Financial Services Internal Audit Planning Priorities 2022
Below we highlight areas that are new to Internal Audit, along with those we believe will receive greater focus in 2022. We hope this informs your 2022 planning and assurance approach.
The pandemic has accelerated the societal trend towards increased use of digital services by both corporate and personal customers across the UK and global economy, and financial services (FS) has been no exception. FS businesses across all sub-sectors of the FS marketplace are having to consider their digital strategies and use new digital service offerings more than ever before, to ensure they continue to offer what their customers need, when they need it. Whilst the COVID-19 pandemic has not transformed digital services in FS as markedly as in some other sectors (retail, for example), those FS organisations which have embraced digital services to a greater degree have been better placed to adapt and respond to these changing consumer demands. Fast-paced change and adoption of digital services do, however, bring with them a plethora of risks to be managed, and many businesses are challenged to evolve as required whilst also managing these risks effectively.
Cloud services continued to be adopted rapidly across all sub-sectors of the FS industry in 2021, and are becoming ubiquitous, with IT service delivery across the sector enabling organisations to adapt business models, products and channels. Risk and control functions, including Internal Audit, are often struggling to keep up with the rapid transition to cloud technologies at many organisations. Regulatory pressures around moving to the cloud are significant and increasing rapidly, and many organisations have significant cloud migration programmes coming to fruition which require suitable related assurance regimes.
The financial services sector is the most targeted because of its obvious access to accounts and funds. A successful hack or security event could have numerous and substantial consequences for any organisation, including one or all of the following: a breach of GDPR, and hence significant fines for loss of data; loss of confidential information; loss of key operational systems; and a reduction in customer confidence. The reputational risk factor in this sector is very high, and any loss of trust could have a highly negative impact.
The sector also relies on multiple third parties, which increases the risk of third-party hacking, i.e. an attacker gaining access to an organisation's systems and data by attacking one of its suppliers or partners.