GLOBAL INTERNAL AUDIT
FROM AI TO CYBER: DECONSTRUCTING A COMPLEX TECHNOLOGY RISK LANDSCAPE
Assessing the results of the 12th Annual Global Internal Audit Perspectives on Top Technology Risks Survey from Protiviti and The Institute of Internal Auditors

Protiviti and The IIA

TABLE OF CONTENTS
Executive summary and key findings
Top technology threats, organizational preparedness and IT audit proficiency
Why cybersecurity and data stand out as most significant concerns
Use of technology tools
A closer look at AI and IT audit
Our call to action for technology audit leaders and teams
Appendix: full global results
Demographics

01 Executive summary and key findings

Cybersecurity. Data privacy and governance. Artificial intelligence (AI). Third-party risk. At first glance, the results of this year's Global Internal Audit Perspectives on Top Technology Risks Survey paint a familiar picture of the primary technology threats faced by organizations worldwide and their readiness to tackle them. However, a deeper look reveals nuanced layers that depict today's and tomorrow's challenges in different hues and dimensions. More important, the findings highlight the strategies and tools that are proving most effective for technology auditors to address these challenges.

The results not only reinforce some trends from prior years, but also reveal emerging risk trends that technology auditors must anticipate to remain relevant. There is greater interest in new approaches to address the changing risk landscape, and there is an elevated level of maturity in some organizations, which signals what is to come for the technology audit profession.

As noted in the key findings, cybersecurity is viewed as the most significant technology threat. Data breaches top the list of perceived cybersecurity-related threats, largely due to increased concerns around ransomware attacks. In addition, our research reveals the greatest perceived risks associated with AI are, by a considerable margin, security and privacy issues, underscoring the dominance of cybersecurity as a critical challenge.

Beyond cyber issues, AI is rapidly becoming a critical area for technology auditors. Despite AI's growing influence, proficiency in AI-related auditing remains low, highlighting the urgent need for audit groups to bolster their knowledge of AI risks, including ethical, operational and reputational challenges. Factors such as
audit frequency stand out in the survey results. Internal audit functions that perform six or more technology audits annually, referred to as high-frequency IT auditing groups, perceive the threat landscape and their overall preparedness in a much different light, a topic we explore further in our analysis.

Perceived high threat levels for cybersecurity over next 12 months*
All organizations: 68%
Organizations employing AI tools in technology audits: 76%
Organizations employing cybersecurity tools in technology audits: 76%
Organizations that perform six or more technology audits annually: 79%

Figure 1: Top 5 technology risks*
Cybersecurity: 68%
Data privacy & compliance: 61%
Data governance & integrity: 53%
Third parties/vendors: 50%
Cloud computing: 47%

*Percentages reflect the number of respondents who rated the threat a 4 or 5 on a 5-point scale, where 1 indicates “No threat at all” and 5 indicates “Significant threat.”

Audit frequency is among several important indicators for technology audit functions as they navigate a dynamic business landscape that is being shaped continually by exponential growth in technologies like generative AI and the concurrent emergence of new security, privacy and data-related challenges. In the following pages, we present the key findings from the survey, the complete set of risks and definitions, and the analysis supporting our conclusions. Our call to action (see page 28) summarizes the key activities audit groups should undertake to ensure their technology audit functions continue to deliver value and remain relevant to their organizations. Lastly, the Appendix contains a comprehensive overview of the global survey results.

Our key findings

Cybersecurity is the top technology threat
Not only do cyber concerns stand out as the top threat, but these concerns are even greater among organizations conducting technology audits more frequently, as well as
among those using cybersecurity and AI-based tools to support the technology audit department. These more mature organizations also expressed the highest level of preparedness to handle this risk (Standard 9.1 Understanding Governance, Risk Management, and Control Processes).

AI is beginning to influence technology auditing
While AI is not viewed as a significant short-term technology concern, most respondents (59%) view advanced AI systems as posing significant risks to their organizations in the next two to three years. Further, the use of AI-based tools in technology auditing is associated with elevated concerns about various threats, including cybersecurity and data privacy, and also drives higher levels of perceived organizational preparedness to handle such threats (Standard 10.3 Technology Resources).

Data concerns are prevalent
Data privacy and compliance as well as data governance and integrity rank among the top technology risks organizations face, and 52% view data breaches and leaks of sensitive information as posing the greatest cybersecurity-related threats.

Higher frequency of technology audits drives better performance
Conducting more technology audits annually (for purposes of analyzing this survey's results, defined as six or more; see page 8) drives a clearer understanding of the threat landscape and contributes to improved organizational preparedness and technology audit proficiency to handle these threats. Conversely, organizations with lower audit frequency may face blind spots
in their risk management efforts, underscoring the importance of regular and thorough auditing (Standards 9.4 Internal Audit Plan; 13.2 Engagement Risk Assessment).

Global Internal Audit Standards™
In January 2024, The Institute of Internal Auditors published an updated version of the Global Internal Audit Standards (“the Standards”). These standards are a mandatory component of the International Professional Practices Framework (IPPF), which facilitates the consistent development, interpretation, and application of internal auditing knowledge, thereby enhancing the profession. Applicable standards are referenced throughout this publication, with further information available via The IIA's website: www.theiiia.org/NewStandards.

About our survey
Protiviti partnered with The Institute of Internal Auditors (The IIA) to conduct its 12th annual Global Internal Audit Perspectives on Top Technology Risks Survey in the second quarter of 2024. The objective of this annual survey is to explore the top technology risks organizations face, as perceived by technology audit leaders and professionals. Additionally, it explores the practices, processes and tools employed to help enterprises identify, assess, manage and mitigate these risks. A total of 1,246 executives and professionals, including chief audit executives (CAEs) and information technology (IT) audit directors, completed the survey this year.

