New Protiviti Study Shows Technology Use and Risks Outpacing IT Audit Capabilities in Most Organizations

    New Protiviti Study Shows Technology Use and Risks Outpacing IT Audit
                      Capabilities in Most Organizations

Survey results find companies challenged by variety of technology issues,
including security, governance and social media

PR Newswire

MENLO PARK, Calif., Nov. 19, 2013

MENLO PARK, Calif., Nov. 19, 2013 /PRNewswire/ --Despite ongoing efforts to
address information technology issues, companies continue to come up short in
their IT audit functions, according to a new survey from global consulting
firm Protiviti ( The study reveals that a large percentage
of organizations are not planning and instituting the IT audit coverage
necessary to assure critical IT operations, evaluate risk and provide a
secure, available IT environment.


Now in its third edition, Protiviti's latest IT audit benchmarking study,
titled From Cybersecurity to IT Governance – Preparing Your 2014 Audit Plan,
analyzes the primary technology-related challenges companies face from the
internal audit perspective, and identifies trends in the ways organizations
evaluate their approach to IT audit functions and capabilities. The survey
report can serve as a helpful guide to internal audit functions, audit
committees and boards of directors as they build their annual audit plans.

"In today's organizations, virtually every function is technology-dependent,
which means companies face a greater number of challenges to ensure an
efficient, secure IT environment," said Brian Christensen, Protiviti executive
vice president of global internal audit. "Based on the study, it's apparent
that there is a tremendous gap between where most companies are and where they
should be in terms of managing IT risk and strengthening governance and
controls. As audit plans are developed, these technology challenges should
also be top-of-mind for internal audit."

Top Technology Challenges
According to the 469 respondents who participated in Protiviti's 2014 IT Audit
Benchmarking Survey, including chief audit executives, IT audit directors, IT
audit managers, and other auditing professionals, the top technology-related
challenges facing organizations are:

  oIT security (including data security, cyber security, and mobile security;
    this result was the number one challenge for the second consecutive year)
  oIT governance
  oLack of ERP implementations, development, and knowledge
  oSocial media
  oVendor management
  oCloud computing
  oEmerging technology and infrastructure changes
  oBig data and analytics
  oPCI compliance

The recurring challenge of IT security points to the need for security teams
to tap their organization's internal audit team's expertise to develop more
efficient, sustainable compliance programs. In a report titled Engage Audit
Professionals for Better Security

Assessment Outcomes (June 26, 2013),  Forrester Research, Inc. writes about
the benefits of audit and security working together to address security
compliance: "There are simple ways for security and audit professionals to
coordinate more closely in ways that will help both sides achieve their goals…
When done correctly, the audit function becomes a powerful advocate for the
security team, helping highlight the strength of the program when appropriate
and helping justify more investments when there are gaps to fill."

Companies' IT Audit Practices Still Fall Short
Analysis of Protiviti's survey results also provides important insights into
how effectively organizations are improving their IT audit programs and
practices, and some notable findings suggest there is a need for dramatic
improvement. These include:

  oA large number of companies fail to devote adequate resources to IT audit
    and, as a result, are not able to fully assess potential risks. Also, 42
    percent of organizations reported that they rely on outside resources to
    augment their IT audit departments because they lack the appropriate
    internal resources.
  oMany internal audit functions are not performing IT audit risk assessments
    regularly, and even many of the companies that do perform these
    assessments need to do so more frequently. Of concern, one-third of
    companies with less than $100 million in revenue do not conduct any type
    of IT audit risk assessment, which presents countless potential hazards
    for their respective businesses.
  oAlso a cause for concern is the increase from 2012 to 2013 in the number
    of IT audit directors who report to the CIO. Even though the overall
    number of organizations with this reporting relationship is relatively
    low, allowing the IT department to audit itself is a potential recipe for
    disaster because independence and objectivity of assessments are lost.

"Although there are areas that clearly need attention, it's a good sign that
more companies are working to implement IT governance policies and
procedures," said David Brand, a Protiviti managing director and leader of the
firm's IT Audit practice. "We have seen an uptick in the number of companies
that are evaluating IT governance as part of their audit process."

Survey Resources – Webinar, Report, Video and Podcast
A webinar exploring the survey results will be held today at 10:00 a.m. PST.
Joining Brand for the one-hour webinar will be another Protiviti managing
director, Jonathan Bronson, and guest speaker Forrester Research, Inc. Senior
Analyst Renee Murphy. To register for the complimentary webinar, please visit

The survey report From Cybersecurity to IT Governance – Preparing Your 2014
Audit Plan is available for download at, along
with a short video about the survey results. Additionally, Brand has recorded
a podcast discussing the survey findings, which is available at

The 2014 IT Audit Benchmarking Survey  was conducted  in the second and third
quarters of 2013. Eighty-four percent of the responses were from companies in
North America, with the rest spread among Europe, Asia-Pacific, the Middle
East and Africa. Sixty-two percent of the participants' companies had annual
revenues of $1billion or greater. The types of organizations participating in
the survey were:

  oPublic – 50%
  oPrivate – 26%
  oNot-for-profit – 12%
  oGovernment – 11%
  oOther – 1%

About Protiviti
Protiviti ( is a global consulting firm that helps companies
solve problems in finance, technology, operations, governance, risk and
internal audit. Through its network of more than 70 offices in over 20
countries, Protiviti has served more than 35 percent of FORTUNE 1000^® and
FORTUNE Global 500^® companies. The firm also works with smaller, growing
companies, including those looking to go public, as well as with government

Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in
1948, Robert Half International is a member of the S&P 500 index.

Protiviti is not licensed or registered as a public accounting firm and does
not issue opinions on financial statements or offer attestation services.

SOURCE Protiviti

Contact: Kathy Keller, (650) 234-6252,
Press spacebar to pause and continue. Press esc to stop.