Businesses must do better on tech risk

It's a worrying trend, says KPMG...


A significant proportion of corporate audit departments are failing to address IT risk sufficiently, leaving businesses vulnerable and open to security threats.

Almost a third (30 per cent) of audit staff feel their audit committee doesn't spend enough time looking at IT risk, according to research by KPMG's Audit Committee Institute (ACI).


Half said they don't have oversight responsibility for business continuity, and more than half (55 per cent) said they don't have responsibility for auditing risk around information security and privacy.

Around one in five (21 per cent) said they don't have responsibility for any IT compliance or control issues.

In general, the survey showed nine out of 10 audit committee members feel at least some improvements need to be made with their oversight of IT risk issues.

Director of KPMG's ACI in the UK, Tim Copnell, said this is a worrying trend due to businesses' reliance on IT.

He added that if audit committees aren't paying sufficient attention to the IT risk then businesses could be unwittingly exposed.

Instead of IT, the top priorities for audit committee members are more general risk management, internal controls and accounting judgements.

The ACI survey covered 1,300 audit committee members in 25 countries.

Comments

There is 1 comment.

  1. David L. Dann

    I see this as a training and an insufficient-resource problem. IT auditors are frequently called to audit applications and systems with which they have little familiarity. This has probably been the case since the days when it was called EDP auditing. Management does not feel remiss in not providing in-depth training on these systems for its staff. Still, those applications are professionally audited. But looking at a system to see that it has edit validation checks for user inputs is not quite the same as auditing perimeter defence such as firewalls and IDS, where new vulnerabilities and threats are constantly emerging. Management also depends too much on auditors with general knowledge where subject matter experts are in order. Finally, audit staffs are hard pressed to keep up with the demands of government regulatory mandates such as SOX and industry self-enforcement standards like PCI. Compliance with these does not equate to an enterprise having a better IT security posture.

    • 1 October 2007 02:47
