Technology risk areas that internal audit and technology risk functions need to consider:
Cyber security continues to be a key area of risk for UK and global organisations. Government research indicates that almost 40% of UK businesses are attacked at least once a week, making the risk near-constant, with geopolitical events also contributing to many recent attacks.
While data loss and service disruption continue to be two of the major risks associated with a cyber attack, ransomware attacks are also significant. Research indicated that 66% of organisations globally were hit by a ransomware attack in the last year, and the number of organisations suffering an attack in 2022 increased by over 40% compared to 2021.
This is not a new risk, and many organisations already have in-flight cyber security programmes to enhance controls. Internal audit and risk teams continue to work closely alongside the programme teams to give real-time assurance and challenge.
In addition, organisations are enhancing their ransomware prevention and response arrangements through enhanced backup provisions and crisis management exercises in response to statistics that suggest there is an increased likelihood they will suffer such an attack.
Internal audit and technology risk functions should:
Cloud service offerings continue to expand, with various functional areas within businesses adopting these. Worldwide end-user spending on public cloud services is forecasted to grow 20.7% to total $591.8 billion in 2023 compared to 2022, according to the latest forecast from Gartner. Historically, there was a perception that cloud environments are inherently more secure or resilient than on-premise systems, however businesses are becoming more aware that this is not the case, and as a consequence are enhancing their cloud controls, and including cloud governance and technical reviews on most internal audit plans.
Despite this increased adoption, we have noted that cloud environments and available settings are not always being fully leveraged to achieve a security and resilience standard aligned with business needs. Internal policies are also not being adapted to the new ways of working and risks posed by cloud computing.
Alongside these developments, an emerging challenge facing organisations is switching between cloud vendors, with some businesses facing long lock-in periods. Root causes of this include the lack of upfront termination clauses and not considering exit strategies when entering agreements with cloud vendors.
Internal audit and technology risk functions should:
Organisations are progressing with their change/transformation agendas at full pace, with technology-enabled change dominating the portfolio as organisations seek to be more digital, both internally and customer facing.
Effective delivery of business strategy is increasingly reliant on technology, leading to greater integration between business and IT. With the current economic outlook, there is a sharper focus from business leaders on ROI and a realisation of benefits for all technology-enabled change.
Organisations are embarking on multi-year, multi-divisional, entity-wide transformation, often involving multiple third parties. These transformations face challenges in keeping sight of the original business and benefits case and being able to track both delivery of and realisation of the benefits. Typically, the root cause of these challenges is that the business evolves throughout the multi-year transformation timeline with acquisitions, divestitures, senior organisation and sponsorship changes and external market factors: all of which result in changing business priorities leading to budget overruns and unplanned additional phases to programmes.
SAP ECC is is approaching its end of life, read our insight on the secrets of a successful transition.
Internal audit and technology risk functions should:
Organisations increasingly need to deliver high quality and impactful data to support commercial operations, and regulatory and internal control compliance.
Effective data leaders will assess their data environment and focus on quality and integrity to ensure data used by the business is reliable. This will enable them to create a successful platform to generate risk insights and monitor key controls in real time.
There is an increased scrutiny of how data is used in an organisation. This is driven by data growth, digital transformations, high-profile data breaches, and expanding privacy and ESG regulations.
The quality of data management will directly affect an organisation’s ability to manage risk and gain a competitive advantage. The pressure to deliver on digital change or report on key risks and controls, often leads to compromised outcomes due to time and budgetary constraints.
Internal audit and technology risk functions should:
Read our data in a downturn insight with key data strategies that can help you succeed in an economic downturn.
DevOps involves effectively leveraging cloud computing resources and is typically used when developing cloud native apps. Many business leaders are starting to view this methodology as fundamental to the digital transformation of their organisation.
A trend which is gaining popularity in this area includes serverless computing, which is a cloud-native development model that allows developers to build and run applications without having to manage servers. There are still servers in serverless, but they are abstracted away from app development.
With serverless, there is an increased reliance on developers to introduce security controls rather than relying on central IT support or infrastructure teams who are familiar with IT controls. Code repositories (such as Github) are increasingly being stored in public cloud instances, which makes them more exposed to external cyber attacks.
