2022 IT Audit Benchmarking Survey
Where to begin?
The IT audit director for a large multinational conglomerate ponders this question while prioritizing the organization’s lengthy list of technology risk assessments to be conducted. Many of the organization’s employees continue to work remotely, introducing a range of technical and security challenges. Cybersecurity risk always looms large and is especially critical this year given the threat of war-related cyberattacks.
This hypothetical scenario remains just as realistic if the organization is in the telecommunications, logistics, technology, healthcare or financial services industry. An uncertain global economy, volatile geopolitical developments, a persistent pandemic, a changing regulatory landscape, and an evolving catalog of technology risk concerns have created mounting challenges for IT audit leaders and their functions.
The results of the latest IT Audit Technology Risks Survey from ISACA and Protiviti, in which more than 7,500 IT audit leaders and professionals from around the world participated, show a dynamic threat landscape that has notably increased in severity since the last survey.
Our notable findings:
- The greatest IT audit concerns lie with cybersecurity-related breaches and associated risk issues (ransomware, loss of data, etc.) — Across nearly every industry and organization type, cybersecurity is the top-ranked technology risk. Adjacent cyber issues such as data privacy, managing security incidents, disaster recovery, access risk and third-party risk also rate as top concerns given that they can lead to reputation damage, loss of revenue/customers and regulatory fines/scrutiny.
- Data governance and data integrity are being scrutinized — These risk issues are proving difficult given the frequency and magnitude of internal changes and transformations as well as external disruptions and volatility.
- Regulatory compliance burdens and risk are increasing rapidly — IT audit teams, as well as other departments (e.g., legal, compliance, IT), are scrambling to keep pace with new data privacy and data security rules as well as changing legal and regulatory compliance requirements that have growing implications for organizational data management and technology-related activities.