
Hot topics in technology and digital risk 2024

Innovating responsibly

An internal audit viewpoint

We are pleased to welcome you to our annual viewpoint on the technology and digital risk hot topics for internal audit functions and the top priorities and key challenges for organisations to focus on in their upcoming internal audit plans for 2024.

The technology and digital internal audit hot topics publication presents the results of a survey run across all UK industry sectors, and is based on an online survey completed by Heads of IT Internal Audit and Heads of Internal Audit, combined with qualitative insights and perspectives from interviews held with IT internal audit practitioners, as well as CIOs, CISOs, CTOs and business leaders across sectors.

We hope you find these insights useful and informative, and please get in touch if you’d like to discuss anything in this publication further.

The results of this year’s survey explore the hot topics below, along with all top 10 priorities organisations should consider in their technology and digital internal audit plans for 2024.

‘Cyber security’ continues to dominate the top position on the hot topics list, having maintained its place for the past decade.

'Cloud' remains an important topic as organisations have developed more mature approaches to address its challenges, leading to a shift in focus towards other areas.

‘Data’ has also moved up the rankings as an internal audit trend to focus on, indicating that as organisations grapple with the increasing volume and complexity of data, the focus on effective data management and governance has become paramount.

Following the emergence of ‘artificial intelligence’ (AI) as a hot topic in last year's publication, it has gained significantly more attention in this year's survey as expected.

IT internal audit functions are increasingly compelled to address ‘emerging trends’ areas such as AI, blockchain, and robotic process automation (RPA). These technologies bring new challenges and opportunities, requiring internal audit functions to adapt and ensure effective risk management and control in these rapidly evolving fields. With this opportunity and innovation, organisations across sectors will need to assess and effectively manage these emerging technology and digital risks, so as to exploit the upside potential and build and maintain a competitive advantage.

As we move forward, it is crucial for IT internal audit functions to stay ahead of the curve and proactively address this emerging technology landscape to provide valuable insights and assurance to their organisations.

Hot topics

Why is it important?

 

Cyber risk remains one of the most important topics in the agendas of business leaders and regulators alike. This has reached the top of our survey for 2024, with respondents quoting the evolving threat landscape (with nation-state threats particularly prominent), the increased reliance on technology, regulatory requirements, and the ever-expanding attack surface. Chief amongst the areas of concern are ransomware attacks, which have developed from an operationally disruptive phenomenon to a sophisticated suite of attack vectors that block systems, extract data and provide opportunities for further blackmail and extortion.

Organisations continued to reference the need to manage changes to their risk profile through increased digitisation of processes and activities, which provide efficiency and cost reduction, but also expose poorly designed processes and systems to many attack vectors.

There is also a very clear desire for constant hardening in the cyber security environment and to ensure that there is a level of consistency across the organisation’s wider control environment, with no divisions or subsidiaries dragging down the overall maturity level for the organisation.

What’s new?

 

Cybercriminals are developing more complex strategies, utilising cutting-edge technology, and taking advantage of weaknesses in digital systems. Using the most recent technological developments, such as AI and automation, cloud security, and cyber threat intelligence, organisations can protect data from malicious attacks, such as hacking.

We have added three areas of emerging cyber security technologies for 2024.

01. Ransomware-as-a-Service (RaaS)

In recent years, the number of ransomware attacks, where cyber criminals encrypt a victim’s files and demand a ransom, has increased. In fact, they affected 66% of organisations in 2021, an increase of 78% over 2020, according to the Sophos “The State of Ransomware 2022” report. We can anticipate a rise in the use of RaaS platforms in 2024. Additionally, organisations must develop a strong security policy and robust cyber hygiene if they want to safeguard against RaaS risks. These procedures will become even more crucial in the coming years, as RaaS is anticipated to rank among the top cyber security trends during 2024.

02. AI-powered attacks

Criminal groups are attempting to use AI and GenAI to create more advanced attacks, and we anticipate an increase in AI-powered attacks that elude conventional security measures in 2023. For instance, AI can construct malware that adapts its behaviour to evade detection by security software or make realistic phishing emails that easily trick consumers.

03. Supply chain attacks

Attacks on the supply chain aim to access the systems and data of customers by targeting third-party vendors and service providers. The likelihood of a supply chain attack rises as organisations depend more on a network of partners and suppliers. Supply chain attacks are likely to increase in 2024 as cybercriminals look for ways to weaken an organisation’s security. To reduce the danger of a supply chain attack, organisations must also evaluate the security posture of their partners and put in place robust access controls.

