Seven in ten chief information officers at UK companies
believe their audit committees are ignoring the risks posed by IT
to their business, new research has found.
One third of internal audit heads at companies questioned in the
same survey of 18 CIOs and 44 internal audit heads said they were
not confident that their staff had the right skills and resources
to make an effective assessment of the IT risks to their
business.
Despite the central role of IT in helping companies comply with
a raft of corporate governance regulations, only one quarter of
respondents at organisations surveyed by professional services firm
Ernst & Young said they carried out regular reviews of
third-party service providers.
IT risks include security breaches, the installation of new
computer systems, and outsourcing agreements. Internal auditors
also review the “IT controls” in place to mitigate the risks posed
by technology before making recommendations to the company
board.
Erol Mustafa, partner at Ernst & Young and head of its IT
Internal Audit services, said, “Today the audit committee must be
prepared to not only discuss but confidently challenge the IT
related threats, vulnerabilities and risks facing their
business.”
“Regulation such as Sarbanes-Oxley and the future EU 8th
Directive [audit regulations] increases the need for audit
committees to understand IT risks and implications for the
business. Organisations must put greater focus on internal controls
and governance structures. IT controls failures or an inability to
detect and resolve IT control issues can carry heavy operational,
financial and reputational risks, particularly when those risks
become public knowledge.”
He added that there was a shortage of staff with the skills and
experience to carry out internal IT audits. Seventy per cent of
companies surveyed said they had a dedicated internal IT audit
department.