Professional Documents
Culture Documents
The IT audit function has never held a more crucial role. From substantial cybersecurity, privacy
and infrastructure challenges and management issues to the implementation of new technologies
in the organization, IT auditors work closely with management and the board of directors to fulfill a
vital role in helping to maintain an effective control environment amid a changing business climate
and dynamic global marketplace.
The results of the latest IT Audit Benchmarking Study Why arent IT auditors involved earlier and more
from ISACA and Protiviti illustrate the increasingly often in major technology projects? More broadly,
integrated role IT audit leaders and professionals why are certain types of audits not performed? Is
are assuming in regard to technology initiatives in lack of the right framework and/or the right IT audit
their organizations. A majority have a significant or talent and skills the primary issue? Does IT audit
moderate level of involvement in major technology have the necessary authorization from management
projects, and a majority of IT audit directors regularly and the board to become involved in these projects
attend audit committee meetings (a noteworthy change earlier and in greater detail? Is IT audit building the
from just a few years ago). Yet, as we explore in this appropriate relationships with management and
report, there is room for improvement in many areas. line-of-business leaders to earn a seat at the table
Most notably, one in three IT audit functions have when critical technology projects are being planned
minimal or no involvement in significant technology and implemented? In our report, we provide possible
projects in the organization. And for those that are answers to these questions and guidance for IT audit
more involved, most of their efforts appear to be leaders seeking to grow their function into a strategic
focused on the post-implementation stages rather partner for their organizations.
than in planning, design or testing.
Cybersecurity is viewed as the top technology challenge This has been a highly ranked challenge in our prior
01 years surveys, but still has increased in importance and clearly is the top-of-mind concern for IT audit leaders and
professionals. These results are consistent with the results of Protivitis annual survey of technology leaders, which
show that IT security and incident response capabilities dominate the priority lists for CIOs.1
02
There appears to be more executive-level interest in IT audit A majority of IT audit leaders are regularly attending
audit committee meetings, and many more are reporting directly to the CEO (though this reporting relationship may
not be ideal). There also is more audit committee involvement in the IT audit risk assessment process.
03
More CAEs are beginning to carry leadership for IT audit directly CAEs are becoming increasingly IT-literate
and appear to be taking on the daily management and leadership of the IT audit function. This is a positive trend as
it provides the IT audit function with greater visibility and improved stature.
Most IT audit shops have a significant or moderate level of involvement in key technology projects While
04
it is encouraging to find some involvement in the early stages of a project such as planning and design, IT audit
functions are more frequently involved post-implementation. Given that a strong majority of organizations have
implemented a new IT system or application within the past three years, there likely are opportunities for IT audit
to become more involved earlier on with these initiatives.
Most perform IT audit risk assessments, though a majority do so annually or less frequently Considering
05 the growing risk landscape resulting from cybersecurity threats and emerging technologies, more organizations
should consider an approach that includes continually reviewing the IT risk landscape and adjusting IT audit
plans accordingly.
1
From Cloud, Mobile, Social, IoT and Analytics to Digitization and Cybersecurity, Protiviti, 2016, www.protiviti.com/ITtrends.
2 Protiviti ISACA
Methodology
ISACA and Protiviti partnered to conduct the 6th Since completion of the survey was voluntary,
Annual IT Audit Benchmarking Survey in the third and there is some potential for bias if those choosing
fourth quarters of 2016. This global survey, conducted to respond have significantly different views on
online, consisted of a series of questions grouped into matters covered by the survey from those who did
six categories: not respond. Therefore, our studys results may be
limited to the extent that such a possibility exists.
Emerging Technology and Business Challenges
In addition, some respondents answered certain
IT Implementation Project Involvement questions while not answering others, and a significant
percentage of respondents are members of ISACA.
IT Audit in Relation to the Overall Audit Department
There also is a disparity in the number of responses
Risk Assessment from each geographic region.
