Ensuring effective identification and evaluation of the significant technology risks
Organisations are increasingly embracing more complex and sophisticated technology solutions in an effort to provide a wider suite of services, reach more customers and drive greater efficiencies. Internal audit functions must draw on expertise to ensure the right technology risks are identified and the related controls assessed, including cyber security, the changing data privacy agenda, growing dependencies on technology resilience, and the challenges of implementing digitalization across the business. The risks associated with such solutions are significant, and if not addressed they can result in severe impacts on operations, with associated reputational damage, costs and, in some instances, regulator intervention.
In such circumstances, Boards and Audit Committees are often held to account and are challenged over whether appropriate and deep insights were obtained to help evaluate whether technology risk (principally the risk to the ongoing confidentiality, integrity and availability of systems and data) is being effectively managed. Understanding these risks is critical in order to ensure that the right countermeasures are in place and operating effectively. Internal Audit therefore has a fundamental role to play in reviewing and assuring the way in which an organisation evaluates its technology risks and controls.
At BDO we have a dedicated IT Audit team well versed in assessing traditional and emerging technology risks, and we support audit functions in undertaking annual IT audit planning (including the production of the IT audit plan itself). We have a formal IT risk evaluation methodology to ensure the assessment of risk is both consistent and comprehensive, drawing upon deeper skills within the team as required (for example, cyber security threat intelligence).
The methodology recognizes six main areas of IT risk:
- IT security
- IT governance
- Managing change
- IT operations
- IT continuity
- Strategic leadership
Behind each of these risk areas sit 32 sub-risks, each of which can be separately evaluated and used to benchmark an organization’s maturity in the operation of mitigating controls.
BDO’s IT internal audit team possesses significant experience in performing audit procedures over a broad spectrum of technology risks (e.g. cyber security, business resilience, data management), using COBIT 5 as a framework and supported by industry experience and a number of analysis tools that enable the efficient production of detailed outputs and meaningful recommendations.