TOP TECHNOLOGY CHALLENGES AND THE RELATIONSHIP TO THE AUDIT PLAN ISACA/Protiviti 6th Annual IT Audit Benchmarking Survey March 15, 2017 Webinar

A REMINDER…

2

1

We are recording today’s webinar and it will be available for ondemand viewing following the live event.

2

If you are experiencing technical difficulties during the webcast, let us know by submitting questions through the Q&A area of your screen.

3

We encourage you to submit your questions throughout the webcast. We will address as many questions as possible during the dedicated Q&A event.

CPE CREDIT We are offering 1.0 CPE credit for this 60-minute webinar. To be eligible to receive this credit, please ensure you answer at least three (3) out of the four (4) polling questions. You will receive the CPE certificate via email approximately two (2) weeks after the webinar date.

Conference Dial-In Numbers: Code #: 13657493 Participant (Toll-Free): 866-604-1616 Participant (Toll): 201-689-8043

3

TODAY’S SPEAKERS

Ed Moyle

Ed is currently Director of Thought Leadership and Research for ISACA. Prior to joining ISACA, Ed was senior security strategist with Savvis and a founding partner of the analyst firm Security Curve. In his 20 years in information security, Ed has held numerous positions including: senior manager with CTG's global security practice, vice president and information security officer for Merrill Lynch Investment Managers, and senior security analyst with Trintech. Ed is co-author of Cryptographic Libraries for Developers and a frequent contributor to the Information Security industry as author, public speaker, and analyst. [email protected]

4

TODAY’S SPEAKERS

Gordon Braun

Gordon is a Managing Director at Protiviti where he leads the Kansas City office and the global IT audit practice. For over seventeen years, Gordon has been providing risk consulting services across several industries. He is an active leader of Protiviti’s central region internal audit practice and has a particular focus on assisting clients with the assessment and management of business risks associated with the deployment and maintenance of technology. Gordon has served as an engagement leader on multiple outsourced and co-sourced internal audit engagements.

[email protected]

5

TODAY’S SPEAKERS

David Brand

David is a Managing Director and market leader in Protiviti’s Atlanta office. He also leads Protiviti’s southeast region. He has over 20 years’ experience working with companies across multiple industries in the areas of IT auditing, computer-assisted auditing techniques, audit formation, risk assessments and audit committee reporting.

[email protected]

6

OUR JOINT STUDY 6th Annual IT Audit Benchmarking Survey • The IT audit function has never held a more crucial role. From substantial cybersecurity, privacy and infrastructure challenges and management issues to the implementation of new technologies in the organization, IT auditors work closely with management and the board of directors to fulfill a vital role in helping maintain an effective control environment amid a changing business climate and dynamic global marketplace. • The results of the latest IT Audit Benchmarking Study from ISACA and Protiviti illustrate the increasingly integrated role IT audit leaders and professionals are assuming in regard to technology initiatives in their organizations.

7

AGENDA FOR TODAY

1

ISACA and Protiviti partnered to conduct the sixth annual IT Audit Benchmarking Survey in the third quarter of 2016.

2

This global survey, conducted online, consisted of a series of questions covering five categories:

• Today’s Top Technology Challenges • Audit’s Involvement in IT Implementation Projects • IT Audit in Relation to the Internal Audit Department • Assessing IT Risks • Audit Plan • Skills and Capabilities

8

AGENDA FOR TODAY

3

More than 1,000 executives and professionals, including chief audit executives as well as IT audit vice presidents and directors, completed the online questionnaire.

4

Today we will discuss:

• Key findings from the 6th Annual IT Audit Benchmarking Survey • The top 10 technology challenges surfaced by the benchmarking participants • How do these technology challenges relate to the internal audit plan?

