
6. Digital Risk (▼5)

2021 Hot Topics for IT Internal Audit in Financial Services

October 2020

Why is it important?

Measures introduced in response to COVID-19 have driven many financial services organisations to accelerate their digital transformation initiatives. During the past few months we have noted elevated levels of adoption of digital technologies, with increased reliance placed upon new digital platforms, collaboration tools and distribution channels. At the same time, we are seeing organisations implementing new norms in the way they run their operations, including the way they manage a large remote workforce. In this climate, the need to adapt or transform can be fundamental to the success and survival of many organisations, and this is seen by many as an opportunity and catalyst to embrace digital transformation.

At the same time, the nature and pace of those digital initiatives introduce new “digital” risks, as well as changes to how existing, known risks manifest, at a time when getting it wrong can quickly create the next social media storm or front-page news story. Existing control processes have needed to be flexed at short notice, and often without fully understanding the potential knock-on impacts. Much like reckless spending can result in financial debt, rapid changes made in the heat of the moment can lead to accumulation of “control debt”.
 

What’s new?

Disruptive technologies, such as Artificial Intelligence (“AI”), robotic process automation and advanced analytics, continue to be a core area of focus for organisations as part of this digital transformation drive. The response to the pandemic has again highlighted to businesses the benefits of using these technologies to promote workforce productivity and operational efficiency, as well as allowing digital connections and improved, faster interactions with their customers. At the same time, recent headlines in the UK about unfair and biased outcomes of algorithm-based decision-making highlight some of the potential ethical and practical challenges businesses are currently facing.

Technologies continue to advance rapidly, and assurance functions and regulators are attempting to strike a balance between innovation and control, whilst also providing firm guidance on digital ethics. Increasingly organisations may be seeking to operate an integrated assurance model to provide assurance over digital risks, promoting collaboration across lines of defence, as organisations look to build their skills and knowledge in these areas.

What should Internal Audit be doing?

Internal Audit should continue to play a key role in challenging management’s approach to adopting these technologies and ensuring that the risks to the wider business are suitably understood, assessed and managed. As a result, auditors need to adapt their way of thinking to anticipate these risks as they arise (new / evolved, or existing risks manifesting in different ways).

Digital ethics is of increasing relevance to regulators and customers alike, which means organisations and developers will also have to take notice. As well as providing assurance and guidance to management in this area, Internal Audit should ensure that ownership of digital ethics is clearly defined. The EU regulators have provided relevant guidance in the area of “trustworthy” AI¹, and these principles should be duly considered by auditors, as well as factored into their digital reviews. AI and data analytics will progressively play an important role in, for example, detecting patterns of vulnerable customer behaviour, which will allow organisations to provide timely support and improve customer interactions from a conduct standpoint.

However, ethics can also inform difficult judgement decisions and trade-offs when using AI enabled solutions, so appropriate consideration and assessment against key (interconnected) risk domains such as data protection, conduct requirements, ethical considerations and an overarching robust governance framework will be essential.

Where Internal Audit functions are introducing these technologies themselves, a number of factors require careful consideration; Chief Internal Auditors should be clear on the overall digital transformation strategy relating to the use of increased automation within the function, the risks being introduced and how these are to be managed.

____________________________________________________________

1 Building Trustworthy AI. A comprehensive approach to conduct, data protection, and ethics
