Professional Documents
Culture Documents
kpmg.com
Contents
As information
technology and 03 04 05 07 09
systems become
ever more complex,
those technologies are Focus shifts
changing ever more from core
operations
rapidly and we are Key areas to emerging Needs and
beginning to see the Foreword Introduction of risk risks budgets
deployment of artificial
intelligence systems;
this means entities 11 14 15 17 19 20
must audit based on
the increasing risk
they face and find
ways to overcome Sources of
Where assurance
resource and the skills Use of third Audit of IT over key Survey
budgetary constraints gaps are parties and by IT risks Conclusion demographics
to achieve this.
© 2017 KPMG International Cooperative (“KPMG International”). KPMG International provides no client services and is a Swiss entity with which the independent member firms of the KPMG network are affiliated.
Foreward
Foreword
IT Internal Audit (ITIA) is coming under increasing The findings in this report are based on a survey of
pressure to measure the management and 250 ITIA professionals around the world. Insights
mitigation of technology risks that are proliferating. are also included from KPMG’s 2016 IT Internal
Resources are stretched and demands are ever Audit conference. It is the third report of its kind (the
increasing. As technology risks multiply, ITIA is previous ones were published in 2009 and 2013).
being asked to do more. For some, budgets are
I would like to thank all of the respondents who
rising, but not for all. IA professionals are rising to
participated in the survey, including many of our
the challenge, but nonetheless this latest survey
member firms’ clients. I hope that you will find it
of the market shows there are significant gaps in
a valuable and insightful assessment of the state
resources and capabilities.
of ITIA globally, providing you with information
To bridge the gap, ITIA must redouble its efforts to that broadens your understanding of the critical
enhance the skills of existing personnel, to partner contribution ITIA can make to the business.
with third parties and to hire talented professionals
At a time when demands placed on ITIA are steadily
where necessary. It is becoming critical to present
growing, we expect this report will stimulate your
a forward-looking and compelling business case for
thinking and provide fresh perspectives.
more resources, where needed, to the Board and
senior management.
Andrew Shefford
Global Head of IT
Internal Audit
Introduction
Technology risk is pervasive and continually changing. It is and to increase the use of tools and technologies such
a critical time for IT professionals and internal auditors (IA) as data analytic technology and automated workflow
of IT, who must build plans to provide assessments of, and tools.
insights into, the most important technology risks and how
— Forty-three percent of respondents say their ITIA
to mitigate them. ITIA must keep abreast, and wherever
budgets are likely to be stable and 8 percent say they
possible anticipate, fast-moving developments in technology.
In particular, ITIA must plan, deliver and, when necessary,
may fall between 2017 and 2018. Thirty-eight percent say ITIA focus
flex its audit plan in such a way that it responds to these
they may rise. If budgets are not, at least, maintained,
there is a danger that ITIA will not be able to perform its
will shift
changes in the most appropriate, efficient and effective
manner. And it must do so within the budgetary constraints
job of providing adequate assurance over all the different to robotics
kinds of risks, not just those affecting core operations.
imposed by the organization, facing competition (both
internal and external) for resources. — The chief area of concern is whether ITIA has the skills
and IoT.
required to provide assurance over the most important
To find out how ITIA is responding to these challenges,
technological risks to the organization. ITIA respondents
KPMG surveyed ITIA representatives of 250 organizations,
say they face talent shortages in many risk areas they
both large and small, that are operating in a wide range of
are auditing. The biggest resource gaps are in cyber
industries around the world (see demographic breakdown on
security, followed by data and analytics (D&A), and
51%
page 19). The survey took place between October 2016 and
privacy.
February 2017. Based on our analysis of the survey results,
the main findings include the following. — One area of need is the ability to use D&A for various
— ITIA is currently focusing on core operations risks, such
purposes in ITIA. Only a quarter of respondents say
they use analytics for continuous auditing, monitoring
say budgets
as unauthorized access or changes to critical business
applications. But respondents anticipate a significant
and assurance techniques; the remainder use it in an won’t rise
ad hoc way.
shift in attention in 2018 toward emerging risks, such
as robotics and the Internet of Things (IoT) (connecting — Assurance is typically delivered through direct internal
devices to the internet and to each other). ITIA will need and external audits, rather than by leveraging the
to build holistic assurance over these new risks across assurance work done by the organization’s independent
the organization to cover key components such as cyber assurance specialists. The implication is that many
defenses around data, applications and infrastructure. organizations lack an integrated approach to assurance.