Definitions of survey-assessed technology risks
In this year's survey, we assessed 13 technology risks
that organizations face. Below is the list of these technology risks, along with their respective definitions.

AI & machine learning (including generative AI): Risks from ethical concerns, security breaches, and operational issues in AI/ML applications, including large language models like GPT.
Cloud computing: Risks of data breaches, loss of data control, and non-compliance in cloud-based solutions.
Cybersecurity: Risks from unauthorized access, disruption or destruction of information, systems or networks.
Data privacy & compliance: Risks in protecting personal data and keeping up with evolving data protection regulations.
Data governance & integrity: Risks related to maintaining accurate, consistent and reliable enterprisewide data.
IoT (Internet of Things): Risks from vulnerabilities in connected devices and networks leading to potential breaches.
IT management: Risks associated with attracting, retaining and developing skilled IT personnel organizationwide, impacting operational efficiency and innovation capacity.
Regulatory compliance: Risks related to adhering to industry-specific regulations governing technology use.
Software development: Risks associated with modern software development and deployment, such as DevOps, continuous integration and continuous delivery (CI/CD), and containerization.
Technical debt & aging infrastructure: Risks from outdated systems leading to inefficiencies, vulnerabilities and costly future updates.
Technology resiliency: Risks associated with maintaining adaptability and recovery capabilities in the face of IT disruptions or outages.
Third parties/vendors: Risks related to the security, reliability and resilience of third parties.
Transformations & system implementations: Risks involving major business or IT changes, including disruptions, unmet requirements, data loss, etc.

Evaluating technology audit frequency
Similar to the analysis conducted in the 2023 study, a metric examined in this year's survey is how often organizations conduct technology audits. The survey responses were categorized into two distinct groups:
High-frequency IT auditing: Organizations that conduct six or more technology audits per year
Low-frequency IT auditing: Organizations that conduct five or fewer technology audits per year
These high- and low-frequency IT auditing groups are referenced throughout the report. As illustrated in Figure 2 below, the majority (71%) of respondents indicate that
their organizations perform five or fewer technology audits per year.

Figure 2
Low-frequency IT auditing: Less than 1 IT audit 13%; 1 to 2 IT audits 30%; 3 to 5 IT audits 28%
High-frequency IT auditing: 6 to 12 IT audits 16%; More than 12 IT audits 13%
Unsure responses not shown.

59% of organizations anticipate advanced AI systems (including generative AI) will pose significant risks in the next two to three years.

02 Top technology threats, organizational preparedness and IT audit proficiency

Cyber and data stand out: Technology auditors should be well-acquainted with the top-rated technology risks in this year's survey, which include cybersecurity, data privacy and governance, third parties, and cloud computing.

Threat levels are down, preparedness levels are up for some: The year-over-year trend indicates a moderate decrease in perceived technology-related threats and an increase in preparedness among organizations to manage these risks, with just two areas (data privacy and compliance, and regulatory compliance) showing year-over-year increases in perceived threat levels. Given the broad attention on technology-related threats over the past year, many companies likely have matured their risk management programs. This includes enhancing cybersecurity measures, resulting in perceptions of decreasing threat levels and increasing organizational preparedness. Additionally, more organizations are adopting advanced technologies to support threat detection response (see Figure 16).

Table 1: Perceived threat of technology risks in next 12 months (all respondents)*
Risk | 2024 | 2023
Cybersecurity | 68% | 74%
Data privacy & compliance | 61% | 58%
Data governance & integrity | 53% | 55%
Third parties/vendors | 50% | 60%
Cloud computing | 47% | 50%
Regulatory compliance | 44% | 41%
IT talent management | 43% | 52%
Transformations & system implementations | 43% | 55%
Technology resiliency | 36% | 44%
Technical debt & aging infrastructure | 33% | 43%
Software development | 29% | 36%
AI & machine learning (including generative AI) | 28% | 28%
IoT | 22% | 29%
*Percentages reflect the number of respondents who rated the threat a 4 or 5 on a 5-point scale, where 1 indicates “No threat at all” and 5 indicates “Significant threat.”

Figure 3: Perceived threat of technology risks in next 12 months, perspectives among high-frequency IT auditing groups*
Categories: Cybersecurity; Data privacy & compliance; Data governance & integrity. Series: High-frequency IT auditing; Low-frequency IT auditing. Data labels: 79%, 63%, 74%, 56%, 65%, 48%.
*Percentages reflect the number of respondents who rated the threat a 4 or 5 on a 5-point scale, where 1 indicates “No threat at all” and 5 indicates “Significant threat.”

Going deeper: However, the perceived threat levels of technology risks over the next 12 months, as shown in Table 1, do not provide a complete picture. Assessing the results among specific groups of respondents, such as those that use cybersecurity detection or AI-based tools, as well as organizations that represent high-frequency IT audit functions, reveals interesting variations. These groups often perceive a broader and more significant threat landscape while viewing their organizations as better prepared to mitigate these risks. This suggests less advanced audit teams might perceive a narrower or more limited set of technology-related risks.

Third-party gaps: Interestingly, third-party and vendor risk represents a significant gap for technology audit teams, as perceived threat levels are relatively high while the level of proficiency in the IT audit team to evaluate this issue is notably lower. Also, there is a significant year-over-year drop in technology audit proficiency to evaluate this risk (see Table 3).

Commentary
Our findings reveal several key differentiators for IT audit functions to improve performance and deliver greater value to the enterprise. As observed in last year's study, the frequency of technology audits performed annually reveals significant differences in how IT audit leaders and teams perceive threats and assess the organization's preparedness to manage them. This is particularly evident in areas such as cybersecurity, regulatory compliance, data privacy and compliance, and data governance and integrity. These differences
suggest that high-frequency IT auditing groups may have a better understanding of these risks and the threats they pose to the organization.

