10. Systems Development

2021 Hot Topics for IT Internal Audit in Financial Services

October 2020

Why is it important?

Organisations are continuously seeking efficiencies across their IT operations and application development is no exception. The adoption of DevOps methodologies (combining IT development and IT operations) is still maturing, aiming to drive efficiencies through automation and collaboration in application development.

What’s new?

Organisations have also been utilising other means to gain efficiencies and meet business demand. For example, low-code, no-code (“LCNC”) development platforms allow users with little or no programming experience to build and publish new applications, without writing any lines of code. Even though LCNC platforms have been around for years, they are recently enjoying increased popularity among developers and non-developers who are seeking to reduce “time to market”. Such platforms are usually provisioned by third parties and they increase the risk profile of systems development. When configuring such platforms, striking the right balance between appropriate and sufficient controls whilst allowing for innovation to happen is key. Experimentation through the usage of “sandboxes” is a mechanism which some organisations have used to identify where this balance lies.

What should Internal Audit be doing?

Awareness is increasing across Internal Audit teams around the adoption of DevOps and LCNC platforms, and the role they play in version control, collaborative development, build validation, testing, and quality assurance. Controls implemented following the adoption of DevOps may look substantially different to traditional ones, but should still focus on addressing the same underlying risks. Organisations must have an understanding of their risk appetite and the extent to which such approaches affect their risk exposure, and they should be challenged on this.

Internal Audit’s approach towards assuring LCNC needs to be adapted depending on the maturity of such platforms and their supporting processes, the users who operate them, and the solutions which they help develop. Certain key areas to look out for are:

  • Third party controls around onboarding, ongoing management and exit of such vendors and platforms need to be assessed so that the right foundations are in place in line with the criticality of their use within the organisation. 
  • Internal Audit teams will need to challenge the consistency and diligence with which the controls within such platforms have been configured and are operated.
  • Organisations are expected to apply levels of security testing to code developed using LCNC platforms that are proportionate to those applied to code developed using traditional means. Access controls that safeguard the appropriate segregation of access to data remain fundamental.
  • With the necessary guardrails in place, and operating within predefined boundaries, users can build solutions which are governed appropriately and which could therefore contribute positively to limiting shadow IT. To realise such benefits it is important that the right governance measures are in place ahead of organisation-wide adoption.
  • It is key that second and third line of defence teams are engaged at the right time to provide input and feedback, ensuring the organisation progresses along its digital transformation journey in a controlled manner.