Cybersecurity, Data Governance Continue to Challenge IT Audit

A slew of new studies and reports find that companies still struggle mightily to get a handle on IT-related risks, such as cybersecurity, data governance, and digital privacy.

The common theme to this research is that digital transformation and disruption are creating ongoing challenges in the organization, including to IT audit and internal audit, that are likely getting worse, not better.

One of the studies, 2019 Global IT Audit Benchmarking Study, examines the biggest difficulties impacting IT audit professionals as they navigate an evolving risk landscape in an era of digital transformation. The study is the eighth annual audit research project conducted by consulting firm Protiviti and ISACA, a professional association for IT auditors and other information security and governance professionals.

Based on a survey of 2,252 chief audit executives (CAEs), internal audit professionals, and IT audit vice presidents and directors worldwide, the benchmarking study provides several takeaways, analysis and recommendations for business leaders. Respondents revealed the key technology challenges they face, including a dramatic increase in the importance of data and governance, the essential role of IT partnerships and the top skills they are seeking in their teams.

Top Technology Challenges

Asked to identify their biggest technology challenges, IT audit leaders and professionals noted the following as their top five:

1. IT security and privacy/cybersecurity
2. Data management and governance
3. Emerging technology and infrastructure changes – transformation/innovation/disruption
4. Staffing and skills challenges
5. Third-party/vendor management

“As much as organizations are focusing on cybersecurity and protecting their data, they’re still behind given the changing landscape, growing sophistication of cyber criminals, evolving regulatory requirements such as GDPR and persistent gaps and process breakdowns that emerge as part of their ongoing transformation projects,” said Andrew Struthers-Kennedy , a Protiviti managing director and global leader of the firm’s IT Audit practice. “The bottom line is IT audit cannot let its guard down.”

Losing the Cybersecurity Battle?

Another study released last week shows that despite increased spending, companies are experiencing more, not fewer, cybersecurity attacks. The study, “Costs and Consequences of Gaps in Vulnerability Response,” found that despite a 24 percent average increase in annual spending on prevention, detection and remediation in 2019 compared with 2018, there was a 17 percent increase in the number cyber-attacks over the past year and a nearly 27% increase in cyber-attack severity compared to 2018. The study, conducted by research organization Ponemon Institute and digital workflow company SeviceNow, surveyed almost 3,000 security professionals in nine countries to understand how organizations are responding to vulnerabilities.

“Many organizations have the motivation to address this challenge but struggle to effectively leverage their resources for more impactful vulnerability management,” said Sean Convery, general manager of ServiceNow’s security and risk unit. “Teams that invest in automation and maturing their IT and security team interactions will strengthen the security posture across their organizations,” he added.

The Ponemon survey also identified an increase in the number of companies affected by attacks. Nearly half of organizations in the survey had been hit by at least one cyberattack in the last two years. More than 60 percent of respondents said they were unaware their organizations were vulnerable before the breach, while another 60 percent said the attacks were caused by a patch that was available for a known vulnerability but not applied.

Ransomware Attacks on the Rise, Too

The bad news doesn’t end there. A survey released in late August found that cyberattacks leveraging file-locking malware known as ransomware have more than doubled this year, with hackers modifying attack methods for larger payouts.

The new report, from cybersecurity firm McAfee, finds that ransomware incidents increased by 118 percent during the first quarter of 2019 across all sectors. Malware led disclosed attack vectors, followed by account hijacking and targeted attacks. Cybercriminals also continue to leverage lax security in Internet of Things (IoT) devices. While new malware samples increased 10 percent, total IoT malware grew 154 percent over the past four quarters.

“After a periodic decrease in new families and developments at the end of 2018, the first quarter of 2019 was game on again for ransomware, with code innovations and a new, much more targeted approach,” said Christian Beek, McAfee lead scientist and senior principal engineer.

Data Management and Governance

Respondents to the Protiviti study indicated that data management and governance pose the second most critical challenge to their organizations, a significant jump from its number ten spot in the 2018 survey. As organizations seek to leverage data with technologies such as RPA, AI, machine learning and continuous auditing and monitoring, IT audit functions are becoming increasingly focused on evaluating risks associated with data collection, processing and reporting.

“There is considerable room for improvement in terms of the structure, quality and accuracy of the data available in most organizations. When an organization reaches higher levels of maturity related to data management and governance, it’s much more adept at not only avoiding downside risks but also taking advantage of the opportunities for using data as an enterprise-enabled and competitive differentiator,” said Struthers-Kennedy. “Data is the lifeblood for many organizations, so IT audit functions need to ensure that key aspects of data management are considered as part of every audit and review activity.”

Among the difficulties companies are having in data management include preparing for compliance with the California Consumer Privacy Act. The cumbersome data privacy regulation is set to go into effect starting on January 1, 2020, yet a new study finds that many companies are woefully unprepared to comply with the law.

According to a study conducted by Big Four firm, PwC, only about half of the respondents (52 percent) expect their company to be in compliance with the terms of the CCPA by January 2020. The highest expected compliance was anticipated in financial services and technology companies, with 58 percent and 56 percent respectively. Only 46 percent of retail and consumer products companies expect to be prepared for the new California privacy law when it takes effect at the start of 2020.

Growing Importance of IT Partnerships

IT audit functions defined as ‘leaders’ in the report have significantly increased exposure to strategic activities within the organization, including being invited to participate in key IT department committees (e.g., IT governance and risk management, information security, IT strategy). Leaders also assess and identify technology risk on a more frequent, even continual, basis. Finally, leaders include cybersecurity in their plans on a more frequent basis than those who have lower levels of engagement and interaction with the IT department.

“One of the prominent themes in this year’s survey is the importance of partnership between audit and the IT function, which is particularly essential in the area of risk management,” said Robin Lyons , ISACA technical research manager. “As these two groups work together, risk management becomes a shared, real-time effort that reduces guesswork by IT audit as to which project challenges and risks truly exist.”

Lack of Skills and Resources

Organizations in every sector are experiencing a shortage of skills and resources today in IT audit. Of the surveyed organizations with revenues ranging from US$100 million to $1 billion, nearly a third (32%) are unable to address specific areas of the annual IT audit plan due to a lack of resources and skills. The survey revealed the top five skills most in demand are:

• Expertise in advanced and enabling technologies (44%)
• Critical thinking (32%)
• Data science (27%)
• Agile methodology (20%)
• Communications expertise (17%)

As businesses continue their digital transformation journeys, the importance of focusing on data and technology by internal audit grows. The way internal auditors engage and partner with their stakeholders, the skills they develop and deploy as part of their activities, and the tools and technologies they are familiar with and adopt are all critical areas that require focus.