Technology & Digital
Financial Services Internal Audit Planning Priorities 2023
Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2023. We hope this informs your 2023 planning and assurance approach.
5.1. Digital Transformation and Change
Investment in strategic change has rebounded post-pandemic. Many organisations are now investing in long-term growth again and looking at ways to create new revenue opportunities rather than reacting to operational challenges and the need to protect colleagues, customers, and services. They are looking at how they attract new customers and better engage with existing ones through new digital services offerings. The competition for talent and the evolving skills landscape is forcing organisations to look at new and faster ways to deliver change without key dependency on internal experts. This creates new areas of risk, as well as opportunities to streamline governance and control processes, making it increasingly important that Internal Audit engages with the business early in the lifecycle to help organisations manage risks proactively.
Focus on strategy, product design and innovation. The main driver for change programmes is not only to reduce operational costs and more effectively manage risk, but to attract new customers and increase engagement with existing customers through new digital services and better customer journeys.
Increase in partnership. Due to high competition for talent, organisations are looking to collaborate with “best of breed” partners (including those outside of traditional financial services organisations) to support internal capabilities with specialist expertise and knowledge.
Investment in, and enhancement of, project management processes, tooling and capabilities, together with building and developing internal Quality Assurance and Risk functions.
The introduction and use of data analytics tools for transparency, visibility, and better management of dependencies across the programmes, as well as having the appropriate level of resources that can interpret and make decisions based on the data.
The use of agile tools continues to gain popularity, with a focus on improving collaboration and cohesiveness across project teams. Adoption of agile and continuous monitoring methodologies is seen as one of the most effective ways to reduce delays in programme delivery.
Internal Audit functions need to be proactively assessing the organisation’s innovation and digital transformation strategy and approach to assess whether it will benefit the business in the long term. The key is not to penalise for single product or delivery failures but look at the overall programme potential.
Internal Audit should assess whether the level of governance is appropriate for agile delivery and review the organisation’s control environment to ensure the right level of controls is in place for agile programme delivery, leveraging continuous monitoring solutions to minimise delay.
Internal Audit should work more closely with First and Second Line Risk and Control functions to support the organisation in its transformation journey and get involved early in the programme lifecycle. It is critical that effective management information and adequate reporting are in place to allow relevant senior stakeholders to provide the right level of governance and oversight. Effective stakeholder management and governance at senior levels can help foster an operationally effective environment throughout a programme lifecycle.
As organisations adopt new analytical tools, there is a danger that the business accumulates too many systems in the pursuit of accelerated digitalisation without proper assessment of performance and benefits. Internal Audit should plan an assurance review of how these tools are embedded across the organisation to ensure they deliver value for money. A holistic approach is needed, where the reviews cover systems, structures, skills, and capabilities.
5.2. Cloud Hosted Technology Environments
Cloud hosted environments have been widely adopted across all sub-sectors of the Financial Services (FS) industry, with many organisations having started their strategic Cloud migration journey 2-3 years ago. Cloud is now both an integral part of corporate strategy and day-to-day operations; however, risk and control functions continue to face challenges in keeping pace with the rapid transition, scaling risk management activities and enabling organisations to adopt Cloud at pace and with confidence. There are significant regulatory pressures around Cloud use, and these are increasing globally, while many organisations that have embraced Cloud are yet to realise the full benefits.
As cloud environments become more commonplace, the modification and adaptation of existing IT risk and control frameworks is increasingly important. False ‘baseline’ assurance is often placed over fresh migrations to the cloud, where it is assumed that due assessment of the controls and risks in the cloud environment has already been undertaken; but as organisations have moved gradually / piecemeal to the cloud, it is highly likely that the underlying risk profile and exposure have changed since the cloud environment assessment was performed.
Many organisations started their cloud transition journey as a key part of their broader digital transformation 2-3 years earlier and are now looking to understand the benefits realised from investment – so, demonstrating added value, objectives / benefits realisation, or tangible service performance improvement are key priorities.
Other emerging areas of regulation are often heavily impacted by cloud, and so it is increasingly important to ensure strong linkage between an organisation’s cloud team and regulatory and compliance specialists. Organisations have to consider their cloud usage and understand the implications of these services for their Operational Resilience. This has led to Regulators requesting Internal Audit functions to review cloud-related submissions such as the completeness and accuracy of the cloud outsourcing register.
