IT risk is everyone’s problem. By “everyone,” we mean the board of directors, senior management, process owners and internal auditors. Internal audit departments play a critical role in ensuring that mitigating processes and procedures are in place and working effectively to manage the organization’s risks. An alarming number of organizations, however, are not making full use of the input internal audit can provide in managing their IT risks. This neglect results in incidents that embarrass the top of the organization, the CIO’s organization and the owners of the affected processes.

With the rapid evolution and propagation of social media, cloud and mobile technologies, IT departments are often stretched to their limits. Under pressure to implement, it’s easy to miss vulnerabilities and potential security breaches.


Examples, such as the website launch debacle and any number of corporate mea culpas regarding security breaches that exposed customer financial data, illustrate vividly how quickly a glitch or vulnerability can escalate from an IT problem to a critical business problem and a huge reputational risk.

When it comes to IT audit programs and practices, our annual IT Audit Benchmarking Survey consistently reveals that organizations leave themselves significant room for improvement. Too many fail to plan and institute the IT audit coverage necessary to ensure an available, secure and efficient IT environment.

Furthermore, some organizations don’t house their IT audit resources in their internal audit departments, and others lack such resources entirely. We have found that just one in four companies has an IT audit director or someone in an equivalent role focused on technology risks.

Let me close with five key questions that every CEO and audit committee member should be asking about their organization’s IT audit capabilities:

1. Is our internal audit function performing an effective IT risk assessment at least once a year, and are people who are knowledgeable about infrastructure, applications and IT involved in the process?

2. Has our internal audit team reviewed the Committee of Sponsoring Organizations of the Treadway Commission (COSO 2013 update) and COBIT 5 frameworks, and are our audit plans based on those recognized policies and practices?

3. Does our IT audit team have a clear understanding of our organization’s short- and long-term IT objectives?

4. How do we quantify our IT risks? What industry benchmarks and best practices are used?

5. Does our IT audit risk assessment process coordinate with other risk assessment areas, including financial, operational and compliance?

As with any growing or rapidly changing risk, it is important for organizations to stay ahead of the risk management curve, and to make this a sustainable effort.

This post was published originally on The Protiviti View by Protiviti Inc. Copyright 2014. Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. The Protiviti View is hosted by Jim DeLoach, a Protiviti Managing Director, and features regular contributions from him as well as other Protiviti subject-matter experts. Follow Jim on Twitter @DeLoachJim.