Given the state of rapidly advancing technology, there’s a stronger focus than ever on assurance. Internal auditors and technology risk functions need to know how to respond to the emerging areas of technology risks their businesses face today.

Cyber security and ransomware

Cyber security continues to be a key area of risk for UK and global organisations. Government research indicates that almost 40% of UK businesses are attacked at least once a week, making the risk near-constant; geopolitical events have also contributed to many recent attacks.

While data loss and service disruption remain two of the major risks associated with a cyber attack, ransomware is also significant. Research indicates that 66% of organisations globally were hit by a ransomware attack in the last year, and the number of organisations suffering an attack in 2022 increased by over 40% compared with 2021.

What has changed?

This is not a new risk, and many organisations already have in-flight cyber security programmes to enhance controls. Internal audit and risk teams continue to work closely alongside the programme teams to give real-time assurance and challenge.

In addition, organisations are strengthening their ransomware prevention and response arrangements through improved backup provisions (in particular, offline or immutable copies that an attacker who has gained administrative access cannot encrypt or delete) and crisis management exercises, in response to statistics suggesting they are increasingly likely to suffer such an attack.

What should internal audit and risk functions do?

Internal audit and technology risk functions should:

  • focus internal audit work not just on their organisation’s current cyber security measures, but also on the investments and programmes in place to protect against evolving and emerging threats
  • assess the arrangements the organisation has in place to defend against and respond to a ransomware attack, including how it would decide whether to engage with the attackers and who would handle that communication.

Cloud adoption

Cloud service offerings continue to expand, and functional areas across businesses are adopting them. Worldwide end-user spending on public cloud services is forecast to grow 20.7% to total $591.8 billion in 2023 compared with 2022, according to the latest forecast from Gartner. Historically, there was a perception that cloud environments are inherently more secure or resilient than on-premises systems. Businesses are becoming more aware that this is not automatically the case: a cloud environment is only as secure as its configuration. As a consequence they are enhancing their cloud controls, and cloud governance and technical reviews now appear on most internal audit plans.

What has changed?

Despite this increased adoption, we have noted that cloud environments and available settings are not always being fully leveraged to achieve a security and resilience standard aligned with business needs. Internal policies are also not being adapted to the new ways of working and risks posed by cloud computing.

Alongside these developments, an emerging challenge facing organisations is switching between cloud vendors, with some businesses facing long lock-in periods. Root causes of this include the lack of upfront termination clauses and not considering exit strategies when entering agreements with cloud vendors.

What should internal audit and risk functions do?

Internal audit and technology risk functions should:

  • review whether internal policies have been adapted for cloud and implement controls accordingly
  • help their business to understand the ‘shared responsibility model’ and review exit plans agreed with the cloud provider
  • review the use of termination clauses and the exit strategies for their organisation’s cloud instances
  • assess cloud providers’ third-party assurance reports (e.g. SOC 1 and SOC 2) to understand the impact and risk of moving controls to cloud instances, including the complementary user entity controls that the report assumes the customer operates itself.

Technology transformation programmes

Organisations are progressing with their change and transformation agendas at full pace, with technology-enabled change dominating the portfolio as organisations seek to be more digital, both internally and customer facing.

Effective delivery of business strategy is increasingly reliant on technology, leading to greater integration between business and IT. With the current economic outlook, there is a sharper focus from business leaders on ROI and a realisation of benefits for all technology-enabled change.

What has changed?

Organisations are embarking on multi-year, multi-divisional, entity-wide transformations, often involving multiple third parties. These transformations face challenges in keeping sight of the original business and benefits case, and in tracking both the delivery and the realisation of the benefits. Typically, the root cause is that the business evolves over the multi-year transformation timeline: acquisitions, divestitures, changes in senior leadership and sponsorship, and external market factors all shift business priorities, leading to budget overruns and unplanned additional programme phases.

SAP ECC is approaching its end of life; read our insight on the secrets of a successful transition.

What should internal audit and risk functions do?

Internal audit and technology risk functions should: 

  • adopt a real-time 'heartbeat assurance' approach, in which the work of the transformation programme team is reviewed as key decisions are being made
  • perform short 'deep dive' reviews at key points throughout a programme, the output of which is a summary audit memo highlighting key issues and actions required
  • focus on benefits realisation, ROI, and the design of controls for business as usual (BAU) once the programme delivers.

Data

Organisations increasingly need to deliver high-quality and impactful data to support commercial operations, and regulatory and internal control compliance.

Effective data leaders will assess their data environment and focus on quality and integrity to ensure data used by the business is reliable. This will enable them to create a successful platform to generate risk insights and monitor key controls in real time.

What has changed?

There is an increased scrutiny of how data is used in an organisation. This is driven by data growth, digital transformations, high-profile data breaches, and expanding privacy and ESG regulations.

The quality of data management will directly affect an organisation’s ability to manage risk and gain a competitive advantage. The pressure to deliver on digital change or report on key risks and controls, often leads to compromised outcomes due to time and budgetary constraints.

What should internal audit and risk functions do?

Internal audit and technology risk functions should:

  • consider process: whether the right data usage behaviours are being encouraged and monitored across the organisation
  • assess technology: whether appropriate solutions are in place to provide automation and real-time reporting, or to enforce data governance principles
  • keep in mind people: the data ownership and stewardship structures, together with the availability of skilled data practitioners.

Read our data in a downturn insight with key data strategies that can help you succeed in an economic downturn.

DevOps

DevOps brings development and operations teams together around automated build, test and deployment pipelines. It is closely associated with cloud computing and is typically the methodology used when developing cloud-native apps. Many business leaders are starting to view it as fundamental to the digital transformation of their organisation.

A trend which is gaining popularity in this area includes serverless computing, which is a cloud-native development model that allows developers to build and run applications without having to manage servers. There are still servers in serverless, but they are abstracted away from app development.

What has changed?

With serverless, there is an increased reliance on developers to introduce security controls, rather than on central IT support or infrastructure teams who are familiar with IT controls. Code repositories (such as GitHub) are increasingly hosted in public cloud services rather than on internal networks, which increases their exposure to external attack if repository visibility, access tokens or branch protections are misconfigured.

In order to achieve stronger guardrails and standardisation of controls in development processes, large organisations have started to adopt a pipeline product model, where pipelines across the business have to be derived from a baseline standard.
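One way to make a baseline standard enforceable, rather than advisory, is to check each team's pipeline definition against it automatically before the pipeline is allowed to run. The script below is an added example written for this article, not code from any pipeline product or from the authors' toolset. The baseline (the required stage names, their order, and the locked settings) and the two sample pipeline definitions are constructed for illustration; a real baseline would be expressed in whatever format the organisation's CI/CD platform uses.

```python
"""Check that a team's pipeline definition conforms to a baseline standard.

Added example for illustration only. The baseline stages, the locked
settings and the sample pipelines are constructed and hypothetical.
"""
from dataclasses import dataclass

# Hypothetical baseline: stages every pipeline must run, in this relative order.
REQUIRED_STAGES = ["build", "sast", "dependency-scan", "sign-artifact", "deploy"]

# Settings pinned by the baseline; teams may add settings but not change these.
LOCKED_SETTINGS = {
    "sast": {"fail_on": "high"},            # block the build on high severity
    "sign-artifact": {"keyless": True},     # artefacts must be signed
    "deploy": {"require_approval": True},   # no unreviewed production deploys
}


@dataclass
class Finding:
    stage: str    # stage the violation relates to, or "*" for the whole pipeline
    message: str


def check_pipeline(pipeline: dict) -> list[Finding]:
    """Return the baseline violations found; an empty list means conformant."""
    findings: list[Finding] = []
    stages = pipeline.get("stages", [])
    names = [s.get("name", "?") for s in stages]

    # 1. Every required stage must be present.
    for req in REQUIRED_STAGES:
        if req not in names:
            findings.append(Finding(req, "required stage missing"))

    # 2. Required stages must keep the baseline's relative order
    #    (e.g. signing before deploy); extra team-specific stages are ignored.
    present = [n for n in names if n in REQUIRED_STAGES]
    expected = [r for r in REQUIRED_STAGES if r in present]
    if present != expected:
        findings.append(Finding("*", f"required stages out of order: {present}"))

    # 3. Locked settings must not be overridden by the team.
    for s in stages:
        name = s.get("name", "?")
        for key, value in LOCKED_SETTINGS.get(name, {}).items():
            actual = s.get("settings", {}).get(key)
            if actual != value:
                findings.append(Finding(name, f"{key} must be {value!r}, found {actual!r}"))

    # 4. A required stage the team can skip on its own say-so is not a guardrail.
    for s in stages:
        name = s.get("name", "?")
        if name in REQUIRED_STAGES and s.get("allow_skip"):
            findings.append(Finding(name, "required stage must not be skippable"))

    return findings


def report(pipeline: dict) -> str:
    """Human-readable summary of check_pipeline() for one pipeline."""
    findings = check_pipeline(pipeline)
    if not findings:
        return f"{pipeline['name']}: conformant"
    lines = [f"{pipeline['name']}: {len(findings)} violation(s)"]
    lines += [f"  [{f.stage}] {f.message}" for f in findings]
    return "\n".join(lines)


# Constructed sample: conformant, with an extra team-specific stage added.
GOOD_PIPELINE = {
    "name": "payments-api",
    "stages": [
        {"name": "build"},
        {"name": "unit-tests"},
        {"name": "sast", "settings": {"fail_on": "high"}},
        {"name": "dependency-scan"},
        {"name": "sign-artifact", "settings": {"keyless": True}},
        {"name": "deploy", "settings": {"require_approval": True}},
    ],
}

# Constructed sample: a pipeline that has drifted from the baseline.
BAD_PIPELINE = {
    "name": "marketing-site",
    "stages": [
        {"name": "build"},
        {"name": "deploy", "settings": {"require_approval": False}},
        {"name": "sast", "settings": {"fail_on": "critical"}, "allow_skip": True},
        {"name": "sign-artifact", "settings": {"keyless": True}},
    ],
}

if __name__ == "__main__":
    print(report(GOOD_PIPELINE))
    print(report(BAD_PIPELINE))
```

Running the script reports the first pipeline as conformant and lists five violations for the second: the missing dependency scan, deployment ordered before scanning and signing, two overridden locked settings, and a skippable SAST stage. An internal auditor reviewing a pipeline product model would want to see this kind of check wired into the platform so that a non-conformant pipeline cannot be created at all, and the exceptions log as evidence that the guardrail is operating.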

Read our latest insight on preparing for the assurance challenges of DevOps.

What should internal audit and risk functions do?

Internal audit and technology risk functions should:

  • determine whether the chosen methodology for software development is supported by a strong business case, and an approval from the right levels of management
  • consider whether the security and level of documentation retained during the development of new apps or new features is in line with the organisation’s risk appetite
  • assess how automation, continuous integration and development pipelines, security, privacy and resilience are considered by design during development activities
  • review the level of training that developers receive around secure coding practices and how they are guided to apply these throughout their work.

Supply chain assurance

The added flexibility, bespoke skillsets and technical expertise they offer make third parties an increasingly significant part of business capability, particularly for technology services. Using third parties to provide these services allows organisations to access market-leading technologies and skills without facing the typical barriers of developing these internally.

Outsourcing the responsibility for these services, however, does not outsource the associated risks and organisations need to expand their range of assurance activities to cover third-party providers.

What has changed?

The trend towards technology third parties continues, and is evolutionary rather than revolutionary. Crucially, beyond the traditional 'outsourced service desk', critical services in security, finance and operations are now in the hands of partners, with outsourced Security Operations Centres (SOCs), SaaS finance systems and many customer-facing services ever more commonplace.

As a result, organisations are increasingly establishing in-house functions dedicated to this area that interact with other business functions focussed on supply chain compliance.

What should internal audit and risk functions do?

Internal audit and technology risk functions should:

  • shift their focus to these key strategic partners rather than just looking at the controls operating within their own organisation
  • review the work done to risk-assess the supply chain and identify critical suppliers. Typical risk metrics (notably volume of spend) are often misleading when assessing technology-specific risks (availability, privacy, etc), as well as other risks covering ESG, AML and modern slavery
  • identify how assurance over key technology controls is obtained when these are operated by the third party
  • review whether risks are assessed at both onboarding and offboarding (including access revocation and data deletion).

IT control programmes

Documenting centralised IT control frameworks can help organisations standardise how IT controls are defined and implemented, ensuring IT controls mitigate the key technology risks the organisation is facing. They also enable control gaps or weaknesses to be identified easily and help facilitate periodic reviews of the control environment. They serve as the foundation of risk-based internal compliance regimes.

What has changed?

Financial services firms have long been familiar with IT control frameworks due to regulatory requirements. Large corporates are now, however, also commissioning programmes to design and implement these.

The main driver for this is the recent outcome of the BEIS consultation on restoring trust in audit and corporate governance. The recommendations raised (often referred to as ‘UK SOX’) include the requirement that boards ensure their organisations have adequate controls in place, including IT controls, and make a statement to this effect in their annual report.

What should internal audit and risk functions do?

Internal audit and technology risk functions should:

  • review management’s assessment of the in-scope systems to ensure that all appropriate applications, databases, and infrastructure elements are included
  • determine whether the framework includes all known controls (including application controls and end user computing controls) based on their knowledge of the business
  • assess how controls operated by third parties are included and governed
  • review and monitor management’s improvement plans to resolve any control weaknesses or gaps.

Resilience

Over the past couple of years, a number of high-profile organisations have experienced service outages. Such incidents can have a direct impact on a business’s ability to operate, leading to lost revenue, reputational damage and, in some cases, regulatory penalties. As a result, IT and operational resilience remain a key concern for senior leadership teams.

What has changed?

IT resilience is not a new concept and has been on many organisations’ risk registers for several years. The last few years, however, have seen significant changes to organisational ways of working and how technology infrastructure is provided (such as through cloud-hosted solutions).

This increased technology reliance has also affected organisations’ supply chains. As a result, organisations are increasingly expanding their third-party assurance processes to obtain comfort over their suppliers’ operational resilience arrangements and, in some cases, are involving third parties in tests of their IT resilience controls.

What should internal audit and risk functions do?

Internal audit and technology risk functions should:

  • review the work undertaken to identify the key risks impacting the resilience of IT services and their impact on business operations, including third-party services
  • understand how the organisation has reduced the likelihood of outages through replication, redundancy, and use of high availability services
  • assess the recovery technologies and procedures in place and how these have been tested to ensure that services and data can be recovered when required
  • assess how the organisation has considered diversification as a means of ensuring the continuity of key operational functions and communications.

Digital talent

Post-pandemic, businesses have needed to invest significantly in new and emerging technologies, and in the skills required to deliver technological solutions (such as large-scale digital transformations or the introduction of new technologies), to support operations run both remotely and in a hybrid manner.

Technology skills evolve at pace as the market and technologies change. Filling critical vacancies is driven by candidates who are making choices based on flexibility, job role profiles, and salary levels. Attracting key talent has seen organisations offering higher salary levels to secure individuals with the right skills from a limited pool of candidates, which puts pressure onto businesses as they balance these against existing employee reward.

What has changed?

Market volatility continues to increase with organisations looking at external talent with new technology skills to complement internal IT/digital resource as technologies continue to evolve. Consequently, candidates are in a position to demand greater salary levels as organisations compete for talent from the same candidate pools.

Additionally, the cost of living crisis is leading employees to review how their organisation rewards (through salary and bonus) and protects its staff, which in turn affects the retention of key skills.

What should internal audit and risk functions do?

Internal audit and technology risk functions should:

Automation

Organisations are increasingly turning to Robotic Process Automation (RPA), or 'bots', to help streamline and automate laborious business processes. RPA can create efficiencies in processing large data volumes, reduce errors from manual processing, and realise immediate cost savings through reallocation of resources. While these benefits are compelling, realising them requires an effective framework to deliver and manage compliance with regulatory, security and continuity requirements.

What has changed?

The ability of end users to build automation is more accessible than ever due to the rise of 'low code' applications. These avoid the need for complex coding: users simply drag and drop actions to automate processes. On one hand this encourages innovation and promises the same benefits; on the other, low code applications are often used without IT governance and can introduce risk unnecessarily, for example where a bot runs under a shared or highly privileged account.

What should internal audit and risk functions do?

Internal audit and technology risk functions should:

  • determine whether an effective RPA or End User Computing strategy, and coding and development guidance, are in place
  • assess whether access to RPA or low code applications and their data is restricted, and whether resilience arrangements have been implemented over automated processes
  • determine whether data used by automated processes is accurate and meets quality standards.

Read how we automated assurance for IT controls and SOX compliance →