Cybersecurity sits atop the list of top technology Beyond cybersecurity, other technology challenges
challenges. This increasing focus on and concern are just as striking. Compared to our prior results,
about privacy and cybersecurity should not be a there are noteworthy changes in the relative position
surprise to IT audit practitioners in light of high- of regulatory compliance, emerging technology
profile breaches and coverage of security in the challenges, budgetary challenges and cloud computing.
mainstream press. As we continue to see businesses With regard to regulatory compliance, this is a
and governmental entities compromised through striking change given that updates to the regulatory
various forms of breaches, IT auditors must be vocal landscape tend to occur slowly. Emerging trends
in providing consultation and advice as well as around infrastructure management and regulatory
ongoing assurance around controls that help secure compliance have likely driven the continued
sensitive information. Executives should view IT challenge IT departments face regarding controlling
audit as a critical resource that helps to ensure budgets and costs. Organizations seek to capitalize
their organizations stay protected. on more mature cloud offerings with the promise of
increased flexibility and reduced cost, but realizing
the benefits will, in many cases, take some time.
4 Protiviti ISACA
Challenges related to new technologies specifically Lastly, for the first time in our survey, third-party/
those concerning emerging technology (innovation, vendor management ranks among the top technology
transformation and disruption) have moved down challenges. Organizations that rely on IT service pro-
the list. Some change in this regard is to be expected viders have found that they must increase the maturity
as practitioners become more adept at dealing with the of their vendor management processes. For companies
increasing pace of disruptive innovation and managing that have strategically moved toward sourcing their
externalized, virtual environments. most critical IT processes or applications from service
providers, a highly mature and appropriately resourced
vendor management program should be a requirement.
Most organizations have implemented an IT system should assume responsibility for becoming involved in
or application within the past three years. The results these projects, and explore dialogues with management
are consistent with Protivitis latest survey of CIOs and and line-of-business leaders to determine how they
technology leaders, which indicated that a majority can contribute and add value. However, this cannot
of organizations currently are undergoing a major happen without at least an implicit invitation to do
IT transformation. so. For this reason, strong relationships with the
organizations management, audit committee and
With regard to the IT audit functions involvement in
line-of-business leaders are paramount, together with
significant technology projects, while a majority have
a good understanding of the organizations culture
either a significant or moderate level of involvement,
and the tone for IT audits involvement. These elements
a surprising number have minimal or no involvement.
will help IT audit leaders gain a seat at the table for
IT auditors generally do not believe they are brought in
practical nuts and bolts matters as well as higher-
early or frequently enough to these projects. In a related
level strategic issues.
survey finding, IT auditors generally are involved
in evaluating various aspects of IT implementation
projects most notably, post-implementation project
review, test phases and project governance. But in GLOBAL LEADER
almost every case, reported involvement is less than Africa
a majority of possible opportunities.
68 %
for Major Programme Management at the University of of IT audit functions have a
Oxford, the average large IT project runs 45 percent over significant or moderate level
budget, 7 percent over time, and delivers 56 percent less of involvement in significant
value than expected. The bottom line is that, considering
2 technology projects.
these factors, there likely are opportunities in the
organization for the IT audit group to add significant
value to technology projects. In fact, IT audit leaders
2
Bloch, M., Blumberg, S., Laartz, J., 2012. Delivering large-scale IT projects on time, on budget, and on value. www.mckinsey.com/business-functions/digital-mckinsey/our-
insights/delivering-large-scale-it-projects-on-time-on-budget-and-on-value.
6 Protiviti ISACA
Has your company implemented an IT system or application in the last three years?
Yes 88%
No 8%
Unsure 4%
Europe
84 % Asia
North America
90% 84%
Middle East
Africa 88%
Latin America/South America
82 % Oceania
95%
88%
Collaboration 9% 1% 9% 3% 0% 3% 8%
Other 2% 3% 3% 0% 5% 11% 5%
From the organizations perspective, was the IT implementation project a success or a failure?
Region
Europe
76 % Asia
North America
77% 72%
24% 28%
23% Africa
Middle East
72%
73% 28%
Oceania
65%
Latin America/South America
8 Protiviti ISACA
What level of involvement does IT audit have in significant technology projects?
