Examining business use of technology to understand where potential vulnerabilities lie and when to resource internal audit teams to ensure threats to business resilience are prevented.
A total reliance on technology can be a double-edged sword. Excellent for efficiency – but also a threat to business resilience. So an organisation, and its Internal Audit team, should be able to pinpoint exactly where all its tech dependencies lie. That calls for robust expertise in both system architecture and technology risks.
The use of technology has soared in the past 20 years. It’s moved from helping us do our jobs more efficiently to taking over much of the actual work. And it has also become central to the very infrastructure of a business –
perhaps even the central factor in business resilience.
“The massive increase in connectivity underpins that change,” says Andrew Shefford, Head of IT Internal Audit at KPMG. “And that continues to shift the criticality of technology.
Enhanced connectivity is therefore a key resilience issue. But internal audit (IA) also needs to monitor the emerging technologies that use will form part of this connectivity. “In a couple of years, robotic process automation (RPA) will be commonplace – and artificial intelligence (AI) will be where RPA is today,” says Shefford.
“Another five years down the road, AI will be starting to take many mission-critical decisions without any human intervention. That poses interesting questions for the audit profession — especially when breakdowns in these increasingly important systems present a threat to resilience and even viability.”
An assessment of these three technologies – cloud, RPA, AI – highlights where internal audit should be focusing its scrutiny.
On the first (and perhaps most pervasive) technology, cloud, IA must understand where dependencies lie. “Assurance over the cloud comes largely from providers at the moment,” says Shefford. “Their own investments in resilience and disaster mitigation is impressive – and they’re a great source of recommendations to client businesses to improve their own resilience.”
But while it’s common to outsource to third-party cloud service providers (CSPs) to boost resources and manage costs – effectively handing them responsibility for technical risks – accountability for third-party risk and control management framework remains with the client business – and that’s unlikely to change.
“The challenge for IA is to understand what a good third-party management risk and control framework looks like, and what assurance should be requested and provided by the CSP in order to satisfy one’s own audit and assurance requirements,” says Shefford.
A risk and control framework should at least cover due diligence, transition, contract set-up, on-going oversight management and significant risks such as resilience, complexity, data security (especially GDPR/DPA), legal and regulatory requirements. It is useful for IA to reference recognised international standards that organisations might expect to be in place at CSPs, such as the ISO 27000 series and guidance from the Cloud Security Alliance.
“Another layer of risk comes from a supply chain perspective,” says Shefford. “Some emerging CSPs are beginning to act as an intermediary service by moving the business infrastructure to top-end CSPs, like AWS, IBM, or Google. While the emerging CSPs can offer lower cost solutions with a personalised service –as they work on a volume basis – it is still a financial probity and resilience risk of the fronting IT service provider.”
With RPA technology, the picture is a little more complicated. “We’re doing a lot of automation work with clients right now, especially larger organisations, and it has to be handled carefully,” says Shefford. “Encryption, security and change protocols all have to be part of the plan, just as with any system.”
“An insurer, say, might look to use RPA to aggregate customer data from seven different systems into a single customer service screen,” says Shefford. “That’s brilliant. But what happens if the wrong person’s data is aggregated into that screen and shared? We developed a new audit approach for a client in just that situation, addressing the potential data issues related to a new RPA agent.”
RPA may not be a major new resilience issue, even with some of the serious consequences stemming
from data misuse. AI presents more of a challenge.
“In IT Internal Audit, we ask two key questions,” says Shefford. “First, can a system or programme be changed without authorisation? And second, how well controlled is access to the underlying data? I can test those questions as an auditor on cloud, on RPA, with apps. But with the coming generation of AI? It’s murkier.”
Take a neural network that’s constantly learning from transactions and passive data, for example. Without a new control framework, neither the operator, nor compliance, nor an internal auditor can easily check what it’s learned and how it has adapted its processes as a result. The risk and control framework therefore has to be completely redesigned.
When AI systems are actually rewriting code to adapt to new requirements and opportunities that no human operator has identified, it will become harder to even identify that systems pose a resilience issue – let alone whether those risks are being properly managed.
“There are some technology risks to resilience that are much harder to test and mitigate,” warns Shefford. “Just recently, for example, the media latched onto the vulnerability of undersea cables carrying internet traffic. The question broached was if those were cut by a state actor, how many businesses would struggle to operate as usual? Or cyberattacks like the famous incident last year – the WannaCry ransomware attack — the US has blamed North Korea, should businesses take another look at geopolitical risks via tech vectors?”
“That’s symptomatic of a wider challenge for business resilience, directly related to connectivity. A good example of a market-wide approach is the Bank of England’s certified Cyber resilience testing regime for banks, CBEST and we are working with other sectors where similar schemes are planned. Running it across other sectors should help us all understand where potential vulnerabilities lie.”
Company boards must understand these technology risks, implement policies to manage exposure – and resource internal audit teams sufficiently to give them assurance that the threat to resilience is understood and managed.