Risk consultancy firm Protiviti said that 31% of those companies do not carry out such an assessment, up from 25% in 2011.
It said that staff shortages across most companies also put firms of all sizes at risk of failing to properly spot IT risks they face. Protiviti formed the view after conducting a survey of more than 300 chief audit executives, audit directors, and IT audit directors and managers during the first half of this year.
According to a report (38-page / 3.95MB PDF) detailing the survey results, respondents say they face IT audit challenges in areas relating to information security, cloud computing, regulatory compliance and social media, among others.
"While this year’s survey shows some improvement in regard to the number of companies conducting IT audit risk assessments, particularly among organisations with revenues of $100 million - $999.99 million, there is still much room for improvement," Protiviti said in a statement. "Most notably, more than 30% of organisations with less than $100 million in annual revenues do not conduct any type of IT audit risk assessment."
David Brand, Protiviti managing director, said that even companies that do conduct IT audit risk assessments have "some considerable gaps in their capabilities".
"Those gaps can be just as damaging as skipping an assessment," Brand said. "For example, a majority of our respondents are understaffed, meaning less than 20% of their internal audit department is made up of IT audit staff."
More than three quarters of the survey respondents from firms with revenues of greater than $1 billion are concerned that they are not properly resourced and lack the skills to "sufficiently address all areas of their IT audit plans," Protiviti said.
"Examples of common gaps cited in the survey include limited ability to provide training for the IT audit team; not using outside resources to provide or augment IT audit capabilities; and lack of qualified IT audit professionals," the company added.
Companies that conduct IT audit risk assessments annually may not be doing so regularly enough, Protiviti said. Annual assessments "may not be adequate to keep pace with the current rate of technology change and innovation," it added.
"Companies today face new IT-related risks and challenges every day," Brand said. "Internal auditors need to be more nimble than ever before and must constantly fine-tune their approach to the IT audit risk assessment to make a positive impact on their organisations."
Protiviti's executive vice president of global internal audit, Brian Christensen, added: "There’s no question that IT risks can affect the bottom line. To succeed in today’s business environment, it’s absolutely critical for organisations to understand and manage IT risks that emerge with the rapidly escalating use of technology, and the best way to do that is with well-planned IT audit strategies and activities."