Much of this is understandable. Internal audit functions that perform technology audits more frequently are naturally expected to have more concerns about the technology risk landscape. However, these differences are not visible across all technology risks.

As noted earlier, two technology risks have increased year over year in terms of perceived threat to the organization: data privacy and compliance, and regulatory compliance (see Table 1). The contributing factors to this uptick likely include evolving regulations and the increasing complexity of data governance. Business leaders need to upgrade their data privacy and governance frameworks continuously to ensure compliance remains a top priority.

Additionally, cybersecurity remains a significant technology threat, driven in great part by elevated concerns about ransomware attacks. However, the perceived level of preparedness for cybersecurity is rising, with 63% of respondents indicating their organizations are well-prepared to handle cyber threats (see Table 2). This progress reflects not only the growing adoption of advanced cybersecurity tools such as vulnerability scanners and threat intelligence platforms but also the increasing prioritization of cybersecurity at the board level. As cybersecurity becomes a strategic concern for leadership, organizations are dedicating more resources and attention to enhancing their defenses, resulting in stronger overall security postures.

Further, notable differences are observed among organizations that use cybersecurity tools (or assess the outputs of their use by the business), as well as AI and machine learning tools, to support their IT auditing activities. This suggests that these tools are valuable assets in helping IT audit teams identify specific technology threats and understand the organization's level of preparedness to manage them. By leveraging these tools, IT audit teams can scan entire networks and identify gaps in near real-time. As a result, they become more security conscious and aware, enabling them to develop a better appreciation of all threats. However, it is important for technology audit teams to partner with the IT organization to understand how these tools are being used throughout the enterprise and to optimize ways for the internal audit function to leverage them (Standards 13.4 Evaluation Criteria; 13.5 Engagement Resources; 13.6 Work Program).

These findings certainly raise several important questions. For example, what might organizations that are not utilizing cybersecurity or AI tools, or conducting technology audits frequently, be
missing in their technology audits and risk coverage?

In regard to third-party risk management, the significant gap between perceived threat level and the organization's preparedness to handle this risk suggests companies recognize third-party and vendor risks as a major threat but believe they are underprepared to manage them effectively. This could be due to the complexities involved in managing third-party relationships and the potential cascading effects of vendor vulnerabilities on the organization. It's also possible that, at least in some organizations, there is no clearly defined owner of third-party risk management.

Table 2: Perceived level of organizational preparedness to handle technology risks in next 12 months (all respondents)*
Risk | 2024 | 2023
Cybersecurity | 63% | 55%
Regulatory compliance | 57% | 53%
Data privacy & compliance | 55% | 45%
Cloud computing | 47% | 42%
Data governance & integrity | 47% | 35%
IT talent management | 44% | 25%
Transformations & system implementations | 39% | 36%
Software development | 38% | 35%
Technology resiliency | 37% | 45%
Third parties/vendors | 36% | 30%
Technical debt & aging infrastructure | 34% | 35%
IoT | 21% | 26%
AI & machine learning (including generative AI) | 17% | 14%
*Percentages reflect the number of respondents who rated the organization's level of preparedness a 4 or 5 on a 5-point scale, where 1 indicates “Not prepared at all” and 5 indicates “Extremely prepared.”

“These are remarkably dynamic times for organizations, not only due to rapidly changing market conditions but also resulting from ongoing technology transformation, led by the rapid rise of generative AI. Internal audit teams need to keep pace with the changes their organizations continue to undergo. More importantly, they need to embrace the use of emerging technologies like generative AI and advanced analytics in their own internal
audit practices as they help to identify and address the most critical technology risks their organizations face.”
Angelo Poulikakos, Managing Director, Global Leader, Technology Audit and Advisory, Protiviti

Figure 4: Perceived threat of technology risks in next 12 months, perspectives among IT audit groups that use cybersecurity tools*
Categories: Cybersecurity; Data privacy & compliance. Series: Use cybersecurity tools; Do not use cybersecurity tools.
Figure 5: Perceived threat of technology risks in next 12 months, perspectives among IT audit groups that use AI tools*
Categories: Cybersecurity; Data privacy & compliance. Series: Use AI tools; Do not use AI tools.
Data labels across Figures 4 and 5: 76%, 58%, 76%, 65%, 68%, 53%, 71%, 58%.
*Percentages reflect the number of respondents who rated the threat a 4 or 5 on a 5-point scale, where 1 indicates “No threat at all” and 5 indicates “Significant threat.” See page 35 for full survey results on use of tools, technologies and delivery methods.

Figure 6: Perceived level of organizational preparedness to handle technology risks in next 12 months, perspectives among high-frequency IT auditing groups*
Categories: Cybersecurity; Regulatory compliance; Data governance & integrity. Series: High-frequency IT auditing; Low-frequency IT auditing. Data labels: 79%, 57%, 72%, 52%, 60%, 42%.
*Percentages reflect the number of respondents who rated the organization's level of preparedness a 4 or 5 on a 5-point scale, where 1 indicates “Not prepared at all” and 5 indicates “Extremely prepared.”

Organizations that audit more frequently have a greater perception of risk
This year's findings, as well as year-over-year trends, reveal a clear takeaway: Increased frequency of technology audits performed annually drives a better understanding of key technology risks such as cybersecurity, data privacy and compliance, and data governance and integrity. Several factors could explain this. The first and arguably the most significant is increased awareness and visibility. When audits are conducted more frequently, organizations are more likely to uncover risks, vulnerabilities and control weaknesses that might otherwise go unnoticed. Further, as companies become more attuned to the dynamic nature of technology and cyber risks, their perception of risk heightens. Risks can change and evolve quickly. Finally, there may be cultural factors at play. Organizations that perform more frequent audits generally have a stronger culture of risk awareness.

