Technology & Digital

Financial Services Internal Audit Planning Priorities 2021

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2021. We hope this informs your 2021 planning and assurance approach.

6.1. Digital Transformation Risk

Measures introduced in response to COVID-19 have driven many financial services organisations to accelerate their digital transformation initiatives. During the past few months we have noted elevated levels of adoption of digital technologies, with increased reliance placed upon new digital platforms, collaboration tools and distribution channels. At the same time, we are seeing organisations implementing new norms in the way they run their operations, including the way they manage a large remote workforce. In this climate, the need to adapt or transform has arguably never been more important to the success and survival of many organisations, and this is seen by many as an opportunity and catalyst to embrace digital transformation.

At the same time, the nature and pace of those digital initiatives introduce new “digital” risks, as well as changes to how existing known risks manifest, at a time when getting it wrong can quickly create the next social media storm or front-page news story. Existing control processes needed to be flexed at short notice, and often without fully understanding the potential knock-on impacts. Much like reckless spending can result in financial debt, rapid changes made in the heat of the moment can lead to accumulation of ‘control debt’.

Disruptive technologies, such as Artificial Intelligence (AI), robotic process automation and advanced analytics, continue to be a core area of focus for organisations as part of this digital transformation drive. The response to the pandemic has again highlighted to businesses the benefits of using these technologies to promote workforce productivity and operational efficiency, as well as allowing digital connections and improved, faster interactions with their customers. At the same time, recent headlines in the UK about unfair and biased outcomes of algorithm-based decision-making highlight some of the potential ethical and practical challenges businesses are currently facing. Technologies continue to advance rapidly, and assurance functions and regulators are attempting to strike a balance between innovation and control, whilst also providing firm guidance on digital ethics. Increasingly, organisations may be seeking to operate an integrated assurance model to provide assurance over digital risks, promoting collaboration across lines of defence, as organisations look to build their skills and knowledge in these areas.

Internal Audit should consider the following areas of the control environment:

  • Digital technologies: Internal Audit should continue to play a key role in challenging Management’s approach to adopting these technologies and ensuring that the risks to the wider business are suitably understood, assessed and managed. As a result, auditors need to adapt their way of thinking to anticipate these new and emerging risks as they arise.

    Where Internal Audit functions are introducing these technologies themselves, a number of factors require careful consideration; Chief Internal Auditors should be clear on the overall digital transformation strategy relating to the use of increased automation within the function, the risks being introduced and how these are to be managed.
  • Digital ethics: Digital ethics is of increasing relevance to regulators and customers alike, which means organisations and developers will also have to take notice. As well as providing assurance and guidance to Management in this area, Internal Audit should ensure that ownership of digital ethics is clearly defined.

    The EU regulators have provided relevant guidance in the area of ‘trustworthy’ AI, and these principles should be duly considered by auditors, as well as factored into their digital reviews. As AI and data analytics will progressively play an important role in detecting patterns of vulnerable customer behaviour, for example, this will allow organisations to provide timely support and improve customer interactions from a conduct standpoint.

    However, ethics can also inform difficult judgement decisions and trade-offs when using AI enabled solutions, so appropriate consideration and assessment against key (interconnected) risk domains such as data protection, conduct requirements, ethical considerations and a robust governance framework will be essential.

6.2. Cyber Security

Cyber threats will likely remain one of the most frequent risks to organisations and will continue to be one of the top agenda points for boards and Risk Committees in the financial services sector. Indeed, cyber-attacks have increased significantly in the wake of the pandemic, with “phishing” emails connected to COVID-19 reported to have increased 600%. Security vendors are reporting massive spikes in attacks including scams, breaches, blackmail and email compromise.

The COVID-19 crisis has also been characterised by a significant increase in fraudulent activity, including instances of social engineering fraud leading to identity theft. Cyber fraud flourishes when people are most vulnerable, or their personal, family or work circumstances are under significant change. The risk of unauthorised system access is also compounded as employees are forced to work remotely.

In addition, organisations have been facing a multitude of threats to their survival. Tough decisions have had to be made, usually at pace and with limited information for staff regarding how they can continue to operate or service customers: for example, how they provision IT resources to remote working staff, and how they continue to deliver core services (e.g. online and via digital channels). This has required existing control processes, on occasion, to be flexed or changed.

