Assessing the results of the Global Technology Audit Risks Survey conducted by Protiviti and The Institute of Internal Auditors

Technology audit’s view of risks on the horizon

Protiviti partnered with The Institute of Internal Auditors to conduct its 11th annual Global Technology Audit Risks Survey in the second and third quarters of 2023. 

  • The objective of this survey is to explore the top technology risks organisations face, as perceived by technology audit leaders and professionals. It also explores the practices, processes and tools employed to help enterprises identify, manage and mitigate these risks. 
  • More than 550 executives and professionals, including CAEs and IT audit directors, participated in our study. 

Go deeper: This report functions as both a mirror and a roadmap. It provides insights into the current state of technology risks while also guiding technology audit leaders and teams through the challenges and opportunities that lie ahead.

60% view third-party and vendor risks related to security, reliability and resilience as a significant cause for concern.

Key Findings

Cybersecurity is the top priority … and by a wide margin. +
  • Nearly 75% of all respondents and even more CAEs and technology audit leaders consider cybersecurity to be a high-risk area.
  • Moreover, respondents believe next-gen cyber threats pose the most significant risks over the next two to three years.
Artificial intelligence (AI) is an emerging risk with gaps in organisational preparedness and audit proficiency. +
  • While only 28% of respondents indicate AI (including generative AI) and machine learning (ML) pose significant threats to their organisation over the next 12 months, AI is rated among the emerging technologies posing the most significant risks over the next two to three years. This suggests that while AI may not be perceived as an immediate threat, it is rising rapidly on the risk horizon.
  • As AI adoption is set to soar, it represents a latent risk that organisations must start preparing for now. Few organisations believe their level of preparedness or the proficiency of their technology audit group in handling AI and ML risks are at acceptable levels. 
The talent gap in IT is a growing concern. +
  • While respondents report that their IT audit teams are moderately proficient at effectively evaluating IT talent management and the perceived threat associated with attracting, developing and retaining skilled technology personnel ranks in the middle of the pack compared to other risks, enterprise preparedness remains relatively low. 
Data privacy is a growing regulatory challenge. +
  • Data privacy regulations such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and forthcoming legislation in other jurisdictions are adding layers of complexity to technology risk management. Our survey shows that while many respondents are confident in their organisation’s cybersecurity measures, fewer are equally confident in data privacy compliance. 
Data governance and transformation are of significant concern. +
  • CAEs and IT audit leaders are concerned about ensuring the accuracy, consistency and trustworthiness of their data. Proper data governance is not just a compliance requirement – it also represents the foundation for successful digital transformations and AI initiatives. 
Navigating the complex landscape of third-party and vendor risk is a challenge. +
  • Global events such as supply chain disruptions and regulatory changes, combined with the increased use of cloud services and other outsourced IT functions, have amplified the importance of vetting third-party providers. This screening extends beyond cost effectiveness to encompass compliance with security and data protection standards.
More frequent auditing drives risk preparedness. +
  • Our survey results demonstrate a clear connection between the number of technology audits performed annually and an organisation’s ability to manage critical technology risks.
58% of respondents consider data privacy and compliance to be a significant threat over the next year

Call to Action

Here are several high-level actions for technology audit teams to consider.

  • Increase audit frequency for high-impact areas, especially those identified as critical emerging risks, to maintain a pulse on rapidly evolving challenges.
  • Leverage advanced analytics for deeper insights, integrating these tools and techniques into audit processes to better understand risks and the effectiveness of current risk management strategies.
  • Assess perceived threat levels of technology audit risks in conjunction with organisational preparedness and internal audit’s proficiency concerning each threat.
  • Improve internal audit’s ability to address IT talent management issues that pose significant threats to the organisation, the internal audit function and the technology audit group.
  • Prioritise next-gen cyber threats today – collaborate with cybersecurity counterparts to assess organisational preparedness.
  • Act now on AI, including generative AI. Organisational use of these technologies is increasing rapidly and evolving in unexpected ways, while AI-related organisational preparedness and technology audit proficiency remain low.
  • Revisit cloud security policies, making sure to include aspects like data residency, encryption and access controls as part of this review.
  • Address the most significant barriers — budgets, access to technical skills, ROI quantifications — hindering the adoption of advanced auditing technologies and tools.
  • Invest in upskilling, especially for emerging technologies.
  • Integrate ESG risks into audit plans.
View infographic
58% of respondents consider data privacy and compliance to be a significant threat over the next year
Advanced AI poses significant risk in emerging tech over next 2-3 years

A note to our readers

Protiviti can provide further detailed results and insights from this study, including where other organisations in similar industries and of comparable size (and more) stand in relation to their perception of threat levels, organisational preparedness, and internal audit proficiency for each technology risk. Please contact your local Protiviti office or representative for more information.

Review previous reports and benchmarking studies here:

Advanced AI poses significant risk in emerging tech over next 2-3 years