Internal audit is all about managing risk. What impact can new technology have on that?
Our technology-driven world moves faster than ever, so whatever sector you work in you have to be aware of disruptive technology. But do you need to change how you have always audited?
With or without disruptive technology, you need to identify risks, decide whether to accept them and also mitigate them. Is the risk more dynamic with disruptive technology?
What is disruptive technology?
Disruptive technology is generally defined as innovation that creates an entirely new market and value proposition, disrupting the old established market and significantly altering the way businesses operate.
Netflix almost single-handedly destroyed companies such as Blockbuster in only a few years by delivering content as a service rather than as a physical product. Uber tackled the taxi industry without owning any cars or employing any drivers, purely by offering logistics and payment services.
Open banking has the potential to dramatically change the financial marketplace by allowing companies to offer financial services traditionally provided only by banks, and allowing customers to choose how their finances and data from multiple providers are managed.
Banking itself has moved away from the traditional bricks and mortar bank buildings towards digital offerings, and for some digital banks, no physical presence at all.
Cryptocurrencies, while still largely speculative, have taken over certain payment functions, and are seen by many as an effective way to bypass regulation or existing financial services. P2P services of all kinds are springing up, including peer-to-peer lending, delivery, sales and payments, and other decentralisation services are set to disrupt industry further.
Pace of change
These all bring revolution to an industry or business area. Disruption has come to industries throughout the ages, just think of the internal combustion engine, or flight, or the telegraph, but the technological age is dramatically accelerating all change.
Computers allowed much more accurate and rapid calculation, modelling and storage of data. The internet allowed an unprecedented level of connectivity with other businesses and customers. And now the advent of cloud services and ways to connect globally has dramatically increased the pace of change recently.
Companies that are comfortable with high levels of risk are often able to realise the potential of disruptive technologies and can speculatively build innovative processes in order to gain business advantage, while companies that are more risk averse and leave innovation to others may find the cost of being late to market outweighs the risk if the disruption is significant.
Changed business models lead to a range of problems for audit and risk teams. Process maps for traditional ‘bricks and mortar’ businesses are well understood, and risk areas can be identified through quantitative and qualitative methods with a reasonable degree of confidence.
New technologies bring new or changed concerns:
methods that may have previously identified high risk processes may no longer work
key control deficiencies may not be evident, and in fact gaps in controls may be difficult to identify
reconciliation of ledgers against inventory may be impossible if any inventory sits with third parties.
Of critical importance to the examples listed above, and countless others, are connectivity and big data. If your key data processing is handled ‘in the cloud’ and you rely on it real-time, then connectivity is essential. Single points of failure, whether internet points of presence or third parties providing processing, analysis or storage as a service, should be assessed for criticality.
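One way to make that criticality assessment concrete, as an added example that is not part of the original article: the process and dependency model below is constructed for illustration (the process names, providers and the single ISP fallback are assumptions), and the logic ranks each external dependency by how many critical real-time processes stop if it becomes unavailable, treating only dependencies with no documented fallback as single points of failure.

```python
"""Single-point-of-failure assessment for cloud and third-party dependencies.

Constructed example: each business process lists the external dependencies
it relies on in real time and whether the process is critical to operations.
"""

# Constructed process-to-dependency map (not from any real organisation).
PROCESSES = {
    "order_capture":   {"deps": ["isp_primary", "payments_saas", "cloud_dw"], "critical": True},
    "fulfilment":      {"deps": ["isp_primary", "warehouse_3pl"], "critical": True},
    "analytics":       {"deps": ["isp_primary", "cloud_dw"], "critical": False},
    "customer_portal": {"deps": ["isp_primary", "cloud_dw"], "critical": True},
}

# Dependencies with a documented, tested alternative path (constructed).
REDUNDANT = {"isp_primary": "isp_secondary"}


def blast_radius(processes, dependency):
    """Return the sorted names of processes that stop if `dependency` is down."""
    return sorted(name for name, p in processes.items() if dependency in p["deps"])


def assess_spofs(processes, redundant):
    """Rank dependencies: single points of failure first, then by the number
    of critical processes each one would take down.

    A dependency is a SPOF when at least one critical process needs it and
    no fallback is recorded for it.
    """
    dependencies = {d for p in processes.values() for d in p["deps"]}
    findings = []
    for dep in sorted(dependencies):
        affected = blast_radius(processes, dep)
        critical = [n for n in affected if processes[n]["critical"]]
        findings.append({
            "dependency": dep,
            "affected": affected,
            "critical_count": len(critical),
            "fallback": redundant.get(dep),
            "spof": dep not in redundant and len(critical) > 0,
        })
    # SPOFs first (False sorts before True, so negate), widest critical impact first.
    findings.sort(key=lambda f: (not f["spof"], -f["critical_count"], f["dependency"]))
    return findings


def report(findings):
    """Format findings as audit working-paper lines."""
    lines = []
    for f in findings:
        status = "SPOF" if f["spof"] else f"redundant via {f['fallback']}" if f["fallback"] else "non-critical"
        lines.append(f"{f['dependency']:14} {status:28} critical={f['critical_count']} affected={','.join(f['affected'])}")
    return lines


if __name__ == "__main__":
    for line in report(assess_spofs(PROCESSES, REDUNDANT)):
        print(line)
```

The ordering is the point: a shared data warehouse that three processes depend on ranks above a payments provider used by one, and the primary ISP drops out of the SPOF list only because a tested secondary link is on record. Swap in your own process map and the output becomes the list of third parties and connectivity points to assess first.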
Volumes of stored data are considerably larger than ever before, and moving the value proposition towards analysis of metadata brings new points of interest, especially when looking at security or privacy controls.
While the core requirements for protecting data at rest are broadly understood, with the move towards analysing that data, using tools based within an organisation, at third parties, or in the cloud, the metadata, analysis results or aggregate store may now be the ‘crown jewels’ for an organisation. Protecting the crown jewels appropriately to ensure confidentiality, integrity and availability are maintained often requires a change in focus when disruptive technologies are implemented.
Where should your focus be?
Auditing technical controls?
Many technical controls remain the same, or at least similar to those used in organisations with traditional technology. Access controls, user permissions, security controls, single points of failure and so on can be assessed using the same methodologies and tools as previously used.
Ledgers will still exist, so should be audited accordingly, whether they sit in-house, with third party service organisations, or distributed amongst end points or in the cloud.
Managing technical risks?
An obvious question here is, ‘Do you understand the process changes with any new technologies?’ For example, if no one in your audit or risk teams is experienced in the mathematics underlying cryptocurrency or blockchain, how will you assess the implementation?
Where that expertise is missing, look instead at the controls that mitigate the risk of an implementation error: code review and validation, mature development frameworks, penetration testing and so on.
Managing innovation risks?
As mentioned, innovative organisations tend to tolerate higher risk in order to innovate. Often this risk tolerance is pervasive across the organisation, or at least across its innovation teams, so a company with a high acceptance of risk may warrant closer review of governance processes across the entire audit and risk universe.
Understanding process flow?
If the company doesn’t have an end to end model for new business processes, understanding and assessing the risk from them is going to be considerably more onerous. Working with the business to map this out is essential, but will require experienced team members or consultancy – this is unlikely to be a simple, checklist-based exercise.
Policy often doesn’t keep up with the pace of change of disruptive technology – auditing against policy is one part of the picture, but as a professional, assessing the policy against industry and regulatory standards, as well as leading practice, may be more useful to your organisation, highlighting weaknesses that require remediation in policy.
Do you need to worry about it?
You do need to understand the changes to existing risk management techniques and methods, and invest where needed to boost capability.
Understanding the risk from disruptive technologies requires significant additional focus on technology elements, changes to business processes, risk appetite and policy, but current controls should continue to be assessed using existing methodologies.
Treat audits of disruptive technology as significant complexity and staff accordingly, drawing on highly technical teams, or investing in training and development of audit plans to cover these new and disruptive areas.
And as I mentioned before, the pace of change of technology continues to increase, so building in a continuous development and assessment process for your audit capability is useful.
Rory Alsop, FInstISP, CRISC, C|CISO, CISM, CIPM – director, Information Security Forum; research director - ISACA Scotland and deputy chair - Scottish Branch of the Institute of Information Security Professionals