Boards lack understanding of IT risks

Monday, 03 September 2007

New research questions whether board members really have sufficient understanding of their organisation’s technology-related risks to address them adequately.

The research, carried out by PricewaterhouseCoopers LLP on behalf of The Institute of Internal Auditors - UK and Ireland, surveyed business leaders and heads of internal audit in a wide range of companies and public sector organisations on how they manage IT risk. It found that 98 per cent of those companies see IT as strategically important to the future success of their business.

The report on the findings, IT Risk – Closing the Gap, points out that in 74 per cent of organisations, IT-related risk, in particular the potential for complex projects to fail, has risen higher up the board agenda and 87 per cent of senior management respondents say it is a major challenge to respond to the pace of change in IT.

At the same time, a clear majority (68 per cent) of heads of internal audit surveyed believe boards do not understand the IT risks they face while an even greater proportion (74 per cent) say they would like to provide more assurance over IT risk at a strategic level. This view is shared by a similar number of senior management respondents who feel boards are looking for more comfort and assurance than internal audit is currently providing.

Grant Waterfall said: “We have seen the re-emergence of large scale corporate investment into IT systems over the last two years and this has prompted many boards to look for greater levels of comfort than ever before. Our survey findings suggest that boards and audit committees may not have all the skills they need to understand and deal with IT risk, while mechanisms for communicating IT risks to the board may also not be effective enough.”

The survey also highlights a lack of mutual understanding between the board and the IT professionals over how to assess risk. Over a third of senior management respondents and almost half of internal audit heads feel IT professionals lack the ability to communicate IT risk and its potential business impact in a way that the board understands. This leads to the board having an incomplete picture of the IT risks faced by the organisation.

Well over a third of senior management respondents believe that internal audit departments, as they currently operate, lack the appropriate capabilities to provide the board with assurance over IT risks that it needs. Some heads of internal audit agree, suggesting they are well aware of the obstacles they face in providing effective assurance.

Gail Eastbrook, Chief Executive, The Institute of Internal Auditors - UK and Ireland, said: “Internal audit is well positioned to step up to some of the challenges highlighted in this survey and help provide boards with a complete picture of the risks and a strategic level of assurance over them. It can play an important role by initiating and facilitating discussions between the board and the IT function, given that it already understands risk and is used to communicating with the board. Internal audit departments may, however, need to reassess their skills base and the way in which they engage with the business on IT. Currently, as the survey points out, two-thirds of internal audit departments are spending less than 20 per cent of their time on reviewing IT risks.”

Grant Waterfall, Partner, Risk Assurance Services, PricewaterhouseCoopers LLP, added: “Assessing risk is a team game, bringing together IT professionals who understand the technology but not necessarily the business impact that has to be managed, and business managers who lack the technical background but could draw out the potential business implications. Boards, in particular most non-executive directors, simply don’t have inherent practical experience of IT risk, as one of our internal audit heads reminds us, and this means they are unlikely to understand the full extent of the risks and opportunities that technology presents to their companies.”