Audit chiefs still lax on data privacy

Written by Adrie van der Luijt
Thursday, 26 June 2008

IT fraud and data privacy fail to sound the alarm for CIOs and internal audit chiefs, a survey shows.

Sixty-five per cent of internal audit chiefs do not recognise data privacy and IT fraud as a serious threat to their business. A survey, released by Ernst & Young, found that internal audit chiefs ranked corporate breaches and data privacy regulation sixth in their top ten IT risks for the organisation, while for CIOs it barely made it onto the list at just ninth. In addition, just 14 per cent of internal audit chiefs said that their staff had been trained in fraud investigation.

Not a stand-alone issue

Erol Mustafa, head of IT internal audit services at Ernst & Young, warned that heads of internal audit need to recognise the increased importance of data privacy. He pointed out that it is not a stand-alone information security issue but that organisations can address privacy risks more effectively if it is part of their overall risk management and compliance strategy.

“There is a risk in assuming that data is protected effectively – in reality there are often vulnerabilities in business processes, information security, or the data management lifecycles,” Mustafa added.

The report says that internal auditors can play an important part in preventing and discovering fraud, but suggests that their investigative skills are lacking, which is becoming an increasing cause for concern.

“Internal audit can help to ensure that an end-to-end view is taken, and that fraud prevention does not fall between the cracks of two or more departments,” Mustafa said.

Outsourcing contracts

Information security and major business programmes topped the list of concerns for CIOs and internal audit chiefs in the next 12 months, followed by business continuity and disaster recovery. Looking ahead at organisational business strategies, the survey showed that 63 per cent of CIOs believe that the use of third party IT service providers will only increase in the next 12 months.

Reflecting on the finding, Mustafa says that too often outsourcing contracts continue to fail to deliver expected benefits and financial results, or to meet essential regulatory standards, such as data or privacy management. Mustafa pointed out that IT auditors can play a key role in bringing to bear an independent assessment of management’s controls over the extended enterprise. He warned, however, that all too often IT internal auditors are only consulted when an outsourcing arrangement has started to fail.

“As a minimum, IT internal audit should ensure that the outsourcing decision and governance process is sound, through high level interventions during both the outsourcing design and throughout the set up process,” he concluded.

Lack of awareness

Just over half of audit committee members believe they are sufficiently aware of the information security risks facing their organisation(s). Lack of awareness among audit committee members around information security risk is a perennial issue.

Although CIOs agree that IT internal audit will provide the primary source of assurance in their organisations – almost two-thirds anticipate that IT requirements will increase – the concern is that there is a massive skills gap. To meet this demand, IT internal audit teams will need to resource more creatively, for example through ‘guest auditors’ and ITIA co-sourcing for specialist areas. Many will seek a combination of IT internal audit reviews, management’s own assurance processes, such as KPIs, and external third party reviews.

Seventy-nine per cent of CIOs agree that IT audits add value to the organisation.