The ISACA/Protiviti fifth annual IT Audit Benchmarking Survey in the third quarter of 2015 was released today. While I have not had the chance to read the full 48-page report, a quick scan focused my attention on one area of the survey. It relates to the relationship between IT Audit and Internal Audit. The heading for it is:
“IT Audit in Relation to the Internal Audit Department”
The survey starts by stating that there has been no significant change in the relationship over the years. It says that many companies still have established reporting structures for IT audit that are less than optimal. It goes on to say that having the IT Audit Director report to the CAE or equivalent is best practice.
Interesting statistics from the survey:
58% of the surveyed companies have an IT Audit Director or equivalent position.
91% of the surveyed Oceania companies have an ideal reporting structure (reporting to the CAE or a director under him/her) for the IT Audit Director.
The breakdown for the rest of the world is as follows:
Latin/South America 79%
Middle East 79%
North America 79%
How is IT Audit structured in your company, and to whom does it report?
Do you agree that IT Audit should report to the CAE?
A few years ago I wrote a short but wild blog post asking for the merger of the IIA and ISACA. I still stand by this crazy idea!
These are my thoughts, please share yours!