Tuesday, December 1, 2015

Should IT Audit Report to the CAE?


The ISACA/Protiviti fifth annual IT Audit Benchmarking Survey in the third quarter of 2015 was released today. While I have not had the chance to read the full 48-page report, a quick scan focused my attention on one area of the survey. It relates to the relationship between IT Audit and Internal Audit. The heading for it is:

                             “IT Audit in Relation to the Internal Audit Department”

The survey starts by stating that there has been no significant change in the relationship over the years. It says that many companies still have established reporting structure for IT audit that are less than optimal. It continues to say that having the IT Audit Director report to the CAE or equivalent is best practice.

Interesting statistics from the survey:

58% of the surveyed companies have an IT Audit Director or equivalent position.

91% of the surveyed Oceania companies have an ideal reporting structure (reporting to the CAE or a director under him/her) for the IT Audit director.

The break down for the rest of the world is as follows:

Africa  63%

Asia    86%

Europe  70%

Latin/South America  79%

Middle East 79%

North America 79%

Oceania 91%

How is the IT Audit structured in your company and to whom it reports?

Do you agree that IT Audit should report to the CAE?

Few years ago I wrote a short but wild blog post asking for the merger of the IIA and ISACA, I still stand by this crazy idea!

These are my thoughts, please share yours!

No comments:

Post a Comment

Are you getting the most from the ethics mandatory hours?

 Like many of you at this time of year, I have been looking to take the mandatory two hours of ethics training to comply with the IIA cpe  r...