Internal audit has never been easy, but modern business practices are challenging IA professionals even further. Social media, fraud risk and data analysis tools are areas in need of attention and, in some cases, improvement.
The 2013 Internal Audit Capabilities and Needs Survey, released by Protiviti, show that 43% of respondents have no social media policy within their organization. Among those with a policy, many fail to address even the most basic issues, such as information security and approved use of social media applications.
What’s most alarming, however, is that more than half (51%) of organizations do not address social media risk as a part of their risk assessment process — 45% indicate they have no plans to do so in the coming year’s audit plans. Of those that do address the topic, 84% rated their organization’s social media risk-assessment capability as “not effective” or “moderately effective.”
“The survey findings are surprising in that they show how many businesses are either inadequately prepared or altogether inactive in putting effective processes and policies in place around social media,” said Brian Christensen, executive vice president, global internal audit, at Protiviti. “From a risk management perspective, this poses significant potential problems for businesses that can range from reputational risk to IT infrastructure risk as a result of unchecked exposures to customer, vendor and company information.”
Other findings related to internal audit include:
- Continuous auditing was the top priority in terms of audit process knowledge in 2011 and 2012, but dropped down to #18 in the 2013 rankings.
- For audit process knowledge, auditing IT – new technologies was the third-highest “needs-improvement” priority, and scored significantly lower than any other area evaluated with regard to existing competency.
- Concerns among chief audit executives were generally aligned with the broader sampling of respondents. However, they did rank audit process knowledge around Computer-assisted Audit Techniques (CAATs) as a higher priority for improvement, compared to the overall ranking.
In 2013, we can no longer view social media as a “new” risk. Businesses must prepare for the worst, whether it’s an attack on a company’s reputation via Facebook or a rogue employee stealing an organization’s Twitter account password, social media risk can manifest itself in many ways. There is only one way for companies to deal with it, however.