As technology advances and evolves, organisations need to consider and manage their tech-related risks just as much as the commercial benefits. Do you know where to focus your priorities for 2025 to ensure your organisation is responding to key technology risks and staying ahead of any regulatory considerations?

Key technology risk areas for internal auditors and technology risk functions to consider in 2025:

Cloud governance | Generative AI | Cyber security | Critical third parties | Operational resilience | Transformation programmes | Data governance | Secure-by-design | Talent | Cross-application segregation of duties

Cloud governance

In May 2024, Gartner predicted that the cloud spend of organisations consuming these services would grow by 20% in 2024 and 22.1% in 2025. The report also indicates that advanced technology, such as generative AI, and application modernisation are driving the increase. These are in addition to factors such as scalability and cost efficiency, which have, in the past, spurred the reliance on public cloud infrastructure.

A report from Flexera showed that the vast majority (89%) of companies surveyed operate a multi-cloud approach. While a multi-cloud approach provides organisations with enhanced resilience, it increases complexity and potentially duplicates operational management and compliance efforts. This may in turn lead to security weaknesses, inconsistent compliance across cloud platforms, and gaps in resilience controls. 

A growing percentage of organisations use a combination of multiple public clouds alongside a single cloud. Private cloud usage is up from 19% in 2023 to 23% in 2024, and is forecast to increase further. While private cloud instances can be run at lower cost than public cloud, moving to private could involve the reintroduction of physical security and technology infrastructure controls.

An increasing number of organisations are initiating cloud cost optimisation initiatives and establishing dedicated FinOps teams to manage cloud costs. Cloud cost optimisation initiatives include: identifying and eliminating unused resources, right-sizing computing services, leveraging discounts, and implementing automated cost monitoring.

To manage cloud risks and avoid duplicated compliance efforts across cloud platforms, cloud security posture management (CSPM) tools are being adopted. These tools are used for continuously monitoring, identifying, and remediating security and compliance risks in cloud infrastructures.

  • Assess whether the multi-cloud strategy is supported by a strategy and business case, with clear linkages to enabling wider business objectives
  • Evaluate the processes for cloud FinOps budgeting, forecasting, and cost allocation to ensure they align with internal policies
  • Review strategies for optimising the use of cloud resources and maximising the return on spend, for example by identifying under-utilised resources, eliminating unnecessary spend, and so on
  • Identify whether there are clear reporting mechanisms and accountability structures in place around cloud cost, risk and compliance management
  • Test the effectiveness of cloud monitoring controls, remediation of identified gaps, and the cloud risk acceptance procedures 
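
The continuous monitoring, remediation and risk-acceptance points above can be made concrete. The Python below is an added illustration, not code from the article or from any CSPM product: it runs one rule set over a constructed inventory of resources normalised from two providers (so the same checks apply consistently across clouds), includes a right-sizing check of the kind a FinOps team would want, and treats a finding as closed only while a recorded risk acceptance with an owner and expiry date is still live. Resource names, field names, thresholds and the acceptance register are all assumptions made for the example.

```python
"""Toy cloud security posture check over a constructed multi-cloud inventory.

Added illustration, not code from the original article or any CSPM vendor.
The inventory records, rule set and risk-acceptance register are constructed
for the example; every field name is an assumption.
"""
from dataclasses import dataclass
from datetime import date

# Constructed inventory: records from two providers normalised to one shape, so
# a single rule set applies across clouds instead of one compliance effort per platform.
INVENTORY = [
    {"id": "aws:s3:cust-exports", "cloud": "aws", "type": "storage",
     "public": True, "encrypted": True, "owner": "data-eng", "cpu_avg_30d": None},
    {"id": "azure:blob:finance-archive", "cloud": "azure", "type": "storage",
     "public": False, "encrypted": False, "owner": "finance", "cpu_avg_30d": None},
    {"id": "aws:ec2:i-batch-01", "cloud": "aws", "type": "compute",
     "public": False, "encrypted": True, "owner": "platform", "cpu_avg_30d": 2.0},
    {"id": "azure:vm:web-prod-3", "cloud": "azure", "type": "compute",
     "public": True, "encrypted": True, "owner": "web", "cpu_avg_30d": 55.0},
    {"id": "azure:vm:legacy-dev", "cloud": "azure", "type": "compute",
     "public": False, "encrypted": True, "owner": None, "cpu_avg_30d": 0.5},
]

# Constructed risk-acceptance register: a finding may be formally accepted, but
# only with an approver and an expiry, so accepted risk is re-surfaced on time.
RISK_ACCEPTANCES = {
    ("public_storage", "aws:s3:cust-exports"): {"approver": "ciso", "expires": date(2025, 6, 30)},
}

@dataclass
class Finding:
    rule: str
    resource: str
    severity: str
    detail: str
    accepted: bool = False

def rule_public_storage(r):
    if r["type"] == "storage" and r["public"]:
        return Finding("public_storage", r["id"], "high", "storage is internet-readable")

def rule_unencrypted(r):
    if not r["encrypted"]:
        return Finding("unencrypted_at_rest", r["id"], "high", "encryption at rest disabled")

def rule_no_owner(r):
    if not r["owner"]:
        return Finding("no_owner_tag", r["id"], "medium", "no accountable owner recorded")

def rule_idle_compute(r, threshold=5.0):
    # FinOps angle: compute with sustained low utilisation is a right-sizing or
    # decommissioning candidate (constructed threshold of 5% average CPU over 30 days).
    cpu = r.get("cpu_avg_30d")
    if r["type"] == "compute" and cpu is not None and cpu < threshold:
        return Finding("idle_compute", r["id"], "low", f"30-day average CPU {cpu}% < {threshold}%")

RULES = [rule_public_storage, rule_unencrypted, rule_no_owner, rule_idle_compute]

def evaluate(inventory, acceptances, today):
    """Run every rule over every resource; mark findings covered by a live acceptance."""
    findings = []
    for r in inventory:
        for rule in RULES:
            f = rule(r)
            if f is None:
                continue
            acc = acceptances.get((f.rule, f.resource))
            # An expired acceptance no longer counts: the finding reopens automatically.
            f.accepted = bool(acc and acc["expires"] >= today)
            findings.append(f)
    return findings

def open_findings(findings):
    return [f for f in findings if not f.accepted]

def summary_by_cloud(findings):
    """Count open findings per provider, the view a governance committee would ask for."""
    out = {}
    for f in open_findings(findings):
        cloud = f.resource.split(":")[0]
        out[cloud] = out.get(cloud, 0) + 1
    return out

if __name__ == "__main__":
    fs = evaluate(INVENTORY, RISK_ACCEPTANCES, date(2025, 3, 1))
    for f in fs:
        state = "ACCEPTED" if f.accepted else "OPEN"
        print(f"{f.severity:6} {f.rule:18} {f.resource:28} {state:8} {f.detail}")
    print(summary_by_cloud(fs))
```

Re-running the same evaluation with a date after 30 June 2025 shows the accepted public-storage finding reopening, which is the behaviour an auditor testing the risk acceptance procedure would look for.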

In November 2024, the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England collectively issued SS6/24 – Critical third parties (CTPs) to the UK financial sector. This supervisory statement (SS) provides an oversight regime for CTPs to manage risks to the UK financial system that may arise due to a failure or disruption to services that a CTP provides to regulated firms and financial market infrastructures.

Generative AI

Artificial intelligence (AI) offers numerous transformative opportunities but also poses significant risks. In realising the full potential of AI, businesses must ensure that these risks are mitigated, and that it is developed and deployed in a way that’s safe, equitable, and trustworthy. 

Concerns include a lack of understanding of the complexities of the underlying AI models, including the potential for incorrect, inappropriate or biased outputs, and their susceptibility to attack and exploitation. Cyber criminals and nation states are also leveraging AI for malicious purposes, including creating deepfakes, creating more believable content for phishing campaigns, and profiling and targeting high-value individuals at the C-suite level. As generative AI becomes integral to various industries, understanding and mitigating these risks is essential to maintain trust, safeguard privacy, and ensure responsible deployment.

Timely attention to these concerns is crucial to prevent unintended consequences, protect against malicious uses, and establish robust frameworks for the ethical and secure implementation of generative AI technologies in an organisation’s rapidly evolving digital landscape. 

Over the past year, the AI risk landscape has witnessed significant changes. In August 2024, the EU AI Act came into force. It marks a new era of legal and regulatory oversight, compelling EU businesses to align with newly established standards and guidance, with potentially significant financial penalties for those that breach this.  

This shift has heightened the emphasis on demonstrating commercial returns from AI technology investments, placing AI leaders under increasing pressure to justify their expenditures. Many businesses view generative AI as being able to provide benefits in terms of efficiency and enablement but they also need to be aware of its risks. In a security and privacy context, businesses are outlining defensive and offensive strategies for leveraging AI’s capabilities for commercial return, while placing safeguards to mitigate emerging risks that AI presents.

The proliferation of easily accessible web-based AI tools has also introduced the risk of 'Shadow AI'. This is where AI usage bypasses IT departments and internal policies, increasing the potential for the unauthorised disclosure of sensitive corporate information. Such developments underscore the need for robust governance and strategic investment in AI to mitigate emerging risks effectively. 

  • Review how the organisation is taking proactive steps to comply with proposed legal and regulatory requirements for the countries that it operates in
  • Test the effectiveness of AI governance controls, with a focus on ethics, security, explainability, transparency, accountability, and contestability
  • Use black box auditing techniques and tools to provide assurance over specific AI use cases within the business 
  • Stay informed on evolving AI technologies, collaborating with data scientists, and conduct regular risk assessments
  • Invest in employee training on AI risks and incorporate AI-related audits into regular risk management processes to ensure proactive risk mitigation 

Find out more:  

AI adoption: practical steps to overcome data challenges

The role of artificial intelligence in risk and assurance

Cyber security  

Cyber security remains a critical business risk for UK and international organisations. The latest UK Government research indicates that 74% of large businesses suffered a breach or attack over the past 12 months, with phishing attacks still a major threat due to low barriers to entry for attackers.

Ransomware attacks are also significant, with the National Cyber Security Centre (NCSC) stating that these are the top cyber threat facing UK businesses today. According to a 2024 Sophos report, 59% of organisations globally were hit by a ransomware attack in the last year, with the attackers succeeding in encrypting data in 70% of attacks and ransom bills increasing five-fold since last year.

The UK Government has stated, as part of its updates on the Corporate Governance Code (CGC), that companies must have appropriate cyber security governance measures in place, and that boards have an important role to play in this.  

Cyber security risks are growing in complexity. Many organisations already have in-flight cyber security programmes to enhance their controls and their ability to defend, detect, respond, and recover from cyber-attacks.  

However, more refined tools, including those utilising AI, are making cyber-attacks easier to deliver at scale and pace, and increasing the sophistication of these attacks. Organisations will need a more effective control framework, utilising a defence-in-depth strategy to protect their data and operations.

Against this background, organisations are taking more proactive approaches to cyber security assurance by implementing continuous monitoring and more advanced threat detection capabilities.

As part of CGC requirements, businesses will need to report on the adequacy of their material controls. For many, this will include their key cyber controls. Furthermore, in 2024 the UK Government published its proposed Cyber Governance Code of Practice. This formalises its expectations of boards of directors, of organisations of all sizes, in governing cyber risk.  

  • Build a unified picture of the organisation’s cyber security assurance processes and shape complementary internal audit plans to build on this existing assurance, reducing duplication
  • Play a key role in providing assurance over cyber security investments and transformation programmes to help deliver effective capabilities
  • Conduct cyber health checks working alongside established frameworks to deliver consistent messaging over cyber risk
  • Assess existing arrangements to defend against, detect and respond to, and recover from a cyber-attack, including the use of immutable backups and processes for responding to attacks 

Critical third parties

Critical third-party risk management is a crucial component of overall risk management strategy. Boards and management often lack sufficient visibility into the risks managed by critical third parties and the existing levels of assurance provided by them.

In today's interconnected business environment, many companies rely on third-party and fourth-party vendors and suppliers for critical technology services and products. Effectively managing the risks around business continuity, cyber threats, and data security associated with these external relationships is of paramount importance. The CrowdStrike outage in 2024 (CrowdStrike being a critical fourth-party vendor to many businesses) caused significant global impact, even for those without a direct relationship with CrowdStrike. Outsourcing the responsibility of technology services doesn't outsource the associated risks. Organisations need to expand their range of assurance activities accordingly to cover critical third-party and fourth-party providers.

As organisations increasingly leverage third parties – such as cloud solutions (SaaS, PaaS, and IaaS), as well as other managed services – their business operations become more reliant on external providers. This makes them vulnerable should the controls at these third parties fail.

The recent UK Corporate Governance Code Guidance emphasises the pivotal role of board oversight in managing critical third-party risks. It’s important to ensure effective governance and supervision of these critical third-party relationships, including regular reviews and updates on their status. Annual reports are now expected to comprehensively outline third-party risk management strategies, in line with the FRC's commitment to transparency.

Organisations are increasingly establishing in-house capabilities and functions – combining expertise in supplier management and security assurance – to evaluate and provide assurance over these critical third parties. 

  • Review and help define the methodology for identifying and categorising third parties based on their impact and the level of risk they pose, considering factors such as business continuity, cyber threats, and data security
  • Identify critical third parties (which may not necessarily be those with the largest spend)
  • Ensure procurement functions are involved and control assessments of critical third parties are embedded into the onboarding process
  • Ensure ongoing assurance activities are carried out for critical third parties' control environments by considering service auditor reporting (such as SOC2 reports), conducting threat-led penetration testing, and staying up to date with relevant attestations and compliance requirements
  • Ensure appropriate measures are taken when ending relationships with suppliers (returning or destroying data, revoking users' access, and so on)
  • Third party management teams should engage with other supply chain risk activities (such as ESG, AML, and modern slavery)

Read more about the UK Corporate Governance Code and third party risk assurance and SOC reports

Operational resilience

The ability to prevent, withstand, recover from or adapt to a disruption to critical business services is vital to ensuring business continuity, minimising financial loss, and maintaining the trust and confidence of stakeholders and customers. Key aspects of operational resilience include:

  • risk identification and assessment
  • business continuity planning
  • redundancy and backup systems
  • incident response and recovery
  • supply chain management
  • crisis management
  • adaptive governance and culture.

Organisations need to identify their level of tolerable disruption and assess what constitutes a threat to that. Disruption to businesses comes in various forms, and organisations need to have a multifaceted holistic approach to resilience planning that covers technology, operations, and vendors or suppliers. While there’s a heavy focus on malicious disruptions to services – cyber-attacks for example – the impact of non-malicious disruptions can be equally significant. 


In July 2024, the CrowdStrike outage disrupted operations across industries all over the world with significant financial losses. The incident tested the resilience of those impacted and highlighted potential gaps in their operational resilience scenario planning. In other words, it showed the absence of adequate risk and impact mapping with regards to automated processes and critical vendors or suppliers.

The incident also revealed how reliant many organisations are on automated processes, as well as the potential risks should these fail or if these are breached, potentially impacting business operations beyond tolerable levels. Many organisations’ mitigation plans for such processes were shown to be inadequate, given the significant level of risk propagation. 

Financial services firms have understood the importance of operational resilience for many years – underscored by regulatory requirements. Organisations from other sectors are starting to adopt similar approaches. 

  • Identify business or IT processes where similar outage risks may have been unidentified or not appropriately scored
  • Reassess risks to operations, including mapping of third-party relationships, to assess impact of propagated risks
  • Identify and implement controls to mitigate those risks based on scoring
  • Review current business continuity plans and update as required to cover multiple scenarios, including loss of IT systems
  • Provide assurance over demonstrated ability to withstand disruption by validating the success of resilience plans  
  • Periodically review and update to reflect new risks, dependencies or changing impacts 
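
The fourth-party exposure discussed under critical third parties, and the "mapping of third-party relationships, to assess impact of propagated risks" called for above, both come down to walking a dependency graph. The Python below is an added illustration (not code from the article or from any resilience tool) that takes a constructed map of which business services depend on which internal systems and suppliers, traces which important business services a given supplier failure propagates to, classifies suppliers as third or fourth party by contractual distance, and compares an outage duration against constructed impact tolerances. Service names, supplier names, tolerances and the graph itself are all assumptions made for the example.

```python
"""Trace how a supplier (third- or fourth-party) failure propagates to important
business services and whether it would breach impact tolerance.

Added illustration, not code from the original article. The dependency map,
supplier list and tolerances are constructed for the example.
"""
from collections import deque

# Constructed edges, "X depends on Y". Business services depend on internal
# systems, which depend on third parties, which may depend on fourth parties.
DEPENDS_ON = {
    "payments":        ["core-banking", "fraud-screening"],
    "online-banking":  ["core-banking", "web-frontend"],
    "payroll":         ["hr-saas"],
    "core-banking":    ["cloud-provider-A"],
    "fraud-screening": ["fraud-vendor"],
    "web-frontend":    ["cloud-provider-A", "cdn-vendor"],
    "fraud-vendor":    ["endpoint-security-vendor"],   # fourth party via fraud-vendor
    "hr-saas":         ["cloud-provider-B", "endpoint-security-vendor"],
    "cdn-vendor":      [],
    "cloud-provider-A": [],
    "cloud-provider-B": [],
    "endpoint-security-vendor": [],
}

# Constructed impact tolerances: maximum tolerable outage in hours per important
# business service, as a resilience programme would set and test them.
TOLERANCE_HOURS = {"payments": 2, "online-banking": 4, "payroll": 48}

# Suppliers with a direct contract. Anything reached beyond them is fourth party or deeper.
DIRECT_SUPPLIERS = {"cloud-provider-A", "cloud-provider-B", "fraud-vendor", "cdn-vendor", "hr-saas"}

def dependents_index(depends_on):
    """Invert the graph so we can walk upward from a failed node to what relies on it."""
    idx = {n: set() for n in depends_on}
    for node, deps in depends_on.items():
        for d in deps:
            idx.setdefault(d, set()).add(node)
    return idx

def impacted_services(failed, depends_on, services):
    """Return {service: propagation path} for each business service reachable from the failure."""
    up = dependents_index(depends_on)
    paths = {failed: [failed]}
    queue = deque([failed])
    while queue:
        cur = queue.popleft()
        for parent in up.get(cur, ()):
            if parent not in paths:
                paths[parent] = paths[cur] + [parent]
                queue.append(parent)
    return {s: paths[s] for s in services if s in paths}

def supplier_tiers(depends_on, direct):
    """Tier 1 = third party (direct contract), tier 2 = fourth party, and so on."""
    tiers = {s: 1 for s in direct}
    queue = deque(direct)
    while queue:
        cur = queue.popleft()
        for sub in depends_on.get(cur, ()):
            if sub not in tiers or tiers[cur] + 1 < tiers[sub]:
                tiers[sub] = tiers[cur] + 1
                queue.append(sub)
    return tiers

def assess_outage(failed, outage_hours, depends_on=DEPENDS_ON, tolerance=TOLERANCE_HOURS):
    """For each impacted important business service: the path and whether tolerance is breached."""
    hits = impacted_services(failed, depends_on, tolerance)
    return {s: {"path": p, "breached": outage_hours > tolerance[s]} for s, p in hits.items()}

if __name__ == "__main__":
    tiers = supplier_tiers(DEPENDS_ON, DIRECT_SUPPLIERS)
    # A six-hour outage at a fourth party nobody contracts with directly.
    for svc, info in assess_outage("endpoint-security-vendor", 6).items():
        print(svc, "BREACHED" if info["breached"] else "within tolerance", " -> ".join(info["path"]))
    print("tier of endpoint-security-vendor:", tiers["endpoint-security-vendor"])
```

The point a scenario exercise would take from this is that the service with the tightest tolerance ("payments") is reached through a supplier the organisation has no contract with, which is exactly the gap in risk and impact mapping the CrowdStrike incident exposed.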

In a drive to reduce the impact on consumers and markets, the FCA requires firms in scope of PS21/3: Building operational resilience to ensure their important business services can be delivered in severe but plausible scenarios by March 2025.

The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and applied from 17 January 2025. DORA harmonises rules relating to operational resilience for the financial sector. It affects 20 different types of financial entities and ICT third-party service providers.

Transformation programmes

Getting IT transformation right is essential for maintaining organisational resilience. Robust IT transformations ensure that new and evolving systems are resilient, secure, and capable of adapting to evolving business challenges. When IT systems are properly transformed, they can withstand disruptions, cyber threats, and technical failures, ensuring continuous operations and service delivery.

Quality IT transformation also aligns technological advancements with business strategies, facilitating seamless integration and enhancing overall efficiency. This alignment minimises downtime and mitigates risks associated with system failures. By prioritising accuracy in IT transformation, organisations can build a resilient infrastructure that supports growth, innovation, and customer satisfaction.

Failure to get IT transformation right can lead to significant resilience issues, including operational disruptions, security breaches, and financial loss. Therefore, investing in accurate and strategic IT transformation is essential for safeguarding organisational stability and achieving long-term success. 

The rapid advancement of technology, coupled with changing consumer behaviours and market dynamics over the past 12 months, has prompted organisations to embrace digital transformation as a strategic imperative. This trend is driven by the need to enhance operational efficiency, improve customer experiences, and stay competitive in an evolving digital landscape.

In recent years, there’s been a notable transition towards implementing cloud-based ERP systems. Companies increasingly favour these due to their scalability, cost-effectiveness, and flexibility. Unlike traditional on-premise solutions, cloud-based ERPs offer real-time data accessibility and seamless integration across various business functions. This shift is driven by the need for enhanced operational efficiency, better security, the ability to adapt swiftly to market changes, and streamlining processes in an evolving digital landscape.

We’ve also seen a shift towards a more controlled form of Agile delivery, as governance committees and sponsors demand better risk management where Agile has been overly flexible. 

  • Step into a more trusted business partner role with the aim of providing ongoing, real-time assurance throughout the programme life cycle
  • Proactively monitor the risk profile of projects and programmes to ensure that assurance activities are aligned to key risks on the programme and planned at appropriate points within the programme life cycle
  • Align assurance approaches and methodologies with the cadence of organisational approaches to delivery – this may include more agility in the assurance plan, or reporting on a smaller risk scope more regularly  
  • Adopt a multidisciplinary assurance approach to ensure adequate assurance is provided on solution-specific and technical aspects – such as resilience, and data and cyber security – over and above programme governance and delivery-related risks

Find out more:

Navigating risk in technology transformation programmes

The UK financial services regulators are increasingly focusing on change and transformation. They have issued both firm and personal sanctions following change implementation going wrong.

The role, capability and effectiveness of management and governance with respect to change activities is the key area of scrutiny, with a focus on the roles of internal audit and risk in the change process.

Data governance 

Without mature data governance, artificial intelligence (AI) and data-driven decision-making face significant risks. Poor data governance can lead to biased AI models, as unbalanced or skewed data can produce discriminatory outputs. This undermines decision-making and can damage an organisation’s credibility.  

Additionally, inadequate governance increases the risk of data privacy breaches, as sensitive information may be mishandled or exposed. The lack of clear data lineage and governance can also result in opaque decision-making, making it difficult to trace and interpret AI decisions. This can lead to unethical or harmful outcomes, increasing regulatory scrutiny and operational costs. 

Data governance risks have evolved significantly in the past year due to several factors. Increased scrutiny on AI investments has highlighted the necessity for robust data governance to ensure commercial returns aren’t compromised. 

The growing emphasis on ESG reporting disclosures has also amplified the need for management to assure the completeness and accuracy of non-financial reporting. Stringent documentation is needed to demonstrate data integrity and lineage.

Finally, there’s an increasing demand for making data more accessible to a broader range of stakeholders – both internal colleagues and external parties, such as supply chain partners. Known as ‘data democratisation’, this aims to empower non-technical teams to self-serve their data requirements, while maintaining effective data governance controls.  

  • Meet with your CDO, IT leads and departmental leads to discuss areas of concern and where data assurance is needed
  • Review the organisation’s data strategy and assess whether appropriate governance is in place to deliver and monitor its progression
  • Identify gaps in data management compared to good practice and industry frameworks
  • Test the effectiveness of data governance controls, with a focus on policy, standards and quality, oversight, compliance, data architecture, issue management, data culture, data literacy, and data asset valuation 

The FCA has escalated the number of S166 skilled person reviews, focusing on data lineage and the importance of good documentation and governance over data flows. These factors collectively underscore the heightened importance of robust data governance practices to mitigate risks and ensure regulatory compliance.

Secure-by-design

Secure-by-design is an approach that integrates security principles from the very beginning of the software development life cycle, ensuring systems are inherently secure. In the context of DevSecOps and infrastructure as code (IaC), this means embedding security into every phase of development and deployment, automating security checks, and enforcing consistent secure configurations across all environments. Without Secure-by-design principles, systems are more susceptible to security breaches, loss of data, and operational disruption.

By incorporating security principles from the outset, Secure-by-design helps prevent the accumulation of security-related technical debt. Technical debt increases maintenance costs, reduces agility, introduces security vulnerabilities, lowers productivity, and hinders innovation. 

AI-powered tools, now increasingly adopted, can be used to enhance Secure-by-design practices by automating security checks and identifying vulnerabilities early in the development process. They can analyse code for potential security issues, enforce secure coding practices, and continuously monitor for threats, ensuring that security is integrated throughout the software life cycle.

The use of AI for software development and testing can also introduce security vulnerabilities by generating insecure code or exposing sensitive data. Additionally, these tools may be susceptible to external attacks, such as data poisoning, which can compromise system integrity. Robust checks of AI-generated code are essential to identify and correct errors and biases, and to maintain secure coding practices.

  • Collaborate with technology and security subject matter experts to review whether security was integrated throughout development processes  
  • Provide pragmatic recommendations on how security requirements can better be factored into the software development life cycle without unduly slowing it down
  • Understand the level of adoption of AI tools in software development processes and the due diligence performed over the reliability of these tools
  • Review the organisation’s policies and frameworks around the use of AI, ensuring compliance with regulations and internal security standards
  • Test the effectiveness of controls around secure design, code quality, security testing and so on
  • Identify gaps in training and awareness around Secure-by-design and the use of AI-powered development tools
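
"Automating security checks" and "enforcing consistent secure configurations across all environments" are the parts of the section above that an auditor can test directly in a pipeline. The Python below is an added illustration, not code from the article or from any IaC or policy tool: it takes per-environment settings (constructed here as flat dicts, standing in for the variable files of a real IaC repository), checks each against a secure baseline so the deployment gate fails on any violation, and separately reports where dev and test have drifted from production, which is the usual way inconsistent configurations creep in. Setting names, environments and baseline values are assumptions made for the example.

```python
"""Pre-deployment gate for infrastructure-as-code settings: baseline checks plus
cross-environment drift reporting.

Added illustration, not the article's code or any IaC tool's. Settings,
environments and the baseline are constructed for the example.
"""

def _version(v):
    return tuple(int(x) for x in str(v).split("."))

# Secure baseline every environment must satisfy: (setting, predicate, message).
BASELINE = [
    ("tls_min_version", lambda v: _version(v) >= (1, 2), "TLS minimum version below 1.2"),
    ("storage_public_access", lambda v: v is False, "public storage access must be blocked"),
    ("audit_logging", lambda v: v is True, "audit logging must be enabled"),
    ("admin_cidr", lambda v: v != "0.0.0.0/0", "admin access open to the whole internet"),
    ("secrets_source", lambda v: v == "vault", "secrets must come from the secrets manager"),
]

# Constructed per-environment settings. The classic pattern is shown deliberately:
# production is tidy, while dev and test have quietly drifted from the baseline.
ENVIRONMENTS = {
    "dev":  {"tls_min_version": "1.0", "storage_public_access": False, "audit_logging": False,
             "admin_cidr": "0.0.0.0/0", "secrets_source": "vault"},
    "test": {"tls_min_version": "1.2", "storage_public_access": True, "audit_logging": True,
             "admin_cidr": "10.0.0.0/8", "secrets_source": "inline"},
    "prod": {"tls_min_version": "1.2", "storage_public_access": False, "audit_logging": True,
             "admin_cidr": "10.0.0.0/8", "secrets_source": "vault"},
}

def check_baseline(settings, baseline=BASELINE):
    """Return (setting, message) for every baseline rule the settings fail.
    A missing setting is a failure too: silence is not compliance."""
    violations = []
    for key, ok, msg in baseline:
        if key not in settings:
            violations.append((key, "setting missing"))
        elif not ok(settings[key]):
            violations.append((key, msg))
    return violations

def drift_from_reference(environments, reference="prod"):
    """Settings where each non-reference environment differs from the reference."""
    ref = environments[reference]
    drift = {}
    for env, settings in environments.items():
        if env == reference:
            continue
        diffs = {k: (settings.get(k), ref[k]) for k in ref if settings.get(k) != ref[k]}
        if diffs:
            drift[env] = diffs
    return drift

def gate(environments, baseline=BASELINE):
    """Return (passed, report). A pipeline would stop on passed == False."""
    report = {env: check_baseline(s, baseline) for env, s in environments.items()}
    return all(not v for v in report.values()), report

if __name__ == "__main__":
    passed, report = gate(ENVIRONMENTS)
    for env, violations in report.items():
        print(env, "OK" if not violations else violations)
    print("drift from prod:", drift_from_reference(ENVIRONMENTS))
    raise SystemExit(0 if passed else 1)
```

Treating a missing setting as a violation is the choice worth noting: a new environment that simply omits `audit_logging` would otherwise sail through the gate.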

Talent

Most organisations aren’t investing in and leveraging technology effectively to identify and develop key skills, despite the rapid pace of change in required technical competencies. Some are also not adequately identifying and mapping existing talent to internal skills requirements. Research by Gartner shows that only 15% of organisations are conducting strategic workforce planning activities to identify what skills they need to recruit for or develop from within.

In the tech space, skills development is even more crucial due to the unprecedented rapid and widespread use of automation, artificial intelligence and other technologies.

If organisations aren’t resilient, and don’t adapt quickly and effectively, they may face significant people risks. This may hinder their ability to meet business priorities in the short, medium, and long term.

By prioritising skills development, organisations can adapt more quickly and remain resilient to evolving business needs and technological advancements, such as AI and cybersecurity. 

Learning professionals anticipate that AI-enabled skills management will be a key investment priority this year. Understanding what skills organisations have now – and where there are skills gaps – requires focus, making strategic workforce planning a priority.

While many organisations conduct a level of workforce planning, this tends to focus on number of roles rather than the skills needed for the medium and long term. There’s a risk, therefore, of failing to put the required skills in place to support business activities.  

Additionally, some organisations are starting to utilise AI-enabled technologies to support strategic workforce planning activity. This is at an early stage, however. Most are still using manual processes, which are time-consuming and infrequent, and make it challenging to incorporate external market data into skills development strategies.

If organisations don’t act now to integrate technologies, such as generative AI, they may struggle to maximise opportunities to identify and prioritise uplifting of internal employees’ skills, or to attract new talent. This increases the risk of widening the skills gap, failing to efficiently utilise skills already present within organisations, or missing out on attracting candidates with a compelling employee value proposition that can differentiate an organisation from its competition.   

When considering their own skills and capabilities, internal audit and technology risk functions should:

  • conduct strategic workforce planning activities to identify current skills and any skills gaps when considering the business’s strategic requirements
  • deploy tools to address gaps within their teams through internal upskilling and recruitment (internally and externally), with regular reviews and actions taken accordingly

More broadly, internal audit and technology risk functions should:

  • review the strategic workforce planning activities conducted by the business and assess whether these would enable the various functions to support the strategic requirements across the short, medium and long term
  • assess how the outputs of strategic workforce planning activities and detailed skills requirements are factored into the organisation’s people strategy
  • assess the extent to which emerging skill areas, such as AI, have been considered by the business
  • assess the use of AI by the business to support the identification of current and anticipated skills gaps, perform skill trends analysis, and enable data-driven decision-making

Cross-application segregation of duties 

Increasing regulations – such as the UK Corporate Governance Code, and control requirements – are driving the need for large corporates to adopt and maintain effective segregation of duties (SOD) practices, which are crucial for compliance, risk management, and financial integrity. The key risks related to segregation of duties include fraud, errors, lack of accountability, and the ability for a user to perform an end-to-end process without management oversight.

Cross-application SOD analysis involves evaluating and managing SOD risks across multiple business applications within an organisation. This process ensures that no single individual has control over all critical aspects of any business transaction, even when these transactions span different systems. Effective cross-application SOD controls are typically tool-driven. They require specialist skills across system administration and business processes. 

Whereas historically, organisations focused on SOD within siloed applications, the increased use of software-as-a-service (SaaS) applications has led to a need for an increased focus on cross-application SOD. The typical systems landscape of a large organisation is now made up of a combination of ERPs, SaaS, and a multitude of off-the-shelf and internally developed applications. This landscape increases SOD risk due to the increased complexity in managing and monitoring identities and access permissions across these systems.

Tooling is increasingly being used to define new and more efficient user and access recertifications. Organisations are starting to move towards reviewing deviations of user access against an agreed access security design. This process needs to be accompanied by a thorough periodic review of the access security design by risk specialists. 

  • Identify areas of cross-application SOD risk and quantify the risk level
  • Regularly evaluate SOD risks across key applications to identify potential conflicts and suggest remediation actions
  • Utilise specialist tools to automate the detection and management of SOD conflicts across multiple applications
  • Work closely with technology and business process subject matter experts to design and implement effective SOD policies and controls
  • Where segregation isn’t possible, implement compensating controls such as additional monitoring of activities
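
The core of cross-application SOD analysis as described above is a mapping from each system's roles to a common vocabulary of business functions, with conflict rules written against those functions rather than against any one application. The Python below is an added illustration, not code from the article or from any GRC tool: it applies a constructed rule set to a constructed entitlement extract spanning an ERP, a banking portal and two SaaS applications, flags which conflicts only become visible across systems, records compensating controls where segregation is not possible, checks held access against an agreed access security design, and runs the same rules over the design itself (the periodic design review the section calls for). Application names, roles, users, rules and the design are all assumptions made for the example.

```python
"""Cross-application segregation-of-duties (SOD) analysis over a constructed
entitlement extract, plus review of access against an agreed design.

Added illustration, not the article's code or any GRC tool's. Applications,
roles, business functions, users and rules are constructed for the example.
"""

# Specialist work lives here: roles from different systems (ERP, SaaS, bespoke)
# normalised to one vocabulary of business functions.
ROLE_TO_FUNCTION = {
    ("erp", "AP_CLERK"):             "create_vendor",
    ("erp", "AP_PAYMENTS"):          "approve_payment",
    ("erp", "GL_POST"):              "post_journal",
    ("bank-portal", "PAY_RELEASE"):  "release_payment",
    ("procure-saas", "PO_CREATE"):   "create_purchase_order",
    ("procure-saas", "PO_APPROVER"): "approve_purchase_order",
    ("hr-saas", "HR_ADMIN"):         "maintain_employee_master",
    ("erp", "PAYROLL_RUN"):          "run_payroll",
}

# Rules are written in functions, so they apply whichever system grants the access.
SOD_RULES = [
    ("create_vendor", "approve_payment", "high", "could pay a fictitious vendor"),
    ("create_vendor", "release_payment", "high", "could pay a fictitious vendor via the bank"),
    ("create_purchase_order", "approve_purchase_order", "medium", "self-approved purchasing"),
    ("maintain_employee_master", "run_payroll", "high", "ghost employee risk"),
    ("approve_payment", "release_payment", "medium", "end-to-end payment by one person"),
]

# Constructed entitlement extract: (user, application, role).
ENTITLEMENTS = [
    ("alice", "erp", "AP_CLERK"),
    ("alice", "bank-portal", "PAY_RELEASE"),   # conflict visible only across applications
    ("bob", "procure-saas", "PO_CREATE"),
    ("bob", "procure-saas", "PO_APPROVER"),    # conflict within one application
    ("carol", "erp", "GL_POST"),
    ("dave", "hr-saas", "HR_ADMIN"),
    ("dave", "erp", "PAYROLL_RUN"),
    ("erin", "erp", "UNKNOWN_ROLE"),           # role the mapping has never seen
]

# Agreed access security design: the roles each person is meant to hold.
ACCESS_DESIGN = {
    "alice": {("erp", "AP_CLERK")},
    "bob":   {("procure-saas", "PO_CREATE")},
    "carol": {("erp", "GL_POST")},
    "dave":  {("hr-saas", "HR_ADMIN"), ("erp", "PAYROLL_RUN")},  # the design itself conflicts
    "erin":  set(),
}

# Compensating controls recorded where segregation is not possible.
COMPENSATING = {("dave", "maintain_employee_master", "run_payroll"): "monthly payroll exception review"}

def functions_by_user(entitlements, mapping):
    """{user: {function: (application, role) that grants it}}; unmapped roles are ignored."""
    out = {}
    for user, app, role in entitlements:
        fn = mapping.get((app, role))
        if fn:
            out.setdefault(user, {})[fn] = (app, role)
    return out

def find_conflicts(entitlements, mapping=ROLE_TO_FUNCTION, rules=SOD_RULES, compensating=COMPENSATING):
    """Every (user, rule) pair where the user holds both conflicting functions."""
    conflicts = []
    for user, fns in functions_by_user(entitlements, mapping).items():
        for a, b, severity, why in rules:
            if a in fns and b in fns:
                conflicts.append({
                    "user": user, "functions": (a, b), "severity": severity, "why": why,
                    "granted_by": (fns[a], fns[b]),
                    "cross_application": fns[a][0] != fns[b][0],
                    "compensating_control": compensating.get((user, a, b)),
                })
    return conflicts

def deviations_from_design(entitlements, design):
    """Access actually held that the agreed design does not allow."""
    held = {}
    for user, app, role in entitlements:
        held.setdefault(user, set()).add((app, role))
    out = {}
    for user, roles in held.items():
        extra = roles - design.get(user, set())
        if extra:
            out[user] = extra
    return out

def design_conflicts(design, mapping=ROLE_TO_FUNCTION, rules=SOD_RULES):
    """Run the same rules over the design: a hit here is a design flaw, not user drift."""
    as_entitlements = [(u, app, role) for u, roles in design.items() for app, role in roles]
    return find_conflicts(as_entitlements, mapping, rules, compensating={})

if __name__ == "__main__":
    for c in find_conflicts(ENTITLEMENTS):
        scope = "cross-app" if c["cross_application"] else "single-app"
        print(c["severity"], c["user"], c["functions"], scope, c["compensating_control"] or "NO COMPENSATING CONTROL")
    print("deviations from design:", deviations_from_design(ENTITLEMENTS, ACCESS_DESIGN))
    print("conflicts in the design itself:", [c["user"] for c in design_conflicts(ACCESS_DESIGN)])
```

Two things this surfaces that a per-application review would miss: alice's high-severity conflict exists only because a bank-portal role is combined with an ERP role, and dave's conflict is not drift at all but a flaw in the agreed design, which is why the design needs its own periodic review by risk specialists.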