Internal Audit's IT Blues
The perils and pitfalls of automation are proving difficult for company watchdogs to keep pace with.
As companies automate more
business processes, they may risk leaving their internal auditors scrambling
to catch up, at least according to a new survey that finds internal auditors
are not confident in their ability to monitor the soundness of IT processes.
Protiviti, a risk-management and internal-audit consulting firm, asked more
than 700 audit practitioners to rate their competency in 28 areas of general
technical knowledge, and the areas directly related to IT dominated the list
of those needing improvement.
The number-one technical
deficiency identified was an understanding of The Guide to the Assessment
of IT Risk, a publication of the Institute of Internal
Auditors. Attention to the importance of
technology risk has mushroomed since early 2009, when the IIA issued a new
standard saying internal audit "must" assess whether a company's
IT-governance structures and processes enable the company to sustain and
extend its strategies and objectives.
Indeed, in a separate
question addressing eight key new or revised IIA standards, survey
respondents ranked IT governance as presenting the steepest learning curve.
IT governance has not been an area of focus for many internal audit
departments, notes Bob Hirth, head of global internal audit for Protiviti.
"Ignorance is bliss," he says. "When you don't have skills
around something, you tend to ignore it."
Second on the list of
technical-knowledge shortfalls was International Financial Reporting
Standards, which, while foremost an accounting issue, does present an
assortment of technology-related challenges. The third-most-commonly cited
deficiency was Extensible Business Reporting Language, or XBRL, the newly
required data-tagging format for online financial statements. To date many
companies have outsourced the tagging process, which means internal auditors
haven't gotten much direct exposure to it.
Still, Hirth says he's surprised
XBRL rated so highly on the need-to-improve meter. "We don't have a
service line around it, because we have concluded that most companies can do
it on their own," he says. This year will bring a new level of
complexity to XBRL, with companies required for the first time to tag
information in financial-statement footnotes.
Ranked fourth through sixth
on the need-to-know-more list were ISO 27000 information-security standards,
the COBIT framework of best practices for IT, and ISO 14000 standards for
environmental-management systems. Among the 22 other areas survey respondents
rated, only a couple were primarily related to IT.
This article was published earlier in one of the reputed business magazines.