Professional Documents
Culture Documents
Deloitte Uk Deloitte Itia Hot Topic Report Digital
Deloitte Uk Deloitte Itia Hot Topic Report Digital
Contents
1 2 3
Foreword Executive Our survey through
Summary the years: 2012-2023
4 5 6 7
IT Internal Audit Where next for Appendices Contacts
Hot Topics 2023: Internal Audit?
A viewpoint
02 | Riding the wave | 2023 Hot Topics for IT Internal Audit
1
Foreword
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
03 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
04 | Riding the wave | 2023 Hot Topics for IT Internal Audit
2
Executive
Summary
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
05 | Riding the wave | 2023 Hot Topics for IT Internal Audit
In the past two years our This year, the repercussions from these events Table 1. IT Internal Audit Hot Topics 2023
to act quickly to respond to governance and control. 6 Business Critical IT Controls Third-Party Risk Management IT Strategy and Governance
the uncertainty unleashed by
• Our survey was performed across all UK
the pandemic. Internal Audit sectors, but one thing that transpired was
7 Third-Party Risk Management IT Strategy and Governance Cloud Hosted Environments
functions were also called that – except for in a couple of domains Identity and Access Identity and Access
upon to provide well-needed – we did not notice a significant disparity 8 IT Strategy and Governance
Management/Privileged Access Management/Privileged Access
amongst priorities and areas of challenges
assurance over risks, as Identity and Access
across functions surveyed. 9 Business Critical IT Controls Operational and IT Resilience
decisions were made at pace, Management/Privileged Access
many of them with technology 10 Digital Risk: Artificial Intelligence Payments Digital Risk: Artificial Intelligence
at their heart.
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
06 | Riding the wave | 2023 Hot Topics for IT Internal Audit
• Cyber security remains the number one • The post-pandemic activity around digital • FS regulation has continued to intensify and • On the other hand, non-financial services
‘hot topic’, continuing the trend over the change and transformation has resulted evolve, touching on key technology areas organisations placed hot topics around
past few years; we notice how organisations in heightened risks around change delivery, such as cyber security, cloud, resiliency, business-critical controls (in the context
continue to evolve their thinking around strategy, and planning, where greater and third-party risk. It is interesting of recent UK reforms), higher in the
managing this risk as the broader cyber integration between business and IT to explore how these IT risk disciplines ranking. This is driven by the journey
risk landscape continues to mature and strategy will be paramount – more than coalesce across the organisations’ control of reforming and re-emphasising UK
diversify. Cyber-attacks in the form of data ever before. Organisations are embracing environment, as well as being key hot topics corporate governance, whereby companies
theft, compromised accounts, ransomware, digital transformation as a key driver in their own right, that need to be suitably and auditors are expected to face even
social engineering attacks is “top-of-mind” for growth. With the uncertainty in the risk assessed and assured against. This also tougher obligations that will re-shape
across organisations and industry sectors. economic environment, we’re seeing a lot requires IT Internal Auditors to stay close the approach to internal controls. These
Topics such as ransomware and incident more interest in technology spend that to the changing regulatory environment recommendations (also known as UK
response were popular across all sectors will impact the bottom line, whether that’s around these areas, and Internal Audit SOX) reflect a wider, global sentiment
in our survey, while FS organisations driving additional operational efficiency leaders to ensure the combination of skills from society that stronger internal control
also raised topics such as data leakage through cloud, analytics, and cyber risk in the team is keeping pace with emerging environments are needed to prevent
prevention, threat intelligence, and insider management. This creates new areas of risk themes. material fraud and unexpected company
threat. Other corporates highlighted a focus risk, as well as opportunities to streamline failures. With technology environments
on cyber strategy and maturity, vulnerability governance and control processes, making both being ever pervasive and becoming
management, security operations. it increasingly important that Internal more complex, it will be important for
Audit engage with the programme teams Internal Audit to ensure senior management
early on in and continually throughout the demonstrate they understand how these
lifecycle to help organisations manage risks core controls are implemented across the
appropriately and proactively. technology estate, how their effectiveness
and suitability is being monitored and how
they can support compliance.
