• Read Top Business/Technology Issues Survey Report 2011. www.isaca.org/toptech
• Look at the range of risks and plan for each.
• Search for IT risk champions among senior leaders.
• Articulate the benefits of risk mitigation to all constituents.
Areas the survey identified as major ones for improvement
in IT risk maturity include:
1. IT risk planning happens in silos [48%]
2. Creating a formal risk management department [41%]
3. Being more proactive vs. reactive [38%]
Future: Emerging IT Risks
The survey results show several emerging technologies that
represent significant IT risks. Those with the most concerns
were (rating the IT as “extremely risky/risky”):
1. Social networking tools [64%]
2. Mobile platforms [54%]
3. Cloud computing [42%]
There were some common threads across these risky
technologies. One is the security control of the flow of data to
and from these technologies. Another was the fact that entities
are still struggling with securing their own networks while
considering moving to cloud computing; that is, professionals
were not sure they were ready internally to extend the IT
risks to cloud computing since they were not yet effectively
managing IT risks locally. Cutting costs was an attraction for
cloud computing in particular, but many consider the risk to
be very high.
Social networking and mobile computing concerns were
primarily in loss of control of data and threats of unauthorized
access to confidential, proprietary data. Overall, social
networking and mobile computing were considered very risky.
Future: Shift in Involvement
The survey looked at the current and future involvement of
IT managers and professionals in IT risk management. There
was a shift predicted three years out—increases in the area
of branding (customer service, marketing), business strategy
and financials. The decline side of the shift was infrastructure.
Perhaps the decline shift is either because infrastructure is
being successfully hardened or because entities are moving
to cloud computing, Software as a Service (SaaS) and
Infrastructure as a Service (IaaS) and, therefore, are able to
focus more attention on other areas.
Sixty-five percent of the respondents said that risk
mitigation is becoming a more integral part of their job, and
83 percent agree that IT managers should be more involved.
IMPLICATIONS TO IT AUDITORS
First, these surveys provide information to better assess
IT risks for any current IT audit activities. In particular,
they provide information on emerging issues such as cloud
computing and mobile computing. For instance, the IT risk
maturity assessment (IBM) would be beneficial information to
have for an IT audit. There are areas identified for IT auditors
to seek evidence of IT risks and mitigating controls.
The surveys also help focus IT auditors on key issues in
performing IT risk assessments. For instance, it is beneficial
to compare these two lists and note that mobile computing
and information security are prominent on both lists. Risks
associated with data are also prominent in both surveys.
The IBM survey also provides forward-looking information
to see where IT audits might be moving in the future. Clearly,
social networking, mobile computing, cloud computing, SaaS
and IaaS (data centers) are areas in which IT auditors will be
asked to do more The IBM survey shows the future parties of
interest for potential interviews and sources of information
for the IT auditor. For instance, IT managers will apparently
become even more involved with IT risk assessment and
management in the future, at the enterprise level. It is
particularly interesting to note that there will be a shift to
more involvement by IT managers in financial-related IT risks.
CONCLUSION
Because of the nature of IT, IT auditors have to stay abreast
of the ever-changing IT environment. The AICPA TTI and the
IBM Global Risk surveys provide valuable information to help
keep the IT auditor up to date.
