Transcript | Navigating a Technology Risk-Filled Horizon Listen The results from this year's Global Technology Audit Risks Survey, conducted by Protiviti and The Institute of Internal Auditors, reveal a complex and multifaceted landscape of technology risks. Cybersecurity is the top priority and by a wide margin. AI is an emerging risk with gaps in organisational preparedness and audit proficiency. The talent gap in IT is a growing concern and data privacy is a growing regulatory challenge. Protiviti and The IIA recently published a research report on the results of this survey, Navigating a Technology Risk Filled Horizon. For this episode, we talk with Protiviti Managing Directors Lindsay Gleeson and Angelo Poulikakos about the results of the survey and their insights about the findings and the trends they reveal.Angelo is global leader of Protiviti’s Technology Audit and Advisory practice. His specific areas of concentration include technology risk management, cybersecurity, IT compliance, internal audit and automation. Angelo has more than 18 years of experience in all facets of internal controls and frequently works with CIOs, CISOs, CAEs and other leaders to mature their technology risk management and audit capabilities.Lindsay is a leader in Protiviti’s IT, internal audit and financial advisory practice. She has over 16 years of extensive experience with a focus in audit consulting and project management. She has managed and executed numerous projects related to internal controls and rationalisations; Sarbanes-Oxley, SOC2, NIST and HIPAA regulatory compliance pre-implementation reviews; and automation and information security governance assessments.For more information, read Navigating a Technology Risk Filled Horizon.Contact Angelo at [email protected].Contact Lindsay at [email protected]. Listen Topics Cybersecurity and Privacy Internal Audit and Corporate Governance Risk Management and Regulatory Compliance Kevin Donahue:The results from this year’s Global Technology Audit Risks Survey, conducted by Protiviti and The Institute of Internal Auditors, reveal a complex and multifaceted landscape of technology risks. Cybersecurity is the top priority — and by a wide margin. AI is an emerging risk with gaps in organisational preparedness and audit proficiency. The talent gap in IT is a growing concern, and data privacy is a growing regulatory challenge.This is Kevin Donahue, a senior director with Protiviti, welcoming you to a new edition of Powerful Insights. Protiviti and The IIA recently published a research report on the results of this survey entitled Navigating a Technology Risk-Filled Horizon. This report is available on the Protiviti and IIA websites.For this episode, I spoke with Protiviti Managing Directors Lindsay Gleeson and Angelo Poulikakos about the results of the survey and their insights about the findings and the trends they reveal.Angelo is global leader of Protiviti’s Technology Audit and Advisory practice. His specific areas of concentration include technology risk management, cybersecurity, IT compliance, internal audit and automation. Angelo has more than 18 years of experience in all facets of internal controls and frequently works with CIOs, CISOs, CAEs and other leaders to mature their technology risk management and audit capabilities.Lindsay is a leader in Protiviti’s IT, Internal Audit and Financial Advisory practice. She has over 16 years of extensive experience, with a focus in audit consulting and project management. She has managed and executed numerous projects related to internal controls and rationalisations, Sarbanes-Oxley, SOC2, NIST and HIPAA regulatory compliance, preimplementation reviews, automation, and information security governance assessments.Angelo, thanks for joining me today. Angelo Poulikakos:Kevin, it’s always great to be part of your show. I feel like I’m a veteran already. Kevin Donahue:Thanks very much. And Lindsay, it’s great to speak with you for our first time. Looking forward to it. Lindsay Gleeson:Thanks for having me, Kevin. Excited to be here. Kevin Donahue:Lindsay, we’ re going to bring you right into the deep end of the pool and ask you our first question. Cybersecurity is perceived to be the top risk issue by IT audit leaders and teams, and in terms of our scoring, it’s not particularly close. Further, among numerous technology risks, so-called next-gen cyber threats appear to present the most significant risk over the next two to three years. What do these findings say to you about the state of cybersecurity threats today? Lindsay Gleeson:Thanks, Kevin. It’s indicative of where IT is today. IT is constantly changing. It’s evolving. Obviously, cybersecurity is on all our clients’ radars. Ransomware and AI and some of the new technologies that are coming out today that are creating these new risks, from a client perspective, it’s on their radars. They know these things are coming — the impact of access, and things being put into the cloud, and how safe is our data, and how can it be breached? And if we’re breached, how do we recover that data? All these things, they