9

KEY FINDINGS FROM THE IT AUDIT BENCHMARKING SURVEY

KEY FINDING #1 – CYBERSECURITY

CYBERSECURITY IS VIEWED AS THE TOP TECHNOLOGY CHALLENGE

01 11

This has been a highly ranked challenge in our prior years’ surveys, but still has increased in the importance and clearly is the top-of-mind concern for IT audit leaders and professionals. These results are consistent with the results of Protiviti’s annual survey of technology leaders, which show that IT security and incident response capabilities dominates the priority lists for CIOs.

KEY FINDING #2 – EXECUTIVE-LEVEL INTEREST

THERE APPEARS TO BE MORE EXECUTIVE-LEVEL INTEREST IN IT AUDIT

02 12

A majority of IT audit leaders are regularly attending audit committee meetings, and many more are reporting directly to the CEO (though this reporting relationship may not be ideal). There also is more audit committee involvement in the IT audit risk assessment process.

KEY FINDING #3 – CAE LEADERSHIP

MORE CAES ARE BEGINNING TO CARRY LEADERSHIP FOR IT AUDIT DIRECTLY

03 13

CAEs are becoming increasingly IT-literate and appear to be taking on the daily management and leadership of the IT audit function, especially given technology’s importance and risk level in most organizations. This is a positive trend as it provides the IT audit function and responsibilities with greater visibility.

KEY FINDING #4 – KEY TECHNOLOGY PROJECTS

MOST IT AUDIT SHOPS HAVE SIGNIFICANT OR MODERATE LEVEL INVOLVEMENT IN KEY TECHNOLOGY PROJECTS

04 14

While it is encouraging to find some involvement in the early stages of a project such as planning and design, IT audit functions are more frequently involved post-implementation. Given that a strong majority of organizations have implemented a new IT system or application within the past three years, there likely are opportunities for IT audit to become more involved earlier on with these initiatives.

KEY FINDING #5 – IT AUDIT RISK ASSESSMENTS

MOST PERFORM IT AUDIT RISK ASSESSMENTS, THOUGH A MAJORITY DO SO ANNUALLY OR LESS FREQUENTLY

05 15

Considering the growing risk landscape resulting from cybersecurity threats and merging technologies, more organizations should consider an approach that includes continually reviewing the IT risk landscape and adjusting IT audit plans accordingly.

TOP TECHNOLOGY CHALLENGES AND THE RELATIONSHIP TO THE AUDIT PLAN

TODAY’S TOP TECHNOLOGY CHALLENGES

17

01

IT security and privacy/cybersecurity

06

Budgets and controlling costs

02

Infrastructure management

07

Cloud computing/virtualization

03

Emerging technology and infrastructure changes – transformation, innovation, disruption

08

Bridging IT and the business

04

Resource/staffing/skills challenges

09

Project management and change management

05

Regulatory compliance

10

Third-party/vendor management

TODAY’S TOP TECHNOLOGY CHALLENGES

01

IT SECURITY AND PRIVACY/CYBERSECURITY PRIOR YEAR RANK: #2 HOW DOES THIS IMPACT THE AUDIT PLAN?

The global risks in this area have never been higher, and the magnitude is almost certain to intensify in the months and years to come. Cybercriminal activity against global companies surged in the past year, and there are growing signs suggesting that a form of global cyberwar has commenced.

18

TODAY’S TOP TECHNOLOGY CHALLENGES

02

INFRASTRUCTURE MANAGEMENT PRIOR YEAR RANK: #4 HOW DOES THIS IMPACT THE AUDIT PLAN?

IT infrastructure management has become a major challenge for organizations, particularly those that have aging cores of outdated information systems. A growing number of these organizations are electing to modernize their aging cores to achieve both increased agility and significant long-term savings in costs and resources.

19

TODAY’S TOP TECHNOLOGY CHALLENGES

03

EMERGING TECHNOLOGY AND INFRASTRUCTURE CHANGES – TRANSFORMATION, INNOVATION, DISRUPTION PRIOR YEAR RANK: #1 HOW DOES THIS IMPACT THE AUDIT PLAN? The most common drivers of transformational initiatives often include new functionality, cost optimization, operational improvement, adoption of emerging technology, and alignment between the IT organization and the business. It is important to understand IT transformation obstacles in the context of the unique challenges for your organization and industry.

