Protiviti IT Audit Study Analyzes Gaps in Companies' IT Audit Function and Risk Assessments

Protiviti IT Audit Study Analyzes Gaps in Companies' IT Audit Function and 
Risk Assessments 
Survey also identifies top 10 IT challenges 
MENLO PARK, Calif., Nov. 5, 2012 /CNW/ - Although companies continue to 
increase their investments in and dependency on IT resources, many aren't 
doing enough to protect themselves, according to a new survey from global 
consulting firm Protiviti ( The firm's 2012 IT Audit 
Benchmarking Survey ( ? which also reveals the 
top 10 technology challenges businesses face ? finds that a significant number 
of organizations do not conduct any type of IT audit risk assessment, and a 
considerable number of companies that do conduct assessments have critical 
gaps in their IT audit capabilities. 
Protiviti's second edition of the IT Audit Benchmarking Survey analyzes some 
of the underlying IT audit trends and gaps evident in organizations today. In 
addition to data and analysis, the survey report also includes key questions 
for audit professionals to consider as they evaluate their own IT audit 
functions and capabilities. 
"There's no question that IT risks can affect the bottom line. To succeed in 
today's business environment, it's absolutely critical for organizations to 
understand and manage IT risks that emerge with the rapidly escalating use of 
technology, and the best way to do that is with well-planned IT audit 
strategies and activities," said Brian Christensen, Protiviti's executive vice 
president of global internal audit. "We hope our survey results drive 
organizations to cast a more critical eye on their own IT audit strategy ? 
whether that means establishing a function or cultivating their IT audit 
team's experience and capabilities." 
The Top 10 Technology Challenges  The IT Audit Benchmarking Survey asked 
participants to weigh-in – through an open-ended question that required a 
write-in response – on the top technology challenges that organizations face 
today. The top issues from the perspective of IT audit, including information 
security, cloud computing, social media, and risk management and governance, 
are consistent with those commonly cited by C-level executives and IT 
1. Information security (including data privacy, storage, and 
  2. Cloud computing
  3. Social media
  4. Risk management and governance
  5. Regulatory compliance
  6. Technology integration and upgradation
  7. Resource management
  8. Infrastructure management
  9. Fraud monitoring
 10. Business continuity/disaster recovery 
IT Audit Risk Assessments – Good and Bad News  While this year's survey 
shows some improvement in regard to the number of companies conducting IT 
audit risk assessments ? particularly among organizations with revenues of 
$100 million - $999.99 million, there is still much room for improvement. Most 
notably, more than 30 percent of organizations with less than $100 million in 
annual revenues do not conduct any type of IT audit risk assessment. 
"Our findings also show that even when organizations do conduct IT audit risk 
assessments, they have some considerable gaps in their capabilities. Those 
gaps can be just as damaging as skipping an assessment," said David Brand, a 
Protiviti managing director and the firm's national IT audit leader. "For 
example, a majority of our respondents are understaffed, meaning less than 20 
percent of their internal audit department is made up of IT audit staff." 
Seventy-eight percent of survey respondents from companies with revenues 
greater than $1 billion see those gaps and have concerns that they may lack 
the necessary resources and skills to sufficiently address all areas of their 
IT audit plans. Examples of common gaps cited in the survey include limited 
ability to provide training for the IT audit team; not using outside resources 
to provide or augment IT audit capabilities; and lack of qualified IT audit 
Additional Highlights 
Other research findings of note include: 

    --  Sixty-five percent of organizations conduct their IT audit risk
        assessments on an annual basis, which may not be adequate to
        keep pace with the current rate of technology change and
    --  Evaluating and assessing the IT governance process, as called
        for under The Institute of Internal Auditors Standard 2110.A2,
        is not a priority for organizations, regardless of size or
        region. On average, less than 30 percent of companies have
        complied with this standard, and less than one in three plans
        to do so within the next year.

"Companies today face new IT-related risks and challenges every day," Brand 
said. "Internal auditors need to be more nimble than ever before and must 
constantly fine-tune their approach to the IT audit risk assessment to make a 
positive impact on their organizations."

Protiviti conducted its IT Audit Benchmarking Survey in the first and second 
quarters of 2012. Survey participants were comprised of more than 300 
professionals worldwide, including chief audit executives, audit directors, 
and IT audit directors and managers. They responded to questions covering four 
categories:  IT audit in relation to the internal audit department; assessing 
IT risk; IT audit in relation to the internal audit department; and skills and 
capabilities. To learn more about the 2012 IT Audit Benchmarking Survey and 
obtain a complimentary copy of the report, please visit:

Podcast Available with Additional Survey Insights    Protiviti has produced a 
podcast that offers David Brand's analysis and commentary about the findings 
in the survey. Please visit to listen or download 
the complimentary podcast.

About Protiviti   Protiviti ( is a global consulting firm 
that helps companies solve problems in finance, technology, operations, 
governance, risk and internal audit. Through its network of more than 70 
offices in over 20 countries, the firm has served more than 35 percent of 
FORTUNE(®) 1000 and Global 500 companies. Protiviti also works with smaller, 
growing companies, including those looking to go public, as well as with 
government agencies.

Protiviti is a wholly owned subsidiary of Robert Half International (NYSE: 
RHI). Founded in 1948, Robert Half International is a member of the S&P 500 

Protiviti is not licensed or registered as a public accounting firm and does 
not issue opinions on financial statements or offer attestation services.

NOTE TO EDITORS: Infographic of high-level survey results available in JPEG 
and PDF.

Kathy Keller, +1-650-234-6252,

PRN Photo Desk,

SOURCE: Protiviti

To view this news release in HTML formatting, please use the following URL:

CO: Protiviti
ST: California

-0- Nov/05/2012 18:02 GMT

Press spacebar to pause and continue. Press esc to stop.