SlideShare una empresa de Scribd logo

Technology Risk Services

S
sarah kabirat
1 de 16
Descargar para leer sin conexión
Working in partnership with you to meet your IT risk assurance and advisory requirements Technology risk services
IT has been a key driver for success and operational efficiency in all industries. Innovations such as the use of social media, digital platforms, online services, cloud computing and virtualisation and new threats around data governance and cyber security have reinforced the importance of, and increased the risks associated with, the use of technology for our clients. Against the backdrop of new innovations, increasing regulatory burden and in the face of dynamic markets, tough competition, resource pressures and greater IT complexity, firms are facing increasing challenges to improve the performance and use of IT. All of these factors heighten importance of that effective risk management, internal audit and corporate governance have to play in managing the risks associated with IT. This is where Grant Thornton’s team of technology specialists can help, from the boardroom or the network, to IT strategy or system selection. This document highlights some of the IT related areas where we can help you manage your associated business risks.
Grant Thornton is one of the largest providers of professional services in the UK delivering assurance and advisory services to industries as diverse as financial services, telecoms, retail and the public sector, as well as small to medium sized enterprises (SMEs) and numerous FTSE 350 clients. Within technology risk services, our client service teams consist of highly specialised and experienced professionals with extensive experience of key risk management areas including: Technology focus IT risk management Data and digital security Data governance Project management and system development IT operations Enterprise resource planning (ERP) technology and business processes IT aspects of corporate transactions (including mergers and acquisitions) IT and business process outsourcing Data mining and analysis Business and IT resilience
Our specialist areas We combine our deep technical skills and market understanding, with a desire to collaborate with you, to manage your IT and project risks. We can support your requirements via co-source and outsource agreements or project specific engagements to suit your needs. This includes provision of resources in the following, but not limited to, specialist areas: By developing an in-depth understanding of your business, we can effectively identify and assess IT risks and propose pragmatic solutions. IT internal audit Cyber security and privacy services Data mining and analysis Business continuity and resilience Digital assurance advisory services Third party assurance Outsourcing risk management ERP advisory and assurance services Project assurance and advisory services IT due diligence
Delivering your IT internal audit requirements The role of internal audit is to provide assurance over the effectiveness of internal controls relied on by management. Internal audit helps an organisation achieve its objectives by systematically evaluating and improving the effectiveness of risk management and control processes. A strong IT audit capability is a critical component of any effective internal audit function. We can help you fully assess the IT environments within your business and develop a robust IT audit plan that supports management, the audit committee and wider stakeholders (such as the Financial Conduct Authority (FCA), Prudential Regulatory Authority (PRA), Ofcom and other regulators). We operate in line with the Chartered Institute of Internal Auditors’ standards and can work with your internal audit function to provide specialist IT auditors, via outsourced or co-sourced arrangements. This is to help ensure IT risks are better identified, assessed and managed as appropriate for your business. Our IT specialists undertake: IT internal audit case study Grant Thornton has provided outsourced and co-sourced internal audit services, including IT, to organisations of all sizes. For one blue chip banking client, we have, over the last few years, supplemented their existing internal audit team as and when required. We have provided IT auditors in the following areas: • technical infrastructure • third party risk reviews • cyber security • application reviews • programme assurance • Sarbanes Oxley (SOX) testing • payments certifications and application, infrastructure audits • associated SOX programme management • integrated audits with the business auditors • IT operational and audit planning activities. These resources were provided to meet specialist requirements, cover for leavers or maternity leave and to offer support in unforeseen circumstances. IT internal audit Integrated audits in conjunction with business auditors We can also provide specialists with platform specific experience and practical knowledge of implementing good practice frameworks such as COBIT, ITIL and ISO 27001. Standalone specialist reviews in IT governance and strategy Application, infrastructure and IT operational areas Data security and privacy audits Data analysis COBIT - Control Objectives for Information and Related Technology ITIL - Information Technology Infrastructure Library ISO 27001 - Information Security Standard Business continuity Digital audit, eg. over the use of social media, web platforms, digital security and online journeys