In order to achieve stronger guardrails and standardisation of controls in development processes, large organisations have started to adopt a pipeline product model, where pipelines across the business have to be derived from a baseline standard.
Read our latest insight on preparing for the assurance challenges of DevOps.
Internal audit and technology risk functions should:
The added flexibility, bespoke skillsets, and technical expertise make third parties increasingly significant parts of business capability, particularly for technology services. Using third parties to provide these services allows organisations to access market-leading technologies and skills, while not facing the typical barriers of developing these internally.
Outsourcing the responsibility for these services, however, does not outsource the associated risks and organisations need to expand their range of assurance activities to cover third-party providers.
The trend towards technology third parties continues, and is evolutionary, rather than revolutionary. Crucially, beyond the traditional 'outsourced service desk', critical services in security, finance and operations are now in the hands of partners, with outsourced Security Operations Centres (SOCs), SAAS finance systems and many customer-facing services ever more commonplace.
As a result, organisations are increasingly establishing in-house functions dedicated to this area that interact with other business functions focussed on supply chain compliance.
Internal audit and technology risk functions should:
Documenting centralised IT control frameworks can help organisations standardise how IT controls are defined and implemented, ensuring IT controls mitigate the key technology risks their organisation is facing. They also enable control gaps or weaknesses to be easily identified and help facilitate periodic reviews of the control environment. They serve as the foundation of risk-based internal compliance regimes.
Financial services firms have long been familiar with IT control frameworks due to regulatory requirements. Large corporates are now, however, also commissioning programmes to design and implement these.
The main driver for this is the recent outcome of the BEIS consultation. The recommendations raised (often referred to as ‘UK SOX’) include the requirement that boards need to ensure their organisations have adequate controls in place, including IT controls, and to create a statement to this effect in their annual report.
Internal audit and technology risk functions should:
Over the past couple of years, a number of high-profile organisations have experienced service outages. Such incidents can have a direct impact on business’s abilities to operate, leading to lost revenue, reputational damage, and, in some cases, regulatory penalties. As a result, IT and operational resilience remain a key concern for senior leadership teams.
IT resilience is not a new concept and has been on many organisations’ risk registers for several years. The last few years, however, have seen significant changes to organisational ways of working and how technology infrastructure is provided (such as through cloud-hosted solutions).
This increased technology reliance has also impacted organisations’ supply chains. As a result, organisations are increasingly expanding their third party assurance processes to obtain comfort over their suppliers’ operational resilience arrangements and, in some cases, are involving third parties in tests of their IT resilience controls.
Internal audit and technology risk functions should:
Post-pandemic, businesses have needed to invest significantly in new and emerging technologies, and in the skills required to deliver technological solutions (like large scale digital transformations or the introduction of new technologies), to support the business-run operations both remotely and in a hybrid manner.
Technology skills evolve at pace as the market and technologies change. Filling critical vacancies is driven by candidates who are making choices based on flexibility, job role profiles, and salary levels. Attracting key talent has seen organisations offering higher salary levels to secure individuals with the right skills from a limited pool of candidates, which puts pressure onto businesses as they balance these against existing employee reward.
Market volatility continues to increase with organisations looking at external talent with new technology skills to complement internal IT/digital resource as technologies continue to evolve. Consequently, candidates are in a position to demand greater salary levels as organisations compete for talent from the same candidate pools.
Additionally, the cost of living crisis leads to employees reviewing how their organisation is rewarding (through salary and bonus) and protecting their staff to ensure the retention of key skills.
Internal audit and technology risk functions should:
Organisations are increasingly turning to Robotic Process Automation (RPA) or 'bots' to help streamline and automate laborious business processes. RPA can create efficiencies in processing big data, reduce errors from manual processing, and realise immediate cost savings through reallocation of resources. While these benefits are compelling, it requires an effective framework to deliver and manage compliance with regulatory, security and continuity requirements.
The ability to perform automation by end users is more accessible than ever due to the rise in 'low code' applications. This avoids the need for complex coding so users simply drag and drop actions to automate processes. On one hand this encourages innovation and promises the same benefits, but on the other hand, the use of low code applications is often without IT governance and can introduce risk unnecessarily.
Internal audit and technology risk functions should:
Read how we automated assurance for IT controls and SOX compliance →
