As companies automate more business processes, they may risk leaving their internal auditors scrambling to catch up, at least according to a new survey that finds internal auditors are not confident in their ability to monitor the soundness of IT processes.
Protiviti, a risk-management and internal-audit consulting firm, asked more than 700 audit practitioners to rate their competency in 28 areas of general technical knowledge, and the areas directly related to IT dominated the list of those needing improvement.
The number-one technical deficiency identified was an understanding of The Guide to the Assessment of IT Risk, a publication of the Institute of Internal Auditors. Attention to the importance of technology risk has mushroomed since early 2009, when the IIA issued a new standard saying internal audit “must” assess whether a company’s IT-governance structures and processes enable the company to sustain and extend its strategies and objectives.
Indeed, in a separate question addressing eight key new or revised IIA standards, survey respondents ranked IT governance as presenting the steepest learning curve. IT governance has not been an area of focus for many internal audit departments, notes Bob Hirth, head of global internal audit for Protiviti. “Ignorance is bliss,” he says. “When you don’t have skills around something, you tend to ignore it.”
Second on the list of technical-knowledge shortfalls was International Financial Reporting Standards, which, while foremost an accounting issue, does present an assortment of technology-related challenges. The third-most-commonly cited deficiency was Extensible Business Reporting Language, or XBRL, the newly required data-tagging format for online financial statements. To date many companies have outsourced the tagging process, which means internal auditors haven’t gotten much direct exposure to it.
Still, Hirth says he’s surprised XBRL rated so highly on the need-to-improve meter. “We don’t have a service line around it, because we have concluded that most companies can do it on their own,” he says. This year will bring a new level of complexity to XBRL, with companies required for the first time to tag information in financial-statement footnotes.
Ranked fourth through sixth on the need-to-know-more list were ISO 27000 information-security standards, the COBIT framework of best practices for IT, and ISO 14000 standards for environmental-management systems. Among the 22 other areas survey respondents rated, only a couple were primarily related to IT.