New survey by Protiviti and ISACA finds that organisations further along the digital transformation maturity spectrum have a clear advantage amid the COVID-19 environment.
MENLO PARK, Calif., December 15, 2020 – According to a new survey from Protiviti and ISACA, titled “IT Audit Perspectives: Top Technology Risks in 2021,” concerns around security, privacy, cloud and technology resilience are being further fueled by shifting business priorities, the pandemic-induced remote work environment and accelerated deployment of new technologies. Entering into 2021, IT audit groups – particularly those in more digitally mature organisations – are utilising more dynamic and real-time approaches to technology risk assessment, which enables them to be more agile and responsive to the rapidly evolving risk landscape, driven in no small part by pandemic-related challenges.
The technology and audit benchmarking survey identified the top concerns that over 7,400 IT audit leaders and professionals from organisations around the world are facing and planning to address in 2021. The findings reveal that ‘digital leaders’ – those self-characterised as having innovative and disruptive qualities, including a proven track record of delivering on digital and innovation initiatives and effective adoption of emerging technologies – weigh risks differently from companies with lower levels of digital transformation maturity and those who are in the earlier stages of defining and delivering on their digital and innovation agenda. The survey report notes that digital leaders stand out in their frequency of performing technology audit risk assessments, driven by more agile ways of working as well as more integration and use of data and technology. However, the majority (67%) of organisations do not classify themselves as digital leaders, and 11% of those non-leaders are not conducting any form of technology risk assessment.
The Top 10 IT Audit Risks for 2021
The survey asked respondents to rate the significance of 39 technology risk issues. Of those, the top 10 IT audit risks identified were as follows:
- Cyber Breach
- Confidentiality and Privacy
- Regulatory Compliance
- User Access
- Security Incident Management
- Disaster Recovery
- Data Governance
- Third-Party Risk
- Remote Workplace Infrastructure
- Availability Risk
For the most part, the top 10 technology risks for digital leaders and other companies were the same, but risk indexes trended higher for digital leaders. This is likely a result of several factors, including the generally more complex technology environments of such organisations, as well as their more extensive use of advanced technologies (such as intelligent automation, IoT, artificial intelligence and machine learning), and the general levels of data and technology employed by digital leaders to support their enhanced customer engagement, operational performance and digitisation of products and services.
One notable difference between digital leaders and other organisations was that cloud strategy and adoption was a top 10 risk for digital leaders but not for others, because digital leaders were more likely to include cloud technologies in their delivery of business services and in their longer-term planning and strategy.
“Companies need visibility to effectively identify and evaluate risks. The sudden shift to remote work, as well as the broader disruption experienced by many, has revealed the importance of identifying and assessing technology risks on a more dynamic and frequent basis to develop closer-to-real-time views and responses,” said Andrew Struthers-Kennedy, a managing director with Protiviti and leader of the IT Audit practice. “We’re seeing significant demand from companies that need help integrating more dynamic and data-driven approaches to risk assessments into their internal audit activities. Internal audit functions that are able to achieve this will be much better positioned to deliver highly efficient and effective risk assurance.”
The survey found that most organisations (61%) are now identifying and assessing technology risks for the purpose of audit planning as part of the overall internal audit risk assessment process. However, that leaves a somewhat worrying 39% of organisations that are not specifically assessing technology risks in the development of audit plans.
Despite the geographical spread of the survey respondents and number of industries included, the ranking of technology risks was generally consistent. IT audit professionals from North America, Africa, Asia, Europe, the Middle East and Oceania all ranked cyber breaches as their top concern, with almost 80% globally noting that they plan to address the risk in their 2021 audit plans. Cyber breaches were also consistently a primary concern across industry sectors, including consumer packaged goods and retail; energy and utilities; financial services; healthcare; manufacturing and distribution; and technology, media and telecommunications.
“Responses from this study show that missteps in risk management are amplified for organisations that have not yet mastered timely responses to business disruption,” said Robin Lyons, ISACA IT Audit Professional Practices Lead. “Audit functions that have a strategy that keeps pace with longer-term risks and high-velocity risks will demonstrate their value as they continue to provide assurance regardless of any disruption.”
The report is based on a survey, fielded in September-October of 2020, of 7,470 executives and professionals, including Chief Audit Executives and IT audit vice presidents and directors, representing a wide range of industries globally. The survey was conducted in collaboration with ISACA, a global technology association and learning organisation.
Survey Resources Available
The survey report is available for complimentary download from Protiviti and from ISACA, in addition to an infographic that highlights key findings. A short video about the study is also available.
For more than 50 years, ISACA® (www.isaca.org) has equipped individuals with knowledge, credentials, education, and community to progress their careers and transform their organisations, and enabled enterprises to train and build quality teams. ISACA is a global professional association and learning organisation with 145,000 members who work in information security, governance, assurance, risk, and privacy. It has a presence in 188 countries, including more than 220 chapters worldwide.