What should internal audit be doing?

Why is it important?

 

The continuous evolution in technology comes with great opportunities for organisations, but also new and unknown risks. Across the market there is significant in-flight transformation aiming to modernise legacy infrastructure, improve customer experience and deliver better margins through the adoption of cloud, AI and big data technologies that can help improve efficiency and reduce cost. However, organisations face challenges when it comes to monitoring the benefit realisation and the outcomes these initiatives drive for the business.

Most of the transformation we are seeing is driven by:

  • M&A activity which leads organisations to want to streamline their services and product offerings whilst wanting to provide better and faster services
  • digital initiatives that continue to be the main conduit for organisations to deliver their strategic priorities
  • regulatory pressures, which organisations continue to face and which often come with large technology and data remediation components
  • the need to keep up with competition and ever-increasing customer demands.

In order to respond quickly to the market demands, organisations are looking to engage third-parties in their transformation activities while moving to Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) solutions. This increases third-party risk and shifts the focus to more robust third-party oversight.

Organisations also see the creation of a common, strategically linked language and methodology for digital transformation as a means for achieving digital advantage and adaptability. They also continue to digitally transform their business models with more hybrid working and fewer face-to-face interactions, although a number of organisations have recently asked their staff to return to the office and change keeps adapting to these trends.

What’s new?

 

In 2023, the market has been operating under significant uncertainty which leads organisations to more conservative spending and a cost constrained environment. This means that a large part of the change portfolio is delivered internally with limited resources and there is greater scrutiny on priorities and budgets.

The ongoing adoption of new digital technologies, including GenAI and increased use of cloud has led to a need for organisations to establish how to best integrate them within their current environment and service offering, manage their risk and potentially develop new value propositions and use cases for existing and new customers and markets.

Agile methodology and tools continue to be popular, and we’re seeing more and more organisations adopting these not just in their operations but also in their audit functions. These tools are targeted to improve collaboration across the organisation, and agile, combined with continuous monitoring, is being used effectively to make programme delivery quick and efficient.

There are still large regulatory initiatives that drive strategic decisions for organisations (i.e. the Consumer Duty Act, Digital Services Act, ESG and DORA), which necessitate robust change frameworks that enable cross-functional delivery and effective management oversight.

What should internal audit be doing?

Why is it important?

 

Data governance, data management, and data quality are wide-ranging disciplines and processes across organisations that ensure that data is an asset, and not a liability. Data continues to be a core focus area for internal audit functions. We’ve seen various instances in the news where poor data governance resulted in fines and reputational damage. Indeed, data governance and quality are critical components of global regulatory requirements such as GDPR with steep penalties for non-compliance. Recent years have seen some hefty fines levied against large organisations with a maximum penalty of £17.29m or 4% of global revenue. The biggest fines seen are above £17.29m with the highest recorded so far being £43.2m.

Data is, and will remain, crucially important across all businesses and industry sectors. Good data governance, sound processes and robust data management are key enablers of using data to make informed business decisions and remain compliant with regulation.

What’s new?

 

Data governance is not a new area for many organisations; it has been a frequent feature in our IT internal audit hot topics list for many years. However, we have seen increased focus on data quality, data governance, and stewardship over the past year.

Many functions have been called on to review data strategies and data governance frameworks and these are fast becoming standard features in most annual internal audit plans. From our interactions with clients and discussions with industry experts, we have also noted the following:

An increased number of businesses have mentioned data strategy implementation or refresh with a focus on tooling, resourcing, and skills. This is in part due to the continued move from legacy to modern solutions, particularly where legacy tooling is going out of service.

There has been an increase in the definition of roles and responsibilities regarding data ownership across sectors. However, this is still in its early stages with challenges around data requiring multiple teams to have access, and, in many cases, limited understanding of who is using their data and how.

For many organisations, the focus is still on short term activities and setting up a data governance framework, writing policies, establishing ways of working and building the foundation for successful data governance going forward. While this is encouraging, we see many organisations potentially caught up in delivery of short-term objectives rather than focusing on longer-term strategic data goals, with the current cost-conscious corporate environment often driving this behaviour.

Additionally, we notice organisations continually struggle with designing and implementing data strategies and overarching effective governance. Attrition in key data roles often impacts this with multiple attempts to improve data governance being undertaken without much progress seen.