The survey indicates that 43% of organizations perform two or fewer technology audits annually (see Figure 2). This statistic highlights a critical gap in risk detection and mitigation. Organizations conducting fewer audits may lack the real-time insights necessary to address rapidly evolving threats, underscoring the need for more frequent and comprehensive technology audits to enhance the organization's risk posture.

“Cybersecurity continues to be a major concern for most organizations. While many internal auditors do not focus exclusively on information technology, it is becoming increasingly important that they are aware of cyber-related risks. There is an element of cybersecurity in most business processes, highlighting the need for internal auditors to identify cyber risks during the engagement risk assessment.”
George Barham, Director of Standards and Professional Guidance, The IIA

Table 3: Perceived level of IT audit team proficiency to evaluate technology risks effectively in next 12 months (all respondents)*
Risk | 2024 | 2023
Cybersecurity | 58% | 53%
Data privacy & compliance | 56% | 52%
Regulatory compliance | 55% | 54%
Data governance & integrity | 45% | 49%
Cloud computing | 41% | 34%
IT talent management | 39% | 31%
Transformations & system implementations | 39% | 44%
Technology resiliency | 38% | 47%
Software development | 34% | 35%
Third parties/vendors | 33% | 48%
Technical debt & aging infrastructure | 31% | 42%
IoT | 17% | 22%
AI & machine learning (including generative AI) | 13% | 14%
*Percentages reflect the number of respondents who rated their IT audit team's proficiency level a 4 or 5 on a 5-point scale, where 1 indicates “Not at all proficient” and 5 indicates “Extremely proficient.”

Comparing perceived threats with organizational preparedness and technology audit proficiency

Figure 7: Perceived threat level vs. IT audit proficiency, top three*
Risk | Perceived threat level | IT audit proficiency
Cybersecurity | 68% | 58%
Third parties/vendors | 50% | 33%
AI & machine learning (including generative AI) | 28% | 13%
*Percentages reflect the number of respondents who rated this threat a 4 or 5 on a 5-point scale, where 1 indicates “No threat at all” and 5 indicates “Significant threat,” and the number of respondents who rated their IT audit team's proficiency level a 4 or 5 on a 5-point scale, where 1 indicates “Not at all proficient” and 5 indicates “Extremely proficient.”

There is a noteworthy and insightful connection between how organizations perceive various technology risks and their corresponding levels of preparedness and proficiency in managing these risks within their technology audit functions. The most significant gaps are in the areas of third-party/vendor risks, and AI and machine learning, including generative AI. The percentages below reflect the
number of respondents who rated the level of threat, organizational preparedness or technology audit function proficiency a 4 or 5 on a 5-point scale; see Figures 13, 14 and 15 in the Appendix for details, including definitions of scales for perceived threat, organizational preparedness and technology audit proficiency.

Third parties/vendors:
Perceived threat: 50%
Organizational preparedness: 36%
Technology audit proficiency: 33%
Many organizations may lack the necessary frameworks or expertise to monitor and control the risks associated with external vendors effectively. These gaps highlight potential vulnerabilities in the supply chain, where a failure to manage third-party risks adequately could lead to significant disruptions or security breaches.

AI and machine learning (including generative AI):
Perceived threat: 28%
Organizational preparedness: 17%
Technology audit proficiency: 13%
The gaps between the perceived threat of AI and machine learning and the levels of preparedness and proficiency are particularly concerning given the rapid adoption of AI technologies across industries. Organizations may be embracing AI without fully understanding the associated risks or developing the necessary controls
to mitigate them. This leaves them vulnerable to potential ethical, security and operational challenges that could arise from AI use.

03 Why cybersecurity and data stand out as most significant concerns

What's top of mind: Chief concerns for IT audit leaders and teams this year include cybersecurity and a number of data-related issues: privacy, compliance, governance and integrity (see Table 1). In terms of areas of cybersecurity perceived to pose the greatest risks, data breaches and leaks of sensitive information stand out, by far, as the most significant. Following these, third-party and supply chain risks, along with cloud service provider security weaknesses, are the next most worrisome issues (see Figure 8).

Underlying regulatory factors: It's understandable to find these issues among the top technology risks, given the regulatory attention they continue to draw and the increased levels of preparedness to manage them. In the United States, for example, the new cybersecurity disclosure rules from the Securities and Exchange Commission (SEC) have placed a spotlight on being more diligent and mindful regarding cyber risks. The rules increase reporting and disclosure requirements for companies registered with the SEC. Among the requirements, organizations must file an incident report within four business days of the company's materiality determination regarding a cyber incident. Organizations must provide insight into how the cybersecurity risk management functions are integrated into broader risk management systems and processes, such as risk reporting and monitoring processes used in conjunction with the enterprise risk management process. Similarly, the Network and Information Security Directive 2 (NIS2) in the European Union has expanded the scope of the original directive to enhance cybersecurity across the entire European region by unifying national laws with common minimum requirements.

52% of technology audit leaders see data breaches and leaks of sensitive information as a major risk to their organization in the coming year.

Commentary
As cyber threat actors continue to enhance the sophistication of their attack methods, IT audit teams must also continue to upskill their techniques to help management identify relevant risks. It will be increasingly difficult to keep pace without support from cyber tooling and other technology-enabled tactics.

Of note, the use of tools such as vulnerability scanners and intrusion detection systems does not alleviate risk levels; in fact, they may reveal previously unknown risks and vulnerabilities. There have been situations where an organization, after employing threat detection technology, realized they were “flying blind” prior to using them.

