Technology companies of all sizes and scale are increasingly finding themselves operating in a challenging, innovation-oriented landscape facing growing business disruption and an ever-tightening legal and regulatory compliance regime.
The role of the Internal Audit function is not only to provide assurance over the key activities and risks, but also to advise on the design and effectiveness of the risk, control and governance arrangements, traditionally using the three lines of defence (3LOD) model. It helps stimulate innovative solutions to improve an organisation’s ability to anticipate and manage its risks.
After over a decade of uncertainty following the financial crisis, the pandemic has established a whole suite of ‘new-normal’ processes but the organisational impact is still to be fully understood. Necessity has always driven greater innovation, and the pandemic has meant a greater use of technology in the way companies operate. From the ability to work remotely, to the use of automation and the ‘as-a-service’ cloud revolution, companies have had to adapt and push traditional boundaries, taking on more risk in the process. We see many technology organisations increasingly using the 3LOD approach as a framework to assess the level of their maturity in how they are managing their risks.
The Three Lines of Defence model, published by the Institute of Internal Auditors, provides a framework to consider the overall arrangements for managing risk and exercising control within an organisation.
Current areas of Internal Audit focus
Many of the challenges that technology companies grapple with are not entirely unique to the sector in which they operate. Nonetheless, our experience highlights that there are several business issues they face as they develop their strategies and make investments.
Cybersecurity – the ever-shifting threat landscape is a key focus point for many technology companies. The rapid shifts in technology, the continued movement to PaaS and SaaS cloud solutions, increased and diverse regulatory environments and changes in corporate culture mean that technology companies need to be on the front foot when it comes to the protection of their systems and data. Ensuring that the fabric of security over the company’s network, applications and information is proportionate to manage the threat of cybercrime, cyber-attack and/or cyber-terrorism is critical to technology companies.
Operational resilience – ensuring that there are sufficient and appropriate mechanisms to mitigate the risk of business disruption has become ever more critical for technology companies. Building and instilling resilience in an organisation’s people, processes and technology infrastructure that is both proportionate and sufficiently robust can be problematic. Technology companies need to consider continuity and disaster recovery plans to cover data security attacks, IT outage and denial of access to critical people, premises, systems and technology.
Data governance – the dependence on and importance of data being captured, stored, used and protected cannot be underestimated, and technology organisations are at the forefront of leveraging the power of big data. Organisations that have unleashed or are unleashing the potential of their data are starting to see some real benefits. However, there are real security and methodological risks, and the regulatory demands on organisations can have significant financial and reputational impacts on those organisations that do not put in place sufficient data governance protocols.
Mergers and acquisitions – the ability to manage strategy execution risk more effectively is leading many technology companies to put in place additional rigour over their merger, acquisition and divestiture programmes to ensure there is a fact-based and well-controlled diligence, valuation, planning and execution process.
System implementation – technology companies are making much greater use of cloud services (whether SaaS, PaaS or IaaS) and organisations face risks and challenges when moving their IT infrastructure to the cloud. These include the risk of cloud system implementations not delivering the intended value/benefits, overlooking processes or parts of the business on the journey, and managing any resistance to change.
Legal & Regulatory framework – whilst not heavily regulated when compared to other sectors, technology companies innovate and disrupt several highly regulated industries and therefore face the challenges of understanding and complying with a wide range of legal and regulatory requirements. For some technology companies, implementing a global compliance framework may be a logical progression along their compliance journey.
Third party risk – increasingly, organisations leverage third parties to provide a variety of services such as product sales, distribution, data storage, marketing, finance, HR, payroll and even customer service. Outsourcing frees up organisational resource to focus on the core strategies (and outcomes) of the business, as well as reducing costs.
How can Smith & Williamson help?
Smith & Williamson’s Risk Advisory practice supports, advises and provides assurance services to technology companies with internal audit services. Our professionals bring deep technical and industry experience, allowing you to strengthen your key governance, risk management and control, and at the same time enhance business performance.
We have worked with organisations to:
- Establish an Internal Audit function, build the approach, methods, tools, strategy, programme of work, and support in the appointment of a team that then delivered the services themselves.
- Operate as a fully outsourced provider of internal audit services.
- Operate as a co-sourced provider in a hybrid delivery model. This has included providing a Head of Internal Audit and secondee/s to support an in-house team, utilising the resources from within your organisation to deliver.
Smith & Williamson LLP
Regulated by the Institute of Chartered Accountants in England and Wales for a range of investment business activities.
Smith & Williamson LLP is a member of Nexia International, a leading, global network of independent accounting and consulting firms. Please see https://nexia.com/member-firm-disclaimer/ for further details.
Smith & Williamson LLP is part of the Tilney Smith & Williamson group.
Registered in England No. OC 369631.
This article was previously published on Smith & Williamson prior to the launch of Evelyn Partners.