Technology has evolved from being an enabler of business processes to becoming a key driver of business strategy. For Financial Services (FS) organisations, technology can provide a competitive advantage as customers demand increasingly personalised services. Most FS organisations are beginning to take an integrated view of business strategy, customer experience and technology to help them manage fast-paced changes in customer demands. At the same time, they are also looking to effectively harness the potential of emerging technologies and automation to transform internally, moving from legacy systems to more agile processes, digital and cloud-based application infrastructure and platforms to optimise technology costs.

The dynamic changes to the technology landscape affecting FS organisations have significantly affected risk profiles and heightened regulatory scrutiny. Now, FS organisations need to pay closer attention to their risk management and assurance mechanisms. FS organisations must focus on compliance in addition to managing risks associated with potential cyber-attacks, fraud, money laundering, data misuse and the complexity of their evolving technology infrastructure. These risks and challenges continue to unfold even as the digital landscape's borders blur in response to remote working and remote services.

While most technology risks are not necessarily new, the stakes are now much higher. Now more than ever before, C-suite executives and the Board need to understand the risk profile of their organisations and confirm that their systems and processes are adequate and capable of managing risk within acceptable tolerance levels. Meanwhile, internal and external stakeholders have heightened expectations of assurance providers and internal audit functions, which must evolve from being the fault-finders to trusted advisors.

Below are pitfalls in Information and Communication Technology (ICT) or Digital Trust Audits which affect the level of assurance that they can deliver to C-suite executives, board members and other stakeholders.

  • Monitoring residual IT risk levels in the wrong places

Typically, monitoring for residual IT risk levels in the wrong places is the result of poorly maintained risk assessments, both in terms of the dynamic, real-time articulation of the risk exposures given the use and lack of use of technology and digital innovations, and in terms of the quantification of the risk levels. Consequently, the focus areas of the assurance activities in ICT audit plans could be skewed towards assessing the residual levels of risks that either do not matter to the relevant stakeholders or do not provide the right level of confidence required by C-suite executives and board members. According to PwC's State of the Internal Audit Profession Study for 2019, the vast majority of internal audit functions in the FS industry now have to revisit their risk assessments and audit plans more frequently than they used to, given the number of changes in the business environment (and now accelerated by the pandemic environment).

Some of the key questions which internal audit functions must respond to as they execute their mandate of monitoring residual IT risk levels and providing assurance include:

  • Are we monitoring and reporting on the residual IT risk levels that really matter to stakeholders?
  • Are we assisting stakeholders to become smarter risk takers in the face of rapidly changing risk profiles?
  • Do we have the right synergies with other lines of defence to develop a common view on IT risks and priorities?

  • Monitoring priority IT risks with the wrong level of precision

More than ever before, priority IT risks need to be monitored on a real-time basis. For FS organisations, the volume of data generated through technology activities is increasing tremendously, whereas the acceptable time margins between the identification and the reporting and remediation of unacceptable risk levels or risk crystallisation have shortened. ICT audits now have to be conducted by leveraging data and technology-driven capabilities and service offerings, such as automation for continuous auditing and data analytics for audit scoping, in order to monitor high-risk areas in real time and expand risk coverage to other areas not previously monitored. Beyond these benefits, such audits are a lot more efficient and cost-effective, and at the same time allow resources to focus on judgemental subjects and other value-adding audit matters. For many FS organisations, this expectation is a hurdle, as internal audit functions find themselves limited by various data quality issues, lack of agile technology solutions and other organisational roadblocks. PwC's State of the Internal Audit Study for 2018 revealed that only 14% of internal audit functions are advanced in their technology adoption while as many as 46% were only taking notice and following at a slower pace. Two years down the line, the statistics have not changed.

Some of the key questions that internal audit functions can address include:

  • What degree of assurance does our 'sample based point in time' audit approach provide on high-risk IT areas?
  • Are data governance audits an area of focus in ICT audits?
  • Do we have a clear roadmap for a technology-enabled audit which fosters real-time risk monitoring and reporting and is aligned to the pace of digital initiatives within the organisation?

  • Mismatch between today's audit skills requirements and the auditors entrusted to provide assurance

The current and future technology landscape now requires internal audit to have a blend of traditional skills as well as digital and business acumen. This is even more important for FS organisations which are actively seeking to exploit various digital initiatives and the power of data to gain a competitive advantage. Hence, internal audit must be performing at the same level as the organisation overall and keep pace with the organisation's digital transformation. Otherwise, internal audit functions can lose relevance since they are expected to provide insight and perform as trusted advisors. That level of performance speaks to resilience and agility; the sudden need for increased remote working during the COVID-19 pandemic required immediate modifications to the infrastructure of most FS organisations to support Virtual Private Networks (VPN), virtual collaboration, etc. Very few internal audit functions possessed the skills and agility to provide quick end-to-end assurance over these modifications, which in many cases increased their exposure to cyber threats as attackers sought to exploit rapid modifications and unprepared organisations. Internal audit functions that were sufficiently equipped managed to provide assurance in an agile manner, such as by supporting the establishment of secure VPN tunnels and fortified endpoint devices, improving identity and access management services, enriching employee awareness of phishing attacks and increasing patch frequency for critical infrastructure systems. A programme to digitally upskill internal audit functions and other units can help to improve resilience and agility.

Some key questions to ask include:

  • Does our upskilling programme sufficiently support the digital skills we require to move at the speed of the organisation and the market?
  • Do our performance metrics assess and reward new, digital ways of working?
  • Do we have the right alliances with external service providers, shared services and centres of excellence needed for digital upskilling?
  • Are we creatively sourcing talented people to build the function's digital skills and investing to retain and develop the talent we have?

  • Reporting without impact

Internal audit functions at many FS organisations still issue long, untimely, reactive internal audit reports which in some cases fail to earn the attention of stakeholders. In simple terms, traditional audit reports need to evolve with the times. Those internal audit functions that have embraced an agile audit approach are able to report on risks in real time with a focus on impact and achieving strategic objectives. They deliver more relevant, catalytic, forward-looking and actionable audit insights. This level of 'reporting with impact' requires internal audit functions to invest in data and technology aligned to the organisation's strategic outlook and risk management, and to work more cohesively with other lines of defence in the management and monitoring of risks. Stakeholders should be able to survey holistic, organisation-wide high-risk audit reports on the go and, through drill-down functionality, interrogate the status of a particular audit, the management of action plans and other activities. The following questions can help to guide this process:

  • What investments are we making today to prepare us for real-time residual risk monitoring?
  • How are these investments organised to create alignment with other lines of defence in order to have a common point of view on risks?

In conclusion, as most FS organisations sharpen their appreciation of emerging technologies in their bid to remain relevant and win market share, assurance providers need to evolve in lock-step. They must continue to ascertain and test for the most critical risks that could impact shareholder value, reputation and trust from a legal, compliance and reporting standpoint. Common pitfalls can be avoided with the right training, tools and strategy.


Peter S. Ojekunle, Manager - Risk Assurance at PwC Uganda
T: +256 414236018 E: peter.s.ojekunle@pwc.com

Edna Gitachu