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
07 | Riding the wave | 2023 Hot Topics for IT Internal Audit
The two key challenges that Internal Audit 02. The ability to appropriately harness The core focus of Internal Audit functions should
functions are, or will be, facing this year, the pace of change: we live in an remain on increasing their impact and influence
are illustrated below in word-cloud, environment of constant change, in their respective organisations, by not only
based on survey responses. particularly in the technology and digital providing assurance, but also educating and
domain, accompanied by relentless advising management and anticipating risks.
01. People, skills and talent: resourcing regulatory attention and intervention The sections of our report that follow cover
remains a challenging area, as the in many sectors. The macro-economic the ‘hot topics’ for 2023 in more detail, aiming
desirable skills (or combination of skills) environment of uncertainty, and indeed to provide perspectives and insights on how
are hard to find and retain, against a the expected headwinds to business functions can best achieve that.
backdrop of an exceptionally competitive performance, certainly exacerbates the
market for skills. From conversations with concern. We see functions continuing to
Figure 1. Word cloud of responses: challenges facing Internal Audit functions in 2022-2023
Internal Audit leadership, it is very difficult explore transformation and innovation
to identify and recruit key technology options to stay relevant, continuing to add
and digital skills in the market, but also value in a cost-effective way, so that they Tools and technology
to retain existing talent. Functions try effectively “ride the wave” of uncertainty Regulatory change Integration with 2LOD Stakeholders
alternative delivery and resourcing models processes, such as risk assessment or Quality of data
Pace of technology change Upskilling and training
Complexity of IT estate
such as contingent staff, guest auditors, horizon scanning.
contractors, and third-party co-source. Recruitment Talent and skills Co-source skills
Agile
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
08 | Riding the wave | 2023 Hot Topics for IT Internal Audit
3
Our survey
through the
years: 2012 – 2023
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
09 | Riding the wave | 2023 Hot Topics for IT Internal Audit
We noted the continued presence of ‘Cyber We also observe the impact from the
Security’ at the top of our list for the best part post-pandemic drive to introduce disruptive
of a decade now, as well as the continued focus technologies enabling digital business models
from functions on ‘Cloud’ (and what it means and transformation initiatives. On the other
from an internal audit coverage standpoint), hand, the presence of more traditional areas,
‘Digital Transformation’, ‘Third-Party Risk’, such as “Data Management” and “Privileged
‘Operational and IT Resilience’. The final two Access”, reflect the ongoing struggle of
boosted in the ranking by a recent emphasis, organisations across sectors to improve
particularly in the financial services sector in their internal control environment in those,
response to FS regulation. undoubtedly very complex, areas.
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
10 | Riding the wave | 2023 Hot Topics for IT Internal Audit
Rank 2023 (All sectors) 2022 (FS) 2021 (FS) 2020 (FS) 2019 (FS) 2018 (FS) 2017 (FS) 2016 (FS) 2015 (FS) 2014 (FS) 2013 (FS) 2012 (FS)
Third-Party
1 Cyber Security Cyber Security Cyber Security Cyber Security Cyber Security Cyber Security Cyber Security Cyber Security Cyber Security Large Scale Change Cyber Threat
management
Digital Technology
Cloud Governance Operational and IT Transformation and Disaster Recovery IT Governance and IT Identity and Access Complex Financial
2 Transformation and Transformation and Strategic Change Strategic Change Strategic Change
and Security Resilience Change and Resilience Risk Management Management Models
Change Change
Identity and Access
Data Management Operational and IT Operational Data Protection and Data Management Data Management Third-Party Data Governance
3 Cloud Governance Large Scale Change Management and Data Leakage
and Governance Resilience Resilience Governance and Data Governance and Data Governance Management and Quality
Data Security
Enterprise
Cloud Hosted Extended Enterprise Extended Enterprise IT Disaster Recovery Third-Party IT Disaster Recovery Data Governance and Data Governance
4 Data Governance Technology Resilience Technology Large Scale Change
Environments Risk Management Risk Management and Resilience Management and Resilience Quality and Quality
Architecture
Information Security/
Operational Transformation and Transformation and Extended Enterprise IT Disaster Recovery Data Management Third-Party Third-Party Rogue Trader and
5 Digital Technologies Identity and Access Cyber Security
and IT Resilience Change Change Risk Management and Resilience and Data Governance management management Access Segregation
Management
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
11 | Riding the wave | 2023 Hot Topics for IT Internal Audit
4
IT Internal Audit
Hot Topics 2023:
A Viewpoint
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
12 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
13 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
14 | Riding the wave | 2023 Hot Topics for IT Internal Audit
• The use of agile tools continues to gain popularity, with a focus to improve collaboration
and cohesiveness across the project teams. Adoption of Agile and Continuous
monitoring methodologies is seen as one of the most effective ways to reduce delays in
the programme delivery.