While more advanced from a technology standpoint, some businesses are using sophisticated analytics like machine learning for continuous monitoring and automation. Barriers such as low data quality and challenges with access are slowing or preventing progress. The speed at which technology is moving and the adoption of GenAI solutions means organisations may need to accelerate their data governance activities to ensure they optimise the value from GenAI and remain future-fit.

Internal audit functions are increasingly using analytics to aid the audit process and provide improved data-driven insights. However, our recent digital and analytics survey shows data access and quality is still a blocker with 69% of functions reporting access to appropriate data being their biggest barrier, and data quality also recognised as a key challenge across 56% of survey respondents. This is one indicator of the impact of immature data governance and data quality processes on utilisation of data.

In the Financial Services sector, one of the key topics defined by the European Banking Authority (EBA) for banking supervision in 2023 is the aggregation of risk data and data governance. The current status is far from satisfactory. Therefore, there is renewed supervisory focus on this aggregation of risk data and the principles for effective risk data aggregation and risk reporting as defined in BCBS 239. It is expected that this focus will significantly impact banks, so adequate focus from internal audit functions will be required.

What should internal audit be doing?

Why is it important?

 

Enterprise adoption of AI systems has been growing for a number of years, and during 2023, GenAI has truly captured the imagination of the world, fuelling discussion among businesses and policymakers. It is incredibly rare for any emerging technology to achieve these levels of adoption and frequency of usage so rapidly. While initial use was mainly by individuals, Deloitte’s research also found that a third (32%), or approximately 4 million, of the people in the UK who have used GenAI have done so for work, and organisations are investing heavily in enterprise use cases.

With the rapid acceleration and integration of GenAI into business functions, AI and accordingly GenAI risk management, will continue to be a hot topic for internal audit teams throughout 2024 and beyond.

GenAI is a subset of artificial intelligence in which machines create new content in the form of text, code, voice, images, videos, or processes. Large language model (LLM) capabilities are powering an easily accessible interface that enables GenAI to have its breakthrough moment and surprise even specialists in the field.

To mitigate and minimise these risks, organisations are actively investing in the development of controls to enable them to innovate with confidence. AI controls are managing data privacy and security risks, as well as ethical considerations and concerns about the reliability of outputs created by GenAI. Internal audit functions are also looking at the developing regulatory landscape and assuring that their organisation is preparing for the arrival of this regulation.

In conjunction with the publication of regulations and guidance, the pace of AI development and deployment for the UK is expected to intensify, as the UK government pushes to be a global leader in AI development.

What’s new?

 

With the recent release of GenAI systems such as ChatGPT in November 2022, Bard by Google in March 2023, and Amazon’s release of its open source LLM called Falcon in June 2023, the interest around GenAI has increased, with organisations and individuals exploring how they can utilise the tools. Further, there have been changes this year to the AI regulatory landscape, and guidance has been published to aid people and organisations as they navigate the use not only of GenAI, but all forms of AI.

The EU AI Act (latest development from June 2023)

The European Parliament AI Act, which is expected to come into action in Q1 2024, is a regulatory risk-based approach to classify AI systems and manage the development, distribution, and use of AI systems.

AI regulation: a pro-innovation approach white paper (published in March 2023)

Following the collaboration of multiple UK government departments, the National AI Strategy outlines an innovation focussed approach to AI development. Investing in the long term needs of AI ecosystems, and supporting the transition to an AI enabled economy, can establish the right national and international governance of AI technologies. The white paper outlines the Government’s plans to regulate artificial intelligence, identifying AI as a critical technology. A new framework will encourage innovation in a responsible manner to drive growth and public trust making the UK a global leader in AI.

ISO AI risk management framework (published in February 2023)

ISO published risk management guidance for organisations that are developing and deploying AI.

NIST framework (published in January 2023)

The National Institute of Standards and Technology (NIST) has collaborated with organisations from both public and private sectors to develop the NIST AI risk management framework. The guidance is voluntary and aims to help organisations understand the considerations that should be made during the design, development, use, and evaluation of AI systems.

 

What should internal audit be doing?

 

While GenAI technology is still developing, it is already being adopted by organisations at pace. Internal audit functions are understanding to what extent their organisation is using this technology, and to what extent they are planning to invest in it. Internal audit teams are upskilling themselves to understand the risks associated with GenAI, which include the full suite of existing risks associated with IT, but also GenAI specific considerations such as ‘hallucinations’, ethical AI, transparency and AI accountability.

