How can internal audit help manage IT risk

What is an IT risk?

When researching for a common definition of IT risk, there is a lot to consider. To simplify the discussion, let us break this down into the following components.

IT: Information technology, the business unit responsible for deploying and managing applications, databases, operating systems, and infrastructure used by employees, customers, vendors, and other stakeholders of the enterprise every day. No matter where you work, most, if not all, business processes leverage technology in some way, shape, or form.

Risk: The International Organization for Standardization (ISO) defines risk as “effect of uncertainty on objectives”. A principal objective of the IT function is to provide technology services and solutions for how our organizations collect and maintain information used for decision making. Therefore, in an IT context, risk can generally be grouped using the acronym CIA – confidentiality, integrity, and availability – to describe the likelihood and impact a particular IT risk has on this core objective. As internal auditors, we would expect to see management design and implement internal controls over IT risk. Common IT controls include passwords (confidentiality), program change (integrity), and data replication (availability).

Now that we have defined what IT risk is, the diagram below will help to further simplify the overall types of IT risk. It comes from the ISACA’s Risk IT Framework, 2^nd Edition. The bottom row identifies how IT risk is grouped across four buckets. The diagram also clarifies how IT risk is embedded within common enterprise-level risk pillars and the wide-ranging impact IT business processes typically have on organizational objectives. In my opinion, this is a reminder that IT risk management plays a vital role in overall risk management and that technology remains a fundamental component of running an organization.

What are examples of IT risk?

Let’s continue by breaking down the four IT risk buckets shown in the ISACA figure above. It’s important to remember that with IT risk, the risk statement can be “big picture” or very granular. By no means is the following an exhaustive list, but I will provide examples for each of the four categories and challenge you to review a few of your own risk and control matrices to see what you can come up with.

• IT benefit/value enablement risk: If the proposed technology solution does not deliver value, the organization could lose money on the investment. I often see this type of IT risk aligned with the software development lifecycle business process, usually before the solution is developed or purchased. Common IT risk could include a lack of due diligence performed on a software vendor, or if a solution is developed internally, not clearly addressing the core business problem the solution is supposed to solve.
• IT program project-delivery risk: Technology solutions are often complicated and time intensive investments, and if not delivered effectively, could cause time and financial overages. Similar to IT Benefit/Value Enablement Risk, I often see IT Program Project-Delivery Risk aligned with the software development lifecycle business process. Common IT risk could include a lack of governance over the development or implementation of IT assets.
• IT operations and service-delivery risk: As a former IT auditor, I spent many years evaluating “what could go wrong” with IT business processes such as logical access, program change, and computer operations. Common IT risk here includes unauthorized access to technology resources, inadequate governance of changes made to existing systems, and information not being backed up in case of an outage.
• Cyber and information security risk: ISACA embeds Cybersecurity and Information Security under the Information Technology umbrella. According to ISACA’s “Getting Started with Risk Management” white paper, “cybersecurity is related to IT, because technology is often the vector through which cyber risk is realized”. Several more granular issues, such as security breaches, data loss or corruption, and malware, fit into this bucket. The cyber and information security risk space is often the headline generator, where if something goes wrong for an organization, more likely than not, it’s because of a breakdown in this space.

Take another look at the above graphic and see what other risks you can derive from this analysis. What patterns do you see? Do the patterns fall more into known, formally documented risks, or more emerging risks, such as AI?

What are typical strategies to manage IT risk?

The good news is, regardless if we are dealing with existing or emerging IT risk, the strategies available are tried and tested. Management can choose to either avoid, mitigate, transfer, or accept IT risk.

In addition, a solid risk management program is at its best when The Three Lines of Defense are working together. IT risk is no exception, where IT Management (first line), IT Assurance, Enterprise Security, or Enterprise Risk Management (second line), and internal audit (third line) can work together to provide a continuous feedback loop on risk management. Some examples to help manage IT risk include:

• Employee training and awareness: All Three Lines of Defense can participate in this activity. For example, periodic email phishing tests can provide IT management rapid line of sight and feedback on where gaps may be in identifying real versus threat actor emails.
• Routine IT Risk Assessments: Depending on your organization’s structure, the first line management functions are often the best bet to pinpoint and identify IT risk, given their role of managing day-to-day operations. If your organization has a second line risk management function, such as IT assurance or enterprise security, those resources can help design IT risk management processes and systems where risks are identified and prioritized, and controls can be tested for real-time feedback. In the third line, internal audit can provide assurance to determine if the IT risk and control processes are designed and operating effectively.

What is an IT risk assessment?