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
15 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
16 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
17 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
18 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
19 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
20 | Riding the wave | 2023 Hot Topics for IT Internal Audit
Why is it important? Whilst the past 12 months have been very • Scenario Stress Testing: Testing is likely to be the key area of Operational Resilience
This remains a particular hot topic for the demanding, the resilience journey is only just policy expectations which continue to evolve throughout the period up to 31 March
financial services industry. The recently beginning. The three-year ‘transition period’ 2025, as firm’s gain experience in the stress testing necessary, and the Regulators
published Prudential Regulation Authority for the policy runs until 31 March 2025, and assess and feedback on the approaches being followed.
(PRA) and Financial Conduct Authority (FCA) the actions that firms take in that time will
Business Plans for 2022/23 demonstrate be critical to their success. Their focus must • Third Party Risk Management: Third party dependencies pose a significant threat
that Operational Resilience remains a top now shift to addressing the initial operational to a firm’s operational resilience. Visibility, oversight, and assurance is imperative to
UK supervisory priority. By 31 March 2022 vulnerabilities identified, expanding the depth adequately understand and manage the risks posed by third party and outsourced
firms were expected to identify and map and breadth of mapping and testing to detect arrangements (including technology giants and those responsible for providing
their Important Business Services, set Impact and address additional vulnerabilities, and IT services). Boards and senior Management cannot outsource their ultimate
Tolerances, commence scenario stress testing embedding Operational Resilience into the accountability and responsibility for their Operational Resilience and therefore need
programmes to identify vulnerabilities, produce whole operating model to withstand severe to gain assurance over the risks posed by the web of third and fourth parties in the
‘Self-Assessments’, and ensure appropriate but plausible disruptions. service chain, especially when the service being provided is critical in providing a firm’s
governance arrangements are in place. Important Business Service.
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
21 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
22 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
23 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
24 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
25 | Riding the wave | 2023 Hot Topics for IT Internal Audit
• Regulatory focus: While financial services Internal Audit functions will already
be aware of a number of regulatory requirements, there have been significant
new regulatory developments in 2021/22 on third-party risk that have broadened
requirements for firms.
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
26 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
27 | Riding the wave | 2023 Hot Topics for IT Internal Audit
• His Majesty’s Treasury (HMT) published a • The PRA’s Supervisory Statement (SS) • Internal Audit should consider if the • Organisations have made incremental
policy statement on 8 June 2022 proposing 2/21, ‘Outsourcing and third-party risk firm has an adequate Outsourcing and improvements to the way they manage
the approach to mitigate risks from critical management’, was published in March Third-Party Risk Management (TPRM) third party relations, from an efficiency,
third-parties, such as cloud-based service 2021 and has come into effect since 31 framework embedded across the business, cost effectiveness and decision-making
providers, to the UK finance sector. Under March 2022. The statement makes it more and assess adherence to key regulatory perspective. Hindered by functional silos
this proposal, HMT, in consultation with the explicit that firms are expected to assess requirements, including the and decentralised systems, they aspire
financial regulators and other bodies, will the risks and materiality of all third-party to develop a more holistic and integrated
designate certain third-parties that provide arrangements, including those that do not – FCA’s SYSC 8.1 general outsourcing approach. Greater alignment between
services to firms as “critical”. Once a third- fall within the definition of ‘outsourcing’ requirements; risk management and legal and contract
party service provider has been given a and have clearly articulated that materiality, management processes represents a
‘critical’ status, the financial regulators can outsourcing and risk must be independently – FCA’s Senior Managers and Certification critical milestone in the journey towards
exercise a range of powers over the provider. assessed and considered as part of a Regime; fully integrated third-party management.
proportionate and risk-based approach.
