The IT audit function has never held a more crucial role. From substantial cybersecurity, privacy and infrastructure challenges and management issues to the implementation of new technologies in the organization, IT auditors work closely with management and the board of directors to fulfill a vital role in helping maintain an effective control environment amid a changing business climate and dynamic global marketplace.
The results of the latest IT Audit Benchmarking Study from ISACA and Protiviti illustrate the increasingly integrated role IT audit leaders and professionals are assuming in regard to technology initiatives in their organizations. A majority have a significant or moderate level of involvement in major technology projects, including at the important planning stages. A majority of IT audit directors regularly attend audit committee meetings (a noteworthy change from just a few years ago). Yet, as we explore in this report, there is room for improvement in many areas. Most notably, a substantial percentage of IT audit functions report having minimal or no involvement in significant technology projects in the organization. And for those that are more involved, most of their efforts appear to be focused on the post-implementation stages rather than in planning, design or testing.
Why aren’t IT auditors involved earlier and more often in major technology projects? More broadly, why are certain types of audits not performed? Is lack of the right framework and/or the right IT audit talent and skills the primary issue? Does IT audit have the necessary authorization from management and the board to become involved in these projects earlier and in greater detail? Is IT audit building the appropriate relationships with management and line-of-business leaders to earn a seat at the table when critical technology projects are being planned and implemented? In our report, we provide possible answers to these questions and guidance for IT audit leaders seeking to grow their function into a strategic partner for their organizations.