Internal Audit Teams Target IT Security In 2013
IT risk management grows in importance amid other business-level enterprise risk management concerns
As internal audit teams juggle the entire stack of enterprise risk management concerns, IT security and data privacy will continue to grow in priority amid other concerns like competition and risk from financial markets. Two new reports released during the past few weeks point to the growing need for IT risk management among internal auditors, as well as the increasing trend for internal audit teams to beef up their IT security acumen throughout the rest of 2013.
"There's a continuing emphasis around information security and how auditors help reduce that risk to a more nominal level," says Brian Christensen, executive vice president, global internal audit, at Protiviti. "Despite valiant efforts to get their hands around that, it remains an ever-growing challenge."
Protiviti's recent "2013 Internal Audit Capabilities and Needs Survey Report," which was conducted among 1,000 U.S. auditors, found that auditing IT was No. 2 out of the top five areas listed by respondents as the most ripe for improvement among internal auditors. Compare that to last year when it didn't make the list, and to 2011 when it was the fourth out of five, and it is clear that internal auditors are moving IT risk management up the stack.
Part of it stems from growing awareness among internal audit teams that the bar for gaining a comfortable level of knowledge within the IT risk management field continues to rise each year, Christensen says.
"When an organization feels that it has reached that level of comfort, someone will either figure out another way to take [threats] to another level, or the dynamic nature of changing technology requires an even greater element of discipline to understand and reduce the risk," he says. "We see the need to keep up with the technical security skill levels on the internal auditing side just to stay cognizant of those risks."
This observation tracks with PwC's "2013 State of the Internal Audit Profession Study," which was based on an online survey of CEOs, CFOs, chief audit executives, and chief risk officers around the globe, as well as on in-depth case-study interviews with 140 additional executives. It showed that 41 percent of internal audit organizations plan to add IT security skills to their internal audit capabilities in the next 18 months. Of those, 71 percent say they will have to hire from outside the business or rely on third parties to bring in that expertise.
"The ability of the internal audit staff to, one, attract the professionals, the IT professionals, and others and retain those people in the face of severe competition has been a real issue," Arthur Rothkopf, trustee and chair of the audit committee for Educational Testing Service, said during a recent industry roundtable sponsored by PwC.
But the more reliant the company is on technology to maintain the business objectives of the organization, the more important it is for internal auditors to embed themselves into the IT organization to search for risks. And that will require the right skill sets to cooperate with IT staff as closely as possible.
"When organizations are contemplating or going through strategic change or investments in systems, infrastructures, or processes, the auditor of the future really should be embedded in part of that control process at the onset," Christensen says.
Historically, internal auditors came in after systems were deployed and processes defined. But the rapidly advancing technology and threat landscape require a different approach, he says.
"The dynamic nature of IT environments today really makes them too late to the game if they apply themselves in that fashion," he says. "The auditor should be the strategic partner working with IT departments and really understand and really bring in the concepts of controls and risk."