  • Remote working: Internal Audit functions should review the business’ remote working policy, focusing on aspects such as: the need for work screens to be locked and laptops secured when not in use; Bring Your Own Device schemes; and other associated controls, such as the use of multi-factor authentication. Additional areas of focus should be security requirements for wi-fi networks and device security measures such as personal routers and Virtual Private Networks (VPNs). Organisational controls around automated monitoring and alerting should be enabled, with alerts when the corporate VPN is switched off, for instance.
  • Vigilance and cyber risk awareness: Internal Audit functions should investigate the levels of cyber awareness across the organisation and look into the programmes to re-educate staff on cyber threats, or reinforce key messages via CEO or CISO communication, for example. In an environment where malicious threat actors prey on emotions and uncertainty in an attempt to bypass training and rational thinking, the need for all employees to be alert to cyber issues and hyper-vigilant to phishing attacks has never been more pressing.
  • Resilience: Functions will need to be able to support the increased reliance on digital technology and IT transformation programmes, including the need to factor in cyber resilience-by-design, and adopting the principles of the regulators around operational resilience. As covered in our Operational Resilience topic, cyber risks will likely remain the most frequent threat to operational resilience, and should continue to be factored into any Internal Audit work.
  • Cyber risk governance and monitoring: The immediate need to facilitate and support remote working for almost all staff has led some organisations to loosen some controls in the short term, such as the need for VPN, dual authentication, or monitoring. With levels of remote working likely to remain higher than they were pre-COVID-19, organisations may need to find ways to ‘reset’ the balance and increase flexibility without compromising security or “flexing” controls beyond risk appetite. Internal Audit leaders should challenge Management where the control environment goes beyond risk appetite, and recommend alternative arrangements, such as strengthening of controls, restricting access to high risk staff or for sensitive data. The effectiveness of monitoring or alerting controls designed to spot ‘unusual’ patterns of activity and flag them for further investigation should be considered in those cases.

6.3. Data Privacy and GDPR

Data should be seen by organisations as a key differentiator in maintaining competitive advantage, providing distinctive, customer-centric services and increasing the efficiency of their operations. Many organisations, however, continue to struggle, not only to effectively capitalise on this data, but to protect it. Data protection, data privacy and data governance remain topics of continuous attention and focus by senior Management and Internal Audit teams alike. In another year dominated by data breaches and regulatory fines, it comes as no surprise that this is again amongst the hot topics and a planning priority for 2021. Data management failures or breaches have drawn significant regulator and public scrutiny and have resulted in increased regulations and pressure by Boards for Management to improve their data governance procedures, policies and related data protection safeguards.

The significant increase in remote working amongst employees during the COVID-19 pandemic has heightened the cyber risks that organisations are facing. More specifically, data loss and data protection risks are particularly elevated, compounded by the increase in fraudulent activity by malicious actors over the past few months.

This is an area that will continue to be a major focus as we move into the next phase, post-pandemic. Organisations realise the strong connection between protecting and safeguarding data and the broader resilience, data breach and incident response capabilities across firms.

Businesses are seeking to develop effective data breach response programmes, to enable them to effectively weather a potential breach crisis when/if it occurs. Such initiatives will encompass processes to ensure the business engages effectively with customers, the public and media, while trying to resolve the crisis.

Internal Audit focus areas should include:

  • Data governance: Despite the strategic importance of data, many firms have been slow to implement data governance and accountability frameworks, which could enable a better coordinated and more effective approach in the use of data. This, in turn, increases the risk of regulatory fines or poor decision making that can lead to the misallocation of critical resources or missed business opportunities – in leveraging data capabilities of new digital technologies, for instance.
  • Data privacy and regulation: Internal Audit should assess the implemented data privacy policies, framework and controls to comply with General Data Protection Regulation (GDPR), and broader data privacy objectives. From complying with existing regulations, to preparing for new requirements on a global or multi-region scale, organisations should have established processes to deal with the complex matrix of relevant regulatory requirements.
  • Data security: Data auditors should coordinate with information security/cyber audit SMEs and focus on technical data protection controls, including Data Leakage Prevention solutions and other security controls to prevent data breaches.
  • Data breach response: Internal Audit should challenge Management on their customer data breach readiness procedures. Breaches will continue to occur, and it is actually a case of “when rather than if”. Organisations that have experienced such events recognise these are hugely complex events on many levels: technically, strategically and operationally. Internal Audit should review these areas, focusing on clear accountabilities, cross-functional collaboration, and readiness to respond on a timely basis in order to contain the issue while providing high levels of customer service to help safeguard reputation.