Hearing the word “audit” can raise the blood pressure of any financial services company’s chief information technology officer or chief risk officer. But voluntarily undergoing an audit, and approaching it in a spirit of openness and collaboration, is among the most effective ways for a company to improve its IT security and ensure compliance with the relevant European Banking Authority’s (EBA) guidelines.
Will Finn and Brendan Dougan in fscom’s technology risk team have many years of IT and cyber security auditing between them, specialising specifically in the financial services sector. They led a recent webinar to demystify the auditing process and explain how firms should prepare and what to expect from an IT security audit. This blog summarises their key takeaways for any financial services institution looking to strengthen its IT security and ensure compliance with the relevant guidelines.
What is an IT security audit?
An IT security audit is a test of a company’s information systems and processes to determine four main things:
1. Compliance with applicable laws, regulations, contracts and industry guidance
2. Compliance with internal governance, risk management and IT and security related policies and procedures within the company
3. Whether data is managed to appropriate levels of confidentiality, integrity and availability
4. Whether information security operations are being carried out efficiently and effectively.
Auditors are bound by standards and professional guidelines. They should be independent and not involved in delivering or managing an organisation’s controls or risk assessment. They should have a good understanding of IT platforms and systems and how these are used in the financial services industry. Auditors must observe confidentiality, and – crucially – serve the interest of the firm they are auditing in a lawful manner. Audits are not like “exams” at school, but a way to help firms identify areas where they can do better in the future.
Why should financial services firms seek an audit?
The primary reason firms should undertake an audit is because they are required to, both by the regulators and for their own assurance of good internal governance. A number of regulations and laws at both EU and UK level require firms to be able to demonstrate good information security practices and compliance. UK firms are directed by the FCA to take note of EU guidance because there has not yet been a significant divergence of UK and EU laws since Brexit.
For example, the European Banking Authority’s (EBA) guidelines require firms to carry out an audit, have an audit plan in place, and demonstrate how they are governing the process. Firms are therefore mandated to carry out audits and put in place remediation plans to act on them and monitor progress.
But there are other good reasons why firms should approach an external or independent auditor to carry out an IT security audit:
- An incident indicates that specific controls are not working as intended and are not effective in mitigating risk
- When an organisation has undergone significant change such as the development and launch of a new product, the on boarding of a new outsourced IT platform or service, or a merger with an acquired business
- Undertaking an audit can demonstrate to a client that the company has a high awareness of risk and preparedness to meet potential challenges that may arise
- An audit can also reassure stakeholders that the company practices good governance and has high ethical standards.
What to expect during an audit
The audit process follows five broad steps:
Audits typically take place within a wider organisational and governance context. Audits are typically scheduled as part of a risk-driven, internal audit plan but can be ad hoc to respond to a specific event or a requirement, such as an IT security incident or a demand from a third party as part of their due diligence process.
The auditor will work with the client to decide the scope and purpose of the audit. The auditor will seek to understand where the client’s controls and risk management strategy and plans are, before going into more detail.
The auditor engages with the firm and gathers documents which state their key policies, strategies, and plans in relation to IT security risk. These are reviewed to assess their design effectiveness. The auditor will then assess how the IT security controls are implemented by carrying out interviews, observing procedures, examining evidence, and testing the company’s IT security performance. Their methods range from manual to technological, and auditors increasingly use bespoke data analytics software and other computer-aided tools.
The auditor documents their findings and recommendations, providing a clear description of the control design and effectiveness of each control in comparison to the specific regulations or policy requirement. They also make recommendations for remediation. This report is presented to the client, whose management should respond to each finding.
The EBA guidelines require firms to act on their audit findings. This might mean improving a control to mitigate risk; redoing a risk assessment with stronger controls; updating or ending contracts with third-party suppliers; and overseeing and tracking progress to implement corrective actions against target dates.
fscom’s tips for a successful audit
Companies should do the following to make an audit as useful as possible for them:
1. Prepare thoroughly
The preparation before an audit is important. You should have an internal audit plan which records when audits are scheduled to allow for effective planning. Then alert those who will be required to participate to reserve their time and ensure they understand their role and are familiar with the firm’s controls. Holding a ‘mock’ audit is one way to test that.
2. Respond quickly
Audits have a deadline because they aim to capture your preparedness at a single point in time, so it is essential that you respond quickly to any queries from the regulator during the process. If you can’t answer a question immediately, you can simply tell the auditor that you will let them know before the deadline. If an auditor does make a finding in their preliminary report then, if you can correct the weakness before the deadline, it will no longer count as a finding.
3. Approach it openly
You should work collaboratively with your auditors, who are there to help you identify your strengths and weaknesses and, ultimately, improve your IT security. You should expect them to come up with findings – this is the sign of a useful audit.
4. Act on the findings
After an audit, you should review the findings and put plans in place to improve in the relevant areas, and review your company-wide risk assessment in light of the results.
The future of audits
Several trends are likely to make audits even more important to regulators, and companies, in the future. One is that IT security risk is perceived to be greater now than ever before, so regulators are introducing more reporting requirements. Another is that more and more data about risk and how controls are operating is becoming available, which the regulators will expect to see firms take into account in their risk assessments.
A striking trend is a move away from audits which assess a company’s compliance at a point in time, which will be replaced by continuous auditing. This sounds onerous, but it is made easier by new automation tools which can help companies to carry out data collection, monitoring and testing. Firms should investigate automation and other technologies to help them to stay ahead of regulatory expectations and, in doing so, bolster their IT security.
Contact fscom today for a consultation on your IT security and to explore your readiness for an audit.