IT risk management

While technology-related risks may figure higher on the agenda of UK company
boards than ever before, new research questions whether board members really
have sufficient understanding of their organisations’ IT risks to address them
adequately. It is also apparent that boards should examine the focus of their
internal audit departments to ensure that they get the appropriate level of
assurance when monitoring these risks.

The research, carried out by PricewaterhouseCoopers on behalf of the
Institute of Internal Auditors UK and Ireland, surveyed business leaders and
heads of internal audit in a range of companies and public sector organisations
on how they manage IT risk. It found that 98% of those companies see IT as
strategically important to the future success of their business.

The report on the findings, IT Risk: Closing the gap, shows that in 74% of
organisations IT-related risk has risen higher up the board agenda and 87% of
senior management respondents say that it is a major challenge to respond to the
pace of change in IT.

Identifying IT risk

According to the survey, senior managers and heads of internal audit have
identified six key IT risks facing organisations. These are:

– IT project risk (failure to deliver benefits or stay within budget) ­ 79%;

– IT resilience and continuity ­ 69%;
– IT governance risk (lack of alignment between IT and the business) ­ 63%;

– Data security and privacy ­ 60%;
– Business systems risk (such as poor change control over an ERP system) ­ 59%;
and
– Data quality risk ­ 49%.

However, despite recognising the IT risks facing their organisations, only
two-fifths of internal auditors surveyed believe that the focus of their work
should examine the strategic and governance issues surrounding these risks, as
well as auditing the details upon which these risks are assessed. The majority
firmly maintain that the focus of their work should be to monitor processes and
procedures.

At the same time, 68% of heads of internal audit surveyed believe boards do
not understand the IT risks they face, while an even greater proportion (74%)
say they would like to provide more assurance over IT risk at a strategic level,
rather than focusing largely on process and procedural issues. This view is
shared by a similar number of senior management who feel boards are looking for
more comfort and assurance than internal audit is currently providing.

Grant Waterfall, partner, risk assurance services at PwC, says: “We have seen
the re-emergence of large-scale corporate investment into IT systems over the
past two years and this has prompted many boards to look for greater levels of
comfort than ever before.

“Our survey findings suggest that boards and audit committees may not have
all the skills they need to understand and deal with IT risk, while mechanisms
for communicating IT risks to the board may also not be effective enough,” says
Waterfall.

The survey also highlights a lack of mutual understanding between the board
and the IT professionals over how to assess risk. More than one-third of senior
management and almost half of internal audit heads feel IT professionals lack
the ability to communicate IT risk and its potential business impact in a way
that the board understands.

According to the survey, only one-in-three heads of internal audit believes
the board understands the IT risks facing the business, thereby potentially
underestimating the organisation’s risk profile.

Analysis by sector reveals that retail, manufacturing and the public sector
have less understanding of IT risk than other industries. Consequently, some
believe that the composition of boardrooms should be reorganised so that it
includes people with a better understanding of IT-related issues.

Furthermore, says Waterfall, “Boards simply do not have inherent practical
experience of IT risk and this means they are unlikely to understand the full
extent of the risks and opportunities that technology presents to their
companies.”

More than one-third of senior management believe that internal audit
departments currently lack the appropriate capabilities to provide the board
with assurance over IT risks that it needs. Some heads of internal audit agree,
suggesting they are well aware of the obstacles they face in providing effective
assurance.

While senior management might expect internal audit staff to have the
appropriate credibility and related capabilities, only 60% of respondents said
that internal audit was able to discuss the business implications of IT risks
effectively with the board.

Assessing the risk

In addition, almost one-third of all senior manager respondents felt that IT
internal auditors did not have credibility, such that their views were respected
by the business because few are perceived to have actually carried out the work
that they are recommending.

An internal audit focus group held by the IIA to discuss the initial survey
findings concluded that the breadth and depth of skills required to cover all
current and emerging IT risks, made it both uneconomic and impractical to
maintain all skills in-house.

Gail Easterbrook, chief executive of the IIA, says: “Internal audit is well
positioned to step up to some of the challenges highlighted in this survey and
help provide boards with a complete picture of the risks and a strategic level
of assurance over them… departments may, however, need to reassess their skills
base and the way in which they engage with the business on IT.”

She adds that “currently, two-thirds of internal audit departments are
spending less than 20% of their time on reviewing IT risks.”