TOP TECHNOLOGY CHALLENGES AND THE RELATIONSHIP TO THE AUDIT PLAN ISACA/Protiviti 6th Annual IT Audit Benchmarking Survey March 15, 2017 Webinar
A REMINDER…
2
1
We are recording today’s webinar and it will be available for ondemand viewing following the live event.
2
If you are experiencing technical difficulties during the webcast, let us know by submitting questions through the Q&A area of your screen.
3
We encourage you to submit your questions throughout the webcast. We will address as many questions as possible during the dedicated Q&A event.
CPE CREDIT We are offering 1.0 CPE credit for this 60-minute webinar. To be eligible to receive this credit, please ensure you answer at least three (3) out of the four (4) polling questions. You will receive the CPE certificate via email approximately two (2) weeks after the webinar date.
Conference Dial-In Numbers: Code #: 13657493 Participant (Toll-Free): 866-604-1616 Participant (Toll): 201-689-8043
3
TODAY’S SPEAKERS
Ed Moyle
Ed is currently Director of Thought Leadership and Research for ISACA. Prior to joining ISACA, Ed was senior security strategist with Savvis and a founding partner of the analyst firm Security Curve. In his 20 years in information security, Ed has held numerous positions including: senior manager with CTG's global security practice, vice president and information security officer for Merrill Lynch Investment Managers, and senior security analyst with Trintech. Ed is co-author of Cryptographic Libraries for Developers and a frequent contributor to the Information Security industry as author, public speaker, and analyst.
[email protected]
4
TODAY’S SPEAKERS
Gordon Braun
Gordon is a Managing Director at Protiviti where he leads the Kansas City office and the global IT audit practice. For over seventeen years, Gordon has been providing risk consulting services across several industries. He is an active leader of Protiviti’s central region internal audit practice and has a particular focus on assisting clients with the assessment and management of business risks associated with the deployment and maintenance of technology. Gordon has served as an engagement leader on multiple outsourced and co-sourced internal audit engagements.
[email protected]
5
TODAY’S SPEAKERS
David Brand
David is a Managing Director and market leader in Protiviti’s Atlanta office. He also leads Protiviti’s southeast region. He has over 20 years’ experience working with companies across multiple industries in the areas of IT auditing, computer-assisted auditing techniques, audit formation, risk assessments and audit committee reporting.
[email protected]
6
OUR JOINT STUDY 6th Annual IT Audit Benchmarking Survey • The IT audit function has never held a more crucial role. From substantial cybersecurity, privacy and infrastructure challenges and management issues to the implementation of new technologies in the organization, IT auditors work closely with management and the board of directors to fulfill a vital role in helping maintain an effective control environment amid a changing business climate and dynamic global marketplace. • The results of the latest IT Audit Benchmarking Study from ISACA and Protiviti illustrate the increasingly integrated role IT audit leaders and professionals are assuming in regard to technology initiatives in their organizations.
7
AGENDA FOR TODAY
1
ISACA and Protiviti partnered to conduct the sixth annual IT Audit Benchmarking Survey in the third quarter of 2016.
2
This global survey, conducted online, consisted of a series of questions covering five categories:
• Today’s Top Technology Challenges • Audit’s Involvement in IT Implementation Projects • IT Audit in Relation to the Internal Audit Department • Assessing IT Risks • Audit Plan • Skills and Capabilities
8
AGENDA FOR TODAY
3
More than 1,000 executives and professionals, including chief audit executives as well as IT audit vice presidents and directors, completed the online questionnaire.
4
Today we will discuss:
• Key findings from the 6th Annual IT Audit Benchmarking Survey • The top 10 technology challenges surfaced by the benchmarking participants • How do these technology challenges relate to the internal audit plan?
