Boards unprepared for IT risks, says survey

The vast majority of firms see IT as strategically important to their business, but internal auditors believe boards do not fully understand the risks that come with technology, a survey by PricewaterhouseCoopers and the Institute of Internal Auditors has found.

Some 98 per cent of the 250 senior managers surveyed said IT was necessary to ensure future successes, moving IT-related risk issues to board agenda for three-quarters of organisations. But 68 per cent of internal auditors said boards don't understand IT risks, leading 74 per cent of auditors to say they would like to be included in providing assurances over the use of strategic technology.

"We have seen the re-emergence of large scale corporate investment into IT systems over the last two years and this has prompted many boards to look for greater levels of comfort than ever before," said Grant Waterfall, partner, risk assurance services, PricewaterhouseCoopers in a statement. "Our survey findings suggest that boards and audit committees may not have all the skills they need to understand and deal with IT risk, while mechanisms for communicating IT risks to the board may also not be effective enough."

Some 40 per cent of senior managers surveyed for the report said internal audit departments lack the ability to discuss business implications of IT risk. But Gail Eastbrook, chief executive, of the Institute of Internal Auditors - UK and Ireland, disagreed. "Internal audit is well positioned to step up to some of the challenges highlighted in this survey and help provide boards with a complete picture of the risks and a strategic level of assurance over them, she said. "It can play an important role by initiating and facilitating discussions between the board and the IT function, given that it already understands risk and is used to communicating with the board."

But she warned that internal audit departments may need to expand their skills base and spend more time on IT. "Currently, as the survey points out, two-thirds of internal audit departments are spending less than 20% of their time on reviewing IT risks," Eastbrook added.

The increasingly fast pace of IT change in businesses means boards and IT professionals must better communicate on risks, the report said. "Assessing risk is a team game, bringing together IT professionals who understand the technology but not necessarily the business impact that has to be managed, and business managers who lack the technical background but could draw out the potential business implications," said Waterfall. "Boards, in particular most non-executive directors, simply don't have inherent practical experience of IT risk, as one of our internal audit heads reminds us, and this means they are unlikely to understand the full extent of the risks and opportunities that technology presents to their companies."