It’s Always Been a Matter of Trust

Digital transformation is nothing new. While keeping up with the latest technology is important, it also carries risks – from data security to regulatory compliance. Your customers, business partners, investors, and regulators trust you to manage these risks because they can impact everything from efficient business operations to the integrity of your financial data. As a result, effectively managing IT risk is far more than just a regulatory compliance exercise — it’s essential to the integrity and reputation of businesses. Ensuring you have the right people, tools, and processes in place is no longer just an IT issue; it’s a priority the entire C-suite needs to keep in mind.  

A New Mandate for Managing Risk

Audit teams who analyze the risks of IT are no strangers to change. Information system audits have been around for more than 70 years — starting in the 1950s as electronic data processing platforms made time-consuming business operations move with enhanced efficiency. 

The original mandate of information system audits was simple: verify business processes worked. The primary stakeholder was typically the head of IT or business operations. Today, that mandate has expanded to include building trust among multiple stakeholders. Regulators, customers, and investors may all have different expectations about how risk should be managed. With the advent of cloud computing, mobile technology platforms, social media, blockchain, and the emerging ubiquity of artificial intelligence (AI), the scope of the traditional IT audit is expanding in ways that may leave many organizations feeling unprepared. The sheer amount of data can be overwhelming, and appropriate resources aren’t always there. This new reality is placing pressure on all auditing teams.

But with efficiency comes risk, so information systems audit teams must consistently develop new skillsets to adapt to change, manage new risks (like increased regulatory compliance), and promote trust. Companies must work hand in hand with their auditors to identify risks, strengthen internal controls, enhance compliance, and drive greater assurance. It takes a holistic approach to risk management — evaluating the organization's IT systems and its infrastructure, policies, and overall operations. The reason is simple: data cuts across everything in business today, and trust in data-driven enterprises is at a premium. Failure to proactively manage risk is not an option.

There’s a Regulation for That

On the enforcement side, data and privacy legislation has been around for more than 20 years. Most recently, the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) placed restrictions on how companies leverage data, creating additional compliance risks for industries like financial services.

For example, fintech companies feel the effects of the Financial Data Exchange (FDX) standard, which places restrictions on the collection of consumer financial data for third-party apps. In addition, the Consumer Financial Protection Bureau's data collection rule requires financial services companies to collect and report data on small business lending activities. 

More recently, the Securities and Exchange Commission (SEC) has proposed new rules governing the use of data by broker-dealers. The new rules would require broker-dealers to identify and disclose conflicts of interest, while also implementing safeguards to protect customer data.

These proposed rules are an indication of the SEC's ongoing focus on the use of data. Adding emphasis to this focus, SEC Chair Gary Gensler recently spoke about his concerns over the potential risk AI might bring to financial markets. Concerns over risks to financial markets are likely an indication of a higher degree of scrutiny — and perhaps future enforcement action — around IT compliance issues. The internal controls provisions of the 2002 Sarbanes-Oxley legislation are especially relevant here. The Public Company Accounting Oversight Board (PCAOB) has also issued several standards on IT controls. These standards are intended to help information system auditors test the effectiveness of controls in preventing and detecting material misstatements in financial reporting.

The Impact of Emerging Technology

Ironically, a beneficial approach to managing risks linked to data and digital platforms involves utilizing other emerging technologies to support the proper functioning of these systems. Data analytics tools help audit teams identify anomalies in large data sets and enhance accuracy, improving the quality of audits without adding work for the client. A smarter, risk-based audit streamlines processes and creates additional value. Obtaining more accurate data allows the audit team to focus on specific risks. A traditional audit may not always reveal the most pertinent data or the most pressing material risks.

Technologies like AI and bots are helping to automate time-consuming and repetitive tasks, such as data collection, sampling, and testing. As a result, auditors have more time to focus on more complex risk assessments and judgment-based decisions. The ability to analyze large volumes of data faster than ever allows the audit team to identify anomalies and trends that may indicate fraud, errors, or other serious risks.

However, the biggest impact of emerging technology may be the ability to perform continuous auditing — taking a real-time, ongoing approach to monitoring a company’s systems and processes.

What Should Enterprises be Doing to Get Ready?

AI integration into control processes is still at a nascent stage. Organizations will have to resolve compliance risks, especially around new platforms like AI, with security protocols and internal policies to confirm audit teams have access to the data they need to help mitigate and address risk efficiently. Embracing new technology in an audit takes time, but as risks are identified and mitigated, more automation can be implemented. When that happens, an experienced audit team can identify IT risks a client may not have been aware of.

For large public companies, the volume of data to review can be staggering, so large data dumps often prove impractical. Companies may need to partner with independent information system auditors to set parameters, so the right information is shared at the right time. Collaboration will be the key to success. 

Any external information system auditing team needs to fully understand its client’s IT requirements and compliance issues. Meanwhile, enterprises must understand how emerging technologies can help reduce risk and enhance stakeholder trust, as well as the importance of leveraging these tools, either internally or with knowledgeable external assistance.

Information system audits have evolved significantly over the years, but one thing has remained constant: it’s always been a matter of trust.

BDO’s Information Systems Assurance team has deep experience collaborating with clients to identify new risks, strengthen internal controls, enhance regulatory compliance, and drive greater assurance across enterprises. Our professionals take a holistic approach to risk management, evaluating an organization’s infrastructure, policies, and overall operations.