— ITIA faces the task of obtaining the appropriate skilled
and qualified resources to assess fast-changing risks
Strategic/emerging risks
The areas chosen most frequently are: general IT controls External
Extended enterprise
(GITCs) and application layer controls. The prominence 16 Regulatory
8 Vendor risk reporting
of these two areas reflects ITIA’s ongoing assurance 14 Cloud
management 18 Social
over these key controls, under regulations such as those media
services
pertaining to the Sarbanes-Oxley Act in the US. 15 Mobile
governance
channels
Core Emerging
IT risk universe external areas
risks
Based on KPMG’s experience of advising clients on
managing IT risk, key risk areas have been placed in an Stable/known IT risk Changing/new
5 Cyber
IT risk universe, portrayed in this chart and the one on universe 9 Data/privacy
defenses
page 6. The horizontal axis depicts the pace of change, governance
from static at the left to fast moving on the right. The Core Business
3 Change and/or
vertical axis indicates whether the focus of control configuration operations change
Operational policy and control
Strategic/execution business
internal (below it). 4 Identity & 19 IT program/project
access assurance
1 GITCs & management
change risks
2 IT application
controls
11 IT strategy/
governance 12 Data
6 IT risk migration 17 Digital
transformation
management 13 IT service
governance
management
10 IT asset 7 Resilience/
management continuity Internal
Source: IT Internal Audit: Multiplying risks amid scarce resources, KPMG International, 2017
Strategic/emerging risks
External IoT
these risks are joined by areas such as: the IoT and robotics
Extended enterprise
and machine learning (computers performing routine tasks 16 Regulatory
previously done by humans). These are seen as emerging reporting 14 Cloud
8 Vendor risk services
risks that will grow in importance in the coming months. management 18 Social 15 Mobile
In these cases, the risks include the governance and media channels
change management associated with their integration governance
into business processes, as well as their compatibility
Robotics
with other IT systems and the culture of the organization.
Core Emerging
These new risks present challenges for ITIA to understand external areas
and provide assurance over, as well as opportunities to risks
enhance, its capabilities. Stable/known 9.1 Data Changing/new
IT risk governance
In summary, there are some stark differences between universe
this chart and the one on page 5. There is a marked shift in Industrial
3 Change 5 Cyber 9.2 Privacy
focus to emerging areas, such as robotics and IoT. Yet at the control system Core defences
control
and/or Business
same time, organizations cannot afford to neglect the basic configuration (ICS) security operations
change
control
Strategic/execution business
management, industrial control system security and IT 4 ID & user project
andand
1 GITCs &
change risks
platforms
policy
2 IT application
controls 11 IT strategy/ 12 Data 17 Digital
Operational
13 IT service governance
Management
management
D&A
7 Resilience/
10 IT asset
continuity Internal
management
Source: IT Internal Audit: Multiplying risks amid scarce resources, KPMG International, 2017
Significant
change of focus
Source: IT Internal Audit: Multiplying risks amid scarce resources, KPMG International, 2017
Stable
Up
43%
38%
Not known
Down
11%
8%
Source: IT Internal Audit: Multiplying risks amid scarce resources, KPMG International, 2017
D&A
Privacy
4 Risk management
5 ERP systems
6 Compliance
7 Change management
9 Data quality
11 Other
Source: IT Internal Audit: Multiplying risks amid scarce resources, KPMG International, 2017
Information systems
16%
and security
Professional
11%
accounting
IT service
8%
management
None 4%
Other 4%
Source: IT Internal Audit: Multiplying risks amid scarce resources, KPMG International, 2017
53%
Source: IT Internal Audit: Multiplying risks amid scarce resources, KPMG International, 2017
Source: IT Internal Audit: Multiplying risks amid scarce resources, KPMG International, 2017
methodology/workflow tools
across the full spectrum of their
audit lifecycles.
Source: IT Internal Audit: Multiplying risks amid scarce resources, KPMG International, 2017
1
The Creative CIO, The Harvey Nash/KPMG CIO Survey 2016
Plan, resource
Case for Organization Process Systems
Leadership & progress KPIs/metrics
management change design design design
100,000 +
10,000–100,000
0–10,000
0 50 100 150
4% 5% 9%
7%
34%
9%
Business services
Energy and mining 51%
Healthcare and life sciences 41% Survey
11%
Public services and infrastructure demographics
Industrial manufacturing
TMT Asia Pacific
16% 13% Americas
Consumer markets
Financial services Europe, Middle East, Africa
Source: IT Internal Audit: Multiplying risks amid scarce resources, KPMG International, 2017
Phillip Lageschulte
Americas Region IT Internal Audit Lead
KPMG in the US
T: +1 312 665 5380
E: pjlageschulte@kpmg.com
Brad Peake
Asia Pacific Region IT Internal Audit Lead
KPMG Australia
T: +61 2 9335 8148
E: bradpeake@kpmg.com.au
kpmg.com/socialmedia
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such
information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
© 2017 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm
has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.
Designed by Evalueserve.
Publication name: IT Internal Audit: Multiplying risks and scarce resources
Publication number: 134524-G
Publication date: July 2017