Company Size (Annual Revenue)
Less than
Greater than US$1 billion US$100 million
2016 US$100
US$5 billion US$4.99 billion US$999.99 million
million
Region
Europe
50 % Asia
North America
62% 67%
50% 33%
38% Africa
Middle East
66%
68 %
34%
Oceania
59%
Latin America/South America
Planning 43%
Design 35%
Testing 38%
Implementation 37%
Post-implementation 65%
No involvement 12%
Region
10 Protiviti ISACA
For IT implementation projects that occurred in the last three years, which of the
following did IT audit evaluate? (Multiple responses permitted)
Project risk management plan 52% 39% 53% 50% 41% 42% 50%
System development lifecycle (SDLC) 44% 38% 40% 35% 45% 50% 24%
Data conversion process 57% 38% 29% 38% 31% 50% 38%
Alignment of project success mea-
63% 38% 47% 43% 38% 35% 47%
sures to desired business outcomes
Project plan 43% 25% 36% 45% 48% 45% 38%
Communication plan project plan 35% 21% 23% 20% 28% 35% 29%
Communication plan stakeholders 37% 19% 21% 20% 21% 32% 29%
Define project success measures 38% 16% 25% 25% 21% 21% 21%
What is the most significant risk factor for IT implementation projects within
your organization?
Capabilities and skills of the project manager and/or broader project team 12%
Other 11%
12 Protiviti ISACA
IT Audit in Relation to the Internal Audit Department
Profiling Todays IT Audit Function
We see that while the results for organizations that have IT audit leaders must be prepared to demonstrate audit
a designated IT audit director position are flat (showing coverage and articulate where the highest risks remain.
little year-over-year change), a small but increasing
We also find that in cases where the IT audit director
number of IT audit leaders are reporting directly to the
is not attending audit committee meetings regularly,
CEO. In these instances, it is possible that the CAE is
the CAE usually has sufficient knowledge to discuss IT
serving as the IT audit director, which is a positive trend
audit matters with the committee. While it is positive
as it provides the IT audit function and responsibilities
to see IT audit garnering sufficient attention at the
with greater visibility and stature. It also is a logical
board level, there are some important caveats. First, it
progression given how more organizations have become
appears that in one in four organizations, the CAE lacks
increasingly technology-dependent, driving the need
sufficient knowledge to have these discussions. Second,
for the technology-savvy CAE to also serve as IT audit
reviewing the mechanics of IT audit with the board
director. More CAEs are now assuming this role, which
is different from discussing deeper technology risks
can be advantageous because, among other reasons,
associated with the expanding use of technology across
skilled and experienced IT audit directors are hard to find.
the organization. In these instances, it is important that
Overall, with more organizations and internal audit a technical expert be available to the audit committee.
groups becoming increasingly technology-centric, it
There also is an opportunity to enhance IT audit
is a natural progression for CAEs to assume IT audit
activities by having the CAE or IT audit director in
leadership roles. Higher numbers of IT audit leaders
attendance at various IT meetings at increasing levels
reporting to the CEO likely reflect a number of trends,
throughout the organization. Whether it is regular
from the growing emphasis on digital transformation
meetings with the CIO, large-scale IT-enabled project
initiatives to the need to maximize independence while
meetings or IT portfolio management meetings, the
mitigating conflicts of interest.
rate of CAE or IT audit director attendance at these key
A similar trend shows significantly higher numbers of discussions is disappointingly low.
IT audit directors regularly attending audit committee
Within IT audit functions, a lack of resources and
meetings, with notable jumps in most regions. Boards
aligned skill sets remains a significant challenge. For
and audit committees are asking for additional
many organizations, these issues are often drivers
assurance around critical IT risks internal audit and
for the use of outside resources.
70%
60%
50%
40%
30%
20%
10%
0%
2012 2013 2014 2015 Current
Yes No
14 Protiviti ISACA
Do you have a designated IT audit director (or equivalent position)?
Region (Yes responses)
Europe
49 % Asia
North America
47% 35%
Middle East
Africa 33%
Latin America/South America
36 % Oceania
46%
52%
To whom within the organization does your IT audit director report?
