The survey from global consulting firm Protiviti and the ICT professional association ISACA, titled “IT Audit Perspectives: Top Technology Risks in 2021,” reports that IT audit groups – particularly those in more digitally mature organisations – are utilising more dynamic and real-time approaches to technology risk assessment, which “enables them to be more agile and responsive to the rapidly evolving risk landscape, driven in no small part by pandemic-related challenges”.
The technology and audit benchmarking survey identified the top concerns that over 7,400 IT audit leaders and professionals from organisations around the world are facing and planning to address in 2021.
The findings also reveal that ‘digital leaders’ – those “self-characterised as having innovative and disruptive qualities, including a proven track record of delivering on digital and innovation initiatives and effective adoption of emerging technologies” – weigh risks differently from companies with lower levels of digital transformation maturity and those who are in the earlier stages of defining and delivering on their digital and innovation agenda.
The survey report notes that digital leaders stand out in their frequency of performing technology audit risk assessments – driven by more agile ways of working as well as more integration and use of data and technology.
“However, the majority (67%) of organisations do not classify themselves as digital leaders, and 11% of those non-leaders are not conducting any form of technology risk assessment,” the report notes.
The report lists the top 10 IT audit risks for 2021, with survey respondents asked to rate the significance of 39 technology risk issues. The top 10 IT audit risks identified were:
- Cyber Breach
- Confidentiality and Privacy
- Regulatory Compliance
- User Access
- Security Incident Management
- Disaster Recovery
- Data Governance
- Third-Party Risk
- Remote Workplace Infrastructure
- Availability Risk
The report notes that for the most part, the top 10 technology risks for digital leaders and other companies were the same, but risk indexes trended higher for digital leaders.
“This is likely a result of several factors, including the generally more complex technology environments of such organisations, as well as their more extensive use of advanced technologies (such as intelligent automation, IoT, artificial intelligence and machine learning), and the general levels of data and technology employed by digital leaders to support their enhanced customer engagement, operational performance and digitisation of products and services.
“One notable difference between digital leaders and other organisations was that cloud strategy and adoption was a top 10 risk for digital leaders but not for others, because digital leaders were more likely to include cloud technologies in their delivery of business services and in their longer-term planning and strategy,” the report notes.
“Companies need visibility to effectively identify and evaluate risks. The sudden shift to remote work, as well as the broader disruption experienced by many, has revealed the importance of identifying and assessing technology risks on a more dynamic and frequent basis to develop closer-to-real-time views and responses,” said Andrew Struthers-Kennedy, a managing director with Protiviti and leader of the IT Audit practice.
“We’re seeing significant demand from companies that need help integrating more dynamic and data-driven approaches to risk assessments into their internal audit activities. Internal audit functions that are able to achieve this will be much better positioned to deliver highly efficient and effective risk assurance.”
The survey also found that most organisations (61%) are now identifying and assessing technology risks for the purpose of audit planning as part of the overall internal audit risk assessment process. It notes, however, that this leaves a somewhat worrying 39% of organisations that are not specifically assessing technology risks in the development of audit plans.
Despite the geographical spread of the survey respondents and number of industries included, the ranking of technology risks was generally consistent, the report says.
IT audit professionals from North America, Africa, Asia, Europe, the Middle East and Oceania all ranked cyber breaches as their top concern, with almost 80% globally noting that they plan to address the risk in their 2021 audit plans.
Cyber breaches were also consistently a primary concern across industry sectors, including consumer packaged goods and retail; energy and utilities; financial services; healthcare; manufacturing and distribution; and technology, media and telecommunications.
“Responses from this study show that missteps in risk management are amplified for organisations that have not yet mastered timely responses to business disruption,” said Robin Lyons, ISACA IT Audit Professional Practices Lead.
“Audit functions that have a strategy that keeps pace with longer-term risks and high-velocity risks will demonstrate their value as they continue to provide assurance regardless of any disruption.”
The report is based on a survey, fielded in September-October of 2020, of 7,470 executives and professionals, including Chief Audit Executives and IT audit vice presidents and directors, representing a wide range of industries globally.