For organisations throughout the private and public sectors, life has been tough since 2008 and there is little sign of anything improving soon. Continued economic uncertainty feeding almost record-breaking levels of unemployment; social unrest in the shape of Occupy London and UK Uncut; central banks pumping money into the global financial system; and a significant downturn in consumer confidence all make for a bleak picture.
Senior decision-makers working in the Financial Services sector are also contending with a tidal wave of regulatory demands in the shape of Solvency II, FATCA, Basel III, Dodd-Frank, RDR and Living Wills. They are doing so against a rising trend in major cost efficiency drives and the emergence of technology-fuelled social networks that promote openness over data security.
Senior executives working across commercial and public service organisations are wrestling with data leakage issues, social networks, cyber threats, disruptive technologies and major organisational change. These present a number of significant risks but, for forward-thinking IT internal audit professionals, opportunities too.
Company survival is now far less certain than it has ever been. In 1937 the average time a company spent in the S&P 500 was 75 years; in 2011 that had dropped to 15 years, and by 2025 it is predicted to be just five years. As we have seen with some organisations, being an alumnus of the index is no guarantee of survival.
It is an example that presents a salutary lesson to executives on how technology can disrupt their businesses to the point of potential extinction. Similar examples have occurred in a range of industries including retail, telecoms, music and computing and will be seen in more industries as technology enables changes in their business models.
What’s also apparent is that we’re at the start of this technology wave; developments will only get faster and the risks more pronounced. Disruptive technology has no respect for borders or sectors; executives should not be fooled into thinking that their business is safe because their immediate markets are unaffected.
For IT internal auditors this presents a number of challenges in protecting their organisations and clients against financial and reputational losses – and in helping them construct a clearer insight into governance, risk and compliance strategies.
KPMG’s recently published Executive Summary of the Autumn 2011 IT Internal Audit Conference (PDF 4.4 MB) focuses on the following three threat areas:
- Social networks which are changing the relationship between users and technology, and the way businesses and organisations protect their IT systems.
- Cyber threats that are multiplying and come from a variety of sources, including organised crime, state-sponsored groups and hacktivists.
- Disruptive technologies that if misread have the potential to fundamentally change marketplaces and transform once-dominant players into also-rans.
Executive boards are often all too aware of the possibilities of new technologies, and the risks. However, there is a greater need to understand their organisation’s risk profile and appetite for risk, in order to develop a sound risk strategy that is aligned to key business priorities.
Some leading boards insist on IT risk briefings as a matter of course. By proactively seeking out and analysing such dangers, IT internal auditors have the opportunity to play a key role in protecting their organisations and underscoring their value.
So, while organisations need to continue to adapt to exploit the business opportunities afforded by technology, it is the responsibility of IT internal audit leaders to help them look at the risks involved in a different way, helping them turn those risks to their advantage. Most IT internal audit teams spend most of their time in the quadrant of what KPMG terms the ‘IT Risk Universe’ looking at mature internal controls and change management programmes. However, there is increasing focus from boards and clients on new and emerging risks, in areas like social media, cyber crime, and disruptive technologies.
It is in helping boards understand and manage these risks that IT internal auditors can really add value to their organisations.