start to snowball as we start to think about cyber, what we knew it as two to three years ago. What is our NIST, and what are our protocols, and thinking of those new technologies and how they’re transforming that space. Angelo Poulikakos:Lindsay, I agree with everything you said just now. I found it interesting how our survey results showed a high level of preparedness around cyber. I don’t think you could ever be overly prepared for cyber, but over the last five years, organisations have probably spent more money on cybersecurity than ever before. They’re obviously seeing a lot of attention to that space. They’re building partnerships with providers that they never previously would have thought of working with, that strictly do cybersecurity as a managed service. I’m excited to see that a lot of organisations I work with now include cyber as part of an ongoing audit agenda item, as part of audit committee meetings. They’re not just performing one cyber audit a year, but they’re performing more regular audits around cyber. Preparedness, to me, is also indicative that it’s an auditable area. There is something to audit and for internal audit to assure around. Lindsay Gleeson:Those are great points, Angelo. We look at audit plans coming up and the conversations I’m having with my clients right now as they’re focusing on next year. Number one is cybersecurity. And they’re, like, “We’ve audited it a hundred ways, but how can we think about it differently? How do we still provide value, and how do we become more prepared?” Kevin Donahue:Angelo, I’m going to circle back to preparedness and proficiency views on cyber and other risks shortly, but I first want to ask you about AI and generative AI. These areas, along with machine learning, are not viewed by most as posing significant threats today, according to the results of our survey. But the threat level ramps up within a two- to three-year timeline. Tell us what you’re seeing today and what you anticipate will develop in the coming years around AI technologies. Angelo Poulikakos:I did find it interesting, when we got a preview of the results and finalised the results, that AI wasn’t high on the risk radar list for the next year, but that was based on people’s responses in June. If we were to resurvey them now, we would have seen those results climb. That was indicative from one of the questions we asked: What do you see as a risk trending over the next two to three years? AI was pretty high on the list. In the last three months, many of my clients have started to introduce, and give the power of, AI to a lot of their employees, creating Chat GPT-like environments. That is allowing organisations to use generative AI in a more secure manner because the prompts and the responses are going to live within the four walls of the organisation.Maybe at the time we asked participants on their views of risk on AI, they didn’t think it was so high on the list, but it is definitely climbing. It’s probably going to be the one with the greatest velocity. We are seeing a lot of our internal audit clients come to us right now and ask us about the related risks, and what can they be doing to help organisations prepare, because this isn’t something that’s auditable at most organisations yet. This is an opportunity for internal audit departments to do more advisory projects, consultative projects, partnering with the business and thinking through the risks around the use of large language models, whether it’s data privacy, confidentiality risks, risks related to folks using it as a crutch, maybe overreliance. That could certainly be a concern. Noncompliance.A lot of the regulatory requirements around the use of generative AI haven’t been fully fleshed out yet, but we have a good feeling that is coming. This is where internal audit departments could help think about and devise control frameworks, and tailor those frameworks based on the organisation’s planned use of AI. There are already a lot of good resources available. The NIST released an AI governance framework that could be leveraged, one very similar to the NIST cybersecurity framework. There is an AI risk management framework, very robust, a lot of guidance. It might be overwhelming guidance for most to consume, but they can leverage that as a tool to help create a more tailored framework the organisation could align to and work to implement as they also work to implement AI within the organisation. Kevin Donahue:Based on some other research Protiviti is conducting, we are seeing use of generative AI ramp up in finance organisations and other groups. Angelo, that aligns exactly to what you’re saying. There’s been a lot of growth in the past few months, and that’s going to continue. Angelo Poulikakos:We’re also seeing that just about every software vendor that’s out there is looking to introduce AI into its platform. Even a lot of the audit-oriented platforms, I can anticipate they’re going to think of ways of introducing AI. That’s an exciting thing for the community of internal auditors and risk management professionals. We’ve seen firsthand