Confronting Uncertainty - 2021 Hot Topics for IT Internal Audit in Financial Services An internal audit viewpoint
Confronting Uncertainty | 2021 Hot Topics for IT Internal Audit in Financial Services

Contents
Introduction
IT Internal Audit Hot Topics through the years: 2012-2021
IT Internal Audit Hot Topics 2021: A viewpoint
IT Internal Audit of the Future: Embracing Analytics and Digital Enablement
Endnotes
Contacts

Introduction
Welcome to our latest annual viewpoint on the information technology hot topics for Internal Audit functions in financial services. As in previous years, this is based on our survey and discussions over the past six months with Chief Internal Auditors and Heads of IT Audit across UK financial services organisations, who have openly shared their areas of focus and the organisational challenges in relation to their firms' technology control environment.

In early 2020 markets were climbing, innovation and technology disruption were at the forefront of CIO agendas, along with a drive for transformational, rather than just incremental, change. The arrival of the pandemic a few weeks later had significant implications for organisations and their technology agendas. Business disruption is not new, but this proved to be the toughest test of technology and operational resilience many organisations have ever faced. Thankfully technology functions were mostly able to move quickly to invoke contingency plans, upgrade infrastructure and, most importantly, adapt and 'enable' businesses to continue to service clients in innovative ways.

CIOs played significant roles, leading crisis plans and acting as 'change' agents, proving that there is a unique opportunity for technology leaders to step beyond a functional leadership role and drive technology deep into the fabric of the business. COVID-19 will continue to have implications for businesses, driving them to accelerate the move from physical to virtual ways of operating.

Technology leaders are expected to architect significant enterprise changes as part of the digitalisation programmes that touch on customer channels, products, and ways of working. These priorities are reflected in our paper, with this year's top-10 topics presented under a lens of "lessons learned" thus far.
The impact of digitalisation programmes is reflected by an elevated focus on cloud, digital risk and digital transformation topics. That said, Cyber continues to be at the top of the list, not surprisingly perhaps, as organisations struggle to deal with a notable increase in attacks, at a time when the organisational set-up has completely changed with the prevalence of remote and mobile working.

Operational resilience, now more than ever, is a key area of regulatory and business focus. Heads of IT Internal Audit need to look at how management is planning to ride the uncertain times ahead and rebuild confidence for the future by ensuring their response is resilient, safeguards the welfare and well-being of people, and is able to adapt to demand and supply challenges.

We hope this paper helps inform your risk assessment and planning process for 2021, while at the same time offering useful insights for your ongoing conversation with technology and business leaders in an era of unfamiliar challenges and emerging technology risks.

Mike Sobers, Partner
IT Internal Audit Hot Topics through the years: 2012-2021
The table presents a comparison of the top-10 IT internal audit hot topics over the past ten years, as identified through our annual survey of Heads of IT Internal Audit in financial services.

The continued presence of cyber security at the top of our list, particularly in the past 4-5 years, cannot be ignored, nor can the emergence of risks around the new, disruptive technologies enabling digital business models and transformation initiatives across FS organisations. Focus for IT IA functions in 2021 is expected to be on Operational and IT Resilience, Cloud, Digital Risk and Extended Enterprise / Supplier Risk. Cyber remains the key technology risk area for organisations, with relevant threats increasing particularly during the COVID-19 pandemic.

Topics which appear in more than two years have been colour-coded to help illustrate their movement in the top 10 over time.
Table 1. IT Internal Audit Hot Topics through the years: 2012-2021

Rank | 2021 | 2020 | 2019 | 2018 | 2017 | 2016 | 2015 | 2014 | 2013 | 2012
1 | Cyber Security | Cyber Security | Cyber Security | Cyber Security | Cyber Security | Cyber Security | Cyber Security | Large Scale Change | Third-party Management | Cyber Threat
2 | Operational and IT Resilience | Transformation and Change | Technology Transformation and Change | Strategic Change | Strategic Change | Strategic Change | Disaster Recovery and Resilience | IT Governance and IT Risk Management | Identity and Access Management | Complex Financial Models

2021 ranks 3 to 5, with the 2020 rank in brackets (as given in the topic headings that follow): 3 Cloud Governance and Security (7); 4 Extended Enterprise Risk Management (4); 5 Transformation and Change (2).

[Ranks 3 to 10 of the remaining columns are not legible in this transcription.]
IT Internal Audit Hot Topics 2021: A viewpoint[1]
Figure 1. A Viewpoint – Classification of the Top-15 IT Internal Audit Hot Topics for 2021.
The size of the bubble reflects the ranking in this year's list, while the horizontal axis shows the threat environment (internal or external to the organisation). The vertical axis shows the range of emerging, new or existing risks.

[Bubble chart. Horizontal axis: Internal environment to External environment. Vertical axis: Emerging, new or evolved risks to Known risks. Topics plotted: Digital Risk; Operational and IT Resilience; Cloud Governance and Security; System Development and IT Change; Payments; Cyber Security; Transformation and Change; Identity and Access Management; Extended Enterprise Risk Management; Application Controls; Privileged Access; Regulation; IT Strategy and IT Governance; Data Governance; Legacy Technology Environments.]
1. Cyber Security (2020 rank: 1)

Why is it important?

Cyber threats will likely remain one of the most frequent and potentially most damaging risks to organisations, and will continue to be one of the top agenda points for boards and Risk Committees in the financial services sector. We have seen cyber-attacks increase significantly in the wake of the pandemic, with "phishing" emails connected to COVID-19 reported to have increased 600%. Security vendors are reporting significant spikes in attacks including scams, breaches, blackmail and email compromise.

What's new?

The COVID-19 crisis has also been characterised by a significant increase in fraudulent activity, including instances of social engineering fraud leading to identity theft. Cyber fraud flourishes when people are most vulnerable, or their personal, family or work circumstances are under significant change. The risk of unauthorised system access is also compounded as employees are forced to work remotely.

In addition, organisations have been facing a multitude of threats to their survival. Tough decisions have had to be made, usually at pace and with limited information for staff regarding how they can continue to operate or service customers: for example, how they provision IT resources to remote working staff, and how they continue to deliver core services (e.g. online and via digital channels). This has required existing control processes, on occasion and out of necessity, to be flexed or changed.
What should Internal Audit be doing?

The need for Internal Audit to continue to challenge management and provide advice on the optimal balance between adequacy of control, risk exposure and cyber risk appetite against business needs will be paramount in 2021 and beyond. Functions should assess the maturity of their function and skills to cover cyber risk, whilst continuing to refresh the cyber audit plan in line with the threat environment and the broader organisational risk assessment. We expect that some of the areas of focus for 2021 will be:

Remote working:
• Remote working heightens existing cyber risks while introducing new ones to organisations. It is an area that will continue to be a major focus as we move into the post-COVID-19 recovery phase. For example, in a household, multiple family members could be logging in on the same network, potentially exposing devices to malware that could then enter the firm's network if the right endpoint controls are not in place. In addition, we have seen a significant rise in the use of video conferencing facilities, some of which may have sub-optimal security standards, increasing threats to confidentiality and privacy.
• IA functions should review their businesses' remote working policy and security architecture, focusing on aspects such as: the need for work screens to be locked and laptops secured when not in use; Bring Your Own Device (BYOD) schemes; and other associated controls, such as the use of multi-factor authentication. Additional areas of focus should be security requirements for wi-fi networks and device security measures such as personal routers and Virtual Private Networks (VPNs). Organisational controls around automated monitoring and alerting should be enabled, with alerts when the corporate VPN is switched off, for instance. There should also be focus on the capability of the Cyber operations teams to appropriately support and mitigate threats whilst themselves working remotely.

Vigilance and Cyber risk awareness:
• IA functions should investigate approaches taken to increase the levels of cyber awareness across the organisation and look into the programmes to re-educate staff on cyber threats, or reinforce key messages via CEO or CISO communication, for example. In an environment where malicious threat actors prey on emotions and uncertainty in an attempt to bypass training and rational thinking, the need for all employees to be alert to cyber issues and hyper-vigilant to phishing attacks is clearly a high priority.
Resilience:
• Functions will need to be able to support the increased reliance on digital technology and IT transformation programmes, including the need to factor in cyber resilience-by-design, and to adopt the principles of the regulators around operational resilience. As covered in our Operational Resilience topic, cyber risks will likely remain the most frequent threat to operational resilience, and should continue to be factored into any assurance work.

Cyber risk governance and monitoring:
• The immediate need to facilitate and support remote working for almost all staff has led some organisations to loosen certain controls in the short term, such as the need for VPN, dual authentication, or monitoring. With levels of remote working likely to remain higher than they were pre-COVID-19, organisations may need to find ways to reset the balance and increase flexibility without compromising security or "flexing" control beyond risk appetite. Internal Audit leaders should challenge management where the control environment goes beyond risk appetite, and explore with them alternative arrangements, such as strengthening of controls, restricting access for high-risk staff and restricting access to sensitive data. The effectiveness of monitoring or alerting controls designed to spot unusual patterns of activity and flag them for further investigation should be considered in those cases.

Find out more
COVID-19 cyber risk preparedness and response: Securing your environment against elevated threats.
https://www2.deloitte.com/us/en/pages/advisory/articles/covid-19-cyber-risk-preparedness-response.html
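The two loosened controls named above (VPN and dual authentication) are the kind an auditor would expect to see backed by detection logic rather than policy alone. The following Python script is an added illustration of such logic, not part of the original paper and not the work of its authors, run over a constructed set of endpoint telemetry events; the event fields (type, device, action, vpn, mfa, app), the device and user names and the ten-minute grace period are all assumptions.

```python
"""Added example: flag devices that stay active after the corporate VPN drops,
and sign-ins that bypass MFA, over constructed endpoint telemetry.
Event field names, device/user names and the grace period are assumptions."""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), in the order a collector might emit it.
EVENTS = [
    {"ts": "2020-11-02T08:00:00", "type": "vpn", "user": "alice", "device": "LT-001", "action": "connect"},
    {"ts": "2020-11-02T08:05:00", "type": "heartbeat", "device": "LT-001", "vpn": True},
    {"ts": "2020-11-02T09:00:00", "type": "vpn", "user": "alice", "device": "LT-001", "action": "disconnect"},
    {"ts": "2020-11-02T09:04:00", "type": "heartbeat", "device": "LT-001", "vpn": False},  # inside grace period
    {"ts": "2020-11-02T09:30:00", "type": "heartbeat", "device": "LT-001", "vpn": False},  # 30 min off VPN
    {"ts": "2020-11-02T09:31:00", "type": "signin", "user": "alice", "device": "LT-001",
     "app": "payments-ui", "mfa": False},                                                  # MFA bypassed
    {"ts": "2020-11-02T10:00:00", "type": "signin", "user": "bob", "device": "LT-002", "app": "mail", "mfa": True},
    {"ts": "2020-11-02T10:02:00", "type": "heartbeat", "device": "LT-002", "vpn": False},  # no VPN session seen yet
    {"ts": "2020-11-02T10:20:00", "type": "heartbeat", "device": "LT-002", "vpn": False},  # 18 min off VPN
]


def detect(events, grace_minutes=10):
    """Return alerts in time order. One off-VPN alert per device per episode;
    a reconnect (or a heartbeat reporting the VPN up) closes the episode."""
    grace = timedelta(minutes=grace_minutes)
    alerts = []
    off_since = {}   # device -> when it was last seen leaving (or first seen without) the VPN
    alerted = set()  # devices already alerted in the current off-VPN episode

    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort correctly as strings
        ts = datetime.fromisoformat(ev["ts"])
        dev = ev["device"]
        kind = ev["type"]

        if kind == "vpn":
            if ev["action"] == "connect":
                off_since.pop(dev, None)
                alerted.discard(dev)
            else:
                off_since[dev] = ts
        elif kind == "heartbeat":
            if ev["vpn"]:
                off_since.pop(dev, None)
                alerted.discard(dev)
            else:
                # A device never seen on the VPN starts its episode at its first heartbeat.
                start = off_since.setdefault(dev, ts)
                if ts - start > grace and dev not in alerted:
                    alerted.add(dev)
                    alerts.append({"rule": "off_vpn", "device": dev, "ts": ev["ts"],
                                   "minutes_off_vpn": int((ts - start).total_seconds() // 60)})
        elif kind == "signin" and not ev["mfa"]:
            alerts.append({"rule": "signin_without_mfa", "user": ev["user"], "device": dev,
                           "app": ev["app"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The grace period is there so a brief tunnel renegotiation does not page anyone; the heartbeat-based rule is there so a device that never joined the VPN at all is still caught. When reviewing a real implementation, the question to ask is what the exception list for the off-VPN rule contains, since an exception per "senior user" quietly reintroduces the loosened control.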
2. Operational Resilience (2020 rank: 3)

Why is it important?

Internal Audit, as the third line of defence, was uniquely placed to play a key role in the response to the crisis, from a position of good organisational knowledge and often with a highly relevant skill-set. We've seen many functions providing assurance on resilience programmes and the associated controls adopted by organisations, on a real-time basis as the crisis unfolds; however, they will need to continue to do so going forward, with the benefit of looking back and leveraging lessons learned.

Building the operational resilience of firms and Financial Market Infrastructures (FMIs) remains a key shared priority for the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). UK regulators have been monitoring the operational resilience of financial services firms during the pandemic, looking particularly closely at how firms refine their resilience plans, how they approach the governance of their operational resilience (including the role of the board and SMF24[2]) and the quality of their crisis communications.

What's new?

The three UK supervisory authorities published a shared policy summary and coordinated consultation papers (CP 19/32 and CP 29/19[3]) on new requirements to strengthen operational resilience in the financial services sector. The CP principles establish the draft rules that firms will be required to follow, placing particular focus on identifying important business services, setting impact tolerances and the need for regular self-assessments. It builds on the concepts set out in the operational resilience Discussion Paper published in 2018, and addresses many of the proposed policy changes based on the responses received.
What should Internal Audit be doing?

As part of the next phase, organisations must recognise that they will have to face a period of uncertainty and disruption over many months. Throughout this period, they will need to rebuild confidence for the future by ensuring their response is resilient, safeguards the welfare and well-being of people, and is able to adapt to demand and supply challenges. Internal Audit will need to focus on:

• Challenging and benchmarking management's scenario-planning and assumptions regarding the nature, extent and duration of the situation, as well as the plan to deliver services during prolonged uncertainty in a way that is safe, flexible and resilient, based on a clear action plan.
• Understanding whether the resilience achieved to date was by design. If not, then what lessons should be drawn for the future? What are management's 'crunch points' in the ability to deliver services against planning assumptions?
• What is management's strategy to return to "business as usual" after the crisis, and move from "respond" to "recover" and then to "thrive"? How can it turn the crisis into an opportunity to emerge stronger?

The PRA has asked IA functions across a number of firms to undertake an operational resilience audit against the principles in the consultation paper or the broader governance and approach. IA will need to:

• Review how the organisation has interpreted the regulation and taken actions in response to this, whilst also leveraging the industry response and lessons learned from COVID-19.
• Challenge management's process to identify their most important business services in order to prioritise their work and investment in operational resilience.
• Ensure that operational resilience is established across end-to-end business services, looks at business outcomes from a customer perspective and takes into account third parties and the ecosystem of the firm as a whole.
• Validate whether the organisation has adequate internal governance and a supporting control framework in place for managing operational resilience. Ensure management has plans to embed operational resilience across the organisation.
• Ensure that it has set appropriate impact tolerances for its important business services, and has documented the people, processes, technology, facilities and information that support those important business services.
Find out more
COVID-19 and operational resilience in the financial sector.
https://ukfinancialservicesinsights.deloitte.com/post/102g7ak/covid-19-and-operational-resilience-in-the-financial-sector
Preparing for the "next normal" – Build modified resilient operations.
https://www2.deloitte.com/uk/en/pages/risk/articles/preparing-for-the-next-normal.html
Operational Resilience and COVID-19: Internal Audit Planning Considerations
https://www2.deloitte.com/uk/en/blog/auditandassurance/2020/internal-audit-planning-considerations-for-internal-audit-functions.html
3. Cloud Governance and Security (2020 rank: 7)

Why is it important?

A survey by the Bank of England earlier in the year identified the presence of thousands of cloud-based applications in use across the financial services sector, noting that cloud outsourcing, "where companies store information and use software via shared virtual data and processing services, rather than relying on local servers", is becoming increasingly popular[4], as well as highly concentrated. The survey indicates that banks use cloud outsourcing more widely than insurers. They mainly use cloud outsourcing to run software and access additional processing capacity (Software-as-a-Service or SaaS) or to support IT infrastructure (Infrastructure-as-a-Service or IaaS). The use of SaaS outweighs the use of IaaS, and with digital transformations powered by cloud technologies being accelerated throughout the pandemic[5], the prevalence of cloud as the preferred technology architecture model will undoubtedly continue to grow.

What's new?

Reliance on the use of third-party outsourcing, including Cloud Service Providers, has resulted in an array of recent regulatory interest. With the EBA[6], EIOPA[7] and ESMA[8] all publishing guidance on the management of cloud outsourcing, the PRA has also published Consultation Papers seeking to enable more consistent oversight of arrangements. The Outsourcing and third party risk management Consultation Paper CP30/19[9] gives pragmatic guidance to firms for outsourcing (including cloud), with CP 29/19 (see topic 2 above) also requiring firms to determine the cloud service's materiality to the outsourcing firm.

As part of transitioning or "migrating" to the cloud, the responsibility for the operation of many controls shifts away from the outsourcer to the service provider. This is commonly referred to as "the shared responsibility model", with the balance of responsibility being dialled up or down depending upon the service and the deployment model adopted.
The accountability for the operation of effective controls as part of this broader control environment, however, resides with the outsourcer, who is also accountable in the regulators' eyes for the broader safeguarding of data and IT assets. As such, robust oversight and assurance mechanisms from the outsourcer's perspective become obligatory in this environment.

The outsourcing organisations should also periodically assess and manage their associated concentration risks, particularly in the case of over-reliance on one of the top-three cloud service providers to support critical services. The regulators are particularly concerned as this can present operational risks for the organisation itself, but also financial stability risks for the system as a whole.

What should Internal Audit be doing?

Internal audit teams considering auditing the adoption of cloud within their organisation should consider audits of cloud governance, cloud migration programmes, and targeted reviews over one or more technical areas across a stable environment / deployment. These focus areas will enable functions to understand how effectively the organisation is identifying and managing the risks associated with cloud. The nature of the deployment, the complexity of the environment and the level of maturity will in turn determine the overall audit need and specific scoping for IT audit teams.

• Cloud governance: Internal audit teams should look to provide assurance over the governance around cloud deployments to determine the extent to which risks are proactively managed and risk metrics are defined and monitored, reducing the risk of "rogue" or non-compliant deployments, for instance. This should also consider compliance with regulatory requirements with regard to the location of the cloud services. We increasingly see functions develop a Risk and Control Matrix and audit framework for cloud that, on the one hand, helps bring consistency to the delivery of cloud audit work across the function and, on the other, ensures alignment to the organisation's key risks, applicable regulatory requirements and industry good practice. The framework should leverage risk and control areas across other IT risk domains.
• Cloud programmes: These reviews should focus on: programme governance and migration approach; business case and benefits realisation; business alignment; plan for technology integration with existing infrastructure and legacy platforms; dependencies and deployment impact assessment across the technology estate.
• Targeted reviews: In order to audit specific cloud-deployed instances, internal audit teams should define an approach to prioritise the key risk areas for consideration and assessment as part of the audit. A review and challenge of cloud outsourcing register completeness will enable firms to understand their own level of concentration risk to an outsourced provider, including an overview of sub-outsourcing. Additional areas to consider include: access management across the firm and outsourcing organisation(s); potential reliance on service auditor reports or vendor external certifications; integration with legacy systems and impact assessment; governance and internal controls to identify, manage and report risks resulting from all third-party arrangements, including when they leverage embedded capabilities.

Find out more
Cloud outsourcing in financial services and COVID-19
https://ukfinancialservicesinsights.deloitte.com/post/102g6od/cloud-outsourcing-in-financial-services-and-covid-19
Cloud outsourcing – regulators clarify expectations
https://ukfinancialservicesinsights.deloitte.com/post/102g14b/cloud-outsourcing-regulators-clarify-expectations
Cloud and regulation – overcoming the barriers
https://www2.deloitte.com/uk/en/pages/financial-services/articles/cloud-and-regulation-overcoming-the-barriers.html?nc=1
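Looking through sub-outsourcing to the ultimate provider is what turns a register review into a concentration figure, and it is the step most often missing when a register lists only the SaaS vendor. The following Python routine is an added example, not part of the paper and not any firm's tooling, that runs that analysis over a constructed outsourcing register; the register shape (service, important, provider, hosted_on), the provider names and the 50% threshold are assumptions. The same through-the-chain view answers the fourth-party monitoring point raised under Extended Enterprise Risk Management below.

```python
"""Added example: concentration analysis over a constructed cloud outsourcing
register, looking through sub-outsourcing to the ultimate provider.
Register shape, provider names and the flagging threshold are assumptions."""
from collections import defaultdict

# Constructed register (not a real firm's data). hosted_on = None means the
# provider runs the service on its own infrastructure; a row with no hosted_on
# key at all means the firm never recorded the sub-outsourcing (a completeness gap).
REGISTER = [
    {"service": "Retail payments",         "important": True,  "provider": "PayCo SaaS",   "hosted_on": "CloudA"},
    {"service": "Mortgage origination",    "important": True,  "provider": "CloudA",       "hosted_on": None},
    {"service": "Customer onboarding KYC", "important": True,  "provider": "KYC SaaS",     "hosted_on": "CloudA"},
    {"service": "Trade settlement",        "important": True,  "provider": "CloudB",       "hosted_on": None},
    {"service": "Card fraud scoring",      "important": True,  "provider": "FraudAI SaaS"},
    {"service": "Internal HR",             "important": False, "provider": "HR SaaS",      "hosted_on": "CloudB"},
    {"service": "Marketing analytics",     "important": False, "provider": "CloudC",       "hosted_on": None},
]


def register_gaps(register):
    """Services whose sub-outsourcing chain has not been recorded at all."""
    return [row["service"] for row in register if "hosted_on" not in row]


def concentration(register, include_sub_outsourcing=True):
    """Per provider: how many important business services depend on it directly,
    how many via a sub-outsourced provider, and the share of all important services.
    Providers that carry no important service are not listed."""
    important = [row for row in register if row["important"]]
    counts = defaultdict(lambda: {"direct": 0, "indirect": 0})
    for row in important:
        counts[row["provider"]]["direct"] += 1
        sub = row.get("hosted_on")
        if include_sub_outsourcing and sub:
            counts[sub]["indirect"] += 1
    total = len(important)
    return {p: {**c, "share": (c["direct"] + c["indirect"]) / total} for p, c in counts.items()}


def flag_concentration(register, threshold=0.5, include_sub_outsourcing=True):
    """Providers on which at least `threshold` of important services depend."""
    result = concentration(register, include_sub_outsourcing)
    return sorted(p for p, c in result.items() if c["share"] >= threshold)


if __name__ == "__main__":
    print("Unrecorded sub-outsourcing:", register_gaps(REGISTER))
    for provider, c in sorted(concentration(REGISTER).items()):
        print(f"{provider:14} direct={c['direct']} indirect={c['indirect']} share={c['share']:.0%}")
    print("Direct view only flags:", flag_concentration(REGISTER, include_sub_outsourcing=False))
    print("Through sub-outsourcing flags:", flag_concentration(REGISTER))
```

On the constructed register the direct view flags nothing, because no single contract carries half of the important services; once the two SaaS products hosted on CloudA are traced back, CloudA carries three of five important services and is flagged. The one row with no recorded hosting is reported separately rather than silently counted as "own infrastructure", which is the completeness challenge the targeted review is meant to raise.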
4. Extended Enterprise Risk Management (2020 rank: 4)

Why is it important?

For many organisations, their third-party ecosystem, or "extended enterprise", is an important source of business value and strategic advantage. However, as the reliance on third parties continues to grow, so do the associated risks, bringing potential reputational damage and regulatory action.

What's new?

Our 2020 global survey on Extended Enterprise Risk Management (EERM) highlighted an increasingly high interest and leadership focus on third-party risk management. Likewise, this area remains a key focus for Internal Audit. Some of the key findings as reported in our survey were:

• A rise in regulatory activity related to EERM has put pressure on organisations, raising benchmarks and expectations as to the definition of good practice and maturity in this area.
• The financial impact of a failure of a third party or sub-contractor has increased significantly in the last 5 years (at least doubled).
• Organisations are more aware of the need to act as a responsible business, and this forms a top driver for investment in EERM.
• Many organisations are developing their strategy and vision to transform EERM over the next two to three years.
• Early indications show that those firms that have made appropriate investments in EERM programmes were faring better in their response to the crisis than those that did not.
• We anticipate that organisations will re-evaluate how they position third party management to cope better with high impact events, and expect rapid acceleration of the TPRM maturity curve in the next 12 months.
What should Internal Audit be doing?

We have seen that senior executives have now been extending their focus beyond risk to encompass a broader view of third party management; equally, Internal Audit functions should be looking to encompass in their third party management audits areas and sub-disciplines such as contract management, performance management, financial management, and sourcing activities. They should be auditing the design and implementation of the firm's EERM framework; seek to understand how management assesses the nature and criticality of third party relationships and related contractual terms; and how they manage the associated supplier concentration risks, including those related to critical third parties.

Third party audits should seek to explore lessons learned from the crisis and how management have taken action to revise frameworks, controls and resilience measures to take these into account. Our research suggested that most organisations were unprepared to manage third party risk in the event of large scale disruption such as the COVID-19 pandemic. The crisis highlighted the strategic impact of third-party failures, particularly when the operational resilience programmes haven't taken into account third party dependencies and associated risks.

Furthermore, controls around the monitoring of subcontractor risk (fourth or fifth party) were still quite immature or non-existent, with organisations believing that it is solely the responsibility of the third parties that engaged them in the first place.

Conversely, proactive engagement and management of third parties, and alignment with operational resilience plans, significantly reduced the risk exposure. Some indicative actions include:

• Identifying critical business activities, products and services, and instances with a high degree of dependency on third parties.
• Including intra-group arrangements, subsidiaries and affiliates in this analysis.
• Leveraging available data sources (internal and external) with regard to critical third parties to identify areas of potential risk, for instance delivery location, financial health, market sector etc.
• Developing or revalidating contingency plans for the "higher risk" third parties.

Find out more
Extended Enterprise Risk Management Survey 2020.
https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-uk-third-party-risk-management-global-survey-2020.pdf
5. Transformation and Change Assurance (2)

Why is it important?

The crisis has elevated the need for strategic change and transformation up the board agenda to enable organisations to adapt, survive and thrive in a changed environment. It has also dramatically disrupted how change is delivered within organisations and the way change teams now operate. With remote delivery having been forced on change teams, they have had to adapt and transform their approach to ensure they were still able to effectively deliver change whilst minimising its impact on the delivery plan.

What’s new?

In this new landscape there is an increased need to deliver change at pace in order to adapt and keep up with the realities of a rapidly evolving macro environment. This, in turn, has driven (or accelerated) the adoption of new delivery methodologies and techniques, e.g. Agile, in order to deliver at speed whilst adapting to frequent changes to requirements due to unforeseeable external factors.

In many cases, this has compounded the burden on the change teams as they adapt their ability to deliver programmes remotely, in an environment of frequent flux and often moving requirements. They are having to transition to new alternative methods of delivery, are training individuals and recruiting SMEs, whilst grappling with the challenge of how to maximise the full potential of these delivery approaches when having to deliver change using remote teams.

What should Internal Audit be doing?

With this fundamental shift in the approach to delivering change, it is important for Internal Audit to focus on the organisation’s portfolio of change to ensure that the ability for organisations to meet their regulatory requirements or organisational strategic objectives has not been materially impacted. There are some key areas that we recommend Internal Audit should focus on:
• Continuous assurance: Establishing a continuous oversight and assurance approach that follows the change portfolio’s lifecycle and helps to ensure, for example, that programmes are appropriately resourced and have the right controls in place to achieve time, cost and quality objectives. As the assurance plan develops, the overall portfolio governance arrangements should be continually monitored for changes and potential delivery ‘fatigue’.

• Leverage other assurance functions: Leveraging the relevant governance and assurance functions to review specific aspects of the project or programme at the right time can provide early visibility of risks and drive timely action before issues materialise. This can be achieved through the use of the second line for ongoing oversight, challenge and support, especially in regard to risk around the change methodology and factoring its impact on the wider portfolio of change. Close collaboration between all lines of defence around the delivery of change assurance is critical to provide the optimal levels of assurance most efficiently across the change portfolio.

• Portfolio level assessments: The function should also look beyond individual transformation activity and ensure their work also covers the overall portfolio management practices; the role of the board and executives in terms of portfolio oversight against strategic transformation objectives; the realisation of benefits across the wider portfolio; and whether individual programmes add value against the overall portfolio.

• Agile reporting: The ability to provide near real time visibility of risks and flag concerns before issues materialise will be key to help drive successful delivery and added-value assurance, meaning a traditional “after the fact” audit will no longer suffice.

• Skills and training: Internal Audit teams need to be alert to any changes to delivery approaches by change teams, for example a shift away from waterfall delivery to Agile or DevOps delivery approaches, and plan to have the necessary skills and capabilities in place to be able to adequately provide oversight and assurance on these programmes.

Find out more

Project Assurance; bridging the gap between your boardroom and projects.
https://www2.deloitte.com/lb/en/pages/finance/solutions/capital-projects/project-assurance.html
6. Digital Risk (5)

Why is it important?

Measures introduced in response to COVID-19 have driven many financial services organisations to accelerate their digital transformation initiatives. During the past few months we have noted elevated levels of adoption of digital technologies, with increased reliance placed upon new digital platforms, collaboration tools and distribution channels. At the same time, we are seeing organisations implementing new norms in the way they run their operations, including the way they manage a large remote workforce. In this climate, the need to adapt or transform can be fundamental to the success and survival of many organisations, and this is seen by many as an opportunity and catalyst to embrace digital transformation.

At the same time, the nature and pace of those digital initiatives introduce new “digital” risks, as well as changes to how existing, known risks manifest, at a time when getting it wrong can quickly create the next social media storm or front-page news story. Existing control processes have needed to be flexed at short notice, and often without fully understanding the potential knock-on impacts. Much like reckless spending can result in financial debt, rapid changes made in the heat of the moment can lead to an accumulation of “control debt”.

What’s new?

Disruptive technologies, such as Artificial Intelligence (“AI”), robotic process automation and advanced analytics, continue to be a core area of focus for organisations as part of this digital transformation drive. The response to the pandemic has again highlighted to businesses the benefits of using these technologies to promote workforce productivity and operational efficiency, as well as allowing digital connections and improved, faster interactions with their customers. At the same time, recent headlines in the UK about unfair and biased outcomes of algorithm-based decision-making highlight some of the potential ethical and practical challenges businesses are currently facing.

Technologies continue to advance rapidly, and assurance functions and regulators are attempting to strike a balance between innovation and control, whilst also providing firm guidance on digital ethics. Increasingly, organisations may be seeking to operate an integrated assurance model to provide assurance over digital risks, promoting collaboration across lines of defence, as organisations look to build their skills and knowledge in these areas.
What should Internal Audit be doing?

Internal Audit should continue to play a key role in challenging management’s approach to adopting these technologies and ensuring that the risks to the wider business are suitably understood, assessed and managed. As a result, auditors need to adapt their way of thinking to anticipate these risks as they arise (new / evolved, or existing risks manifesting in different ways).

Digital ethics is of increasing relevance to regulators and customers alike, which means organisations and developers will also have to take notice. As well as providing assurance and guidance to management in this area, Internal Audit should ensure that ownership of digital ethics is clearly defined. The EU regulators have provided relevant guidance in the area of “trustworthy” AI¹⁰, and these principles should be duly considered by auditors, as well as factored into their digital reviews. As AI and data analytics will progressively play an important role in detecting patterns of vulnerable customer behaviour, for example, this will allow organisations to provide timely support and improve customer interactions from a conduct standpoint.

However, ethics can also inform difficult judgement decisions and trade-offs when using AI enabled solutions, so appropriate consideration and assessment against key (interconnected) risk domains such as data protection, conduct requirements, ethical considerations and an overarching robust governance framework will be essential.

Where Internal Audit functions are introducing these technologies themselves, a number of factors require careful consideration; Chief Internal Auditors should be clear on the overall digital transformation strategy relating to the use of increased automation within the function, the risks being introduced and how these are to be managed.

Find out more

Managing the digital risks of a remote workforce.
https://www2.deloitte.com/uk/en/pages/risk/articles/managing-the-digital-risks-of-a-remote-workforce.html?id=uk:2sm:3li:4dcom_share:5awa:6dcom:risk

Digital dependence: How to balance speed with control?
https://www2.deloitte.com/uk/en/pages/risk/articles/digital-dependence-how-to-balance-speed-with-control.html?id=uk:2sm:3li:4dcom_share:5awa:6dcom:risk
7. Data Governance (6)

Why is it important?

Data should be seen by organisations as a key differentiator in maintaining competitive advantage, providing distinctive, customer-centric services and increasing the efficiency of their operations. Many organisations, however, continue to struggle, not only to effectively capitalise on their data, but to protect it.

Data protection, data privacy and data governance remain topics of continuous attention and focus by senior management and Internal Audit teams alike. In another year dominated by data breaches and regulatory fines, it comes as no surprise that this is again amongst the hot topics and a planning priority for 2021. Data management failures or breaches have drawn significant regulator and public scrutiny and have resulted in increased regulations and pressure by boards for management to improve their data governance procedures, policies and related data protection safeguards.

What’s new?

The significant increase in remote working amongst employees during the pandemic has heightened the information security risks that organisations are facing. More specifically, data loss and data protection risks are particularly elevated, compounded by the increase in fraudulent activity by malicious actors over the past few months. This is an area that will continue to be a major focus as we move into the next phase, post-crisis. Organisations realise the strong connection between protecting and safeguarding data and the broader resilience, data breach and incident response capabilities across the organisation. Businesses are seeking to develop effective data breach response programmes, to enable them to effectively weather a potential breach/crisis when/if it occurs. Such initiatives will encompass processes to ensure the business engages effectively with customers, the public and media, while trying to resolve the crisis.
What should Internal Audit be doing?

Some of the areas of focus for Internal Audit are:

• Data governance: Despite the strategic importance of data, many firms have been slow to implement data governance and accountability frameworks, which could enable a better coordinated and more effective approach in the use of data. This, in turn, increases the risk of regulatory fines or poor decision making that can lead to the misallocation of critical resources or missed business opportunities - in leveraging the data capabilities of new digital technologies, for instance.

• Data privacy and regulation: Internal Audit should assess the implemented data privacy policies, framework and controls to comply with the General Data Protection Regulation (GDPR), and broader data privacy objectives. From complying with existing regulations, to preparing for new requirements on a global or multi-region scale, organisations should have established processes to deal with the complex matrix of relevant regulatory requirements.

• Data security: Data auditors should coordinate with information security / cyber audit SMEs and focus on technical data protection controls, including Data Leakage Prevention solutions and other security controls to prevent data breaches. The level of manual processing or legacy functionality within key business applications should form a key component of any Internal Audit opinion on key application systems, as these are often the trigger points for data leakage within many financial services organisations.

• Data breach response: Internal Audit should challenge management on their customer data breach readiness procedures. Breaches will continue to occur, and it is actually a case of “when rather than if”. Organisations that have experienced such events recognise that these are hugely complex events on many levels: technically, strategically and operationally. Internal Audit should review these areas, focusing on clear accountabilities, cross-functional collaboration, and readiness to respond on a timely basis in order to contain the issue while providing high levels of customer service to help safeguard reputation.
8. IT Strategy and Governance (8)

Why is it important?

With the increasing prevalence of technology and, importantly, the digitisation of business operations, the requirement for a strong link between information technology and business strategy has never been more important. And yet, many organisations still struggle to combine the two effectively. IT should be seen as a catalyst for business enablement, contributing to a competitive edge and innovative customer offerings. Often there are organisational and cultural barriers hindering the effective engagement between IT and business functions, driven in part by a traditional (and frankly outdated) mindset that sees IT purely as a back office support function with limited added value to the customer.

What’s new?

CIOs and IT departments were at the forefront of COVID-19 crisis response activities, supporting the continuity of operations and customer service via infrastructure upscaling or the provision of new digital services. Robust IT governance arrangements that included efficient resource and vendor management, contingency plans, robust policies and operating procedures proved to be the defining aspects of an effective, agile response during the crisis.
What should Internal Audit be doing?

Internal Audit has a continued role to play in challenging the strategic direction of IT as well as its alignment with business objectives, and this role has been elevated by recent global events. Functions need to have a strong understanding of both the IT and business strategy as well as a perspective on the complexities of the existing IT environment, in order to be well placed to assess risks and challenges in this area. Areas of focus should include:

IT Strategy Refresh Processes

• A review of current plans for refresh of the IT strategy should be timely, particularly in view of the economic outlook and changes to the broader market and operating environment. Of particular focus should be how clearly the IT strategy links to the business strategy, and the governance structures to ensure it is properly discussed, agreed and approved. Innovation and transformative ways to disrupt traditional IT operating models, such as migrating to the cloud and adoption of DevOps operating models, may be considered during strategic refresh to demonstrate diversity of thought and genuine challenge to the status quo.

Digital Strategy and Architecture Enablement

• Digital tools and a move to “digitalisation” are gaining sufficient traction in the sector. Many enterprises are considering their “digital strategy” and the architecture which enables the business to realise its digital goals. Internal Audit can play a role in highlighting the robustness of the approach and the strength of capability around digital strategy delivery. The suitability of the strategy itself, as well as the maturity of the associated control framework and governance practices, also form important areas for Internal Audit to provide a viewpoint on.

• The current market, economic, and social conditions indicate “this is the time for transformational, not incremental, change” – something that in many cases puts pressure on CIOs to move quickly and lead digital transformation initiatives. There is a risk here that these programmes may be reactive to the market without having considered the integration with the existing, legacy technology estate. Getting the basics right, such as remediating existing technology weaknesses, before embarking on such initiatives would be key for success, preventing unnecessary complexity that would raise the risk exposure of the organisation.
Shadow IT

• “Shadow IT” indicates IT systems deployed and supported by departments outside central IT and, by definition, not aligned to the central IT strategy and direction. A review of such areas, in combination with broader governance practices, can provide useful insight into the strategic provision of IT within the business and its true alignment to business strategy. Business departments operating their own IT platform indicate areas of the business which may not be fully served by the existing IT department and strategy. A high propensity for shadow IT can also be indicative of a poor culture, or poor engagement between IT and business.

Find out more

Findings from the Deloitte 2020 Global Technology Leadership Study.
https://www2.deloitte.com/us/en/insights/topics/leadership/global-technology-leadership-study.html ¹¹
9. Payments (NEW)

Why is it important?

The payments market has been undergoing significant disruption in the last few years. Regulatory scrutiny remains high, as firms develop new payment strategies and respond to increasing compliance requirements. Recent instances of payment system-related outages and cyber-attacks have also attracted a lot of attention. The Revised Payment Services Directive (PSD2) has been in force in the UK since 2018, and firms are continuing on their journey to fully adapt their customer propositions and technology operating models. Two of the most impactful areas of PSD2 were governed by the requirements set out within the Regulatory Technical Standard (RTS) and are as follows:

• The requirement to use Strong Customer Authentication (SCA) for electronic payments;

• The Open Banking requirements, namely allowing Third Party Providers (TPPs) to access account information and initiate payments on behalf of customers through dedicated interfaces powered by Application Programming Interfaces (APIs) or through Modified Customer Interfaces (MCIs).

What’s new?

Organisations are required to ensure that their implementation of the above PSD2 requirements is well governed, documented, periodically tested, evaluated and audited by operationally independent auditors with expertise in IT security and payments processes. Firms are in the process of preparing their review for their first full fiscal accounting year which, for the majority, will be December 2020 or March 2021 year ends.

Furthermore, to counter cyber-attacks on the SWIFT network, SWIFT introduced the Customer Security Programme (CSP) as a mandatory compliance initiative for the global SWIFT community, consisting of core security standards and an assurance framework applicable to all members – not limited to financial service organisations.