The number, scale and complexity of IT risks facing organisations continue to grow, underscoring the importance of managing IT risk effectively. Failing to manage these risks can lead to embarrassing and costly incidents such as the loss of sensitive data, failed software upgrades or revenue misstatement where computer applications fail to operate correctly. As a result of these types of incidents, executive management are increasingly aware that IT-related risks can impose very large costs on an organisation's bottom line and do lasting damage to its reputation.
Within the financial sector it is often the role of IT Risk functions, in combination with Operational Risk, Security and other Compliance functions, to report, manage and mitigate these risks, whilst setting policy and ensuring and monitoring appropriate governance and control over technology.
Why is it an issue?
Many organisations already have existing and significant spend on activities to manage selected IT risks - information security programmes, regulatory compliance, business continuity, SOX, incident management solutions, project risk, IT internal audit and IT governance committees for example. However, the effectiveness of this expenditure is often challenged when mistakes are still made.
IT risks continue to evolve, with threats becoming ever more sophisticated and difficult to mitigate. This, in addition to the ever-increasing regulatory focus, means the role of IT Risk functions within organisations is evolving rapidly, with ever greater expectations placed on the assurance and services they provide.
- Benchmarking of technology risk management functions and processes against recognised good practice and industry peers
- Establish and refresh technology risk management frameworks, including control rationalisation, design, and implementation
- Implementing process improvements to technology risk functions, ranging from incremental enhancements to existing processes through to large scale change
- Utilising tools to manage delivery of technology risk management and demonstrate compliance with requirements from a single source.
The role of the Internal Audit department has expanded, both in scope and the requirement to deliver tangible value to the business. The business environment is growing more complex by the day with rapidly changing technologies, increasing demand for IT services among business units, and the continual expansion of the “extended enterprise” all translating into greater IT risks for most organisations.
Many new regulations in the industry, for example Solvency II for insurers and Basel III for banks, will require significant technology and business change projects to be undertaken. Internal Audit are often asked to perform independent assessments over such projects. The ability of IA functions to mobilise the appropriate specialist resource, to ensure the right risks are focused upon and a robust review is performed, is essential given the reliance Audit Committees and senior management place on such reviews.
The increasing regulatory focus on internal audit and its capabilities, including the use of data analytics techniques both to review entire populations of data and to provide insights into an institution's data, presents a further challenge for internal audit functions in terms of developing such capability. This is an area we see becoming far more prevalent in the industry in the coming year.
- Deloitte is able to offer flexible resourcing options to clients ranging from complete outsourcing of IT IA to partial co-sourcing arrangements
- Deloitte is able to assess the end to end effectiveness of internal audit functions including IT
- Our specialist project risk professionals are experienced in reviewing significant change programmes and in identifying the common pitfalls to successful implementation
- Drawing upon our specialist business, risk, regulatory and technology professionals we are able to significantly enhance the capability of IA functions for specific one-off reviews