Region
CIO 3% 10% 8% 0% 0% 2% 0%
Reports through some
14% 18% 9% 0% 0% 11% 12%
other function
70%
60%
50%
40%
30%
20%
10%
0%
2012 2013 2014 2015 Current
Yes No
52 % of organizations have
an IT audit director or
equivalent position.
16 Protiviti ISACA
Does the IT audit director (or equivalent position) regularly attend audit committee meetings?
Region (Yes responses)
Europe
60 % Asia
North America
42% 87%
Middle East
Africa 64%
Latin America/South America
64 % Oceania
75%
71%
KEY FACT
Percentage of large companies in which the IT audit
director regularly attends audit committee meetings GLOBAL LEADER
Asia
22 % 48 %
87% of IT audit directors
regularly attend audit
committee meetings.
2012 Current
Yes 72%
No 16%
Does the CAE or IT audit director attend any of the following meetings to help construct
the IT audit plan? (Multiple responses permitted)
Region
Large-scale IT audit project meetings 28% 23% 26% 27% 22% 39% 31%
IT portfolio management meetings 15% 13% 15% 11% 19% 18% 23%
18 Protiviti ISACA
How are IT audit resources organized within your organization?
Company Size (Annual Revenue)
2016 Current 2015 2014 Current 2015 2014 Current 2015 2014 Current 2015 2014
Part of the
internal audit
department, 50% 56% 55% 61% 56% 59% 59% 63% 59% 46% 44% 36%
not a separate
function
Part of the
internal audit
department,
36% 35% 35% 26% 31% 27% 23% 22% 23% 22% 17% 23%
but considered
to be a separate
function
Embedded in the
organization as
a separate audit
function, e.g., 10% 7% 8% 8% 7% 8% 10% 9% 12% 21% 27% 30%
line of business
teams, process
teams, etc.
No IT audit
resources are
4% 2% 2% 5% 6% 6% 8% 6% 6% 11% 12% 11%
available within
the organization
Do you use outside resources to augment/provide your IT audit skill set? (Multiple
responses permitted)
Company Size (Annual Revenue)
2016 Current 2015 2014 Current 2015 2014 Current 2015 2014 Current 2015 2014
Greater than
22% 24% 21% 6% 5% 4% 36% 40% 35% 43% 41% 40%
US$5 billion
US$1 billion
15% 17% 17% 5% 9% 5% 46% 34% 34% 40% 48% 44%
US$4.99 billion
US$100 million
24% 21% 21% 8% 10% 7% 30% 32% 25% 45% 47% 47%
US$999.99 million
Less than
22% 28% 18% 8% 11% 10% 23% 20% 17% 51% 49% 55%
US$100 million
20 Protiviti ISACA
Do you use outside resources to augment/provide your IT audit skill set?
Region (Yes responses)
Europe
52 % Asia
North America
61% 56%
Middle East
Africa 50%
Latin America/South America
57 % Oceania
80%
24%
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
22 Protiviti ISACA
Please indicate the primary reason(s) your company uses outside resources to augment IT
audit skills. (Multiple responses permitted)
Company Size (Annual Revenue)
Less than
Greater than US$1 billion US$100 million
2016 US$100
US$5 billion US$4.99 billion US$999.99 million
million
In-house internal audit department lacks IT
22% 27% 25% 21%
audit skill sets
Region
30%
25%
20%
15%
10%
5%
0%
2012 2013 2014 2015 Current
The IT audit function is new. We have only conducted a few IT general controls audits of agencies of the
government to build the capacity of our IT auditors and IT implementation audits.
IT audit director, small government organization, Africa
24 Protiviti ISACA
Please indicate the number of IT audit reports issued as a percentage of the total reports
issued by the internal audit department.
Region
Europe
39 % Asia
North America
46% 45%
6% 12%
6% Africa
Middle East
56%
43 %
3%
Oceania
66%
Latin America/South America
42% 11% 9%
13%
Greater than 15% Less than 5%
Greater than
2016 YOY Trend 15-20% YOY Trend
20%
Less than
Greater than US$1 billion US$100 million
2016 US$100
US$5 billion US$4.99 billion US$999.99 million
million
Region
The IT audit team is a unit of the internal audit department. Resources are matrixed across IT and process audits
and are based on risks and skills required.