the power of AI and how it can accelerate internal audit–related and risk management–related activities. Having those capabilities embedded into some of these tools is going to make things a lot more exciting. It’s going to allow internal audit departments to do a lot more from a technology audit perspective. No one technology auditor could know everything. It’s going to certainly help the planning process, but teams are still going to need to leverage expertise from other places just to be able to address the variety of risks that exist today. Kevin Donahue:Lindsay, I want to switch topics and talk a bit about data privacy and compliance, and data governance and integrity. Those risk areas also stand out in the results of our survey. What types of questions and concerns about data-related areas are you hearing from the companies you work with? Lindsay Gleeson:In the most recent news, within the past two weeks, we’re hearing of data, and especially at MGM and Caesars, and data being held at ransom. This relates to our cybersecurity question earlier, but understanding the impacts to big data, understanding the quality of the data, the privacy around it, being able to make sure that that data is secure, to Angelo’s point, there are a lot of platforms; there are a lot of vendors. Data is moving constantly between vendors, interfacing between each other. How are we keeping the data secure? We have regulations and compliance we have to be aware of. The GDPR. HIPAA in the health industry. A lot of clients are coming in, and how do we make sure that that data is being secured?The other big piece is, what is the integrity of that data, and making sure that data is governed appropriately? Who has access to that data? How is that data being retained? How do we prevent loss of data? If it is held, or we have to be able to recover that, it’s becoming more at the forefront of being able to make sure that data is recoverable and usable in the event of a cyber breach or even just a data loss. Angelo, anything that you’re seeing with your clients? Angelo Poulikakos:There definitely seems to be a lot of focus on the notion of privacy by design. Making sure privacy is considered as part of every project — especially any type of major development where we’re building technology or we’re introducing a new business process — helps ensure that we’re in compliance with the relevant laws and regulations. Kevin Donahue:Thank you both. Angelo, I want to circle back to what I previously mentioned and you raised around organisational preparedness and technology audit group proficiency. Cybersecurity is perceived as the top technology threat, as we talked about before, but our results indicate organisations and IT audit groups are reasonably well prepared to handle it, as they report to us in our study. Conversely, we see more troubling gaps between threat and preparedness levels in areas such as third parties and vendors, transformations and system implementations, and IT talent management. There are gaps there, whereas there are not so many gaps when it comes to cybersecurity. Do those trends surprise you? Angelo Poulikakos:The survey results did surprise me at first, as it related to third-party risk management and that not being an area where organisations feel prepared. But I reminded myself that we have a wide audience base that completes our survey. We’re not having strictly Fortune 50, Fortune 100 companies complete our survey that have more mature third-party risk management programmes.I’m biased because I tend to work with a lot of Fortune 500 companies that do have relatively mature third-party risk management capabilities. For the vast majority of other companies, it’s a struggle to have dedicated focus on all of their third parties, inventorying them all, assessing them from a risk perspective, engaging them, having them complete and respond to questionnaires around their security posture, validating all those procedures, that needs resources — resources I know many organisations do not have. When I started thinking about it from the perspective of a mid-size company or a non-Fortune 500 organisation, it didn’t surprise me. And it’s unfortunate that these risks pertain to all companies, regardless of size.How do you right-size a third-party risk management programme given resource limitations, funding limitations, etc., when it comes to security? That’s where there has been a lot of focus and a lot of upskilling. I don’t think you’ll ever have someone who could address all aspects of cyber. Even within Protiviti, we’re very focused on building capabilities across the various domains of cyber. Building a specialist in attack and pen, which is one aspect of security, is very different than building specialists around identity and access management or more defensive aspects of security such as vulnerability management and patch management.Organisations feel good about what they have done — they’re patting themselves on the back. But as we know, when it comes to security, it’s going to be a journey, and you shouldn’t ever feel comfortable, because