Another important point: Privately held companies may also see value in enhancing their incident identification, evaluation and remediation practices through greater use of technology tools by the IT audit function, even if they are not subject to the same public disclosure requirements. Also, as organizations increasingly rely on data-driven decision-making, technology audit functions must evolve to provide more rigorous assessments of data governance frameworks, verifying that data integrity is maintained across both internal processes and third-party interactions.

Figure 8: Greatest cyber risks to organizations over next 12 months
Data breaches/leaks of sensitive information: 52%. Other categories shown: Cloud service provider security weaknesses; Third-party/supply chain cyber risks. Remaining data labels: 38%, 33%.

04 Use of technology tools

AI on the rise: Nearly one in four IT audit functions (23%) are using AI and machine learning tools, almost double the number reported in last year's results. AI tools can provide an advantage in conducting full population testing and help to identify where sensitive data resides in the organization, sometimes in unexpected places such as in text fields within forms (see Figure 16).

Different technologies being employed: There is increased adoption of technologies such as cybersecurity tools and cloud-based audit management software. Additionally, although the usage has not increased compared
with last year's results, many IT audit functions continue to employ data analytics tools (see Figure 16).

Commentary
Internal audit functions must strive to become more technology-enabled by employing tools such as AI and data analytics, among others, to deliver improved and more detailed insights into various business processes and activities. According to findings from the Internal Audit Foundation's Internal Audit: Vision 2035 Creating Our Future Together,¹ new and emerging technologies are expected to have a major impact on the profession. The project's survey results (n=6,506) revealed that 96% of respondents believe internal auditors will need to increase their technology skills to stay relevant, 93% think that the use of new technology will offer better insights for their recommendations, and 92% consider new technology essential for internal audit to add more value.

As new technologies like generative AI tools are expected to impact internal audit functions significantly in the coming years, they will also affect every other function in the organization. However, internal audit functions have a unique role to play in shaping and governing the use of AI throughout an organization. Further, by integrating AI across the internal audit lifecycle (in planning, fieldwork, reporting and follow-up), internal auditors are positioned to transform the way audits are performed.

Adopting new tools and techniques presents numerous challenges. Transforming and innovating within the internal audit function requires a strong commitment. Failing to leverage technology efficiently can result in slower audits, a higher risk of misalignment on focus areas, and less insightful, relevant and valuable outputs from internal audit activities. Nearly nine out of 10 (87%) survey respondents from Internal Audit: Vision 2035 agreed that internal audit functions that do not leverage new technology will face challenges and potential failure.

Finally, it's important to remember that technology is not just a tool, nor is it the ultimate solution. Instead, technology should be viewed as an integral component for enhancing internal audit practices.

55% of IT audit functions are employing data analytics tools to support technology audits. 23% are using AI and machine learning tools (including generative AI), nearly double the level reported last year.

¹ “Internal Audit: Vision 2035 Creating Our Future Together,” The IIA's Internal Audit Foundation, July 15, 2024: https://ia-vision2035.org/.

Figure 9: Perceived level of organizational preparedness to handle technology risks in next 12 months, perspectives among IT audit groups that use cybersecurity tools*
Categories: Cybersecurity; Regulatory compliance. Series: Use cybersecurity tools; Do not use cybersecurity tools.
Figure 10: Perceived level of organizational preparedness to handle technology risks in next 12 months, perspectives among IT audit groups that use AI tools*
Categories: Cybersecurity; Data privacy & compliance. Series: Use AI tools; Do not use AI tools.
Data labels across Figures 9 and 10: 74%, 60%, 64%, 50%, 63%, 53%, 70%, 57%.
*Percentages reflect the number of respondents who rated the organization's level of preparedness a 4 or 5 on a 5-point scale, where 1 indicates “Not prepared at all” and 5 indicates “Extremely prepared.”

05 A closer look at AI and IT audit

AI is the focus of the longer-term outlook for emerging risks: While IT audit leaders and professionals do
not view AI as presenting a high level of risk over the next 12 months (see Table 1), their views change when looking further ahead. A majority of respondents see advanced AI systems as posing significant risks to the business over the next two to three years (see Figure 11), far more than other emerging technologies, such as advanced IoT systems.

A majority of organizations (59%) believe advanced AI systems (including generative AI) will pose significant risks in the next two to three years.

Security and privacy top the list of AI risk concerns: A majority of respondents see security risks such as hacking, adversarial attacks and data poisoning to be the most significant AI-related risks over the next 12 months. Privacy risks such as data misuse and consent violations also rank highly. This is understandable given the rapid rise in the use of AI, including generative AI systems, throughout organizations without, in many cases, commensurate levels of governance, controls and oversight over data use and security protocols.

Internal audit is engaged in AI opportunities: In most organizations, the internal audit function is involved in researching the future use of AI (see Figure 19). This is a positive development, considering the integral role that IT and internal audit functions play in assessing that AI is implemented effectively, efficiently and in a controlled manner throughout the enterprise. To achieve success, the internal audit function will require a strong understanding of how to use AI within its own activities.

Commentary

Audit leaders and professionals seem less concerned about AI risks in the next 12 months (see Table 1) compared to the two- to three-year outlook (see Figure 11). One possible reason behind the 12-month numbers could be a lack of understanding of the risks and how the organization is using or planning to use AI. This suggests a need for organizations to drive more preparedness to handle AI-related risks and to build technology audit proficiency in these areas to be ready for the future.

Although AI is not perceived to be a significant short-term risk, audit leaders should proactively assess the ethical, operational and reputational challenges it poses (especially considering the velocity of adoption in the market). CAEs should give AI immediate attention, focusing on determining whether their organizations are establishing governance and leveraging frameworks (e.g., the NIST AI Risk Management Framework) to enable readiness for more sophisticated AI implementations.

