2022 IT Audit Technology Risks in Tech, Media & Telecom
Survey Shows Elevated Concerns Around Cybersecurity, Privacy and Compliance for the Technology, Media and Telecom Industry
For the technology, media and telecommunications (TMT) industry, the greatest IT audit concerns in 2022 lie with cybersecurity-related breaches, privacy and regulatory compliance. More than 1,000 IT audit leaders and professionals from the TMT industry provided this assessment of the current technology risk landscape in the latest IT Audit Technology Risks Survey, conducted by ISACA and Protiviti.
The TMT survey participants were among more than 7,500 IT audit leaders from across nearly every industry who shared insights on the biggest IT risks and how they are structuring their functions to address current and future demands. The top IT audit issues, which align with those expressed by IT audit leaders across other industries, are of greater concern because they can lead to significant reputational damage and loss of revenue and customers, as well as regulatory fines or scrutiny.
Cybersecurity is not a new threat to TMT organisations; however, the level of urgency has clearly escalated in recent years. According to the Identity Theft Resource Center, there were 1,862 data breaches in 2021, up more than 68% from 2020 and breaking the previous record of 1,506, set in 2017. Protiviti’s latest annual Top Risks Survey also showed that, for the TMT industry group, the cyber threat moved up six notches to the fourth position this year on the top-risk list.
It is also not a surprise that privacy concerns are weighing heavily on the minds of TMT IT audit leaders. Increasingly, governments around the world are enacting new privacy rules and imposing heavy fines and penalties on organisations that are found to be violating the rules.
An ever-changing regulatory environment
Indeed, across all industries, internal audit teams, as well as other departments (e.g., legal, compliance, IT), are scrambling to keep pace with new data privacy and data security rules, as well as changing legal and regulatory compliance requirements that have growing implications for organisational data management and technology-related activities.
In the TMT industry, for example, there’s intense effort on the part of legislative and regulatory bodies globally to rein in companies that are perceived to have unfettered power and influence. The Federal Trade Commission has been particularly aggressive with enforcement in the United States, a trend that many predicted following President Biden’s appointment of a fierce technology industry critic to the commission. Read our recent blog post, “Finding Equilibrium: Transformative Regulations Create More Hurdles for TMT Companies,” to learn how companies can manage through this difficult regulatory environment.
The latest IT Audit Technology Risks Survey shows that IT audit teams at TMT organisations are working to address these various concerns through the audit process. Consistent with other industries, a majority of TMT IT audit leaders (68%) said they assess technology risk as part of the overall internal audit risk assessment process, while 12% conduct it separately from the overall internal audit risk assessment process. But more important than how technology audit is conducted is how often it is done. About 34% of the TMT survey participants said they conduct annual assessments, while 27% said they do it continually or more frequently than monthly. Also, nearly half of the respondents said their organisation’s tech audit risk framework aligns with their enterprise risk management framework.
The survey also indicates that the velocity and persistence of factors impacting the tech audit risk assessment process are higher for the TMT industry than for other industries. Roughly 34% of TMT respondents said their technology risk audit process has changed to consider the potential duration, or persistence, of a risk event, and 33% said it has changed due to velocity.
Clearly, as the survey shows, the TMT industry faces significant technology risk challenges. Going forward, to drive success and reduce risks, companies need to prioritise developing a culture of compliance, just as they have done with innovation and a first-to-market attitude. This means regularly assessing and reacting to the impact of evolving regulations and enforcement on their organisation’s business model. Building capabilities, including staffing up on compliance, risk management, legal, privacy and legislative expertise, with clearly assigned roles and responsibilities, is also crucial to success.
The intensifying data privacy environment calls for organisations in the TMT industry to develop a comprehensive data privacy programme, if they have not already, and make it an embedded process. It is also critical that organisations break down silos by leveraging a broad, data-driven transformative risk management framework, and conduct regular risk assessments. This framework should be built to evolve quickly and at the same pace as innovation.
The 10th annual IT Audit Technology Risks Study was conducted in the fourth quarter of 2021. The in-depth survey report (which includes a detailed breakdown of benchmarking data by organisation size, region, industry and more), as well as a podcast, a webinar and an infographic on the topic, are available from Protiviti and from ISACA.