IT audit director, large insurance company, North America
26 Protiviti ISACA
Assessing IT Risks
86 %
assessment, it may be desirable to make this activity
more frequent. Strategies to do so include: of organizations conduct IT
audit risk assessments.
Make the IT audit risk assessment flexible enough
to add or remove the highest risks as the organiza-
tions circumstances change.
Less than
Greater than US$1 billion US$100 million
2016 US$100
US$5 billion US$4.99 billion US$999.99 million
million
Yes, it is conducted as part of the overall internal
68% 59% 59% 54%
audit risk assessment process
Yes, it is conducted separately from the overall
16% 16% 17% 16%
internal audit risk assessment process
Yes, it is conducted by a group other than
internal audit, but internal audit relies on the 6% 7% 8% 7%
output to produce their audit plan
No, an IT audit risk assessment is not conducted 10% 18% 16% 23%
Region
The IT audit risk assessment is done as part of the entitywide assessment. It is also assessed as part of the IT
steering committee.
Chief audit executive, midsize utility company, Africa
28 Protiviti ISACA
Please indicate the level of involvement of each of the following individuals/groups in
your organizations IT audit risk assessment process. (Shown: Significant/Moderate
levels of involvement)
Region
Europe
55 % Asia
North America
43% 60%
60% 65%
68% Africa
Middle East
64%
63 %
50%
Oceania
68%
Latin America/South America
Internal audit is the only group currently conducting a risk assessment for IT. Our enterprise risk management
function does not look at IT in their program.
Chief audit executive, midsize financial services company, North America
Monthly 2% 1% 1% 1%
Never 1% 1% 2% 1%
Region
Europe
24 % Asia
North America
25% 17%
74% 80%
74% Africa
Middle East
9%
37 %
91%
Oceania
32%
Latin America/South America
30 Protiviti ISACA
On which of the following accepted industry frameworks is the IT audit risk
assessment based? (Multiple responses permitted)
Region
37 %
IT audit director, large insurance company, North America
of organizations update their
IT audit risk assessments at
least quarterly.
3
AXELOS, www.axelos.com.
32 Protiviti ISACA
If your company has an ERM program, does the IT audit risk framework used for the risk
assessment link to the ERM framework?
Company Size (Annual Revenue)
2016 Current 2015 2014 Current 2015 2014 Current 2015 2014 Current 2015 2014
Yes 47% 47% 50% 36% 40% 46% 42% 44% 40% 33% 34% 42%
Europe
38 % Asia
North America
38% 41%
Middle East
Africa 41%
Latin America/South America
46% Oceania
50%
47%
Not surprisingly, we find that IT audit functions remain IT audit function is to audit the organizations most
highly focused on conducting IT general control audits, significant risks. Even if the IT audit group is deferring
application audits, IT process audits and, in many cases, to other parts of the business for certain cybersecurity
integrated audits. In addition, an increasing number activities, internal audit ultimately has a responsibility
of IT audit functions are responsible for developing to the board to audit and report on the organizations
and implementing data analysis activities within the most critical risks cybersecurity, technology,
internal audit function. compliance, regulatory, and so forth.
In many regions, one area that ranks on the lower Of note, the reported percentages for vendor audits
end of the scale in terms of IT audit responsibility is appear relatively low. Depending on the organization
conducting cybersecurity audits. This is surprising and its specific circumstances, this could represent
given the growing risks globally around security and an opportunity for growth given the number of risks
privacy, together with the fact that it ranks as the involved with third-party vendors, coupled with the
top technology challenge for organizations (as we volume of data and projects that organizations are
detailed on pages 4-5). A key responsibility for the outsourcing to these vendors.