Working with you to protect your organisation from cyber security threats and data theft The need for reliable and up to date security practices, supported by the development of a mature organisation wide security culture, where your staff become part of the solution, is now critical to protect organisational interests and executive reputations. We have a team of cyber security and privacy professionals who have performed many reviews including: Cyber security case study Our client, with a significant online presence, asked us to perform a company-wide assessment of the effectiveness of their information security operating model and IT governance framework. Through interviews with key staff and assessment of policies and tools in operation, including incident management and intrusion detection systems, we were able to identify a good practice practical information security operating model. We also identified a number of recommendations for enhancing the effectiveness of the client’s information security operations. Cyber security and privacy services PCI DSS - Payment Card Industry Data Security Standard Payment security Identity and access management Security vulnerability assessments and health checks In-depth analysis and benchmarking of the maturity of the security culture across a firm including information security governance reviews Third party security risk assessments Forensic IT security services Cyber crime Digital security Compliance with legislation such as the EU data protection directive, PCI DSS and frameworks such as ISO 27001 Cyber essentials
Helping you realise the value of your data As part of internal audit assignments and/or one-off reviews we have undertaken numerous engagements, using Computer Assisted Audit Techniques (CAATs) to help our clients analyse the details behind their data. We can provide customised data services including the following: Data mining and analysis case study A leading payroll service provider wanted to upgrade their ‘mission critical’ systems but knew that they had legacy data issues to resolve. We reviewed three years’ worth of transactional accounting data using our data analytical software skills. We matched over one billion pounds worth of data, contained within over 100 million records, to identify differences between the key business database and the financial accounting system. The results were analysed, accounting differences and the reason for errors identified and remedial steps implemented. This allowed effective migration to new systems. Data mining and analysis Data forensics – detailed analysis and mining of information Financial analysis – for example identification of anomalies in accounts payable/accounts receivable Payroll – identification of ghost employees, duplicate payments Tax data analysis using proprietary data scripts Fraud analytics Regulatory analytics, eg anti-money laundering, know your customer, solvency II, market abuse, transaction reporting Data model analytics
Digital assurance and advisory services Connected, online, mobile or social media activities are an inherent part of our lives. The way we communicate, obtain and share information has changed, and along with that, our buying habits and expectations have changed. We Google more, trust customer reviews and expect next day delivery. This change in behaviour may seem superficial, but it has fundamental implications for a business trying to meet or exceed these customer expectations. ‘Digital’, often used to refer to online, mobile, cloud, or social technology, is not just a technology or a channel problem; it permeates the fabric of what we know as business today. The digital platforms not only provide vast new opportunities, but also introduce risks relating to data and information security, infrastructure resilience and operational availability. Digital communication is now a norm for doing business Customer Priority, perception, place, attitude Via Intermediaries Access, support, process Access options Informative and transactional Interactive Traditional Digital Mobile PC/Online Social Document stores Personalised and static info Automated/ STP App Twitter agents Chat Video call e-mail & forms Phone & IVR F2F ATM Post Branch Regulation and Compliance People Process Controls 3rd Parties People Process Controls Security Security Data The organisation We can help you manage your digital risks associated with: • digital security • use of social media • e-commerce gateways and interfaces • on-line service portals • third party service providers • use of mobile devices • data governance and risk management. Case study – digital strategy/social media review We delivered a digital strategy review to a world class London based conference centre company who were challenging the way they operated. They wanted to reach out to their customers and maintain contact with their repeat attendees. Our digital experts identified, through a review of their social media approach, that they needed to think about the customer experience and how social media made a huge impact on the touch points with their customer base. We gave them techniques to use to create an experience that stayed in the memory of this customer base. We looked at the risks associated with social media and digital implementation so that, whilst delivering these techniques they didn’t expose the business to inappropriate risk.
Business resilience Does your organisation have the resilience to stand up to a high profile incident? Business resilience is the ability of an organisation to minimise disruption and be able to function during an incident. It covers all aspects of business continuity, technology disaster recovery, incident management and financial resilience. Business resilience is pivotal to maintaining business activities in the modern age of inter-connected global operations, just in time production and complex operational relationships. Maintaining your reputation and delivering on time are fundamental to all professional relationships. Organisations need to anticipate and have proven strategies to effectively respond to disruptive events, maintain critical operations and learn from events to better prepare for future challenges. By partnering with organisations and using our wealth of experience, we can better prepare organisations to face the challenges that these disruptive events create. Crisis management Incident management Cyber resilience Business continuity Disaster recovery IT resilience Industry guidance Our business resilience services are based on the guidance contained in relevant British and international standards, including: Crisis management: guidance to good practice BS 11200 Organisational resilience: guidance BS 65000 Business continuity management systems: requirements ISO 22301 Business continuity management systems: guidance ISO 22313 Business resilience case study Grant Thornton supported a FTSE 250 construction firm in assessing and reporting on the level of resilience in the organisation and provide recommendations for any potential improvements and efficiencies. Using a hybrid approach of documentary review, onsite inspections, evidence gathering interviews from key stakeholders, we benchmarked the client’s resilience against industry good practice, the relevant British Standard BS 65000:2014 Guidance on organizational resilience and Grant Thornton intellectual property. We identified tactical and strategic improvement opportunities to the resilience programme, relating to programme efficiencies and risk management enhancements and were able to help develop a standardised approach across the organisation.