Internal Audit functions need to reflect on the increasing adoption of Cloud and treat it as a new “technology environment” or part of their “digital universe”, rather than an application or a component to be audited in isolation. They should consider implementing an approach of looking into Cloud environment components or thematic areas on a cyclical basis and assess adequacy of coverage as part of planning. Furthermore, Cloud should also be considered as a broader trigger point during business audit planning, for example, planning for each audit should raise key questions around Cloud usage (as well as third parties more broadly) in the delivery of a given business service or process.
Enterprise use of Cloud should be reviewed holistically to evaluate concentration risk and how the organisation is able to manage the potential impact of Cloud on operational resilience and associated tolerances.
It is also sensible for functions to reflect on the assurance that is provided over Cloud service providers, and whether a piecemeal adoption of Cloud solutions has resulted in an overarching control framework which lags the prevalence of Cloud usage. Focussing on Management’s understanding of Cloud usage across the enterprise, and on the controls which prevent the procurement of Cloud capabilities outside of established governance / procurement processes, can be a high-risk area of focus here.
Internal Audit functions need to evaluate and truly understand the risks in the context of Cloud and how these should be controlled. For example, development access to production environments should be controlled through comfort over the configuration of Cloud pipelines and controls over changes to code, rather than through traditional controls such as review of user access lists.
5.3. Cyber Security Incident Response
The financial services sector is the most targeted because of its obvious access to accounts and funds. Any organisation would potentially suffer numerous and substantial consequences from a successful hack or security event that could include one or all of the following: breach of General Data Protection Regulation (GDPR) and hence significant fines for loss of data, loss of confidential information, loss of key operational systems and a reduction in customer confidence. The reputational risk factor in this sector is very high and any loss of trust could have a highly negative impact.
The sector also relies on multiple third parties which increases the risk of third-party hacking, i.e. an attacker gains access to their systems and data by attacking one of their suppliers or partners.
The sector continues to be at the forefront of new cyber risk defences, with technologies such as Multi Factor Authentication (MFA), biometrics and electronic authentication.
Cloud adoption continues at a high pace, leading to an all-time high in the number of institutions availing of Cloud services, with often inadequate effort being placed on Cloud security.
Ransomware continues to present a significant risk across all sectors, with financial services being no exception. We are seeing the prevalence of (double and triple) extortion, which can be particularly damaging owing to the exfiltration of sensitive data in addition to the cessation of operations. After encrypting victim networks, threat actors use double or triple extortion by threatening to (1) release stolen data, (2) disrupt access and / or (3) inform victims’ customers, employees, partners or suppliers about the incident.
There has been a significant increase in the implementation of artificial intelligence technologies to aid detection efforts and identify fraud, identity theft, and other suspicious activities in real time.
Social engineering remains a common infiltration tactic. Staff, customers and employees are falling victim to targeted phishing attacks at ever increasing rates.
There is an increasing concern over the potential use of ‘Deep Fake’ technology for identity theft. Deep Fake technology refers to synthetic media that leverages powerful techniques from machine learning and artificial intelligence to generate visual and audio content that looks real in order to manipulate or deceive the viewer. This technology is seeing rapid development, while deep fake detection technology is developing relatively more slowly.
There is still a balance to be struck between customer convenience e.g., mobile application payments and banking, and appropriate regulation and security.
Review the “incident response” ability of the organisation, i.e. the capability across various domains to prevent, detect, mitigate, and respond to ransomware incidents.
Review the organisation's cyber security strategy in the context of operations, environment and current organisation. This will include checking alignment to future business, people and organisational plans.
Review the management of third-party services – this should include initial take-on, contracts, relationship management and review.
Consideration also needs to be given to the agents and suppliers that those third parties themselves rely upon – the subcontractors, or “fourth party” services.
Review the ability of the organisation to detect and pull back / recover from a major cyber security incident or breach (other than ransomware).
Review the overall cyber capability at Management and Board level.
Confirm simulation / exercises are being conducted across the business and that subsequent observations / outputs are being tracked and remediated where required.