Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/6/2018
10:05 AM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Cybersecurity, IT Governance, Emerging Tech Shaping 2018 IT Audit Plans: Protiviti, ISACA

Technological changes give rise to new risks; drive demand for more advanced auditing technology, skills, knowledge and resources.

Rolling Meadows, IL, USA (5 April 2018) — IT security and privacy, IT governance and risk management, regulatory compliance, emerging technology and cloud computing are the key issues impacting IT audit plans in 2018, according to a just-released benchmarking study from global consulting firm Protiviti and ISACA, a global association helping individuals and enterprises in the IT audit/assurance, governance, risk and information security space.

The seventh annual survey of more than 1,300 chief audit executives (CAE), internal audit professionals and IT audit vice presidents and directors worldwide found that most audit plans for 2018 are impacted by the challenge of cybersecurity. Yet more progress is still needed, as one in five organizations, on average, is not including cybersecurity in its audit plans. The most commonly cited reason is a lack of qualified resources, specifically people, skills and/or auditing tools. Such shortcomings need to be addressed with urgency.

“Organizations are putting themselves at risk by not planning for and addressing existing and evolving cybersecurity threats within their audit plans,” said Andrew Struthers-Kennedy, a Protiviti managing director and global leader of the firm’s IT Audit practice. “Planning for cybersecurity not only helps with risk management, but also helps address gaps that can come from digitalization. As more businesses accelerate the pace of technology transformation and increase their reliance on third-party vendors as part of their digital transformation efforts, the number and severity of cybersecurity risks is increasing.”

“Given the increased focus on digital transformation within organizations, it’s important for IT auditors to be involved throughout the entire technology project lifecycle to ensure policies and processes are put in place to mitigate risk,” said Theresa Grafenstine, chair of ISACA’s board of directors. “IT audit leaders looking to become more engaged within their organization’s major technology projects have to build credibility with executive management teams by demonstrating the value that the IT audit function provides.”

Top Technology Challenges

Asked to identify their top technology challenges, IT audit leaders and professionals cited IT security and privacy as their top priority. The top ten responses are:

1.    IT security and privacy/cybersecurity

2.    Infrastructure management

3.    Emerging technology and infrastructure changes – transformation, innovation, disruption

4.    Resource/staffing/skills challenges

5.    Regulatory compliance

6.    Budgets and controlling costs

7.    Cloud computing/virtualization

8.    Third-party/vendor management

9.    Project management and change management

10. Data management and governance

The above listed areas portray an interrelated dynamic – emerging technologies and digital transformation place greater pressure on existing IT infrastructure and cause companies to explore alternative delivery models (e.g. through third-party arrangements), while giving rise to new cybersecurity and privacy risks – all of which require an evolution in the skillset of IT auditors.

The upcoming enactment of the EU’s General Data Protection Regulation (GDPR), which establishes new compliance requirements for information security and data privacy, further highlights the importance of effective data management and protection of organizational data.

“With regulators beginning to look more closely at the security and management of organizational data, we encourage IT audit teams to be aware of all data that an organization processes, where it resides and how it’s being protected,” added Struthers-Kennedy. “While the increase in data capture and processing activities offers opportunities for enhanced business insight and competitive advantage, it also adds significant risk and therefore data protection needs to be prioritized.”

IT Audit’s Growing Importance

It’s clear that IT audit teams are of growing importance in organizations. This survey is the first one since the survey began that finds at least half of all organizations polled have a dedicated IT audit director (or equivalent position). This is a significant increase from just five years ago when only one in three organizations had a dedicated IT audit director.

Still, there is room to grow in how the IT audit function is viewed by business partners and board members within an organization. Overall, less than half of respondents indicate that their CAE or IT audit director meets regularly with their company’s CIO to help develop the IT audit plan. Regular meetings with business leaders can help not only with timely risk identification but also to convey the value audit teams deliver.

About the Survey Report and Resources Available

The 2018 IT Audit Benchmarking Survey consisted of a series of questions in six categories: Emerging Technology and Business Challenges; IT Implementation/Project Involvement; IT Audit in Relation to the Overall Audit Department; Risk Assessment; Audit Plan; Cybersecurity and Skills, Capabilities and Hiring. The full survey report, along with an infographic and a short video, is available for complimentary download from ISACA here and from Protiviti here.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Synergy360
50%
50%
Synergy360,
User Rank: Apprentice
5/2/2018 | 2:19:04 AM
Importance of IT Security
With the advancement of technology, risks are also increasing. The facts that you have shared are truly shocking to read. It is true that many organizations still Today do not pay much attention to the cybersecurity threats and can suffer a huge loss due to its negligence. I would recommend every organization, small or big must add IT Security to their audit plans. Thanks for sharing this article. I am sure it will benefit many readers and they will understand the importance of Cybersecurity.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15001
PUBLISHED: 2020-07-09
An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when u...
CVE-2020-15092
PUBLISHED: 2020-07-09
In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Most T...
CVE-2020-15093
PUBLISHED: 2020-07-09
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A ...
CVE-2020-15299
PUBLISHED: 2020-07-09
A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is execu...
CVE-2020-4173
PUBLISHED: 2020-07-09
IBM Guardium Activity Insights 10.6 and 11.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure l...