As AI technology advances, internal audit teams must stay abreast of the developments and ensure they have the required skills and capabilities to provide the necessary insight to senior leadership teams.

 

  1. Digital Consumer Trends 2023 | Deloitte UK
  2. Regulating AI: Can the UK’s proposed approach achieve both flexibility and clarity? | Deloitte UK
  3. Navigating the EU AI Act: a guide for Chief Data Officers | Deloitte UK
  4. A Pro-Innovation Approach to AI Regulation | GOV.UK
  5. ISO/IEC 23894:2023 Artificial Intelligence - Guidance on risk management
  6. Artificial Intelligence Risk Management Framework | NIST

Why is it important?

 

The power of cloud continues to be a key driving force in enabling and accelerating digital transformation. It allows for agility, scalability, availability as well as security and compliance, all of which are crucial to successful transformation and achieving the aim of allowing organisations to operate more efficiently and effectively. There is a risk that poorly governed cloud adoption can lead to an inefficiently designed and operated cloud; this can raise both cloud costs and carbon usage, causing a negative impact on your overall sustainability strategy.

This can be observed in practice: as cloud adoption has soared (Gartner predict that by 2025, 95% of all new workloads will be based in the cloud), the size and complexity of enterprise cloud estates, along with the related cost, have duly increased. Coupled with the fact that many current cloud estates are often a result of earlier organic and ungoverned adoption (with surveys suggesting that 30% of cloud spend is wasted), some of the above noted benefits of cloud haven’t been fully realised, notably that of efficiency.

From the perspective of sustainability, pressure from both regulators and increasing consumer preferences for sustainable and carbon-efficient outcomes has led many organisations to develop sustainability strategies. Often included are dedicated investments, net zero targets and carbon reduction initiatives. These have further accelerated many organisations’ moves to the cloud. Cloud is primarily a ‘greener’ IT model due to the economies of scale available to vendors, therefore establishing an enterprise’s cloud estate as an essential component of its broader sustainability strategy. However, the increasing demand for cloud has in turn led to concerns about the size of organisations’ cloud carbon footprint, which is often larger than is necessary as sustainability objectives may not have been taken into account.

What’s new?

 

Entering 2023, many organisations reported that their cloud usage and spend were higher than planned, with ‘managing cloud spend’ ahead of ‘security’ as the top cloud challenges across all organisations[1]. At a high level, by taking steps to improve and maintain their cloud architecture, reduce service and resource wastage, and implement cloud best practices, organisations can reduce their cloud costs, energy usage and carbon footprint.

These objectives are facilitated by the increasing availability of native toolsets, such as Amazon Web Services (AWS)’ ‘Customer Carbon Footprint Tool’ and ‘Cost Explorer’, Google Cloud Platform (GCP) ‘Carbon Footprint’ and ‘Cloud Billing Reports’, and Azure’s ‘Emissions Impact Dashboard’ and ‘Cost Manager’.

The tools allow organisations to gain visibility over their cost and carbon overheads, and to take remediating steps. However, the responsibility lies with the consumer to take these actions.

Through the datasets these tools provide, there is the opportunity to apply analytics to cost and carbon trends, allowing for greater and more impactful changes to be made. Organisations need to ensure that any steps taken are sponsored by senior leadership and supported through education to ensure that relevant cloud stakeholders understand the link between cloud usage, cost and carbon and how these tie back to broader enterprise and IT strategies.

The increasing focus on cloud cost optimisation and sustainability sits alongside a range of existing cloud challenges that still need to be actively managed to minimise risk in the cloud, such as ensuring a safe and effective cloud migration, building of effective cloud controls, and the integration of cloud controls into existing IT risk frameworks. Ensuring these significant challenges are effectively managed and governed is key to laying the groundwork for a safe and efficient cloud.

  1. Cloud Will Be the Centerpiece of New Digital Experiences | Gartner
  2. State Of The Cloud Report | Flexera
  3. Flexera 2023 State of the Cloud | Report

What should internal audit be doing?

Hot topics by sector

Technology and Digital hot topics

Our 2024 survey was performed across all UK sectors for the second year running, and despite there being disparity between the financial and non-financial sectors in the prioritisation of challenges faced, internal audit functions across the UK are all facing similar areas of challenge.