9
KEY FINDINGS FROM THE IT AUDIT BENCHMARKING SURVEY
KEY FINDING #1 – CYBERSECURITY
CYBERSECURITY IS VIEWED AS THE TOP TECHNOLOGY CHALLENGE
01 11
This has been a highly ranked challenge in our prior years’ surveys, but still has increased in the importance and clearly is the top-of-mind concern for IT audit leaders and professionals. These results are consistent with the results of Protiviti’s annual survey of technology leaders, which show that IT security and incident response capabilities dominates the priority lists for CIOs.
KEY FINDING #2 – EXECUTIVE-LEVEL INTEREST
THERE APPEARS TO BE MORE EXECUTIVE-LEVEL INTEREST IN IT AUDIT
02 12
A majority of IT audit leaders are regularly attending audit committee meetings, and many more are reporting directly to the CEO (though this reporting relationship may not be ideal). There also is more audit committee involvement in the IT audit risk assessment process.
KEY FINDING #3 – CAE LEADERSHIP
MORE CAES ARE BEGINNING TO CARRY LEADERSHIP FOR IT AUDIT DIRECTLY
03 13
CAEs are becoming increasingly IT-literate and appear to be taking on the daily management and leadership of the IT audit function, especially given technology’s importance and risk level in most organizations. This is a positive trend as it provides the IT audit function and responsibilities with greater visibility.
KEY FINDING #4 – KEY TECHNOLOGY PROJECTS
MOST IT AUDIT SHOPS HAVE SIGNIFICANT OR MODERATE LEVEL INVOLVEMENT IN KEY TECHNOLOGY PROJECTS
04 14
While it is encouraging to find some involvement in the early stages of a project such as planning and design, IT audit functions are more frequently involved post-implementation. Given that a strong majority of organizations have implemented a new IT system or application within the past three years, there likely are opportunities for IT audit to become more involved earlier on with these initiatives.
KEY FINDING #5 – IT AUDIT RISK ASSESSMENTS
MOST PERFORM IT AUDIT RISK ASSESSMENTS, THOUGH A MAJORITY DO SO ANNUALLY OR LESS FREQUENTLY
05 15
Considering the growing risk landscape resulting from cybersecurity threats and merging technologies, more organizations should consider an approach that includes continually reviewing the IT risk landscape and adjusting IT audit plans accordingly.
TOP TECHNOLOGY CHALLENGES AND THE RELATIONSHIP TO THE AUDIT PLAN
TODAY’S TOP TECHNOLOGY CHALLENGES
17
01
IT security and privacy/cybersecurity
06
Budgets and controlling costs
02
Infrastructure management
07
Cloud computing/virtualization
03
Emerging technology and infrastructure changes – transformation, innovation, disruption
08
Bridging IT and the business
04
Resource/staffing/skills challenges
09
Project management and change management
05
Regulatory compliance
10
Third-party/vendor management
TODAY’S TOP TECHNOLOGY CHALLENGES
01
IT SECURITY AND PRIVACY/CYBERSECURITY PRIOR YEAR RANK: #2 HOW DOES THIS IMPACT THE AUDIT PLAN?
The global risks in this area have never been higher, and the magnitude is almost certain to intensify in the months and years to come. Cybercriminal activity against global companies surged in the past year, and there are growing signs suggesting that a form of global cyberwar has commenced.
18
TODAY’S TOP TECHNOLOGY CHALLENGES
02
INFRASTRUCTURE MANAGEMENT PRIOR YEAR RANK: #4 HOW DOES THIS IMPACT THE AUDIT PLAN?
IT infrastructure management has become a major challenge for organizations, particularly those that have aging cores of outdated information systems. A growing number of these organizations are electing to modernize their aging cores to achieve both increased agility and significant long-term savings in costs and resources.
19
TODAY’S TOP TECHNOLOGY CHALLENGES
03
EMERGING TECHNOLOGY AND INFRASTRUCTURE CHANGES – TRANSFORMATION, INNOVATION, DISRUPTION PRIOR YEAR RANK: #1 HOW DOES THIS IMPACT THE AUDIT PLAN? The most common drivers of transformational initiatives often include new functionality, cost optimization, operational improvement, adoption of emerging technology, and alignment between the IT organization and the business. It is important to understand IT transformation obstacles in the context of the unique challenges for your organization and industry.
