IT Risks—Present and Future
Tommie W. Singleton, Ph.D.,
CISA, CGEIT, CITP, CPA,
is an associate professor of
information systems (IS) at
the University of Alabama at
Birmingham (USA), a Marshall
IS Scholar and a director
of the Forensic Accounting
Program. Prior to obtaining his
doctorate in accountancy from
the University of Mississippi
(USA) in 1995, Singleton was
president of a small, value-added dealer of accounting
IS using microcomputers.
Singleton is also a scholar-in-residence for IT audit
and forensic accounting at
Carr Riggs Ingram, a large
regional public accounting
firm in the southeastern US. In
1999, the Alabama Society of
CPAs awarded Singleton the
1998–1999 Innovative User of
Technology Award. Singleton
is the ISACA academic
advocate at the University
of Alabama at Birmingham.
His articles on fraud, IT/IS, IT
auditing and IT governance
have appeared in numerous
publications, including the
ISACA Journal.
Risk management has become an area of
increased focus over the last decade or so.
Practically all types of audits begin with a risk
assessment and take a risk-based approach. IT
managers are likewise more focused on IT risk.
With the major role that IT risk plays in the
current business environment, it is beneficial to
understand as much about IT risk as possible.
Two recent surveys provide valuable information
about IT risks today and in the near future.
AICPA: 2011 TOP 10 TECHNOLOGY INITIATIVES
In 2011, the AICPA conducted its 22nd Top
Technology Initiatives (TTI) Survey. Certified
Information Technology Professionals (CITPs)
and select Certified Public Accountants (CPAs)
were asked to rank the technology issues of
greatest importance today. The results were
divided into those related to public accounting
and those related to business and industry. The
final composite rankings are included in figure 1.
This list provides insight to IT auditors as
to some of the major issues most likely to be
relevant in today’s IT audit environment.
IBM GLOBAL RISK STUDY (2010)
In 2010, IBM conducted a global risk survey of
people in various roles to understand how IT
managers are working to better understand and
mitigate IT risk.
The results show that 66 percent of
respondents rate their entity’s overall approach
to mitigating IT risk as “good to expert.” Results
also reveal that IT professionals are involved in
a number of risk-related issues and feel strongly
that they should be even more involved in the
future. Current IT risk budgets have not fallen
over the last year, but, rather, have remained
steady or have increased. Organizations and
senior executives recognize the need for and
business benefits of risk mitigation. All of these
results fall under “good news.” The results were
also consistent across geographies, industries, size
and participant role.
However, there are some areas for
improvement and indicators of what the future
might hold for IT risks.
Present: IT Risk Issues
The survey results included a rating of current
IT risk issues. When respondents were asked to
identify risk issues of the last year, efforts were
focused in a few areas (responding “yes” to the IT
risk as a top-of-mind issue):
1. IT security [78%]
2. Hardware and software malfunction [63%]
3. Power failure [50%]
4. Physical security [40%]
Figure 1—AICPA Top 10 Technology Initiatives
Public Accounting
Business and Industry
12
21
33
45
56
68
Technology Initiative
Control and use of mobile devices
Information security
Data retention policies and structure
Remote access
Staff and management training
(Business) Process documentation and improvements
Saving and making money with IT
Budget processes
Project management and deployment of new IT
Technology cost controls
Key performance indicators
7
9
10
10
4
9
8
-
-
7
Present: IT Risk Maturity
One outcome of the survey was the
conclusion that the examination and
assessment of an entity’s IT risk maturity is
foundational to effective risk management.
According to the survey, there is a need for
an objective assessment of IT risk maturity
now. Recommendations included:
• Determine the entity’s IT risk maturity
with objectivity.
• Institute a cross-functional plan for all risk
categories (data, security, recovery and
new IT).