Looking at the most significant risk concerns around the use of AI, it's likely that the technology will increasingly raise security and privacy concerns, particularly around data, in the future. As AI becomes more ingrained in businesses and for personal use worldwide, new data security and privacy concerns are likely to emerge alongside these technological advancements.

Top 3 AI-related activities in which the internal audit function is involved:
52% Researching future use of AI
39% Auditing use of AI in the organization
39% Using AI for internal audit activities

Figure 11: Emerging technologies expected to pose most significant risks in the next 2-3 years
Advanced AI systems (including generative AI) 59%
Smart robots and automation 39%
Advanced IoT systems 39%
Respondents selected up to three answers; top three shown. See Figure 19 for a full list of responses.

Figure 12: Greatest risks related to AI over next 12 months
Data labels in extraction order: 52%, 50%, 42%. Categories in extraction order: Security risks (hacking, adversarial attacks, data poisoning); Operational risks (system failures, errors, downtime); Privacy risks (data misuse, consent violations).
Respondents selected up to three answers; top three shown. See Figure 20 for a full list of responses.

06 Our call to action for technology audit leaders and teams

This year's research results point to several important actions that CAEs and technology audit leaders and teams should take to address today's and tomorrow's technology challenges and position their organizations for success.

Increase the frequency of technology audits performed annually. Audit groups that conduct six or more technology
audits annually perceive some technology risks as more significant threats to the business compared to low-frequency IT auditing groups. Moreover, they have more positive views of the levels of preparedness in organizations to manage technology risks. Some organizations continue to conduct just one technology audit every year. The path forward in technology auditing begins with performing more detailed, technology-enabled and thorough IT audits across the enterprise on an annual basis. IT audit teams also should focus on upskilling or exploring other ways to evaluate technology risks more consistently.

Assess technology audit proficiency gaps. The survey results reveal significant gaps between perceived threat levels and proficiency levels for a number of technology risks, including third-party risk and AI. Technology audit functions need to prioritize elevating their proficiency in these areas. To accomplish this, organizations should focus on providing tailored training for their audit teams, including certification programs, hands-on workshops and collaborative exercises with IT departments. Internal audit leaders also should foster knowledge-sharing initiatives and encourage cross-functional teams to work together to increase technical expertise and domain knowledge, particularly in rapidly evolving areas like AI and cloud security. Notably, understanding and addressing discrepancies between perceived threats and actual capabilities is crucial for strategic planning. By identifying these gaps, organizations can prioritize their efforts and resources more effectively. Such a targeted approach not only mitigates potential risks but also enhances overall resilience and readiness in an increasingly complex technology landscape.

Embrace the use of advanced tools in technology auditing. Leveraging technology tools such as AI for risk prediction, anomaly detection and text generation, along with cybersecurity tools like vulnerability scanners, provides a clearer understanding of the threat landscape. This approach also fosters more positive perceptions of an organization's preparedness to manage current and emerging threats.

Stay laser-focused on cybersecurity. IT audit leaders and teams view cyber threats as the top technology risk for organizations, by a large margin. These threats drive concerns over breaches, leaks of sensitive information and long-term reputation damage. While cybersecurity remains a front-and-center issue for technology auditors, they must stay current not only on the latest specific cyber threats but also on the tools and technologies that can help organizations defend against and combat these threats.

Stay on the leading edge of AI. The exponential growth in the use of AI will continue. Technology audit leaders and teams must stay closely attuned to how AI is being deployed throughout the enterprise to monitor effective use and identify potential risks. They must also ensure that appropriate controls and governance are in place so that data privacy and security risks are managed appropriately and ethical use of these technologies is evaluated. Additionally, they should look for opportunities to incorporate AI into their audits, which will enhance their overall precision and effectiveness. Organizations should provide targeted training to audit and risk management teams to enhance their understanding of AI technologies and the unique risks they pose. This will help build internal proficiency and enable more effective oversight.

Don't forget data. While cybersecurity stands out as the most significant risk concern for technology audit leaders and teams, there are a number of data-related issues as well, among them privacy, governance, integrity and compliance. There also are growing data-related concerns pertaining to the increasing use of AI. Technology audit teams must remain focused on these data issues and ensure they have access to the right data from the enterprise. This access is essential for performing thorough audits and delivering the deep insights and analysis expected by stakeholders.

Prioritize third-party risk management. The study highlights that third-party and vendor management represents the technology risk with the
widest gap between perceived threat levels and both organizational preparedness as well as IT audit proficiency. This disparity underscores the need for audit teams to enhance their skills and capabilities in managing third-party risks, especially as organizations become more reliant on external vendors and partners. Audit leaders should develop and implement specialized training programs focused on third-party risk management. Additionally, investing in tools that offer continuous monitoring and evaluation of vendor performance and security practices is important. Audit functions should establish or refine governance frameworks that define roles, responsibilities and processes clearly for managing third-party risks. Regular audits and assessments should be conducted to ensure compliance with these frameworks.

Resources offered by The IIA

For relevant IT auditing guidance, we encourage you to explore the valuable resources provided by The Institute of Internal Auditors:
GTAG Assessing Cybersecurity Risk
GTAG Cyber Incident Response and Recovery
GTAG Cybersecurity Operations Prevention and Detection
GTAG Auditing Mobile Computing
GTAG Understanding and Auditing Big Data
The IIA's Auditing Artificial Intelligence Framework

07 Appendix full global results

Following are the full global results from our study. All data represents responses from all survey participants (n=1,246).