• The Financial Conduct Authority (FCA), in – PRA’s SS2/21 Outsourcing and third-party
collaboration with Bank of England and • As per 2022 FCA Business Plan, there is risk management; and
Prudential Regulation Authority’s (PRA’s), an increased focus on improving oversight
published a joint discussion paper on 21 of Authorised Representatives (AR). An AR – Outsourcing guidelines published by
July 2022 to set out potential measures to carries out regulated activity under the European Banking Authority, European
oversee critical third-parties in a move to responsibility of an authorised firm. The Securities and Markets Authority
increase resilience of the financial services authorised firm (the Principal) is responsible and others.
sector. This paper proposes an oversight for making sure that the AR is fit and proper
regime for the supervisory authorities to set and complies with rules. The FCA is consulting
resilience standards, a testing approach, (CP21/34) on changes to their current regime
and enforcement powers for Critical and the final rules were published during
Third-Parties. The responses will be used to August 2022 via Policy Statement (PS) 22/11
inform a consultation in 2023. with implementation due in December 2022.
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
28 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
29 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
30 | Riding the wave | 2023 Hot Topics for IT Internal Audit
Why is it important? • Local administrator accounts frequently • Despite the pervasiveness of IoT, IT teams still struggle to discover and securely
One of today’s biggest cyber security risks is share the same password throughout a onboard legitimate devices at scale. Compounding this issue, IoT devices commonly
privilege misuse, which frequently causes high platform or the entire organisation due to have severe security drawbacks, such as hardcoded, default passwords and the
losses and may place companies in danger of weak password management. inability to harden software or update firmware. Furthermore, they may not have
failure. It’s also one of the most widely used attack enough processing capability on which to run Anti-virus (AV) software. PAM has a
vectors by hackers since, if successful, it allows free • Account deprovisioning can be overlooked pivotal role to play in IoT.
access to an organisation’s information and data, where local admin accounts are created
frequently without raising any red flags until the for maintenance which are often not • The DevOps emphasis on speed, cloud deployments, and automation presents many
damage is done. Key personnel of every company deleted, which leaves the accounts open for privilege management challenges and risks such as organisations may lack visibility
have access to vital business applications. attackers to exploit them. into privileges and other risks posed by containers and other new tools. Inadequate
These applications’ login credentials must be secrets management, embedded passwords, and excessive privilege provisioning are
carefully safeguarded as they contain important The more privileges and access a user, account, just a few privilege risks that are widespread across typical DevOps deployments.
information and data, and illegal access may cost or process amasses, the greater the potential
the company a significant amount of money. for abuse, exploit, or error. Particularly, this • AWS, Microsoft 365, Google Cloud etc. provide nearly boundless superuser
issue can be seen for legacy systems which capabilities, which enables users to rapidly provision, configure, and delete servers
While business privileged user accounts are are at times unable to be brought into a single at a massive scale. Within these consoles, users can spin-up and manage virtual
frequently given to specific people, many other Privileged Access Management (PAM) solution machines. Organisations need the right privileged security controls in place to
privileged account types are typically shared due to lack of system functionality and vendor onboard and manage all of these newly created privileged accounts and credentials
by several administrators. This popular tactic support. Reducing the legacy footprint within the at massive scale.
presents a number of challenges: IT infrastructure will drive down the opportunity
for threat actors to target these types of system/
• It can be difficult to hold each person accounts, which if exploited, could lead to the
accountable for the actions they take using unavailability of critical systems.
the privileged account.
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
31 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
32 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
33 | Riding the wave | 2023 Hot Topics for IT Internal Audit
• More “off the shelf” AI solutions are available in the market, such as CV screening tools. • The regulatory landscape for AI is emerging. Various guidance and frameworks exist
These solutions can act as a “black box” whereby the underlying algorithms are not (e.g., Alan Turing Institute, ICO, NIST) but the approach to regulation is still being worked
accessible to the organisation using them. through globally. The widely anticipated finalisation of the European Commission’s
Artificial Intelligence Act (AI Act) is expected in the coming year and when passed into
• The availability, and reduction in cost of AI systems can lead to ‘shadow AI’ existing in an law, it is positioned to function as a new global standard for AI regulation, given its
organisation, whereby IT, Security and Risk are not aware AI systems are being used. extraterritorial application, with a newly founded enforcement body expected to operate
in a similar fashion to the GDPR oversight operation. It aims to introduce a common
• There is increasing awareness from the public of the ethical risks associated with AI which regulatory and legal framework for artificial intelligence, with a scope that encompasses
is leading to organisations taking steps to understand their use of AI systems and put in all sectors, and to all types of artificial intelligence. The proposed regulation classifies
place processes to ensure AI is used responsibly. artificial intelligence applications by risk and regulates them accordingly.
