
Common Pitfalls (drawbacks) of ICT Audits

These dynamic and almost spontaneous changes in the technology landscape of Financial Services (FS) organisations have significantly increased the risk profile and regulatory scrutiny, thereby requiring FS organisations to pay closer attention to their risk management and assurance mechanisms. Regulators want FS organisations to prove compliance whilst dealing with sophisticated cyber-attacks, fraud, money laundering, data misuse and the other complexities of an evolving technology infrastructure. These risks continue to unfold as the digital landscape loses its borders with remote working. While most technology risks are not new, the stakes are now much higher.
C-suite executives and the Board, now more than ever before, need to understand the risk profile of
their organisations and confirm that there are mechanisms in place to manage risk within acceptable
tolerance levels.
Given the heightened expectations of internal and external stakeholders, and the general view of where many internal audit functions sit on the scale from fault-finder to trusted advisor, we highlight four (4) key pitfalls (drawbacks) of Information and Communication Technology (ICT) or Digital Trust audits conducted by internal audit functions, which together affect the level of assurance they are able to deliver to C-suite executives, board members and other stakeholders.
1. Monitoring residual IT risk levels in the wrong places
This is typically the result of poorly maintained risk assessments, both in terms of the dynamic, real-time articulation of risk exposures and the quantification of risk levels. Consequently, ICT audit plans are designed with the focus of assurance activities skewed towards assessing residual levels of risks that either do not matter to the relevant stakeholders or do not provide the level of confidence required by C-suite executives and board members.
Some of the key questions which internal audit functions must respond to as they execute their
mandate of monitoring residual IT risk levels and providing assurance include:
- Are we monitoring and reporting on the residual IT risk levels that really matter to stakeholders?
- Are we helping stakeholders to become smarter risk takers in the face of rapidly changing risk profiles?
- Are the right levels of synergy with other lines of defence in place to develop a common view on IT risks and their priorities?
2. Monitoring priority IT risks at the wrong level of precision
Priority IT risks, now more than ever before, need to be monitored on a real-time basis. For FS organisations, the volume of data generated by various business processes is growing enormously, and the tolerable time margin between the crystallisation of a risk (or the identification of an unacceptable risk level) and its eventual reporting and remediation is shortening. ICT audit activities now have to leverage data and technology-driven capabilities and service offerings in order to monitor high-risk areas in real time and to expand risk coverage to areas not previously monitored. Beyond these benefits, data and technology-driven audits are far more efficient and cost effective, and at the same time allow resources to focus on judgemental subjects and other value-adding audit matters. In many FS organisations this expectation is a hurdle that internal audit functions are struggling to clear, as they find themselves limited by data quality issues, a lack of agile technology solutions and other organisational roadblocks. PwC's State of the Internal Audit Study for 2018 revealed that only 14% of internal audit functions are advanced in their technology adoption, while as many as 46% are only taking notice and following at a slower pace.
Some of the key questions that internal audit functions must respond to include:
- Are data governance audits an area of focus in ICT audits?
- Do we have a clear roadmap for a technology-enabled audit which fosters real-time risk monitoring and reporting, and is it aligned to the pace of digital initiatives within the organisation?
3. Mismatch between today's audit skill requirement and the auditor entrusted to provide
assurance
The current and future technology landscape requires internal audit to have a blend of traditional skills with digital and business acumen. Such a blend of skills is even more important for FS organisations that are actively seeking to exploit digital initiatives and the power of data to gain competitive advantage. Hence, internal audit must perform at the same level as the organisation and keep pace with its digital transformation, or else the insight it can provide and the impact it can create as a trusted advisor will lose relevance.
A simple, classic example was the sudden need for increased remote working following the COVID-19 pandemic, as a result of the lockdown measures implemented by governments all over the world. This working arrangement required a modification of the infrastructure of most FS organisations to support Virtual Private Networks (VPNs), virtual collaboration and the like. Very few internal audit functions possessed the skills and agility to provide quick end-to-end assurance over such a significant modification, one that expanded the cyber threat landscape as attackers sought to exploit the unprecedented situation.
Some of the key questions which internal audit functions must respond to in designing their upskilling
programme include:
- Does our upskilling programme sufficiently support the digital skills we require to move at the speed of the organisation?
- Do our performance metrics assess and reward new, digital ways of working?
- Do we have the right alliances with external service providers, shared services and centres of excellence needed for digital upskilling?
4. Reporting without impact
The internal audit functions of many FS organisations are still at a level of maturity where they issue long, untimely, reactive internal audit reports which in some cases fail to get and keep the attention of stakeholders. In simple terms, the traditional audit report is fast reaching the end of its useful life. Surprisingly, only a few have embraced an agile audit approach in which they are able to report on risks in real time, with a focus on the impact of those risks on the achievement of strategic objectives, and to deliver more relevant, catalytic, forward-looking and actionable audit insights. Achieving this requires internal audit functions to invest in data and technology that will help them correlate data differently, tie more closely to the organisation's strategic risks, and work more cohesively with the other lines of defence in the management and monitoring of risks. Stakeholders would then be able to view, on the go, high-risk audit universes across the organisation, examine the underlying reasons with drill-down functionality, and monitor the status of audits and management action plans.