AAF 01/06 Audit and Assurance Faculty of ICAEW 01/06 ISAE 3402 International Standards for Assurance Engagements 3402 SSAE 16 Statement on Standards for Attestation Engagements 16 SAS 70 Service Organisation Auditing Standards 70 ITF 01/07 Information Technology Faculty of ICAEW 01/07 Outsourcing a service to a third party does not outsource responsibility The growing diversity of third party service providers has increased the breadth of a company’s footprint but has also introduced new risks. Third party service providers can range from traditional outsourcing of IT and payroll and financial processing to newer services such as web hosting and cloud computing. All third party agreements introduce new risks. We can help you manage these by: Third party assurance case study Grant Thornton has helped many clients in obtaining service auditor reports against the AAF, ISAE3402 and SSAE 16 frameworks. For one FTSE 350 services client we initially held communications/understanding workshops to enhance awareness and communicate the implications of a service auditor report. We then facilitated identification of in- scope control objectives and associated control activities before performing a gap analysis. We have subsequently completed a number of type 1 and type 2 AAF reports in different parts of the client’s business. Third party assurance Our IT specialists have cross market experience covering all industries including financial services, retail, telecommunications and the public sector. We are confident that we can get the right combination of technology, engagement and industry experience to meet your IT risk management needs. Delivering independent assurance over outsourcing programmes/ projects Assessing the effectiveness of service level monitoring and third party cost verification Providing service auditor reports. These give operational assurance over third party services, using established standards such as AAF 01/06, ISAE 3402, SSAE 16 (previously SAS 70), and ITF 01/07
Outsourcing risk management Third party risk management activities are a key means for managing a company’s exposure arising from their service providers and business partners Third party process risk management There are many risks associated with use of third parties in financial, regulatory and operational terms. Whilst processes and services can be outsourced or shared, each organisation still owns the ultimate responsibility for their organisation’s risks, emanating from those activities. Many organisations are now using third parties to provide functions that were previously deemed to be core activities. This can be a cost effective and efficient strategy, but it can also add a considerable degree of complexity to the design and implementation of the appropriate governance, risk and controls framework. In addition to the relevant regulatory requirements from the OCC and FCA / PRA, other international regulators’ requirements may also need to be considered. The subsequent challenges for global firms can be complex and considerable when designing a framework that is fit for purpose across a diverse portfolio of regulatory jurisdictions. We have a team of risk management specialists who have undertaken various third party risk management reviews of outsourcing projects and operational contracts, and who have helped to identify operational risks and improvement opportunities. We have performed the following third party risk management reviews: • risk reviews of IT outsourcing projects • outsourcing contract reviews • project reviews over outsourcing programmes • reviews over vendor management and governance • cost verification audits • third party functional and IT performance audits • third party business resilience reviews Recent research Recent research has found that the use of third party internet based services without approval is widespread. 76% of CIOs are aware of the commission and use of third party cloud based products with no input from the technology department (British Telecom’s ‘Creativity and the modern CIO’ December 2014). The risks associated with the use of such services significantly increases the risk of operational or cyber failures. Case study A review was performed of a leading financial services firm’s risk management approach in relation to their monitoring of the information security practices of the firm’s suppliers and sub-contractors. During the review, we confirmed that the firm had a robust due diligence process in relation to the selection and appointment of the service providers, but that there were no processes for classifying the criticality of the services provided, performing periodic reviews of the information security postures of the service providers or for escalating and focussing attention when relevant issues were identified. The firm immediately implemented a revised approach with associated programme improvements that addressed these identified issues. Case study – cloud computing We were engaged to help the internal audit department of a leading utility company to identify weaknesses in the company controls for their cloud service providers. We created a tailored set of questionnaires according to the established cloud service model, (software, platform or infrastructure as a service). We identified a large sample of cloud providers available in the market and benchmarked them against the list of suppliers listed in purchase orders raised. This allowed us to identify cloud solutions that the IT department was not aware of. Additionally, a review of contracts for selected providers was performed and we were able to identify weaknesses in the contract designs. A lack of definition on the minimum requirements for cloud solutions led to contract agreements with no standardisation on the minimum controls that the provider needed to comply with.