20
TODAY’S TOP TECHNOLOGY CHALLENGES
04
RESOURCE/STAFFING/SKILLS CHALLENGES PRIOR YEAR RANK: #3 HOW DOES THIS IMPACT THE AUDIT PLAN?
In today’s market, it’s a challenge to find qualified and experienced IT auditors, and talent levels are below where many organizations want them to be. Not only was this noted by respondents as one of today’s top IT challenges, this is supported in numerous results within the survey.
21
TODAY’S TOP TECHNOLOGY CHALLENGES
05
REGULATORY COMPLIANCE PRIOR YEAR RANK: #9 HOW DOES THIS IMPACT THE AUDIT PLAN?
Increasing, and increasingly sophisticated, cyberattacks will likely result in more regulations and oversight, as governments and regulatory authorities seek to bolster protections of consumer and organizational data. This is especially an issue for organizations in highly regulated industries.
22
TODAY’S TOP TECHNOLOGY CHALLENGES
06
BUDGETS AND CONTROLLING COSTS PRIOR YEAR RANK: #10 HOW DOES THIS IMPACT THE AUDIT PLAN?
IT budgets are rising. Investments in running IT operations and maintaining technology through the business consume large portions of IT budgets, often followed by investments in improvements and innovation, security and compliance.
23
TODAY’S TOP TECHNOLOGY CHALLENGES
07
CLOUD COMPUTING/VIRTUALIZATION PRIOR YEAR RANK: #5 HOW DOES THIS IMPACT THE AUDIT PLAN?
Cloud adoption and virtualization will continue to take place in the coming years. The widespread adoption of infrastructure as a service, software as a service and platform as a service will require significant planning and changes.
24
TODAY’S TOP TECHNOLOGY CHALLENGES
08
BRIDGING IT AND THE BUSINESS PRIOR YEAR RANK: #6 HOW DOES THIS IMPACT THE AUDIT PLAN?
Technology risk is a significant component of critical enterprise risks. It is important that internal audit understand the technologyrelated risks that present threats to the business model. Audit should follow these developments closely because of the potential audit and disclosure implications they may have.
25
TODAY’S TOP TECHNOLOGY CHALLENGES
09
PROJECT MANAGEMENT AND CHANGE MANAGEMENT PRIOR YEAR RANK: #7 HOW DOES THIS IMPACT THE AUDIT PLAN? In organizations today, there is a growing number of critical initiatives underway as they undergo the types of IT transformation, cloud, digitization and big data projects. However, there are significant roadblocks, both technological (legacy systems and processes) and cultural (change management problems and skills gaps) in nature.
26
TODAY’S TOP TECHNOLOGY CHALLENGES
10
THIRD-PARTY/VENDOR MANAGEMENT PRIOR YEAR RANK: NA HOW DOES THIS IMPACT THE AUDIT PLAN?
Organizations that rely on IT service providers have found that they must increase the maturity of their vendor management processes. Managing infrastructure is changing as operations and services shift to the cloud.
27
ARE THESE TOP TECHNOLOGY CHALLENGES ADDRESSED IN THE AUDIT PLAN?
28
01
IT security and privacy/cybersecurity
06
Budgets and controlling costs
02
Infrastructure management
07
Cloud computing/virtualization
03
Emerging technology and infrastructure changes – transformation, innovation, disruption
08
Bridging IT and the business
04
Resource/staffing/skills challenges
09
Project management and change management
05
Regulatory compliance
10
Third-party/vendor management
QUESTIONS?
29
THANK YOU FOR ATTENDING
Visit www.protiviti.com/itauditsurvey to download the publication.
Visit www.isaca.org/2017itauditstudy to download the publication.
30