Audit teams come under fire in CIO survey of risk assessment

IT directors fear internal audit staff lack resources and skills

Corporate governance regulations such as Basel 2 and Sarbanes-Oxley require companies to clearly document risks to their business and measures to mitigate them. But IT directors have serious concerns about the skills and resources of the teams used by company boards to identify IT-related risks to the business.

That was one of the conclusions of UK research published last month by professional services firm Ernst & Young, which questioned IT directors and internal audit heads about the effectiveness of IT auditors.

IT audit teams work within audit committees and should provide independent assurance to company boards about the risks to their business and the controls in place to mitigate them.

Examples of IT-related risks include computer viruses, the installation of new computer systems, and outsourcing agreements.

Controls could include a firewall to block hackers or the way applications are configured to block employee access to commercially confidential information. Internal auditors make recommendations about these matters to the company board.

However, almost three-quarters of chief information officers and internal audit heads at large UK companies questioned by Ernst & Young said their audit committees were ignoring the risks posed by IT to their business.

In its survey of 62 heads of internal audit and CIOs only six of the 18 CIOs questioned felt that their company's audit committee spent enough time discussing IT risks.

One-third of internal audit heads said they were not confident that their staff had the right skills and resources to make an effective assessment of the IT risks to their business.

And despite the central role of IT in helping companies to comply with a raft of corporate governance regulations, only one-quarter of respondents said they carried out regular reviews of external service providers. A quarter did not conduct any review of suppliers.

Overall, however, CIOs questioned believed their internal auditors performed a useful role. More than two-thirds said internal IT auditors helped them run IT processes and deliver new projects.

Areas in which CIOs said internal auditors were most useful include penetration testing to check the rigour of IT security measures, IT governance and programme reviews.

Erol Mustafa, partner at Ernst & Young and head of its IT internal audit services, said IT directors needed to work closely with their internal IT auditors.

"Chief information officers should be able to discuss openly what the key issues are for their department [with internal auditors]," he said.

"They should involve the audit function from the planning stage of a project to the finish." He added that IT directors should appoint someone within their department to follow up the recommendations of internal auditors within a realistic timeframe.

IT audit tips

  • Communicate and consult. It is vital to gain buy-in and co-operation throughout the planning process
  • Align the audit with wider assurance activities across the organisation. It is not an isolated function
  • Be flexible. A good audit does not assume a static environment and should allow a percentage of budget for contingencies
  • Ensure compromises on scope or coverage, and the associated risks, are made clear and signed off
  • Transparency is essential for stakeholder support. The logic underlying the audit plan must be clear and easily explained.

Source: Ernst & Young

Read more on IT risk management