New Protiviti Study Shows Technology Use and Risks Outpacing IT Audit Capabilities in Most Organizations

New Protiviti Study Shows Technology Use and Risks Outpacing IT Audit 
Capabilities in Most Organizations 
Survey results find companies challenged by variety of technology issues, 
including security, governance and social media 
MENLO PARK, Calif., Nov. 19, 2013 /CNW/ - Despite ongoing efforts to address 
information technology issues, companies continue to come up short in their IT 
audit functions, according to a new survey from global consulting firm 
Protiviti ( The study reveals that a large percentage of 
organizations are not planning and instituting the IT audit coverage necessary 
to assure critical IT operations, evaluate risk and provide a secure, 
available IT environment. 
Now in its third edition, Protiviti's latest IT audit benchmarking study, 
titled From Cybersecurity to IT Governance – Preparing Your 2014 Audit Plan, 
analyzes the primary technology-related challenges companies face from the 
internal audit perspective, and identifies trends in the ways organizations 
evaluate their approach to IT audit functions and capabilities. The survey 
report can serve as a helpful guide to internal audit functions, audit 
committees and boards of directors as they build their annual audit plans. 
"In today's organizations, virtually every function is technology-dependent, 
which means companies face a greater number of challenges to ensure an 
efficient, secure IT environment," said Brian Christensen, Protiviti executive 
vice president of global internal audit. "Based on the study, it's apparent 
that there is a tremendous gap between where most companies are and where they 
should be in terms of managing IT risk and strengthening governance and 
controls. As audit plans are developed, these technology challenges should 
also be top-of-mind for internal audit." 
Top Technology Challenges According to the 469 respondents who participated in 
Protiviti's 2014 IT Audit Benchmarking Survey, including chief audit 
executives, IT audit directors, IT audit managers, and other auditing 
professionals, the top technology-related challenges facing organizations are: 

    --  IT security (including data security, cyber security, and
        mobile security; this result was the number one challenge for
        the second consecutive year)
    --  IT governance
    --  Lack of ERP implementations, development, and knowledge
    --  Social media
    --  Vendor management
    --  Cloud computing
    --  Emerging technology and infrastructure changes
    --  Big data and analytics
    --  PCI compliance

The recurring challenge of IT security points to the need for security teams 
to tap their organization's internal audit team's expertise to develop more 
efficient, sustainable compliance programs. In a report titled Engage Audit 
Professionals for Better Security

Assessment Outcomes (June 26, 2013), Forrester Research, Inc. writes about the 
benefits of audit and security working together to address security 
compliance:  "There are simple ways for security and audit professionals to 
coordinate more closely in ways that will help both sides achieve their 
goals… When done correctly, the audit function becomes a powerful advocate 
for the security team, helping highlight the strength of the program when 
appropriate and helping justify more investments when there are gaps to fill."

Companies' IT Audit Practices Still Fall Short Analysis of Protiviti's survey 
results also provides important insights into how effectively organizations 
are improving their IT audit programs and practices, and some notable findings 
suggest there is a need for dramatic improvement. These include:
    --  A large number of companies fail to devote adequate resources
        to IT audit and, as a result, are not able to fully assess
        potential risks. Also, 42 percent of organizations reported
        that they rely on outside resources to augment their IT audit
        departments because they lack the appropriate internal
    --  Many internal audit functions are not performing IT audit risk
        assessments regularly, and even many of the companies that do
        perform these assessments need to do so more frequently. Of
        concern, one-third of companies with less than $100 million in
        revenue do not conduct any type of IT audit risk assessment,
        which presents countless potential hazards for their respective
    --  Also a cause for concern is the increase from 2012 to 2013 in
        the number of IT audit directors who report to the CIO. Even
        though the overall number of organizations with this reporting
        relationship is relatively low, allowing the IT department to
        audit itself is a potential recipe for disaster because
        independence and objectivity of assessments are lost.

"Although there are areas that clearly need attention, it's a good sign that 
more companies are working to implement IT governance policies and 
procedures," said David Brand, a Protiviti managing director and leader of the 
firm's IT Audit practice. "We have seen an uptick in the number of companies 
that are evaluating IT governance as part of their audit process."

Survey Resources – Webinar, Report, Video and Podcast   A webinar exploring 
the survey results will be held today at 10:00 a.m. PST. Joining Brand for the 
one-hour webinar will be another Protiviti managing director, Jonathan 
Bronson, and guest speaker Forrester Research, Inc. Senior Analyst Renee 
Murphy. To register for the complimentary webinar, please visit

The survey report From Cybersecurity to IT Governance – Preparing Your 2014 
Audit Plan is available for download at, along 
with a short video about the survey results. Additionally, Brand has recorded 
a podcast discussing the survey findings, which is available at

The 2014 IT Audit Benchmarking Survey was conducted in the second and third 
quarters of 2013. Eighty-four percent of the responses were from companies in 
North America, with the rest spread among Europe, Asia-Pacific, the Middle 
East and Africa. Sixty-two percent of the participants' companies had annual 
revenues of $1billion or greater. The types of organizations participating in 
the survey were:
    --  Public – 50%
    --  Private – 26%
    --  Not-for-profit – 12%
    --  Government – 11%
    --  Other – 1%

About Protiviti Protiviti ( is a global consulting firm that 
helps companies solve problems in finance, technology, operations, governance, 
risk and internal audit. Through its network of more than 70 offices in over 
20 countries, Protiviti has served more than 35 percent of FORTUNE 1000(®) 
and FORTUNE Global 500(®) companies. The firm also works with smaller, 
growing companies, including those looking to go public, as well as with 
government agencies.

Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 
1948, Robert Half International is a member of the S&P 500 index.

Protiviti is not licensed or registered as a public accounting firm and does 
not issue opinions on financial statements or offer attestation services.

Editor's note: An infographic of key survey findings is available in JPEG and 
PDF upon request.

SOURCE  Protiviti 
Kathy Keller, (650) 234-6252, 
PRN Photo Desk, 
To view this news release in HTML formatting, please use the following URL: 
CO: Protiviti
ST: California
-0- Nov/19/2013 13:02 GMT
Press spacebar to pause and continue. Press esc to stop.