IT auditors need more business initiative

Now that IT auditors have improved their collaboration with CIOs, they need to enhance their relationship with business stakeholders

Chief information officers (CIOs) say the biggest problem they encounter when working with auditors is reaching an agreement on findings and recommendations for business risk improvement, according to new research from consultancy firm Ernst and Young.

Ernst and Young conducted a survey of IT internal audit chiefs from more than 60 companies, as well as 20 CIOs, through face-to-face interviews.

From the CIO perspective, 70 per cent said IT auditors had improved knowledge of IT risk since the previous Ernst and Young audit survey in 2004, but auditors were blamed by more than half the CIOs questioned for not communicating technical issues in business terms.

The heads of internal audit (HoIA) and the CIOs have a positive relationship, according to the survey findings, but Ernst and Young urged HoIAs to also interact more with business stakeholders as IT ownership becomes a shared business and IT priority.

IT internal audit staff should extend their responsibilities from safeguarding the business from risk to seeking ways the business can improve, said Ernst and Young in a report, arguing audit staff should be engaged earlier in strategic business decisions, such as outsourcing and operational change. “Currently internal auditors are only consulted when the outcomes of strategic changes start to turn problematic,” said the report.

However, the report also highlighted a shortfall in good IT auditors, particularly those with skills addressing specialist risk areas such as third parties, programmes and fraud.

Therefore, to increase auditors' business input, IT needs to take over responsibility for low-level IT risks, such as logical access and change management control. HoIAs also indicated a strong interest in exploring more automation, such as continuous auditing and controls monitoring, with 60 per cent believing they will use more of such methods in the future.

When business leaders were asked to identify the top ten risks for global businesses across all business sectors, regulatory and compliance risk came top of their priorities. The top IT risk rated by audit committees was data privacy and IT-related fraud.