Technology & Digital
Financial Services Internal Audit Planning Priorities 2022
Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2022. We hope this informs your 2022 planning and assurance approach.
6.1 Digital Risk
Why is it important?
The pandemic has accelerated the societal trend towards greater use of digital services by both corporate and personal customers, across the UK and global economy, and financial services (FS) has been no exception. FS businesses across all sub-sectors of the marketplace are having to consider their digital strategies and make use of new digital service offerings more than ever before, in order to continue offering what their customers need, when they need it. Whilst the transformation of digital services driven by the COVID-19 pandemic has not been as pronounced in FS as in some sectors (retail, for example), those FS organisations which had embraced digital services to a greater degree have been better placed to adapt and respond to changing consumer demands. Fast-paced change and adoption of digital services do, however, bring with them a plethora of risks to be managed, and many businesses are challenged to evolve as required whilst also managing these risks effectively.
- The last 18 months have seen wholesale interruption of established supply chains for FS products, alongside changing product requirements from customers.
- The velocity required of FS organisations to successfully change their digital presence across new products and new digital challenges, whilst managing increased demand for existing web and mobile digital channels, has been unparalleled.
- The regulatory framework around digital services continues to evolve, with areas such as cloud, operational resilience, and third party risk management all being subjected to increasing levels of regulation.
- As digital becomes increasingly central to organisations’ business strategies, it is becoming more challenging for businesses to ensure they have the right skillsets on hand, from a technical standpoint as well as the associated transformation skills for digital delivery (agile, DevOps, etc.).
- Further, the requisite skills and methodologies to provide risk and compliance assurance from all Three Lines of Defence over digital areas remain in short supply.
- The convergence of related risks such as conduct issues and digital (for example where Artificial Intelligence (AI) is making customer decisions), continues to emerge and evolve, and drives the continuing regulatory agenda in relation to digital.
What should Internal Audit be doing?
- Internal Audit functions need to remain sufficiently close to the digital strategy, and to the business’s delivery of it, to recognise when the two are diverging. Given the COVID-19 pandemic, 2022 may be a good time to reassess the business fit of the technology strategy (including digital).
- Review whether the Second Line framework-driven approach to risk management meets all the needs of the business in managing risk day-to-day. If not, then what is the gap and how can Internal Audit functions support the business in closing the gap?
- Coordinate with the other Lines of Defence at the scoping and planning phases of assurance activity, aiming for a combined view across the Three Lines of Defence as to how best to focus risk and audit resources on the areas of highest priority risk.
- As business change delivery approaches and related skills evolve, consideration of how the governance framework should evolve to support these new approaches may be wise. Agile change delivery still requires a methodology and an approach, but our repeated experience with clients tells us this is often not the case.
- Review of key risk areas which highlight the interplay between technology and business areas can also inform the digital risk landscape, for example:
  - Product design governance;
  - Web and mobile development processes; and
  - Data governance and security.
6.2 Cloud
Why is it important?
Cloud services have continued to be adopted rapidly across all sub-sectors of the financial services (FS) industry in 2021 and are becoming ubiquitous, with cloud-based IT service delivery across the sector enabling organisations to adapt business models, products and channels. Risk and control functions, including Internal Audit, are often struggling to keep up with the rapid transition to cloud technologies at many organisations. There are significant and rapidly increasing regulatory pressures around moving to the cloud, and many organisations have significant cloud migration programmes coming to fruition which require suitable assurance regimes.
- As cloud becomes more commonplace, the modification and adoption of existing IT risk and control frameworks is increasingly important. False ‘baseline’ assurance is often placed over fresh migrations to the cloud, where it is assumed that due assessment of the controls and risks in the cloud environment has already been undertaken; but as organisations have moved to the cloud gradually and piecemeal, it is likely that risks and materiality have changed since that cloud environment assessment was performed.
- Other emerging areas of regulation are often heavily impacted by cloud, so it is increasingly important to ensure strong linkage between an organisation’s Cloud team and its regulatory and compliance specialists. For example, the Operational Resilience Supervisory Statements released in 2021 by the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) contain requirements that often oblige organisations to consider their cloud usage and understand the implications of these services for their operational resilience. This has led to Regulators requesting that Internal Audit functions review cloud-related submissions, such as the completeness and accuracy of the cloud outsourcing register.
- Cloud transformation programmes have continued to be front and centre of many organisations’ change agendas, but have had to be delivered in unfamiliar circumstances during the COVID-19 lockdowns that have occurred globally in the last 12-18 months. For large-scale migrations (those which involve a complete exit from the on-site data centre), assurance over the business case, cost savings and performance metrics of the delivered cloud estate is paramount, as is mapping of the organisation’s control framework to the cloud solution controls to assess continuity of coverage.
- ‘Software as a Service’ (SaaS) offerings, where a third party hosts and administers all aspects of the platform including the application itself, continue to proliferate. Because the SaaS provider is responsible for a greater range of IT controls than under ‘Infrastructure as a Service’ (IaaS) or ‘Platform as a Service’ (PaaS), third party risk management concerns become of increasing importance to the delivery of services.
What should Internal Audit be doing?
- Internal Audit functions need to reflect on the increasing adoption of cloud and consider whether an approach of looking at cloud on a cyclical basis is still appropriate, or whether cloud should now be treated as a broader trigger point during audit planning (i.e. whether key questions about cloud usage in the delivery of a given business service or process should become a standard part of planning every audit).
- Now may also be a sensible time to reflect on the assurance that is provided over cloud service providers, and whether piecemeal adoption of cloud solutions has resulted in an overarching control framework which lags behind the prevalence of cloud usage. Focussing on Management’s understanding of cloud usage across the enterprise, and on the controls which prevent procurement of cloud capabilities outside of IT’s knowledge and established procurement processes, can be a useful area of focus here.
- Given the ever-increasing regulatory burden and the overlap with other areas of emerging regulatory attention (such as operational resilience), assessment of the involvement of risk and compliance functions, and of the skills and capability available, in providing the oversight and assurance regime for cloud is also a logical consideration.
- Internal Audit functions need to truly understand and evaluate the risks in the context of cloud and how these should be controlled. For example, developer access to production environments should be controlled through assurance over the configuration of cloud deployment pipelines and the controls over changes to code, rather than through traditional controls such as review of user access listings.
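To make the last point concrete, the following is an added example (not from the report, and not any cloud provider's real API) of how an auditor might test the control "production changes flow only through a governed pipeline" against a model of the estate rather than against a user access listing. The data model, field names (`prod_permissions`, `required_reviewers`, `deploy_identity`, and so on) and both sample estates are constructed assumptions for illustration; in practice they would be populated from the provider's IAM and repository configuration exports.

```python
"""Audit check: is production change restricted to a governed deployment pipeline?

Added example, not the report's own material. The estate model below is an
assumption for illustration; field names do not correspond to any real cloud API.
"""
from dataclasses import dataclass


@dataclass
class Principal:
    name: str
    kind: str                 # "human" or "service" (assumed classification)
    prod_permissions: set     # assumed permission names, e.g. {"read", "deploy"}


@dataclass
class RepoPolicy:
    default_branch: str       # branch the pipeline is expected to deploy from
    required_reviewers: int   # approvals needed before a merge is allowed
    require_status_checks: bool
    allow_force_push: bool


@dataclass
class Pipeline:
    deploy_identity: str      # the only principal that should be able to deploy
    deploys_from_branch: str
    requires_approval_for_prod: bool


def audit_prod_change_controls(principals, repo, pipeline):
    """Return a list of control findings; an empty list means every test passed."""
    findings = []

    # Test 1: no human identity can alter production directly.
    for p in principals:
        direct = p.prod_permissions & {"deploy", "write_config"}
        if p.kind == "human" and direct:
            findings.append(f"human principal {p.name} can change production directly: {sorted(direct)}")

    # Test 2: only the pipeline's own identity holds the deploy permission.
    deployers = {p.name for p in principals if "deploy" in p.prod_permissions}
    for extra in sorted(deployers - {pipeline.deploy_identity}):
        findings.append(f"principal {extra} can deploy outside the pipeline")

    # Test 3: the code-change control exists on the deployed branch.
    if repo.required_reviewers < 1:
        findings.append("merges to the default branch need no reviewer")
    if not repo.require_status_checks:
        findings.append("status checks (tests/scans) are not enforced before merge")
    if repo.allow_force_push:
        findings.append("history of the default branch can be rewritten by force-push")

    # Test 4: the pipeline really deploys the governed branch, with an approval gate.
    if pipeline.deploys_from_branch != repo.default_branch:
        findings.append(f"pipeline deploys from '{pipeline.deploys_from_branch}', "
                        f"which is not the protected branch '{repo.default_branch}'")
    if not pipeline.requires_approval_for_prod:
        findings.append("pipeline promotes to production without an approval step")

    return findings


# Constructed sample estates (assumptions, not real data).
WEAK_PRINCIPALS = [
    Principal("alice.dev", "human", {"read", "deploy"}),
    Principal("ci-deployer", "service", {"deploy"}),
    Principal("ops-admin", "human", {"read", "write_config"}),
]
WEAK_REPO = RepoPolicy("main", required_reviewers=0, require_status_checks=False, allow_force_push=True)
WEAK_PIPELINE = Pipeline("ci-deployer", deploys_from_branch="release", requires_approval_for_prod=False)

HARDENED_PRINCIPALS = [
    Principal("alice.dev", "human", {"read"}),
    Principal("ci-deployer", "service", {"deploy"}),
    Principal("ops-admin", "human", {"read"}),
]
HARDENED_REPO = RepoPolicy("main", required_reviewers=2, require_status_checks=True, allow_force_push=False)
HARDENED_PIPELINE = Pipeline("ci-deployer", deploys_from_branch="main", requires_approval_for_prod=True)

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_PRINCIPALS, WEAK_REPO, WEAK_PIPELINE)),
                        ("hardened", (HARDENED_PRINCIPALS, HARDENED_REPO, HARDENED_PIPELINE))):
        print(f"[{label}]")
        for f in audit_prod_change_controls(*args) or ["no findings"]:
            print("  -", f)
```

The point of the example is the shape of the evidence: the weak estate produces eight findings even though a user access listing for production would show only two humans, whereas the hardened estate passes because the pipeline identity is the sole deployer and the branch it deploys from is protected by review, status checks and an approval gate.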
6.3 Cyber Security
Why is it important?
The financial services sector is the most targeted because of its obvious access to accounts and funds. Any organisation would potentially suffer numerous and substantial consequences from a successful hack or security event that could include one or all of the following: breach of GDPR and hence significant fines for loss of data, loss of confidential information, loss of key operational systems and a reduction in customer confidence. The reputational risk factor in this sector is very high and any loss of trust could have a highly negative impact.
The sector also relies on multiple third parties, which increases the risk of third party hacking, i.e. an attacker gaining access to an organisation’s systems and data by attacking one of its suppliers or partners.
- Over the past year there has been continued growth of targeted phishing and whaling attacks aimed at the ‘soft underbelly’: staff, customers and suppliers.
- Disruptors continue to push new technologies and processes which need to be secured.
- The financial services sector continues to be at the forefront of new cyber risk defences with technologies such as multi-factor authentication, biometrics and electronic authentication.
- There has been growth in FinTech tools that use Artificial Intelligence (AI) and machine learning to detect fraud, identity theft or other suspicious activity in real time.
- There is still a balance to be struck between customer convenience e.g. app payments and banking, and regulation and security.
- There has been increased investment in cyber threat intelligence models and in tools such as security information and event management (SIEM) platforms: the collection and sharing of intelligence, information, patterns of attack and potential vulnerabilities, to enable businesses to learn and develop their defences over time.
- Ever increasing use of cloud services as cloud security continues to mature—the fear of using the cloud to host financial systems and services has all but disappeared.
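As an added illustration of the SIEM point above (not material from the report, and not any vendor's rule language), the following is a small correlation rule of the kind a SIEM runs over collected authentication events: a burst of failed logins from one source within a short window, followed by a success from that source, is raised as an alert. The log format (`<timestamp> OK|FAIL user=<u> src=<ip>`) and every line in the sample log are constructed for the example; the thresholds are assumptions an analyst would tune.

```python
"""SIEM-style correlation: burst of failed logins from one source, then a success.

Added example, not the report's own material. Log format and sample events are
constructed; a real SIEM would normalise vendor logs into such a schema first.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed normalised event format produced by the collection stage.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    """Parse one normalised event; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def correlate(lines, threshold=5, window_seconds=120):
    """Emit an alert when >= threshold failures from a source are followed,
    within window_seconds, by a successful login from that same source.

    Events are assumed to arrive in time order (a SIEM sorts on ingest).
    """
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)   # src -> deque of (ts, user) inside the window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                         # unparsable line: skip, do not crash the rule
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                      # slide the window forward
        if ev["result"] == "FAIL":
            q.append((ev["ts"], ev["user"]))
        elif len(q) >= threshold:            # success after a burst of failures
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(q),
                "distinct_users": len({u for _, u in q}),
                "at": ev["ts"].isoformat(),
            })
            q.clear()                        # one alert per burst
    return alerts


# Constructed sample log. Source 198.51.100.7 sprays several accounts and then
# succeeds; 203.0.113.9 is a user mistyping once; 192.0.2.20 fails five times
# but spread over hours, so the sliding window never holds enough failures.
SAMPLE_LOG = """\
2022-01-10T09:00:01Z FAIL user=bob src=198.51.100.7
2022-01-10T09:00:03Z FAIL user=bob src=198.51.100.7
2022-01-10T09:00:04Z FAIL user=carol src=198.51.100.7
2022-01-10T09:00:06Z FAIL user=dave src=198.51.100.7
2022-01-10T09:00:09Z FAIL user=erin src=198.51.100.7
2022-01-10T09:00:12Z OK user=erin src=198.51.100.7
2022-01-10T09:05:00Z FAIL user=alice src=203.0.113.9
2022-01-10T09:05:30Z OK user=alice src=203.0.113.9
2022-01-10T11:00:00Z FAIL user=frank src=192.0.2.20
2022-01-10T11:30:00Z FAIL user=frank src=192.0.2.20
2022-01-10T12:00:00Z FAIL user=frank src=192.0.2.20
2022-01-10T12:30:00Z FAIL user=frank src=192.0.2.20
2022-01-10T13:00:00Z FAIL user=frank src=192.0.2.20
2022-01-10T13:01:00Z OK user=frank src=192.0.2.20
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print("ALERT:", alert)
```

Run on the sample, the rule raises exactly one alert, for 198.51.100.7 (five failures across four accounts, then a success as `erin`), and stays silent for the two benign sources. The value of the window is visible in the third source: five failures is the threshold, but spread over two hours they never co-exist inside the 120-second window, which is what keeps the rule from paging on ordinary forgotten-password behaviour.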
What should Internal Audit be doing?
- Review the current cyber security strategy in the context of operations, environment and current organisation. This will include checking alignment to future business, people and organisational plans.
- Review the management of third party services. This should include initial take-on, contracts, relationship management and ongoing review. Consideration also needs to be given to the agents and suppliers that those third parties themselves rely upon, i.e. fourth party services.
- Review the ability of the organisation to detect and react to any major cyber security incident or breach.