IT Internal Audit
Ensuring effective identification and evaluation of the significant technology risks
Organisations are increasingly embracing more complex and sophisticated technology solutions in an effort to provide a wider suite of services, reach more customers and drive greater efficiencies.
Internal audit functions must draw on expertise to ensure the right technology risks are identified and related controls assessed, including cyber security, the changing data privacy agenda, growing technology resilience dependencies and challenges with implementation of digitalisation across the business. The risks associated with such solutions are significant and, if not addressed, can result in severe impacts on operations with associated adverse reputational impacts, costs, and in some instances, regulatory intervention.
In such circumstances, Boards and Audit Committees are often held to account and are challenged over whether appropriate insights were obtained to help evaluate whether the technology risks – principally to the ongoing confidentiality, integrity and availability of systems and data – are being effectively managed. Understanding these risks is critical to ensuring that the right countermeasures are in place and operating effectively. Internal Audit therefore has a fundamental role to play in reviewing and providing assurance over the way in which an organisation evaluates its technology risks and implements the related controls.
At BDO, our IT Internal Audit team is well versed in assessing traditional and emerging technology risks. We have a formal IT risk evaluation methodology to ensure the assessment of risk is both consistent and comprehensive, drawing upon deeper skills within the team as required (for example, cyber security threat intelligence).
The methodology recognises six main areas of IT risk:
- IT Security
- IT Governance
- Managing change
- IT Operations
- IT Continuity
- Strategic Leadership
Behind each risk sit numerous sub-risks, each of which can be separately evaluated and used to benchmark an organisation’s maturity in the operation of its mitigating controls.
BDO’s IT Internal Audit team possesses significant experience of performing audit procedures over a broad spectrum of technology risks (e.g. cyber security, business resilience, data management). The team uses COBIT 5 as a framework, supported by industry experience and a number of analytical tools that enable the efficient production of detailed outputs and meaningful recommendations.