
IT risk management

Neil Hodge, Financial Director, 25 Oct 2007

IT risks may be moving up the business agenda, but understanding and managing those risks is another matter

While technology-related risks may figure higher on the agenda of UK company boards than ever before, new research questions whether board members really have sufficient understanding of their organisations’ IT risks to address them adequately. It is also apparent that boards should examine the focus of their internal audit departments to ensure that they get the appropriate level of assurance when monitoring these risks.

The research, carried out by PricewaterhouseCoopers on behalf of the Institute of Internal Auditors UK and Ireland, surveyed business leaders and heads of internal audit in a range of companies and public sector organisations on how they manage IT risk. It found that 98% of those companies see IT as strategically important to the future success of their business.

The report on the findings, IT Risk: Closing the gap, shows that in 74% of organisations IT-related risk has risen higher up the board agenda and 87% of senior management respondents say that it is a major challenge to respond to the pace of change in IT.

Identifying IT risk

According to the survey, senior managers and heads of internal audit have identified six key IT risks facing organisations. These are:

- IT project risk (failure to deliver benefits or stay within budget): 79%;
- IT resilience and continuity: 69%;
- IT governance risk (lack of alignment between IT and the business): 63%;
- Data security and privacy: 60%;
- Business systems risk (such as poor change control over an ERP system): 59%; and
- Data quality risk: 49%.

However, despite recognising the IT risks facing their organisations, only two-fifths of internal auditors surveyed believe that the focus of their work should examine the strategic and governance issues surrounding these risks, as well as auditing the details upon which these risks are assessed. The majority firmly maintain that the focus of their work should be to monitor processes and procedures.

At the same time, 68% of heads of internal audit surveyed believe boards do not understand the IT risks they face, while an even greater proportion (74%) say they would like to provide more assurance over IT risk at a strategic level, rather than focusing largely on process and procedural issues. This view is shared by a similar number of senior management who feel boards are looking for more comfort and assurance than internal audit is currently providing.

Grant Waterfall, partner, risk assurance services at PwC, says: “We have seen the re-emergence of large-scale corporate investment into IT systems over the past two years and this has prompted many boards to look for greater levels of comfort than ever before.

“Our survey findings suggest that boards and audit committees may not have all the skills they need to understand and deal with IT risk, while mechanisms for communicating IT risks to the board may also not be effective enough,” says Waterfall.

The survey also highlights a lack of mutual understanding between the board and the IT professionals over how to assess risk. More than one-third of senior management and almost half of internal audit heads feel IT professionals lack the ability to communicate IT risk and its potential business impact in a way that the board understands.

According to the survey, only one in three heads of internal audit believes the board understands the IT risks facing the business, which suggests boards may be underestimating the organisation’s risk profile.

Analysis by sector reveals that retail, manufacturing and the public sector have less understanding of IT risk than other industries. Consequently, some believe that the composition of boardrooms should be reorganised so that it includes people with a better understanding of IT-related issues.

Furthermore, says Waterfall, “Boards simply do not have inherent practical experience of IT risk and this means they are unlikely to understand the full extent of the risks and opportunities that technology presents to their companies.”

More than one-third of senior management believe that internal audit departments currently lack the appropriate capabilities to provide the board with assurance over IT risks that it needs. Some heads of internal audit agree, suggesting they are well aware of the obstacles they face in providing effective assurance.

While senior management might expect internal audit staff to have the appropriate credibility and related capabilities, only 60% of respondents said that internal audit was able to discuss the business implications of IT risks effectively with the board.

Assessing the risk

In addition, almost one-third of all senior manager respondents felt that IT internal auditors did not have the credibility needed for their views to be respected by the business, because few are perceived to have actually carried out the work that they are recommending.

An internal audit focus group held by the IIA to discuss the initial survey findings concluded that the breadth and depth of skills required to cover all current and emerging IT risks made it both uneconomic and impractical to maintain all skills in-house.

Gail Easterbrook, chief executive of the IIA, says: “Internal audit is well positioned to step up to some of the challenges highlighted in this survey and help provide boards with a complete picture of the risks and a strategic level of assurance over them… departments may, however, need to reassess their skills base and the way in which they engage with the business on IT.”

She adds that “currently, two-thirds of internal audit departments are spending less than 20% of their time on reviewing IT risks.”
