How internal audit can help manage 10 top technology risks

Many of the top risks organisations face today are related to technology.

As a result, internal auditors are paying close attention to areas such as cybersecurity, data privacy, and social media. These areas – and others related to technology – have the potential to deliver devastating setbacks to a company or organisation.

“The technology risks we face today are increasingly complex, and a sophisticated, well-thought-out approach is required to manage them,” Richard Chambers, president of The Institute of Internal Auditors (IIA), said in a news release.

Methods for internal audit to help organisations manage the top ten technology risks are described in a new report, Navigating Technology’s Top 10 Risks, that was released today by the IIA and is available for download on the IIA’s website. The top 10 technology risks were determined as the result of interviews with chief audit executives and IT specialists from Africa, Latin America, the Middle East, Europe, Canada, and the US.

The report’s top ten risks – and suggestions for how internal audit can manage them – include:

  • Cybersecurity. More than 70% of the IIA survey respondents consider the risk of a data breach to be at least moderate, with IT specialists reporting more concern than other groups. Internal audit’s activities related to cybersecurity, according to the report, can include conducting vulnerability scans and penetration testing; verifying that simulation exercises related to the organisation’s crisis management plan are performed; and conducting an audit of network architecture to determine compliance with network policy and procedures.
  • Information security. Organisations are focusing now on a layered defence of critical information, rather than a single layer of protection against the network perimeter, the report says. Internal audit’s activities can include performing vulnerability scans of the internal network; reviewing the access control review process; and using third parties to conduct simulated attacks and auditing results.
  • IT systems development projects. Internal audit can perform audits of each aspect of the life cycle of systems development; participate in project audits with vendor audit and quality teams; and conduct audits of the organisation’s project management methodology, the report says.
  • IT governance. Internal audit’s duties can include assessing the tone at the top of the IT organisation; performing periodic audits to determine the IT function’s alignment with strategic priorities; and reviewing the effectiveness of IT’s resource and performance management, according to the report.
  • Outsourced IT services. Internal auditors can get involved early in the outsourcing cycle, the report says, by ensuring that the initial contract addresses important topics including oversight, monitoring, auditing, and security. Internal audit also can ask how compliance with the contract is monitored.
  • Social media use. Internal audit’s duties can include playing a consulting role as organisations define, communicate, monitor, and enforce a social media business-use policy, according to the report. A social media audit may be included in the annual internal audit plan.
  • Mobile computing. Almost half of survey respondents perform little or no assurance for use of mobile devices. The report suggests internal audit can perform an audit of the inventory process of mobile devices, perform an audit of how lost or stolen devices are managed, and verify that sensitive information is encrypted or not stored on mobile devices.
  • IT skills among internal auditors. Many internal audit departments struggle to develop and maintain the skills needed to audit IT. Understanding the technology used in the organisation and identifying skills gaps can help internal audit develop and/or outsource these skills, according to the report.
  • Emerging technologies. Internal audit can provide guidance on the risk and control requirements when new technologies are being evaluated, the report says.
  • Board and audit committee technology awareness. Limited IT expertise on a board of directors may pose governance challenges. The report suggests that internal audit can be the main conduit for bringing technology awareness to the board and audit committee.

Ken Tysiac ( is a CGMA Magazine editorial director.