20

TODAY’S TOP TECHNOLOGY CHALLENGES

04

RESOURCE/STAFFING/SKILLS CHALLENGES PRIOR YEAR RANK: #3 HOW DOES THIS IMPACT THE AUDIT PLAN?

In today’s market, it’s a challenge to find qualified and experienced IT auditors, and talent levels are below where many organizations want them to be. Not only was this noted by respondents as one of today’s top IT challenges, this is supported in numerous results within the survey.

21

TODAY’S TOP TECHNOLOGY CHALLENGES

05

REGULATORY COMPLIANCE PRIOR YEAR RANK: #9 HOW DOES THIS IMPACT THE AUDIT PLAN?

Increasing, and increasingly sophisticated, cyberattacks will likely result in more regulations and oversight, as governments and regulatory authorities seek to bolster protections of consumer and organizational data. This is especially an issue for organizations in highly regulated industries.

22

TODAY’S TOP TECHNOLOGY CHALLENGES

06

BUDGETS AND CONTROLLING COSTS PRIOR YEAR RANK: #10 HOW DOES THIS IMPACT THE AUDIT PLAN?

IT budgets are rising. Investments in running IT operations and maintaining technology through the business consume large portions of IT budgets, often followed by investments in improvements and innovation, security and compliance.

23

TODAY’S TOP TECHNOLOGY CHALLENGES

07

CLOUD COMPUTING/VIRTUALIZATION PRIOR YEAR RANK: #5 HOW DOES THIS IMPACT THE AUDIT PLAN?

Cloud adoption and virtualization will continue to take place in the coming years. The widespread adoption of infrastructure as a service, software as a service and platform as a service will require significant planning and changes.

24

TODAY’S TOP TECHNOLOGY CHALLENGES

08

BRIDGING IT AND THE BUSINESS PRIOR YEAR RANK: #6 HOW DOES THIS IMPACT THE AUDIT PLAN?

Technology risk is a significant component of critical enterprise risks. It is important that internal audit understand the technologyrelated risks that present threats to the business model. Audit should follow these developments closely because of the potential audit and disclosure implications they may have.

25

TODAY’S TOP TECHNOLOGY CHALLENGES

09

PROJECT MANAGEMENT AND CHANGE MANAGEMENT PRIOR YEAR RANK: #7 HOW DOES THIS IMPACT THE AUDIT PLAN? In organizations today, there is a growing number of critical initiatives underway as they undergo the types of IT transformation, cloud, digitization and big data projects. However, there are significant roadblocks, both technological (legacy systems and processes) and cultural (change management problems and skills gaps) in nature.

26

TODAY’S TOP TECHNOLOGY CHALLENGES

10

THIRD-PARTY/VENDOR MANAGEMENT PRIOR YEAR RANK: NA HOW DOES THIS IMPACT THE AUDIT PLAN?

Organizations that rely on IT service providers have found that they must increase the maturity of their vendor management processes. Managing infrastructure is changing as operations and services shift to the cloud.

27

ARE THESE TOP TECHNOLOGY CHALLENGES ADDRESSED IN THE AUDIT PLAN?

28

01

IT security and privacy/cybersecurity

06

Budgets and controlling costs

02

Infrastructure management

07

Cloud computing/virtualization

03

Emerging technology and infrastructure changes – transformation, innovation, disruption

08

Bridging IT and the business

04

Resource/staffing/skills challenges

09

Project management and change management

05

Regulatory compliance

10

Third-party/vendor management

QUESTIONS?

29

THANK YOU FOR ATTENDING

Visit www.protiviti.com/itauditsurvey to download the publication.

Visit www.isaca.org/2017itauditstudy to download the publication.

30