IT Audit Perspectives on Top Technology Risks| Protiviti US

Protiviti partnered with The Institute of Internal Auditors to conduct its 11th annual Global Technology Audit Risks Survey in the second and third quarters of 2023.

The objective of this survey is to explore the top technology risks organizations face, as perceived by technology audit leaders and professionals. It also explores the practices, processes and tools employed to help enterprises identify, manage and mitigate these risks.
More than 550 executives and professionals, including CAEs and IT audit directors, participated in our study.

Go deeper: This report functions as both a mirror and a roadmap. It provides insights into the current state of technology risks while also guiding technology audit leaders and teams through the challenges and opportunities that lie ahead.

60% view third-party and vendor risks related to security, reliability and resilience as a significant cause for concern.

Key Findings

Cybersecurity is the top priority … and by a wide margin.

Nearly 75% of all respondents and even more CAEs and technology audit leaders consider cybersecurity to be a high-risk area.
Moreover, respondents believe next-gen cyber threats pose the most significant risks over the next two to three years.

Artificial intelligence (AI) is an emerging risk with gaps in organizational preparedness and audit proficiency.

While only 28% of respondents indicate AI (including generative AI) and machine learning (ML) pose significant threats to their organization over the next 12 months, AI is rated among the emerging technologies posing the most significant risks over the next two to three years. This suggests that while AI may not be perceived as an immediate threat, it is rising rapidly on the risk horizon.
As AI adoption is set to soar, it represents a latent risk that organizations must start preparing for now. Few organizations believe their level of preparedness or the proficiency of their technology audit group in handling AI and ML risks are at acceptable levels.

The talent gap in IT is a growing concern.

While respondents report that their IT audit teams are moderately proficient at effectively evaluating IT talent management and the perceived threat associated with attracting, developing and retaining skilled technology personnel ranks in the middle of the pack compared to other risks, enterprise preparedness remains relatively low.

Data privacy is a growing regulatory challenge.

Data privacy regulations such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and forthcoming legislation in other jurisdictions are adding layers of complexity to technology risk management. Our survey shows that while many respondents are confident in their organization’s cybersecurity measures, fewer are equally confident in data privacy compliance.

Data governance and transformation are of significant concern.

CAEs and IT audit leaders are concerned about ensuring the accuracy, consistency and trustworthiness of their data. Proper data governance is not just a compliance requirement – it also represents the foundation for successful digital transformations and AI initiatives.

Navigating the complex landscape of third-party and vendor risk is a challenge.

Global events such as supply chain disruptions and regulatory changes, combined with the increased use of cloud services and other outsourced IT functions, have amplified the importance of vetting third-party providers. This screening extends beyond cost effectiveness to encompass compliance with security and data protection standards.

More frequent auditing drives risk preparedness.

Our survey results demonstrate a clear connection between the number of technology audits performed annually and an organization’s ability to manage critical technology risks.

Call to Action

58% of respondents consider data privacy and compliance to be a significant threat over the next year

Here are several high-level actions for technology audit teams to consider.

Increase audit frequency for high-impact areas, especially those identified as critical emerging risks, to maintain a pulse on rapidly evolving challenges.
Leverage advanced analytics for deeper insights, integrating these tools and techniques into audit processes to better understand risks and the effectiveness of current risk management strategies.
Assess perceived threat levels of technology audit risks in conjunction with organizational preparedness and internal audit’s proficiency concerning each threat.
Improve internal audit’s ability to address IT talent management issues that pose significant threats to the organization, the internal audit function and the technology audit group.
Prioritize next-gen cyber threats today – collaborate with cybersecurity counterparts to assess organizational preparedness.
Act now on AI, including generative AI. Organizational use of these technologies is increasing rapidly and evolving in unexpected ways, while AI-related organizational preparedness and technology audit proficiency remain low.
Revisit cloud security policies, making sure to include aspects like data residency, encryption and access controls as part of this review.
Address the most significant barriers — budgets, access to technical skills, ROI quantifications — hindering the adoption of advanced auditing technologies and tools.
Invest in upskilling, especially for emerging technologies.
Integrate ESG risks into audit plans.

View infographic

58% of respondents consider data privacy and compliance to be a significant threat over the next year

A note to our readers

Advanced AI poses significant risk in emerging tech over next 2-3 years

Protiviti can provide further detailed results and insights from this study, including where other organizations in similar industries and of comparable size (and more) stand in relation to their perception of threat levels, organizational preparedness, and internal audit proficiency for each technology risk. Please contact your local Protiviti office or representative for more information.

Review previous reports and benchmarking studies here:

Advanced AI poses significant risk in emerging tech over next 2-3 years

Leadership

Angelo Poulikakos

Angelo is a Managing Director and global leader of Protiviti’s Technology Audit & Advisory practice. His specific areas of concentration include technology risk management, cybersecurity, IT compliance, internal audit, and automation. Angelo has over 18 years of ...