According to ISACA’s Risk IT Framework, 2^nd Edition, an IT Risk Assessment is a systematic process to identify, assess, analyze, evaluate, respond, and report on risk. I find this framework useful because IT risk can be complicated, ambiguous, and hard to qualify. Further, in the internal audit function, it can be detrimental if we try to rank IT risk without having a formal way to catalog and collaborate with our business partners to truly understand the essence of IT risk. The framework gives us a structured, repeatable process that we can use to revisit, refine, and potentially re-prioritize risk response measures, considering the rapid advancement of technology to run our organizations.

What should an IT risk assessment include?

Breaking down the above components of an IT risk assessment, it’s good to keep in mind that given the ongoing, repeatable steps, this framework can apply to existing and emerging IT risk.

• Risk identification and assessment: Start and re-engage the process by identifying the population of potential technology risks that could impact the organization. IT risk is often a moving target, so tracking this information in a centralized repository, like TeamMate+, can help stakeholders identify, collaborate, and assess risk real-time.
• Risk analysis and business impact evaluation: Assess the likelihood and potential impact of each identified IT risk. This will help prioritize risk based on severity and potential consequences. For example, let’s say your organization is considering the use of a LLM, such as ChatGPT, to support the customer service function. The IT risk is the LLM provides incorrect and misleading information, which leads to customer dissatisfaction with service. If the LLM is relatively new and untested by management, the likelihood that the LLM provides incorrect and misleading information could be reasonably classified as “high” and the impact on customer service as “high”. Therefore, the organization would need to prioritize this risk and consider testing and piloting the functionality adequately to reduce both factors within the organization’s risk appetite.
• Risk response: Using the strategies outlined above, the organization can choose to avoid, mitigate, transfer, or accept the risk. In the prior ChatGPT for customer service example, the organization could choose to avoid the risk of using ChatGPT. The benefit of doing so would be no commitment of time and resources to control and monitor the use of ChatGPT; but the drawback is management would forego their estimated time savings of 50% when responding to customer inquiries.
• Risk reporting and communication: This is the key step in the entire process and likely requires the most labor to strike the right balance of just enough information to make timely decisions. When too much information is provided, stakeholders may tune out. If not enough information is presented, stakeholders run the risk of getting blindsided with unfortunate surprises.

How can internal audit help manage IT risk?

While management owns IT risk, internal audit can bring ideas to the table throughout the audit lifecycle.

Let’s start with some strategies that you can adopt immediately:

• Read up! I subscribe to newsletters from the IIA, ISACA and AICPA, as well as a variety of additional industry LinkedIn pages and groups. I also keep up with business news as a source of what is happening on a global and local scale.
• Network! Attend webinars, lunch and learns, and conferences to take a deeper dive into these topics at a risk management level.
• Relationship building in your organization. Get a pulse on what the Board and Audit Committee (or equivalent) is thinking about regarding IT risk. Those individuals are charged with setting the tone with overall governance and can provide insight into the big picture.
• Check in periodically with IT leadership to take a pulse on opportunities and threats. This can be informal lunches and more formal risk assessments. IT leaders and their teams are on the ground solving business problems through technology. These individuals are a vital resource to understand IT risks at a more granular level.
• Invite internal technologists to present a topic to your internal audit team. It’s a tactical way to build relationships and allow staff to ask questions about a particular topic outside of an audit. During my time in professional internal audit practice, I invited a subject matter expert to talk to the internal audit team for 30-60 minutes about how emerging technologies are impacting the business processes they support.

What about during the audit plan year?

• Read up on enterprise-wide and local business unit business plans. These are an excellent resource to understand local business conditions and how IT services are consumed by business units.
• Attend and participate in your organization’s risk management meetings to get a sense of management’s risk appetite and how technology is impacting strategic and operational objectives.
• Consultative engagements: See if your internal audit team can sit in while new technologies are being considered at the organization. Project steering committee meetings are an effective way to get a sense of how the technology solution will support the business process, and if any glaring weaknesses exist. It’s typically easier to address unmitigated IT risk at this stage, as opposed to post internal audit kick off.
• Periodic IT risk assessments: TeamMate+ can facilitate this process through features such as entity, risk and/or control self-assessments. This functionality allows stakeholders across the Three Lines of Defense to update risk statements and control activities and allows first line stakeholders to disclose management identified issues before an engagement begins. This path can be used to reinforce ownership of the risk management framework and allows teams to collaborate in real-time.
• Assurance engagements: Keep testing the ongoing IT business processes governed by IT general controls. For emerging risks, add engagements such as vendor risk management, information security, and penetration testing to the audit plan. Ongoing feedback to management and those charged with governance is vital to managing IT risks!

Conclusion

IT risk is an ongoing and evolving business discipline. For internal audit, it’s a great opportunity to take stock and re-examine how emerging technologies impact IT risk for our enterprises. The good news is, we can continue to follow existing IT risk management frameworks that allow us to partner with management to understand these risks. Further, we can revisit and refine our strategies to design consultative or assurance engagements to provide real-time feedback to our governance and management teams.