• Decision making over the trade-offs associated with AI use, for example between privacy
and personalisation, is being defined by organisations with ownership and accountability
of these decisions being discussed at board level.
There has been a notable increase of adoption of AI technology; as well as an increase in the complexity of
algorithmic decision making by AI systems.
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
34 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
35 | Riding the wave | 2023 Hot Topics for IT Internal Audit
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
36 | Riding the wave | 2023 Hot Topics for IT Internal Audit
There will be further impacts for other payment types through the future introduction of the New Payments
Architecture (NPA).
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
37 | Riding the wave | 2023 Hot Topics for IT Internal Audit
– Appropriate training is in place for the • For the first year when TRA is adopted, and
new messaging standard. every three years thereafter, the audit must
be performed by an independent external
– Upgraded messaging appropriately auditor. (i.e., Internal Audit can only perform
interfaces to the new standard. this work in intervening years).
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
38 | Riding the wave | 2023 Hot Topics for IT Internal Audit
5
Where next
for internal audit?
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
39 | Riding the wave | 2023 Hot Topics for IT Internal Audit
Looking ahead, the breadth We believe the next evolution Internal Audit
is for it to be purpose-driven and digitally
of demands on Internal Audit powered. A high-level diagram of the refreshed
functions, and the pace and scale model can be found right.
of innovation in the profession,
Internal Audit 4.0
Purpose driven, digitally powered
You can read more about the Deloitte
point to the need for an update
perspectives on the function of the future and Purpose Purpose Vision Strategy
of our vision of the Internal Audit our 4.0 framework in the recently released REMIT CORE OPERATING SYSTEM
function of the future. We call this publication that can be found on our website2. Assure
Core process
Advise
Risk & assurance strategy
Position &
organisation
Internal Audit 4.0 (IA 4.0). Greatest risks External & leading practice
Process &
We believe IA should embrace digital-enabled Decision governance Anticipate
technology
transformation, foster innovation, explore the Change risk Emerging & dynamic risk
People &
Behaviours knowledge
Ongoing disruption is here to stay: power of automation and analytics, as a way Accelerate
Second line functions Organizational learning
We have all moved beyond “change is the of decreasing costs, embedding agility, and Digital technologies Management action
Performance &
communication
only constant” to an environment of ongoing adding value. A deeper digital transformation
Agile Mindset Digital
disruption. Over recent years we’ve observed and the use of data-driven auditing will not
several key lessons from functions who have be merely required by Audit Committees as a
successfully embedded a culture of continuous nice-to-have, but in our view, would be core
improvement and innovation, and our updated for the development of a resilient and a high
IA 4.0 framework brings three new features to functioning function of the future.
the forefront.
2
Deloitte Internal Audit 4.0 | Purpose driven, digitally powered:
Internal Audit 4.0 | Deloitte Global
By aligning Internal Audit’s outcomes with the
organisation’s purpose, helping accelerate
organisational change and learning, and further
embracing digital and technology enablement,
we believe Internal Audit can upgrade and
maximise its impact and the value it delivers.
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
40 | Riding the wave | 2023 Hot Topics for IT Internal Audit
6
Appendices
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
41 | Riding the wave | 2023 Hot Topics for IT Internal Audit
Appendices
A. About the survey The roles of the professionals that we Figure A. Demographic split of survey respondents by Sector
This survey’s aim was to understand the interviewed consisted mainly of the Heads of
Consumer Insurance Tech, Media Invest. Asset
key areas of IT focus across Internal Audit IT Internal Audit, but where appropriate, we 23% 12% and Telecoms Mgmt. Mgmt.