ERP implementation and maintenance can be complex and complexity inevitably increases risk Statutory compliance is an ever-increasing burden and organisations may have fewer resources to identify weaknesses that can lead to non-compliance. We have SAP and Oracle E-Business Suite specialists, with real world experience of implementing these systems, in both the public and private sector and can help your business in the following areas: ERP advisory and assurance services case study We were invited by a global media client to train their internal audit department on how to understand and audit SAP security and, in addition, to carry out a one off SAP security audit, in advance of their annual statutory audit. Part of the knowledge transfer process was an analysis of the client’s segregation of duties controls. This analysis enabled them to understand the SAP role concept and develop their own tools by using IDEA based scripts. An important component in the knowledge transfer process was ensuring that the client was left with sufficient practical knowledge to understand the complexities of the SAP authorisation and security model. This enabled them to undertake deep dive audits and liaise effectively with their internal SAP support organisation, and improve the IT controls that support financial reporting. This project demonstrated our expertise in SAP and our level of commitment to the client. As a result we were invited back to further assist the client with reviewing project and security controls for a £40 million SAP ECC6 upgrade. Enterprise resource planning advisory and assurance services Data mining, SOD and fraud analytics ERP project and programme assurance and support Business process improvement Governance risk and compliance Application and infrastructure security
Applying industry standards and best practices, combined with practical experience, to minimise the risk of project failure Our project risk management specialists have a wealth of cross industry project management and project assurance expertise that can help our clients’ transformation projects throughout the project lifecycle; from project initiation through to post implementation. Areas in which we have provided clients with assurance or project support include: Project assurance and advisory services case study Grant Thornton was engaged to review the lifecycle of a major business transformation programme within a large multi-national investment management firm. The core business objective was to redefine the firm’s complex functional operating model in order to provide integrated and simplified processes and fit for purpose systems. Enhanced processes and capability were delivered to front, middle and back office services which allowed the firm to meet their on-going risk and the regulatory requirements. This included compliance with Capital Requirements Directive IV (CRD IV) and Foreign Account Tax Compliance Act (FATCA). Grant Thornton also delivered independent project review audits, providing management with an understanding of the risks associated with the overall project planning/design, functional testing, acceptance testing and technology and business parallel runs before ‘go live’. Project assurance and advisory services Programmes and system development governance review Programme/ project frameworks for managing substantial change Systems specification selection and implementation Project gateway reviews Pre-go live review Post-implementation reviews Project risk reviews Project critical friend
Technology is a key enabler for many organisations today and this can be enhanced as a result of mergers or acquisitions Products and services are often integrated with associated applications and systems. It is therefore very important, when executing effective IT due diligence, to identify IT synergies and risks as part of the transaction. Our specialist team works with the buyer and target organisation to establish the benefits and risks related to the technology environment as part of the proposed transaction. IT assets, contracts, business processes and products or lines of business are analysed to understand the potential risks and impact of these on future cash flow and may include: IT due diligence case study A large insurance company was undertaking due diligence over a medical assist business that serviced British tourists on holidays abroad. As part of a broader buy side engagement, our IT due diligence team completed an assessment of integration risks to confirm that the acquisition technology environment was fit for purpose and aligned to the acquirer IT environment. We performed technology risk assessments over applications, the infrastructure, operations and people. We identified risks relating to third party contractual arrangements that the target was tied into which could potentially cause unexpected costs and operational problems for our client after the acquisition. We also identified licensing implications associated with hardware and software that would have significant cost implications if the target was acquired. As well as identifying several technology integration risks, our report highlighted a variety of concerns that played a material impact on the offer price for the medical assist business that was made. IT due diligence Consolidation plans for business processes, applications and technical infrastructure IT organisational structure and the impact of proposed changes Network, application and information architecture Data centres, premises and facilities Contracts with staff, vendors, partners, customers and business process service providers Technology directions and trends Feasibility studies and reality checks performed Enterprise position on risk, time-to- market and IT quality requirements