Figure 13: Perceived threat of technology risks in next 12 months
Data labels and categories in extraction order:
68%, 74%, 43%, 55%: Cybersecurity; Transformations & system implementations
53%, 55%, 33%, 43%: Data governance & integrity; Technical debt & aging infrastructure
47%, 50%, 28%, 28%: Cloud computing; AI & machine learning (including generative AI)
43%, 52%: IT talent management
61%, 58%, 36%, 44%: Data privacy & compliance; Technology resiliency
50%, 60%, 29%, 36%: Third parties/vendors; Software development
44%, 41%, 22%, 29%: Regulatory compliance; IoT
Question: Please rate the following technology risk in terms of the perceived threat it poses to your organization over the next 12 months (scale of 1 to 5, where 1 indicates “No threat at all” and 5 indicates “Significant threat”; shown: percentage of responses of “4” or “5”). n=1,246.
Legend: 2023, 2024.

Figure 14: Level of organizational preparedness to handle technology risks in next 12 months
Data labels and categories in extraction order:
63%, 55%, 38%, 35%: Cybersecurity; Software development
55%, 45%, 36%, 30%: Data privacy & compliance; Third parties/vendors
47%, 35%, 21%, 26%: Data governance & integrity; IoT
39%, 36%: Transformations & system implementations
57%, 53%, 37%, 45%: Regulatory compliance; Technology resiliency
47%, 42%, 34%, 35%: Cloud computing; Technical debt & aging infrastructure
44%, 25%, 17%, 14%: IT talent management; AI & machine learning (including generative AI)
Question: How prepared is your organization to handle each of the following technology risks over the next 12 months (scale of 1 to 5, where 1 indicates “Not at all prepared” and 5 indicates “Extremely prepared”; shown: percentage of responses
of “4” or “5”). n=1,246.
Legend: 2023, 2024.

Figure 15: Proficiency of IT audit team to evaluate technology risks
Data labels and categories in extraction order:
58%, 53%, 38%, 47%: Cybersecurity; Technology resiliency
55%, 54%, 33%, 48%: Regulatory compliance; Third parties/vendors
41%, 34%, 17%, 22%: Cloud computing; IoT
39%, 44%: Transformations & system implementations
56%, 52%, 34%, 35%: Data privacy & compliance; Software development
45%, 49%, 31%, 42%: Data governance & integrity; Technical debt & aging infrastructure
39%, 31%, 13%, 14%: IT talent management; AI & machine learning (including generative AI)
Question: How would you assess the proficiency of your IT audit team at effectively evaluating the following technology risks? (Scale of 1 to 5, where 1 indicates “Not at all proficient” and 5 indicates “Extremely proficient”; shown: percentage of responses of “4” or “5”). n=1,246.
Legend: 2023, 2024.

Figure 16: Use of tools, technologies and delivery methods to support the IT audit function
Question: Which of the following tools, technologies or delivery methods, if any, are currently used to support your IT audit department? (Multiple responses permitted.) n=1,246. “Other” and “None of the above” responses not shown.
Data labels and categories in extraction order:
56%, 68%, 26%, 35%: Collaboration tools; Continuous auditing/monitoring tools
53%, 43%, 25%, 36%: Cybersecurity tools; Agile methodologies
39%, 43%, 17%, 26%: Data visualization tools; Scripting and automation tools
55%, 57%, 25%, N/A: Data analytics tools; Automation
47%, 31%, 23%, 12%: Cloud-based audit management software; AI and machine learning (including generative AI)
36%, 42%, 15%, 17%: Governance, Risk & Compliance (GRC) tools; Process mining tools
Legend: 2023, 2024.

Definitions of survey-assessed tools, technologies and delivery methods

AI and machine learning (including generative AI): Using advanced algorithms and large language models like ChatGPT for risk prediction, anomaly detection, knowledge discovery, text generation and other related activities.
Agile methodologies: Applying principles of Agile (flexibility, customer-centricity, iterative progress) to the IT audit function.
Automation: Using software robots or “bots” to automate routine, rule-based tasks.
Cloud-based audit management software: Shifting audit management systems to the cloud for improved scalability, accessibility and integration.
Collaboration tools: Tools like MS Teams or Slack that enhance communication and collaboration within the IT audit team and with other teams.
Continuous auditing/monitoring tools: Implementing systems for ongoing, real-time assessment of organizational risks and controls.
Cybersecurity tools: Using tools like vulnerability scanners, intrusion detection systems and threat detection/intelligence platforms to audit the organization's cybersecurity posture.
Data analytics tools: Deploying software that can analyze large volumes of data for risk assessment, trend identification and audit planning/execution.
Data visualization tools: Using software to represent audit findings and risk assessments in a graphical, easy-to-understand format.
Governance, Risk and Compliance (GRC) tools: Leveraging GRC software to streamline and automate IT audit processes.
Process mining tools: Automated analysis of business and IT processes based on event logs for discovering, monitoring and improving real processes.
Scripting and automation tools: Using programming and scripting languages (e.g., Python, PowerShell, Bash) to automate routine IT audit tasks.

