KPMG: Risk assessment should be an ongoing process

Approximately three quarters (78%) of companies update their IT audit plans annually, although risk assessment should be an ongoing process.
Nearly 300 organizations from at least 20 countries across Europe, the Middle East and Africa participated in the survey.

The current economic crisis increases the pressure on executives to reduce technology costs and improve operational performance while, at the same time, maintaining an acceptable level of risk. Most of the time, these measures take the form of rapid restructuring and reorganization of operational activities. All these actions should be based on a careful risk assessment process.

As technology is vital for the management of every business, Aurelia Costache, IT Advisory Partner at KPMG in Romania, warns that a rapid business restructuring process that is not followed by the alignment of the IT system to the new business cases and an appropriate update of the related controls could increase the systems’ vulnerabilities. These vulnerabilities could be exploited by both external and internal individuals. The IT internal auditor could play an important role in this respect. “The IT internal auditors should become more involved in risk assessment activities and help companies mitigate the new risks generated by the current economic environment”.

The same study shows that in the banking and insurance sectors, less than 20 percent of Internal Audit time is scheduled for IT audit activities. More than 20 percent of industrial companies fail to perform risk assessment. Are these measures enough?

A few years ago, most organizations considered that IT auditors should focus on IT security issues, with the other IT-related risks being handled by non-IT auditors. The research revealed that only 41% of the respondents aligned their IT Internal Audit activities with wider governance activities.

Increased collaboration with the executive levels, within the limits of independence requirements, and with the non-IT auditors could raise the profile of the IT internal auditor, turning the IT internal audit function into a governance tool. To achieve this, IT auditors need to have both technical and business knowledge. “It is encouraging to see that the heads of the Internal Audit function are looking for IT internal auditors having more than security skills,” says Aurelia Costache. The most required skill remains, of course, security, followed by standard framework knowledge, applications and business knowledge.

According to the results of the survey, 55% of the participants chose to recruit skilled staff, and 40% of the surveyed organizations outsourced certain activities to access appropriate skills. Considering the current cost constraints, KPMG considers that the trend in the internal audit sector will be toward co-sourcing.

Another important element to be considered in the relationship between the auditors and the executive levels is the communication of the audit results. Although 97% of the organizations communicate the audit findings in formal reports, 55% of them do not incorporate management comments in their reports. This may suggest either a lack of support from the executive levels or inadequate agreement on findings before the audit report is finalized. Moreover, just 6% present their findings to the executive management levels. Aurelia Costache insists on increased collaboration between the auditors and the executive management level in both the planning and the reporting phases: “our experience shows that proper communication and discussions of findings with the executives hasten the implementation of the auditor’s recommendations and enhance support of the audit activity”.

Considering the current economic circumstances, Aurelia Costache concludes that the IT internal auditor could play an important role in risk management activities and “an appropriate collaboration between auditors and executives, both in the planning and the communication of audit findings phases could significantly reduce the risks induced by the market turbulences”.
