
Information and Controls Assurance

Organisations are constantly challenged with an increasing number of information technology security threats, technology outages, data integrity and quality issues, IT governance concerns and privacy mandates. Organisations need to be sure of the integrity, confidentiality, and availability of their information and underlying systems. This requires information systems that are properly deployed, monitored and controlled. Organisations are therefore looking to IT Advisory specialists to provide assurance that appropriate controls are designed and operating effectively to manage these technology risks, both today and in the future.

Deloitte assists organisations with the identification and management of Information Technology related risks. Our services include the following:

Our Services

Deloitte has the breadth of resources, skills and experience to meet the most fundamental IT audit and advisory requirements including:

  • IT Internal Audit (Co-Sourcing and Outsourcing)
  • Integrated External IT Audit
  • IT Controls Transformation
  • Third Party Assurance (ISAE3402)
  • IT Risk and Governance

IT Internal Audit

The role of the Internal Audit department has expanded, both in scope and the requirement to deliver tangible value to the business. The IT Audit environment is growing more complex by the day. Rapidly changing technologies, increasing demand for IT services among business units, and the continual expansion of the “extended enterprise” all translate into greater IT risks for most organisations. The IT Audit and Compliance functions are tasked with keeping tabs on these risks. Deloitte’s IT Internal Audit services can be tailored to suit any organisation’s sourcing, co-sourcing and knowledge transfer needs, and fit within our proven IT internal audit methodology.

Integrated external IT audit

Based on an understanding of the client’s business, the risks that the organisation faces and its IT internal controls, Deloitte professionals assess the risk of material misstatement of the financial statements and then design effective audit procedures. For public companies subject to the internal control reporting requirements of global regulations (such as the Sarbanes-Oxley Act), Deloitte integrates the audit of IT internal controls over financial reporting with the audit of the financial statements. Our professionals bring a comprehensive IT audit methodology that leverages extensive professional and technical resources tailored to an organisation's specific circumstances.

IT Controls transformation

IT internal controls not only help prevent bad things from happening, they can also drive performance. Right-sizing your IT controls helps keep costs down, grow revenue, secure assets, and achieve legal and regulatory compliance. Conversely, the wrong level of controls costs money, wastes resources, leaves organisations exposed, increases compliance costs, and distracts management from running the business. Proper controls can spur innovation and growth. When management knows the right controls are in place, they can confidently rely on those controls to manage the risks that they take. In challenging times, even the most mature organisations need to consider whether their controls are relevant, efficient, and adaptable to their needs.

Deloitte focuses on assessing, testing, and assisting organisations in improving IT processes and IT controls, transforming the way our clients effectively address business, technology, and financial statement risk. Deloitte helps organisations improve business performance by increasing the effectiveness and efficiency of functions closely linked to the financial statements and the related IT internal controls.

Third party reporting (ISAE3402)

Third Party Reporting includes ISAE3402, Service Auditor and Assurance Services. These services provide an independent assessment of the organisation's control procedures and establish whether those controls meet the objectives stated by management. The third-party services may be used to demonstrate those controls to customers and their auditors. The third-party services minimise the number of requested audits of the service organisation's internal controls by different customers and their auditors. Assurance services provide management with a level of assurance over business and/or IT controls.

Deloitte professionals perform third-party services, help organisations get ready for third-party reporting, and provide assistance throughout the entire examination process. Deloitte offers practical, pragmatic views and insights related to an ever-changing market and focuses on having the right combination of industry experience, technology specialisation, and qualified professionals to help organisations through their entire process.

IT Governance

IT governance consists of the leadership and organisational structures and IT management processes that ensure that the organisation’s IT sustains and extends its strategies and objectives. The purpose of IT governance is to direct IT endeavours, to ensure that IT performance meets the IT objectives.

Deloitte professionals assist with and advise on:

  • Determining the appropriate governance processes, structures, and mechanisms to increase business-IT alignment
  • Diagnosing the current IT-governance processes, structures, and mechanisms to determine where improvements can benefit a business’s bottom line
  • Developing efficient and effective IT organisation and processes by aligning IT with organisational objectives
  • Realising the expected benefits of IT through increasing efficiency/automation, decreasing costs, and reducing complexity
  • Analysing which IT costs can be reduced through controls rationalisation

IT Risk Assessments

It is widely accepted that IT risk is a component of the overall risk universe of the enterprise. Other risks an enterprise faces include strategic risk, environmental risk, market risk, compliance risk, etc. IT risk is a business risk, specifically the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. In this context, it is important to identify and manage potentially significant IT risk issues.

Deloitte can assist clients in performing a risk assessment to determine the inherent risk related to the use of IT.

A Deloitte proprietary IT Risk Management (ITRM) Diagnostic has been developed to perform IT risk assessments. It is based on the COSO (Committee of Sponsoring Organisations of the Treadway Commission) enterprise risk management framework and has been organised into a set of primary ITRM Framework components. Within these components, a set of underlying ITRM risk domains has been created.

Key contacts


Shahil Kanjee
+27 (0)11 806 5353
+27 (0)83 634 4445
kanjee@deloitte.co.za


Danita de Swardt
+27 (0)11 806 5208
+27 (0)82 777 1817
ddeswardt@deloitte.co.za