the landscape is always evolving and maturing, and the threat actors are just getting a lot more sophisticated with the techniques they’re using.Our survey provides a lot of averages, and it considers averages across all industries, all organisation types. It’s a data point, but there is value in organisations, on their own, assessing their perceived threat level as it relates to a variety of risks, then assessing their organisational preparedness and finally their IT audit team’s proficiency, because that could help reveal areas where internal audit should not just perform an audit in an area where the business unit does not feel prepared. It often takes a shoot-the-wounded approach to the audit, where internal audit also wears a very important advisory role in its responsibility.Where capabilities are less mature, where our surveys may have suggested less preparedness, that is where internal audit should perform more of an advisory role, a partnership with the business to help perhaps create a control framework, help understand current states, help define a target state that is reasonable based on the risks facing the company, as opposed to a more traditional audit with issues, levels of risk, action items, target remediation dates, etc. You should still obviously do some of that as part of an assurance engagement, but the framing is important. And then, finally, understanding gaps between proficiency and risk level helps an organisation understand where they may need to seek out some external expertise. Kevin Donahue:Thanks, Angelo, and this is a great time to plug our report Navigating a Technology Risk-Filled Horizon from Protiviti and The IIA. That report is available on our respective websites, and for companies interested in having the survey questions applied to their own organisation, we can certainly help with that.Lindsay, I want to raise the topic here of the use of technology tools as well as adoption barriers. Two areas stand out in our results: First, collaboration tools are being used in a majority of technology audit groups, which is great to see. Second, technology audit groups that employ data analytics tools appear to be more proficient in their ability to handle key tech risks than those groups not using such tools are able to handle. What are your thoughts on how these tools, collaboration, data analytics and others are being employed today? Lindsay Gleeson:From a data analytics perspective, the tools that are being leveraged — such as Power BI and Tableau — are allowing audit teams to get more insights into their data. There’s a lot of data out there coming from multiple sources, and these tools are allowing teams to identify where there are outliers. Maybe there are potential fraud cases the data is going to show them. It’s giving you the ability to look at more, so you’re able to look at full populations instead of sample-based testing, where you might be only getting a snippet of information.The ways the tools are used today are going to continue to evolve into audits, more continuous monitoring. We see a lot of audit shops saying, “I don’t want to audit a point in time. I want to be able to continue to see the data on a monthly basis or understand real time and provide that value back to the business and say, ‘These are the things we’re seeing as a snapshot in time.’”Obviously, as we talk to clients, there are budget constraints. Not all clients can adopt all tools, so it’s important for clients to understand what’s best for them. Angelo referenced earlier the size of our clients. They’re not all Fortune 500, but being able to integrate some of these tools does help clients save costs and save time as they’re trying to look at more data and cover more audit areas. Kevin Donahue:Angelo, you mentioned this before — one area to make sure to explore is whether the organisation has access to an enterprise license on a particular tool or technology that the audit group is not using today but should explore using. Angelo Poulikakos:There’s a lot of opportunity for technology audit teams to take a look at what’s available to them already. In many cases, the tech audit group or broader internal audit group will be able to benefit from an enterprise license so they don’t have to acquire some new license or software that adds cost within their department. Many of these tools are fairly agnostic. They work across business functions — Alteryx, Power BI, the whole Microsoft Power platform, which we know many of our clients generally have access to, just to name a few. There’s a lot of good training around these types of platforms as well that helps everyone upskill themselves with a very well defined training curriculum. Lindsay Gleeson:Some tools that may not be as readily available but that we’re seeing that are upcoming more, they might not have hit the top of the list respondents are using, but they are upping the scale of tools such as process mining and RPA. Obviously, AI — we talked about ChatGPT already, but those tools are going to start to click up more as we see surveys. Kevin Donahue:This has been a