit committees and boards who actively engage with the internal audit function during the discovery and assessment of these risks. It's still apparent, however, that further work is essential to build out these internal audit capabilities. Companies must take stronger action to set these imperatives into place."

It's no surprise that internal audit is taking more steps to make assessing cyber security risks a mainstay of its agenda. Cyber security has steadily climbed the list of board concerns. A separate survey recently published by accounting firm Eisner Amper found that boards ranked cyber security as their overall top concern for public company boards. Still, some boards are worried about their own ability to monitor cyber risks. Just 24 percent of them said their boards were well-versed in understanding cyber risks.

Top Internal Audit Priorities

More than 1,300 internal audit professionals, including more than 150 chief audit executives, participated in the Protiviti annual survey, which assess the top priorities for internal audit functions in the coming year.

Areas that continue to surface as top priorities year-over-year include: ISO 27000, data analysis technologies, various areas of auditing IT, technology-enabled auditing, and fraud risk management. This year was not different, with technology issues dominating the priority list for internal auditors.

The top 10 priorities for internal audit in 2016 are:

  1. ISO 2700 (information security)
  2. Mobile applications
  3. NIST Cyber security Framework
  4. GTAG 16 – Data Analysis Technologies
  5. Internet of Things
  6. Agile Risk and Compliance
  7. ISO 14000 (environmental management)
  8. Data Analysis Tools – Statistical Analysis
  9. Country-Specific ERM Framework
  10. Big Data/Business Intelligence

"With most of the top priorities identified relating to IT risks, it's clear that auditing IT has never been more important to internal audit functions and to the state of an organization's overall risk profile," added Christensen. "The rapid introduction of new technologies, combined with the growing frequency and magnitude of corporate cyber security lapses, is driving internal audit to increase its IT audit capabilities each year. With internal audit now at a tipping point, these top priorities are more important than ever before. If the internal audit function doesn't keep up with the growth and innovation of companies, it will be left behind. The time to act is now."

Cyber Security Risk Capabilities

During the past decade, the importance of cyber security in internal audit functions has evolved from a simple IT risk to a serious strategic business risk, an issue that now must be addressed regularly by executive management and the board of directors. In fact, 57 percent of companies surveyed have received inquiries from customers, clients or insurance providers about the organization's state of cyber-security.

Protiviti's survey found that there are two critical success factors when establishing and maintaining an effective cyber security plan:
1) A high level of engagement by the board of directors in information security risks
2) Including the evaluation of cyber security risk in the current audit plan.

Companies with at least one of these success factors in place have a stronger risk posture to combat cyber threats. For example, 92 percent of organizations with a high level of board engagement in information security risks have a cyber security risk strategy in place, compared to 77 percent of other organizations. Similarly, 83 percent of companies that include cyber security risk in the annual audit plan have a cybersecurity risk policy, versus 53 percent that do not include cybersecurity risk in their audit plans.