How internal audit can help manage 10 top technology risks

By Ken Tysiac

Many of the top risks organizations face today are related to technology.

As a result, internal auditors are paying close attention to areas such as cybersecurity, data privacy, and social media. These areas—and others related to technology—have the potential to deliver devastating setbacks to a company or organization.

“The technology risks we face today are increasingly complex, and a sophisticated, well-thought-out approach is required to manage them,” Richard Chambers, president of The Institute of Internal Auditors (IIA), said in a news release.

Methods for internal audit to help organizations manage the top 10 technology risks are described in a new report, Navigating Technology’s Top 10 Risks, that was released today by the IIA and is available for download on the IIA’s website. The top 10 technology risks were determined as the result of interviews with chief audit executives and IT specialists from Africa, Latin America, the Middle East, Europe, Canada, and the United States.

The report’s top 10 risks—and suggestions for how internal audit can manage them—include:

Cybersecurity. More than 70% of the IIA survey respondents consider the risk of a data breach to be at least moderate, with IT specialists reporting more concern than other groups. Internal audit’s activities related to cybersecurity, according to the report, can include conducting vulnerability scans and penetration testing; verifying that simulation exercises related to the organization’s crisis management plan are performed; and conducting an audit of network architecture to determine compliance with network policy and procedures.

Information security. Organizations are focusing now on a layered defense of critical information, rather than a single layer of protection at the network perimeter, the report says. Internal audit’s activities can include performing vulnerability scans of the internal network; reviewing the access control review process; and using third parties to conduct simulated attacks and auditing the results.

IT systems development projects. Internal audit can perform audits of each aspect of the life cycle of systems development; participate in project audits with vendor audit and quality teams; and conduct audits of the organization’s project management methodology, the report says.

IT governance. Internal audit’s duties can include assessing the tone at the top of the IT organization; performing periodic audits to determine the IT function’s alignment with strategic priorities; and reviewing the effectiveness of IT’s resource and performance management, according to the report.

Outsourced IT services. Internal auditors can get involved early in the outsourcing cycle, the report says, by ensuring that the initial contract addresses important topics including oversight, monitoring, auditing, and security. Internal audit also can ask how compliance with the contract is monitored.

Social media use. Internal audit’s duties can include playing a consulting role as organizations define, communicate, monitor, and enforce a social media business-use policy, according to the report. A social media audit may be included in the annual internal audit plan.

Mobile computing. Almost half of survey respondents perform little or no assurance for use of mobile devices. The report suggests internal audit can perform an audit of the inventory process of mobile devices, perform an audit of how lost or stolen devices are managed, and verify that sensitive information is encrypted or not stored on mobile devices.

IT skills among internal auditors. Many internal audit departments struggle to develop and maintain the skills needed to audit IT. Understanding the technology used in the organization and identifying skills gaps can help internal audit develop and/or outsource these skills, according to the report.

Emerging technologies. Internal audit can provide guidance on the risk and control requirements when new technologies are being evaluated, the report says.

Board and audit committee technology awareness. Limited IT expertise on a board of directors may pose governance challenges. The report suggests that internal audit can be the main conduit for bringing technology awareness to the board and audit committee.

Ken Tysiac (ktysiac@aicpa.org) is a JofA editorial director.