fantastic conversation. Thank you both again for joining me. I have one final question. Angelo, I’ll toss this one to you, but Lindsay, feel free to chime in on it as well. In taking a high-level view of our research results and key findings, what do you see as the opportunities for technology audit groups to improve their capabilities and how they support management and their enterprises overall? Angelo Poulikakos:At the highest level, technology audit groups need to be focused on the business and the business priorities to understand what are their emerging risks, or what are the risks they do not feel comfortable in addressing today? This is going to require major upskilling and uplifting within the technology audit organisation, which we know can run lean at many companies. But when you consider all the domains a technology auditor needs to know about, whether it’s cloud, data governance and privacy — we talked about AI — cybersecurity, in itself, can go deep providing advice on major strategic initiatives. There’s a plethora of skills a technology auditor is expected to know these days, and I don’t know if that’s realistic. The internal audit group, or the overall organisation, needs to allocate time and support the upskilling of the technology auditor, but also recognise that no one technology auditor can do it all.It’s important for organisations to foster a culture of innovation and give individuals some room to fail. Give them that freedom that you’re not always going to hit a home run. Sometimes, a bunch of base hits is good enough, but it’s only through that trial and error and repetition that you start gaining success and using some of the enabling technology we were talking about earlier.Finally, we’re in the business of relationship-building. That’s probably the most important of all. Working remotely the past two, three years — and some organisations are persisting with it — may have caused us to lose that focus. We need to maintain a focus of engaging with management, engaging with other stakeholders, to understand their expectations, to understand what keeps them up at night, to be able to provide insights, to be able to provide recommendations that truly add value. Relationship-building is what helps someone in the audit field know what is potentially a top risk and how they can help.At times, with working remotely, you’re not able to walk the halls; you’re not able to have any cooler side conversations. I would make that a number-one focus because we’ve lost a little focus on that. And that is what sometimes helps us provide value in our roles as technology auditors — make sure there’s an open line of communication, make sure there’s a mutual level of trust and respect for one another. Sometimes folks, when they hear an audit is coming their way, it’s easy to put their defenses up. But if we could come to it from a perspective of wanting to help, wanting to help add value, wanting to justify spend and budgets for next year to invest in the capabilities we need, that is what auditors are trying to do — better help the organisation, better mitigate risk and drive value in the recommendations they’re providing. Lindsay, would you like to add anything? Lindsay Gleeson:You hit the nail on the head. Relationships are key, and if we’re going to want to understand what’s happening in the business, having those open relationships and that open dialogue is going to be a lot easier and more comfortable as you get into the hard conversations than surprising somebody on an audit and saying, “Tell me everything that’s wrong.” It’s definitely key to maintain that value with management as we go into the future audits. Angelo Poulikakos:Kevin, we didn’t necessarily survey on how people feel about their relationships today. Maybe that’s something we include in next year’s survey. But that is loud and clear. Also what was loud and clear is the need for upskilling. And the reality is, no organisation, no internal audit function, is likely going to have every skill they need. That is why they need to have some good partners available to them, whether they’re within the business or outside of the business — a third party. All that makes good sense. Kevin Donahue:That was a great discussion, and I want to thank Angelo and Lindsay for joining me to discuss the results of our survey. My key takeaway is that technology auditors have a lot going on. They’re dealing with cyber threats; the emergence of AI into the business mainstream; data privacy, governance and compliance; third-party risk management; and much more. We know they need the right talent, skills and technology tools to meet our high expectations and excel in their roles in today’s challenging business climate.For more information, I encourage you, again, to please download and read Navigating a Technology Risk-Filled Horizon, the report produced by Protiviti and The IIA on the results of the latest Global Technology Audit Risks survey. And finally, I encourage you to please subscribe to our Powerful Insights podcast series and review us wherever you get your podcast content.