How IT audit can get the job done

When it comes to information technology, financial institutions face a great deal of risk today. While they are challenged by issues ranging from a deluge of new regulations to relentless cybercriminals, many banks are struggling to both implement new programs and gain overall visibility of their current projects so they can continually monitor their key risks.

The risk of failed business and technology project implementations that miss deadlines, go over budget, and do not deliver their promised benefits is very real.

In fact, nearly three-quarters (73%) of executives believe their businesses are increasingly challenged to assess the risks and returns of major programs, according to 2013 research by Independent Project Analysis, Inc.

Perhaps because of this, 39% of projects succeeded (e.g., delivered on time, on budget, with required features and functions); 43% were challenged (e.g., late, over budget, and/or with less than the required features and functions); and 18% failed (e.g., cancelled prior to completion or delivered and never used), per a 2013 study published by The Standish Group. 

What’s the solution to reducing risk in these strategic, transformative IT programs?

One answer is for banks to optimize the usage of their IT Internal Audit function and personnel. The role of this function, ITIA, is to perform both enterprise-level and business unit-level independent assessments focused on technology risks, governance, controls, internal communication and compliance. ITIA also focuses on understanding and assessing key risk indicators, which are critical steps to keeping projects ahead of the curve, on time, and under budget.

Why internal audit?

At first, it may seem counterintuitive to bring ITIA to a true “seat at the table” when it comes to participating in game-changing decisions about major system initiatives. However, there are several advantages ITIA holds that banks can leverage to gain the critical benefits mentioned above.

ITIA serves as the so-called third and last line of defense in an organization’s risk management framework.

The first line comprises the individual departments expected to identify risks and implement mitigants across functions such as accounting, finance, operations, and technology.

The second line is the Enterprise Risk Management (ERM) and Compliance functions, which interpret regulations, establish policies to guide the departments, and/or monitor compliance. The second line also summarizes this information via aggregate risk reporting for executive management and the board.

As the third line, ITIA is the backbone to promote the effectiveness of controls and validate control adherence throughout the bank.

Due to these unique responsibilities and positioning, ITIA has a distinctive point of view to maximize previously established relationships and synergies across various departments, particularly among business groups, IT, project management office(s), and the risk function.

This gives ITIA a one-of-a-kind opportunity to bring enhanced visibility to system initiatives. ITIA can continually monitor them to better understand the interconnectedness of projects and ultimately enhance audit coverage based upon the organization’s risk.

Steps to success

There are practical, proactive measures that an organization can begin instituting today to leverage ITIA’s vantage point and expertise to provide decision-makers—particularly the bank’s Board and Audit Committee—with better visibility into prior, current, and future system initiatives. These steps will also help banks limit resistance from key stakeholders who seek to avoid “interference.”

1. Taking stock: Based on the nature, inherent risks and downstream implications of each initiative, ITIA can profile the inventory of system initiatives to determine the appropriate level of ITIA involvement at varying periods of the project lifecycle (e.g., prior to deployment, following deployment or via continuous monitoring).

2. Making connections: With sponsorship from a bank’s senior leaders, ITIA can add value from its broad vantage point to implant itself in critical governance, steering committee and strategy meetings. This allows ITIA to remain aware of the portfolio of technology and business activities that may warrant its attention and leverage its ability to identify connections that may not be visible within the individual departments.

3. A new approach: ITIA needs to establish a risk-based approach and methodology to consistently determine the level of effort it requires to dedicate to proactively monitoring system initiatives and enhancing real-time reporting. In general, the greater the risk of the system initiative, the greater the level of focus ITIA should proactively assign to it.

4. Creating alignment: ITIA should be aligned with a bank’s ERM framework to reconcile risk taxonomies, as well as maximize the relationships and work conducted between the three lines of defense mentioned above.

Two key areas of focus

Recent trends have shown an increased appreciation for and involvement of ITIA at two critical quality junctures in any major system initiative. These milestone steps are the “analyze-and-design” phase and the “test” phase. ITIA is in a position to challenge the work done in these phases in real time, which presents opportunities to identify and address risks before a system is deployed.

Specifically, these are the types of questions ITIA should be asking at these quality junctures:

• Analyze-and-design: Has the project team evaluated gaps in the current business process and functionalities? Has the team established solutions for these gaps? Has it also determined/documented configurations and customizations that consider future-state controls to address security, architectural, regulatory and operational concerns?

• Test: Have the project team and user community performed detailed testing (e.g. stress, regression, performance) to validate that the functionalities are operating as intended and align with the business/functional specifications? How are errors/issues in testing evaluated and addressed?

The bottom line

With a bank’s ITIA function working more proactively as described above, it can play an instrumental role in two areas:

1. Understanding and communicating the landscape of system initiatives for improved audit coverage decision-making.

2. Addressing the needs and concerns of the constituents focused on the progress of system initiatives and the effectiveness of risk mitigation measures enforced.

As important, ITIA can help assess whether or not a bank’s system initiatives have the recommended resources, competencies, and rigor to address many of the increased internal and external pressures on them, and, at the end of the day, realize the business benefits of these programs.

About the author

David Kahan is a consultant in IT Risk Advisory at EY. The views expressed by the author are not necessarily those of Ernst & Young LLP.