This is based on our survey and discussions over the past six months with Chief Internal Auditors and Heads of IT Audit across UK financial services organisations, who have openly shared their areas of focus and the organisational challenges in relation to their firms’ technology control environment.

CIOs and technology leaders played, and continue to play, significant roles during the recent crisis by leading recovery plans, acting as ‘change’ agents, and stepping beyond their functional leadership role. COVID-19 will continue to have significant implications for businesses, leading them to accelerate the move from physical to virtual ways of operating. Technology leaders are expected to architect significant enterprise changes as part of digitalisation programmes that may touch on customer channels, products, and ways of working.

These priorities are reflected in our paper, with this year’s top-10 topics presented under a lens of “lessons learned” from the crisis thus far.

The impact of digitalisation is reflected in an elevated focus on cloud, digital risk and transformation topics. That said, Cyber continues to be the at the top of the list, not surprisingly perhaps, as organisations struggle to deal with a notable increase of attacks, at a time when the organisational set up has completely changed with the prevalence of remote and mobile working.

Operational resilience, now more than ever, is a key area of regulatory and business focus. Heads of IT Internal Audit need to examine how management is planning to ride the uncertain times ahead and rebuild confidence for the future by ensuring their response is resilient, safeguards the welfare and well-being of people, and is able to adapt to demand and supply challenges.

One of the principal lessons we have seen arising from the crisis, is that the more analytics-savvy and digitally mature functions performed better. They continued to provide assurance in a nonintrusive manner, analysing available data (e.g. business performance, incidents, customer complaints, cyber-attacks) in a manner that provided a level of visibility over the nature of risks faced by the organisation as well as the effectiveness status of key controls that was imperative at the time. In an environment where some functions had to pause all auditing activity, or were told to defer meetings with key staff during the initial phase of the crisis, the use of analytics and digital tools helped separate the truly ‘resilient’ functions.

We see IA functions of the future embracing digital-enabled transformation, continuous risk assessment, automated testing, exploratory analytics, and more broadly, agile methods as a way of decreasing costs and adding value. A deeper digital transformation and the use of data-driven auditing will not be merely required by Audit Committees as a nice-to-have, but in our view would be core for the development of a resilient and a high functioning function of the future.

In the graph below, the size of the bubble reflects the ranking in this year’s list, while the horizontal axis shows the threat environment - internal or external to the organisation. The vertical axis classifies the topics across the spectrum of existing/known, new and emerging risks.

Source : Deloitte Website

Date of Input: 14/04/2021 | Updated: 14/04/2021 | nurmiera