We further demonstrate our IT risk and audit capabilities by providing two examples of some of the work we have delivered. Adding value Case study – Large integrated mining group Our client, a FTSE 100 equivalent integrated mining group, acquired a number of mines across the globe. As a result, the focus of its internal audit work changed with greater emphasis on providing comfort that the new businesses and their related change programmes were being managed effectively. We delivered to the client best practice risk and internal audit services and facilitated board and site level risk workshops to develop comprehensive and focused transparency over key risks and sources of assurance. We also completed a number of IT general controls, ERP application audits and also provided project advice associated with an ERP data centre migration. Our development of a web based tool helped us to gauge the risk and control maturity of the combined business, using this to provide insight into the level of, and importantly, the divergence in, risk understanding across the combined business and how well this had been embedded. Our internal audit service has delivered value through consistently anticipating and responding to the needs of the business. This was achieved by proactively engaging with management to understand and address key risks in a way which has enabled focused, timely and proportionate audits across finance, operations and IT. We have kept our reporting lines short across the international team and maintained team continuity. This means we have become truly integrated with our client and have supported them with the right resources, at the right time, to provide both objective assurance to the audit committee and value add to the business. Case study – global banking group We have worked with our banking client for several years, delivering over 2000 man days of internal audit programmes. Our team has performed a range of product and thematic reviews across the client’s global markets and wealth management areas from both a business and technology perspective. A number of technology areas were covered such as windows and mainframe infrastructure, integrated IT and business audits (including application reviews across all core business areas), and reviews of information security and change management. We have also undertaken SOX controls testing and programme management responsibilities and supported planning and progress tracking associated with annual audit plans. By consistently meeting the client’s requirements for skilled and experienced internal audit specialists we have become the preferred supplier for the client’s SOX and internal audit co-sourcing requirements. We are flexible to their changing needs and by providing continuity in our staffing we ensure that our team can deliver real insight and value through their work.
How we can help Grant Thornton UK LLP can provide assistance in various forms to meet your organisation’s specific requirements. Our assistance can range from providing a single additional expert resource to supplementing an internal IT function or to providing a completely outsourced service for the provision and support of audit or consulting services. We can provide a comprehensive team of multi- skilled technology practitioners to provide services across agreed functions and to deliver a complete end to end solution. We have considerable experience of providing these services in the financial services, corporate and public sector. Why Grant Thornton? Our team has experience of undertaking significant IT assurance and advisory engagements, within professional services that is supplemented with real industry experience. We have developed a team of specialists in IT audit, security, data, project and third party assurance. We have worked with organisations of all sizes across all industries and can tailor our services to meet client needs. Grant Thornton UK LLP is the UK member firm of Grant Thornton International, one of the world’s leading international organisations of independently owned and managed accounting and consulting firms. This provides access to an international network and global wealth of multidisciplinary experience, offering comprehensive solutions to help you respond effectively to changing risks within and outside the organisation in order to achieve your business goals. We have worked with clients across all industries and all sizes of clients, including third parties, and we can tailor our services to meet client needs. Our professionals understand your business. Commercially minded and risk focused, our team of independent thinkers offers, we believe, the best combination of quality, expertise and value. We aim to work in partnership with you to deliver incisive, value-adding results. Our team features experienced audit and risk experts, who have held senior positions in leading organisations. Who should I contact for assistance? To understand more about our technology risk services or a wider range of our consulting services, please contact: © 2015 Grant Thornton UK LLP. All rights reserved. ‘Grant Thornton’ refers to the brand under which the Grant Thornton member firms provide assurance, tax and advisory services to their clients and/or refers to one or more member firms, as the context requires. Grant Thornton UK LLP is a member firm of Grant Thornton International Ltd (GTIL). GTIL and the member firms are not a worldwide partnership. GTIL and each member firm is a separate legal entity. Services are delivered by the member firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication. grant-thornton.co.uk V25301 Sandy Kumar Partner Head of Business Risk Services T +44 (0)20 7728 3248 E sandy.kumar@uk.gt.com Ravi Joshi Director Head of Technology Risk Services T +44 (0)20 7865 2571 E ravi.joshi@uk.gt.com Tim Foster-Key Director Large Corporates T +44 (0)23 8038 1143 E tim.foster-key@uk.gt.com Manu Sharma Director Cyber Security and Privacy Services T +44 (0)20 7865 2406 E manu.sharma@uk.gt.com