34 Protiviti ISACA
Which of the following activities is your IT audit function responsible for? (Multiple
responses permitted)
Region
Conducting application audits 82% 67% 71% 77% 77% 73% 85%
Conducting IT infrastructure audits 70% 61% 70% 79% 67% 70% 59%
Conducting integrated audits 50% 43% 63% 65% 43% 60% 65%
Conducting pre- and post-
68% 42% 54% 53% 47% 60% 65%
implementation audits
Collecting and analyzing
67% 56% 48% 65% 50% 44% 50%
data analytics
Conducting cybersecurity audits 49% 35% 58% 56% 50% 70% 53%
Providing consultative services 38% 34% 39% 35% 30% 54% 44%
Conducting IT fraud investigations 49% 26% 36% 49% 43% 28% 21%
Performing continuous auditing 45% 24% 23% 56% 27% 29% 38%
Providing external audit support 39% 23% 27% 35% 20% 46% 35%
Conducting vendor audits 38% 30% 34% 33% 27% 33% 21%
Maintaining internal control
33% 28% 24% 33% 23% 24% 12%
framework documentation
Testing for IT Sarbanes-Oxley or
other related country-specific 12% 16% 18% 33% 0% 54% 9%
compliance
Conducting social media audits 21% 10% 20% 26% 23% 24% 32%
Less than
Greater than US$1 billion US$100 million
2016 US$100
US$5 billion US$4.99 billion US$999.99 million
million
36 Protiviti ISACA
What percentage of time does the IT audit function spend on assurance vs. compliance vs.
consulting activities?
Company Size (Annual Revenue)
Africa
Asia
Europe
Middle East
North America
Oceania
38 Protiviti ISACA
Has your IT audit activity completed an evaluation and assessment of your organizations
IT governance process, in accordance with ISACAs COBIT Framework and IIA Standard
2110.A2? (Yes responses shown below)
Company Size (Annual Revenue)
51%
43%
COBIT
44%
39%
40%
30%
2110.A2
32%
25%
Region
52%
41%
50%
COBIT 60%
48%
40%
35%
40%
30%
31%
2110.A2 38%
24%
33%
16%
Yes, within the next year Yes, but not within the next year
68 %
40 %
completed an evaluation completed an evaluation
and assessment of their and assessment of their
IT governance process, in IT governance process,
accordance with ISACAs in accordance with IIA
COBIT Framework. Standard 2110.A2.
40 Protiviti ISACA
If you answered No to the previous question, indicate whether you intend to complete
an evaluation and assessment of your organizations IT governance process.
Region
Yes, within the next year Yes, but not within the next year
When planning, conducting and reporting the results of IT audits, does the IT audit
function utilize ISACAs standards, guidelines and procedures, as incorporated in the
Information Technology Assurance Framework (ITAF)? (Yes responses shown below)
Company Size (Annual Revenue)
Africa 74%
Asia 57%
Europe 52%
Oceania 68%
When performing IT process assessments, does the IT audit function use ISACAs COBIT
Framework? (Yes responses shown below)
Company Size (Annual Revenue)
Region
Africa 78%
Asia 53%
Europe 60%
Oceania 77%
42 Protiviti ISACA
In your most recently completed year of Sarbanes-Oxley (SOX) compliance, what percentage
of your organizations IT audit hours are associated with SOX-related activities?
Base: Respondents required to comply with the U.S. Sarbanes-Oxley Act
7%
Greater than 75%
6%
10%
50-75%
14%
21%
20-49%
19%
13%
10-19%
16%
17%
Less than 10%
14%
31%
None/Dont know
31%
Current 2015
74 %
85 %
of organizations use
of organizations use
ISACAs ITAF when
ISACAs COBIT Framework
planning, conducting
when performing IT
and reporting the results
process assessments.
of IT audits.
Please indicate the level of importance that you place on the following IT audit technical
skills for your IT audit staff:
Please indicate the level of importance that you place on the following business and
interpersonal skills for your IT audit staff:
44 Protiviti ISACA
Are IT audits conducted by individuals who are full-time internal audit professionals in the
internal audit department and who focus on IT audit projects?
Company Size (Annual Revenue)
Greater than US$5 billion 87% 13% 84% 16% 88% 12%
US$1 billion US$4.99 billion 83% 17% 82% 18% 84% 16%
US$100 million US$999.99 million 74% 26% 66% 34% 72% 28%
Less than US$100 million 67% 33% 64% 36% 64% 36%
Are there specific areas of your current IT audit plan that you are not able to address
sufficiently due to lack of resources/skills?
