2021 Hot Topics for IT Internal Audit in Financial Services


2021 Hot Topics for IT Internal Audit in Financial Services

Confronting Uncertainty

November 2020

We are pleased to issue our latest review of the information technology hot topics for Internal Audit functions in financial services.

This is based on our survey and discussions over the past six months with Chief Internal Auditors and Heads of IT Audit across UK financial services organisations, who have openly shared their areas of focus and the organisational challenges in relation to their firms’ technology control environment.

CIOs and technology leaders played, and continue to play, significant roles during the recent crisis by leading recovery plans, acting as ‘change’ agents, and stepping beyond their functional leadership role. COVID-19 will continue to have significant implications for businesses, leading them to accelerate the move from physical to virtual ways of operating. Technology leaders are expected to architect significant enterprise changes as part of digitalisation programmes that may touch on customer channels, products, and ways of working.

PDF - 3.1mb

These priorities are reflected in our paper, with this year’s top-10 topics presented under a lens of “lessons learned” from the crisis thus far.

The impact of digitalisation is reflected in an elevated focus on cloud, digital risk and transformation topics. That said, Cyber continues to be the at the top of the list, not surprisingly perhaps, as organisations struggle to deal with a notable increase of attacks, at a time when the organisational set up has completely changed with the prevalence of remote and mobile working.

Operational resilience, now more than ever, is a key area of regulatory and business focus. Heads of IT Internal Audit need to examine how management is planning to ride the uncertain times ahead and rebuild confidence for the future by ensuring their response is resilient, safeguards the welfare and well-being of people, and is able to adapt to demand and supply challenges.

One of the principal lessons we have seen arising from the crisis, is that the more analytics-savvy and digitally mature functions performed better. They continued to provide assurance in a nonintrusive manner, analysing available data (e.g. business performance, incidents, customer complaints, cyber-attacks) in a manner that provided a level of visibility over the nature of risks faced by the organisation as well as the effectiveness status of key controls that was imperative at the time. In an environment where some functions had to pause all auditing activity, or were told to defer meetings with key staff during the initial phase of the crisis, the use of analytics and digital tools helped separate the truly ‘resilient’ functions.

We see IA functions of the future embracing digital-enabled transformation, continuous risk assessment, automated testing, exploratory analytics, and more broadly, agile methods as a way of decreasing costs and adding value. A deeper digital transformation and the use of data-driven auditing will not be merely required by Audit Committees as a nice-to-have, but in our view would be core for the development of a resilient and a high functioning function of the future.

In the graph below, the size of the bubble reflects the ranking in this year’s list, while the horizontal axis shows the threat environment - internal or external to the organisation. The vertical axis classifies the topics across the spectrum of existing/known, new and emerging risks.

Click on the picture to enlarge

Through the years: 2012-2021

Below is a comparison of the top 10 IT internal audit hot topics over the past ten years as identified through our annual survey of Heads of IT Internal Audit in the financial services sector. Topics which appear in more than two years have been colour-coded to help illustrate their movement in the top 10 over time.

Click on the picture to enlarge

Insert CSS fragment. Do not delete! This box/component contains code needed on this page. This message will not be visible when page is activated.

Did you find this useful?