Seven in ten chief information officers at UK companies believe their audit committees are ignoring the risks posed by IT to their business, new research has found.
One third of internal audit heads at companies questioned in the same survey of 18 CIOs and 44 internal audit heads said they were not confident that their staff had the right skills and resources to make an effective assessment of the IT risks to their business.
Despite the central role of IT in helping companies comply with a raft of corporate governance regulations, only one quarter of respondents at organisations surveyed by professional services firm Ernst & Young said they carried out regular reviews of third-party service providers.
IT risks include security breaches, the installation of new computer systems, and outsourcing agreements. Internal auditors also review the “IT controls” in place to mitigate the risks posed by technology before making recommendations to the company board.
Erol Mustafa, partner at Ernst & Young and head of its IT Internal Audit services, said, “Today the audit committee must be prepared to not only discuss but confidently challenge the IT-related threats, vulnerabilities and risks facing their business.”
“Regulation such as Sarbanes-Oxley and the future EU 8th Directive [audit regulations] increases the need for audit committees to understand IT risks and implications for the business. Organisations must put greater focus on internal controls and governance structures. IT controls failures or an inability to detect and resolve IT control issues can carry heavy operational, financial and reputational risks, particularly when those risks become public knowledge.”
He added that there was a shortage of staff with the skills and experience to carry out internal IT audits. Seventy per cent of companies surveyed said they had a dedicated internal IT audit department.