Company Size (Annual Revenue)
Greater than US$5 billion 41% 59% 46% 54% 48% 52%
US$1 billion US$4.99 billion 48% 52% 45% 55% 47% 53%
US$100 million US$999.99 million 45% 55% 39% 61% 49% 51%
Less than US$100 million 45% 55% 40% 60% 43% 57%
Less than
Greater than US$1 billion US$100 million
2016 US$100
US$5 billion US$4.99 billion US$999.99 million
million
Increase it by 11-20% 5% 5% 6% 8%
Reduce it by 5-10% 0% 1% 1% 1%
Reduce it by 11-20% 1% 0% 0% 0%
Region
Remain about the same 47% 44% 58% 55% 54% 63% 65%
Reduce it by 5-10% 0% 0% 0% 0% 0% 1% 3%
Reduce it by 11-20% 1% 0% 1% 3% 0% 1% 0%
46 Protiviti ISACA
Does your organization require an IT auditor to acquire the Certified Information Systems
Auditor (CISA) certification? (Yes responses shown below)
Region
Europe
57 % Asia
North America
52% 64%
Middle East
Africa 75%
Latin America/South America
68 % Oceania
45%
73%
Yes
What percentage of IT auditors within your organization have acquired, or are in the
process of acquiring, their CISA certification?
Region
10-19% 7% 17% 8% 5% 4% 4% 3%
Certified Public Accountant (CPA) 27% 27% 18% 13% 11% 43% 35%
Less than
Greater than US$1 billion US$100 million
2016 US$100
US$5 billion US$4.99 billion US$999.99 million
million
48 Protiviti ISACA
If colleges/universities are a source for hiring new IT audit staff in your organization, what
degrees do you target for this position? (Multiple responses permitted)
Less than
Greater than US$1 billion US$100 million
2016 US$100
US$5 billion US$4.99 billion US$999.99 million
million
What is the current average tenure (number of years within the audit department) for
each position level?
Less than
Greater than US$1 billion US$100 million
2016 US$100
US$5 billion US$4.99 billion US$999.99 million
million
Less than
Greater than US$1 billion US$100 million
2016 US$100
US$5 billion US$4.99 billion US$999.99 million
million
What are the primary sources of training/education for each level? (Multiple
responses permitted)
What is the primary destination of IT auditors who leave the IT audit department?
(Multiple responses permitted)
50 Protiviti ISACA
Survey Demographics
Position
IT Audit Director 9%
Audit Director 5%
Audit Manager 9%
Audit Staff 6%
Other 10%
Government/Education/Not-for-Profit 14%
Professional Services 8%
Insurance 6%
Manufacturing/Engineering 6%
Technology 5%
Healthcare Provider 3%
Telecommunications 3%
Retail 3%
Energy 3%
Consumer Products 3%
Utility 2%
Transportation 2%
Healthcare Payer 1%
Media 1%
Life Sciences/Biotechnology 1%
Hospitality 1%
Other 7%
52 Protiviti ISACA
Size of Organization (by gross annual revenue in U.S. dollars)
Type of Organization
Private 36%
Government 17%
Not-for-profit 6%
Other 4%
Organization Headquarters
Europe 19%
Asia 12%
Africa 11%
Latin America 5%
Oceania 3%
Middle East 3%
Europe 17%
Asia 14%
Africa 12%
Latin America 5%
Oceania 3%
Middle East 3%
0-4 21%
5-9 21%
10-19 19%
20-29 9%
30+ 30%
0 8%
1 24%
2 16%
3 11%
4 7%
5 5%
6-10 12%
54 Protiviti ISACA
ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders
confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data,
analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000 and 35 percent of Fortune Global 500 companies. We also work with smaller, growing companies,
including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948,
Robert Half is a member of the S&P 500 index.
ABOUT ISACA
ISACA (isaca.org) helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards,
networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA
also offers the Cybersecurity Nexus (CSX), a holistic cybersecurity resource, and COBIT, a business framework to govern enterprise technology.