Figure 17: Emerging technologies expected to pose most significant risks
Question: Which of the following emerging technologies, if any, do you anticipate will pose the most significant risks to your organization in the next 2-3 years? (Up to three responses permitted.) n=1,246. “Other” and “None of the above” responses not shown.
24% Advanced wireless technology and 6G networks
39% Smart robots and automation
39% Advanced IoT systems
59% Advanced AI systems (including generative AI)
19% Quantum computing
16% Edge computing
14% Blockchain and cryptocurrencies
20% Biometric technologies

Figure 18: Most significant cybersecurity risks
Question: Within the realm of cybersecurity, which of the following areas, if any, pose the greatest risks to your organization over the next 12 months? (Up to three responses permitted.) n=1,246. “Other” and “None of the above” responses not shown.
25% Threats employing AI (deepfakes, adaptive malware)
33% Cloud service provider security weaknesses
38% Third-party/supply chain cyber risks
52% Data breaches/leaks of sensitive information
23% Internet of Things/connected device vulnerabilities
22% Insider threat
16% Identity and access management weaknesses
15% Malware/virus infections/malicious code
15% Ransomware attacks
10% Advanced persistent threats (APTs), including state-sponsored attacks
7% Distributed denial of service (DDoS) attacks
23% Social engineering attacks

Figure 19: Internal audit involvement in AI activities
Question: Is your internal audit function involved in any of the following activities related to artificial intelligence? (Multiple responses permitted.) n=1,246. “Other” and “None of the above” responses not included.
29% Providing advisory services for policies related to artificial intelligence
39% Auditing use of artificial intelligence in the organization
39% Using artificial intelligence for internal audit activities
52% Researching future use of artificial intelligence
25% Pre-implementation advisory services on artificial intelligence projects

Figure 20: Greatest risks related to AI
Question: Which of the following areas related to AI (including ML and Generative AI), if any, pose the greatest risks to your organization over the next 12 months? (Up to three responses permitted.) n=1,246. “Other” and
“None of the above” responses not shown.
Data labels and categories in extraction order: 27% Talent/skillset risks (shortage of AI experts) 42% Operational risks (system failures, errors, downtime) 50% Privacy risks (data misuse, consent violations) 52% Security risks (hacking, adversarial attacks, data poisoning) 21% Integration risks (AI solutions not integrating well with existing systems) Competitive risks (being outpaced by AI adoption of competitors) 16% Ethical risks (bias, lack of transparency, accountability) 13% Reputational risk (failed AI efforts with highly public visibility) 27% Regulatory/compliance risks (violating AI governance rules) 21%

08 Demographics

The following tables reflect the demographics of the survey participants (n=1,246).

Position
Chief Audit Executive (or equivalent) 36%
IT Audit Director 10%
Audit Director 9%
Audit Manager 8%
IT Audit Manager 6%
IT Manager 6%
IT Executive 6%
IT Risk/Control Manager 5%
IT Risk/Control Executive 5%
IT Risk/Control Director 5%
IT Audit Staff 1%
Audit Staff 1%
Other 2%

Industry
Government 12%
Healthcare Provider 9%
Financial Services Banking 8%
Retail 8%
Technology (Software, High-Tech, Electronics) 7%
Power and Utilities 6%
Manufacturing (other than Technology) 5%
Consumer Packaged Goods 5%
Insurance (other than Healthcare Payer) 4%
Oil and Gas 4%
Telecommunications and Data Infrastructure 4%
Financial Services Asset Management 3%
Healthcare Payer 3%
Mining 3%
Media 3%
Transportation and Logistics 3%
Automotive 3%
Pharmaceuticals and Life Sciences 2%
Chemicals 2%
Financial Services Broker-Dealer 1%
Financial Services Other 1%
Wholesale and Distribution 1%
Airlines 1%
Higher Education 1%
Private Equity 1%

Organization type
Publicly traded 54%
Privately held 32%
Government 13%
Not-for-profit 1%
Other 0%

Size of organization (financial services organizations) by annual assets under management in U.S. dollars
Size of organization (other than financial services) by gross annual revenue in U.S. dollars
Size of government agency's annual budget in U.S. dollars
Response distributions for the three size tables, in extraction order:
$20 billion or more 20%; $10 billion-$19.99 billion 14%; $5 billion-$9.99 billion 14%; $1 billion-$4.99 billion 28%; $500 million-$999.99 million 9%; $100 million-$499.99 million 10%; Less than $100 million 4%; Unsure 1%
$250 billion or more 40%; $50 billion-$249.99 billion 24%; $25 billion-$49.99 billion 10%; $10 billion-$24.99 billion 5%; $5 billion-$9.99 billion 5%; $1 billion-$4.99 billion 8%; Less than $1 billion 4%; Unsure 4%
$50 billion or more 9%; $10 billion-$49.99 billion 30%; $5 billion-$9.99 billion 13%; $1 billion-$4.99 billion 19%; $500 million-$999.99 million 14%; $100 million-$499.99 million 8%; Less than $100 million 6%; Unsure 1%

Total number of full-time technology auditors
0: 5%
1: 11%
2: 13%
3: 9%
4: 7%
5: 8%
6-10: 19%
11+: 28%

Organization headquarters
United States 35%
Canada 24%
Italy 5%
United Kingdom (UK) 4%
Australia 3%
China 3%
France 3%
Germany 3%
India 3%
Japan 3%
The Netherlands 3%
Switzerland 3%
Hong Kong 2%
New Zealand 2%
Singapore 2%
Israel 1%
Qatar 1%

About The IIA

The Institute of Internal Auditors (The IIA) is an international professional association that serves more than 245,000 global members and has awarded more than 200,000 Certified Internal Auditor (CIA) certifications worldwide. Established in 1941, The IIA is recognized throughout the world as the internal audit profession's leader in standards, certifications, education, research, and technical guidance. For more information, visit theiia.org.

About Protiviti

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and its independent and locally owned member firms provide clients with consulting and managed solutions in finance, technology, operations, data, digital, legal, HR, risk and internal audit through a network of more than 90 offices in over 25 countries. Named to the Fortune 100 Best Companies to Work For list for the 10th consecutive year, Protiviti has served more than 80 percent of Fortune 100 and nearly 80 percent of Fortune 500 companies. The firm also works with government agencies and smaller, growing companies, including those looking to go public. Protiviti is a wholly owned subsidiary of Robert Half Inc. (NYSE: RHI).

© 2024 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0924
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.