The challenge

The client was concerned about their ability to recover their key digital platforms in the event of a major outage or cyber incident, particularly as dependencies had evolved rapidly with the adoption of cloud-hosted services. Even a short outage could have a significant financial and reputational impact on the business given the volume of customer orders that flowed through their online channels.

How we helped

The internal audit assessment we delivered focused on the resilience and disaster recovery controls underpinning the client’s critical digital and customer order fulfilment systems.

Our review assessed the design and operating effectiveness of resilience controls across key applications, cloud platforms, and supporting infrastructure. This included evaluating the completeness of critical system identification, the robustness of recovery playbooks, the maturity of resilience testing, and the adequacy of backup and ransomware recovery capabilities. The work identified several gaps and inconsistencies the client was not aware of across their resilience framework, including issues related to governance and ownership; resilience and recovery planning; the technical resilience and recovery arrangements; documentation; and testing. 

Value we added

The audit gave clear insight into the organisation’s resilience posture and highlighted priority areas requiring uplift. 

Using the output of our report and input from our resilience subject matter experts, the company was able to develop a targeted improvement plan with the aim of enhancing their resilience capability. The plan included a formal IT resilience and disaster recovery framework, clear executive ownership, a structured testing programme for critical systems, and the embedding of resilience-by-design expectations into engineering processes.

As well as providing critical insight to the technology team, our handover and coaching to the in-house internal audit team meant they could understand the issues we identified, follow up with IT management after the audit, hold the right people accountable for the agreed actions, and present the report to the Audit Committee.