Nathan Cain, Partner

I recently hosted our 10th annual IT Assurance Summit. These events are always a great way of getting IT auditors together to talk about the issues they’re facing and the trends they need to be aware of – but this year, we had to host the event virtually for the first time ever. But this didn’t stop it being perhaps the most interesting yet. That’s because IT assurance has never been more important. The COVID-19 pandemic has accelerated digital transformation and made every business more reliant on IT – that brings with it greater risk – and puts even greater pressure on IT auditors.

In our recent CEO Outlook Pulse survey, cyber security was identified by global CEOs as the greatest risk to company growth over the next three years. The pressure is on IT auditors like never before. So how do you ensure resilience and mitigate the growing risk of cyber attacks?

If you couldn’t make it to the event, you can watch the recordings of all the sessions on-demand, on topics ranging from remote working and cloud to auditing agile and DevSecOps. 

Here are my key takeaways.

Remote working requires zero trust

In the morning session, we heard from Ian Arnold, Head of IT Internal Audit for Private Equity and Regions and Dimitrios Petropoulos, Technical Director for KPMG Cyber on the challenges presented by remote working. The professional world has changed. We had people largely working in closed office spaces with strict policies and guidelines regulating the flow of data. Now our people are accessing data from remote locations across the world.

To tackle this, we’ve seen traditional segmentation taken to its logical extreme. Within a zero-trust security architecture, every asset has its own zone and there is no implicit trust in any communication. Trust has to be established every time entities (people and machines, or machines and machines) communicate. And that trust can’t be guaranteed through simple authentication. When it comes to IT assurance, that means moving on from traditional security perimeters and focusing on ‘identity’ and what that means for technology, strategy and governance.

You can’t just jump on the cloud and expect to fly

Businesses are accelerating their move to the cloud to provide greater agility and scalability. That brings with it a host of challenges – from understanding new technologies to managing suppliers – all of which require new skills and working methods. In our cloud session, Andrew North, Head of Public Sector and Government IT Internal Audit and Alina Timofeeva, a senior manager in our Cloud Assurance team, discussed the risks of going live with a huge number of open cloud risks – exposure to cyber-attacks, loss of customer data, customer disruption and subsequently the loss of revenue and customer trust.

Alina highlighted three areas where we often see things go wrong:

  • Firstly, exit management is too often treated as a contract clause or a paper exercise. You need to identify alternative options and develop robust transition plans to enable transfer of process and data in a controlled manner.
  • Organisations fail to adequately map roles and responsibilities. It’s vital to know who is responsible for what, both to mitigate and audit risk. And that goes beyond internal roles - you need clarity over what cloud and ‘as a Service’ providers are responsible for too.
  • And the big one – companies don’t have fit-for-purpose cloud strategies. Too often, they jump on the latest market trend without fully understanding the business drivers or setting out what they want to achieve. 

Third-party risk management is in the spotlight

The accelerated move to the cloud for greater versatility means more third-party risks. Tejas Mehta, Head of Financial Services Internal Audit, and Rohit Nag, a senior manager in our FS Risk Technology team, looked at outsourcing and third-party risk management (TPRM). Businesses are up against big challenges here: they face ever-increasing regulatory expectations, and they’re having to handle a growing portfolio of third parties covering different aspects of their digital estates.

To tackle these challenges, TPRM is evolving. It’s harnessing data analytics and automation to become more connected and continuous. To fully understand the risks, it’s also drawing functions from across a business into the process.

Internal audit will be a crucial factor in providing assurance on TPRM. Tejas and Rohit suggested this should be done on three levels: overall governance and framework; assurance of a specific business service that relies on third parties; and assurance over the management of a critical third party. 

Ask the questions and challenge assumptions

We were incredibly pleased to welcome Dr Anne-Marie Imafidon MBE as our guest speaker. She shared her views on how we can prepare for risks that could come from futureproofing the workplace. For her, this went beyond listening to the future workforce – we also need to empower them.

It was fascinating to hear her views on how artificial intelligence (AI) is going to impact, and is already impacting, the way we work – and what that means for IT assurance. For her, the possibilities of AI are endless – from discovering antibiotics to automatically appealing a car parking ticket. She’d experienced using AI to remove bias from the recruitment process and better manage talent.

For me, the key takeaway from her session was that as auditors, we need to ask uncomfortable questions. To effectively harness technology, it’s essential that we challenge intentions and assumptions, and can identify any blind spots and limitations. 

Get ready for UK SOx now

In the final session of the day, Mark Gee, IT Controls Transformations specialist, and Nehal Jilka, Partner, provided an overview of the government’s whitepaper on corporate governance and what it means for businesses and IT assurance. This is commonly being referred to as UK SOx, reflecting the US Sarbanes-Oxley Act.

Mark and Nehal ran through the three available options for implementation:

  • The Government’s preferred option is to require an explicit directors’ statement about the effectiveness of the internal control and risk management systems, including reporting of deficiencies.
  • The second option mirrors US SOX, with an additional requirement for external auditors to comment.
  • The third option is a formal external audit.

It’s going to be important that organisations stay up to date with the consultation and get ready for the changes when they’re finally implemented. This requires a cultural shift that starts at the top, with communications that filter down from the board. Don’t just see SOx as a compliance burden – be clear on the business benefits from standardisation and automation.

IT audit is critical to business success

What came through very clearly to me is that IT auditors have an even bigger role to play now than in the past. It’s a role that’s vital to businesses managing risk, and that makes you vital to your business’s success.

If you want to gain the full insights from the day, you can listen to all the sessions on demand – that includes our breakout sessions on auditing cyber security and DevSecOps, harnessing data analytics, automating audit and auditing agile.

Please also watch out for our further blog posts, where we’ll be sharing more insights and reflections on the day. And, of course, if you’d like to discuss any of these topics further, please feel free to contact me.