Top Technology Risks that Keep Internal Audit Up at Night
Chief audit executives (CAEs) and IT audit leaders see cybersecurity as the top technology risk their companies face over the next year, followed by risks associated with third parties and vendors. Those are the findings of Navigating A Technology Risk-Filled Horizon, the eleventh annual Global Technology Audit Risks Survey conducted by consulting firm Protiviti and The Institute of Internal Auditors (IIA). Protiviti and IIA surveyed 559 IT professionals on the technology risks their companies face over the next 12 months and over the longer term.
Roughly half of the respondents (258) identified as CAEs or as IT Audit Directors. Looking only at the responses of this subset, the technology threat risks rated at the highest levels (5 or 4 on a scale of 1-5) for the next 12 months were:
Cybersecurity (82 percent). Not surprisingly, 82 percent of CAEs and technology audit leaders consider cybersecurity a high-risk area. (Seventy-five percent of all respondents cited cybersecurity as a top risk.)
Third party/vendors (67 percent). The survey report states: “Global events such as supply chain disruptions and regulatory changes, combined with the increased use of cloud services and other outsourced IT functions, have amplified the importance of vetting third-party providers. This screening extends beyond cost effectiveness to encompass compliance with security and data protection standards.”
Data governance & integrity (64 percent). Data governance and integrity refers to the risks related to maintaining accurate, consistent, and reliable enterprise-wide data. The report observes that “[p]roper data governance is not just a compliance requirement -- it also represents the foundation for successful digital transformations and AI initiatives.”
Transformations & systems implementations (62 percent). These threats include disruptions, unmet requirements, data loss, and other risks arising from major business or IT changes.
IT talent management (60 percent). Protiviti/IIA describe IT talent management and the perceived threats associated with attracting, developing, and retaining skilled technology personnel as “in the middle of the pack compared to other risks.”
Only 28 percent of all respondents identified artificial intelligence and machine learning (including generative AI) as a significant threat risk in the coming year. However, 54 percent view AI systems as a substantial risk in the next two to three years. CAEs and IT Audit Directors were somewhat more concerned about AI threats, with 33 percent of those respondents selecting AI as a significant near-term risk area.
A section of the survey report headed Protiviti Commentary offers this advice:
“If you take only one action based on the findings of this research, consider increasing the frequency of your technology audits. If you can make another move, consider deploying (or increasing) the use of data analytics on technology audits.
“These two activities correspond to a wide range of positive technology audit outcomes. These outcomes include more timely snapshots and deeper insights into both traditional and newly relevant technology risks. Additionally, they contribute to improved organizational preparedness and technology audit proficiency to address cybersecurity, regulatory compliance, data privacy and compliance, data governance, third-party risk management (TPRM), IT talent management, AI-related risk management, and more.”
CAEs typically report to the audit committee. Audit committees may want to consider using this report as a basis for discussion with their internal audit head concerning how he or she perceives the company's top technology risks in the near and medium term and what steps can be taken to address such risks.