CPS FS 8% 6% 5%
functions, obtain perspectives on common interviewed Chief Internal Auditors, Heads of CPS CPS FS
challenges, and provide our insights regarding Internal Audit, IT Audit Directors.
these emerging IT risks that could help support
audit planning process cross the industry. This survey was commissioned by Deloitte Building Society
6%
LLP and was conducted by our senior Risk FS
Energy, Resources
We surveyed senior audit professionals Advisory practitioners either via direct Banking and Industrials Non-Profits and
17% Charities
from 66 organisations, and for the first time interviews or through our online survey tool; FS
11%
CPS Government and 5%
CPS
the survey was not focused on the financial the data was collected between May and July Public Services
6%
services sector only but was extended to 2022. As well as capturing the key IT Internal CPS Health and LS
3%
the wider private sector as well as the public Audit risks noted by senior audit professionals, CPS
sector. Figure A illustrates the sectors, and our research team has also leveraged the
sub-sectors of respondents. quantitative and qualitative data provided to
understand themes and trends developing Figure B. Demographic split of survey respondents by FTEs in the IT Internal Audit function
The size of functions in the companies we across Internal Audit functions. Number of IT internal audit FTEs
Figure B captures this breakdown. the IT Internal Audit Hot Topics as identified by 11 (17%)
10-20
industry experts, alongside our perspectives
on why these areas are important, recent 21-50 2 (3%)
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
42 | Riding the wave | 2023 Hot Topics for IT Internal Audit
Appendices (continued)
B. Additional sources and references 04. Cloud Hosted Environments 07. IT Strategy and Governance
01. Cyber Security • Closing the cloud strategy, technology, and • Tech Trends 2022: Tech Trends 2022 Deloitte
innovation gap | Deloitte Future of Cloud
• Future of cyber survey: Deloitte Future of Survey Report: Future of Cloud Strategy 08. Identity and Access Management/
Cyber survey | Global Survey Report | Deloitte Privileged Access
• Deloitte CISO programme: Deloitte CISO • Taking a Cloud Journey Without Risky • Future of cyber survey: Deloitte Future of
programme | Deloitte UK Detours: Taking a Cloud Journey Without Cyber survey | Global
Risky Detours (deloitte.com)
02. Digital Transformation and Change 09. Business critical IT controls
05. Operational and IT Resilience
• Tech Trends 2022: Tech Trends 2022 Deloitte • Deloitte Future of Controls: Future of
• Operational Resilience: The opportunity Controls | Deloitte UK
03. Data Governance for Internal Audit to support Operational
Resilience implementation: Operational 10. Digital Risk: Artificial Intelligence
• Do businesses require additional support to Resilience: The opportunity for Internal
construct and deliver on data governance?: Audit to support Operational Resilience • Tech Trends 2022: Tech Trends 2022 Deloitte
Effective data governance | Deloitte Insights implementation | Deloitte UK
11. Payments
• Data governance for next-generation 06. Third-Party Risk Management
platforms: us-big-data-governance.pdf • Payments trends 2022: Payments Industry
(deloitte.com) • Emerging stronger: The rise of sustainable Trends | Deloitte US
and resilient supply chains | Global
• Modernising data infrastructure with data third-party risk management survey 2022:
management tools, the CFO guide to data Third Party Risk Management Survey 2022 |
management strategy: Data Management Deloitte UK
Strategy | Deloitte US
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
43 | Riding the wave | 2023 Hot Topics for IT Internal Audit
7
Contacts
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
44 | Riding the wave | 2023 Hot Topics for IT Internal Audit
Contacts
Financial Services
IT INTERNAL AUDIT
OUR SURVEY THROUGH WHERE NEXT FOR
1 FOREWORD 2 EXECUTIVE SUMMARY 3 4 HOT TOPICS 2023: 5 6 APPENDICES 7 CONTACTS BACK NEXT
THE YEARS: 2012-2023 INTERNAL AUDIT?
A VIEWPOINT
This publication has been written in general terms and we recommend that you obtain professional advice before acting or
refraining from action on any of the contents of this publication. Deloitte LLP accepts no liability for any loss occasioned to any
person acting or refraining from action as a result of any material in this publication.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its
registered office at 1 New Street Square, London EC4A 3HQ, United Kingdom.
Deloitte LLP is the United Kingdom affiliate of Deloitte NSE LLP, a member firm of Deloitte Touche Tohmatsu Limited, a UK
private company limited by guarantee (“DTTL”). DTTL and each of its member firms are legally separate and independent
entities. DTTL and Deloitte NSE LLP do not provide services to clients. Please see www.deloitte.com/about to learn more about
our global network of member firms.