Challenges for IT Internal Audit Functions

Technology and the impact of disruption on the Financial Services sector is fast becoming a top priority for organizations alongside regulatory compliance. Financial institutions are feeling the burden of the ever-increasing threat of cyber-attacks, the imperative to innovate to keep pace with maturing FinTech combined with increased focus from regulators on the management of IT, data and the operational resilience of the financial system. As a result, there is pressure on IT Internal Audit functions to ensure that there is adequate and appropriate assurance coverage of this evolving IT risk landscape and to adapt in order to make an impact both from an assurance perspective and value-add input to management as a business partner.

In previous years Heads of IT Internal Audit listed ‘getting the right resources at the right time’ as their main challenge. Recruitment, management and retention of specialist resources in particular continues to present a challenge, particularly as observation found that salaries for “scarce” skills are on the rise while Internal Audit functions are under increasing pressure to “do more with less”.

Data analytics has been on the agenda for Internal Audit functions for several years, however few functions have effectively embedded the use of data analytics in their audit practices. Typically, this is linked to the availability of reliable data sources from the business and, as the quality of these sources improves, Internal Audit functions should ensure that they have built a capability to use these data sources particularly in areas that would enable the use of automated auditing techniques with the intention of freeing up resources from routine audits in order to focus on emerging risk areas. Internal Audit has the opportunity to demonstrate the use of automated auditing and/or monitoring approaches to 1st and 2nd line oversight functions as further means of adding value to the organization

Respondents also mentioned the increased difficulty of staying abreast of multiple emerging risk areas while adapting to new business processes. IT Internal Audit functions must ensure there is an appropriate investment in talent development to ensure that they are able to retain an appropriately skilled team to focus on key emerging risks with the ability to call on specialist resources for non-key emerging risks. There is also a requirement, while adapting to new business processes and ways of working, to ensure that the IT Internal Audit approach remains relevant. Particularly when considering large scale Strategic Change, IT Internal Audit functions are increasingly moving away from the traditional “point in time” audits at the conclusion of events, but are performing more real-time reviews in a quest to remain both relevant and to provide added value to the organization they serve.