Recomendados

StoneWork Solutions Brochure _ English
StoneWork Solutions Brochure _ EnglishStoneWork Solutions Brochure _ English
StoneWork Solutions Brochure _ English
oscar_garcia_arano
 
Task 2
Task 2Task 2
Task 2
BIBEKCHAUDHARYBScHon
 
Internal Audit
Internal AuditInternal Audit
Internal Audit
Nigel Robinson
 
task 1
task 1task 1
task 1
BIBEKCHAUDHARYBScHon
 
Aggregation Platforms-White Paper
Aggregation Platforms-White PaperAggregation Platforms-White Paper
Aggregation Platforms-White Paper
Envestnet Yodlee India
 
Master Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsMaster Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security Fundamentals
Sarah Fane
 
Ibm odm fraud detection & management system
Ibm odm fraud detection & management systemIbm odm fraud detection & management system
Ibm odm fraud detection & management system
sflynn073
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants
- Mark - Fullbright
 

Recomendados

StoneWork Solutions Brochure _ English
StoneWork Solutions Brochure _ EnglishStoneWork Solutions Brochure _ English
StoneWork Solutions Brochure _ English
oscar_garcia_arano
 
Task 2
Task 2Task 2
Task 2
BIBEKCHAUDHARYBScHon
 
Internal Audit
Internal AuditInternal Audit
Internal Audit
Nigel Robinson
 
task 1
task 1task 1
task 1
BIBEKCHAUDHARYBScHon
 
Aggregation Platforms-White Paper
Aggregation Platforms-White PaperAggregation Platforms-White Paper
Aggregation Platforms-White Paper
Envestnet Yodlee India
 
Master Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsMaster Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security Fundamentals
Sarah Fane
 
Ibm odm fraud detection & management system
Ibm odm fraud detection & management systemIbm odm fraud detection & management system
Ibm odm fraud detection & management system
sflynn073
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants
- Mark - Fullbright
 
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Jason Dover
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance report
Bee_Ware
 
Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report
- Mark - Fullbright
 
Cybersecurity in Oil & Gas Company
Cybersecurity in Oil & Gas CompanyCybersecurity in Oil & Gas Company
Cybersecurity in Oil & Gas Company
Eryk Budi Pratama
 
IT Governance - Governing IT: Do or Die?
IT Governance - Governing IT: Do or Die?IT Governance - Governing IT: Do or Die?
IT Governance - Governing IT: Do or Die?
Eryk Budi Pratama
 
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Alan McSweeney
 
Tripwire PCI Customer Success Stories
Tripwire PCI Customer Success StoriesTripwire PCI Customer Success Stories
Tripwire PCI Customer Success Stories
LOGON Software
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
Shanmugavel Sankaran
 
Managing IT Risks in Internet Banking
Managing IT Risks in Internet BankingManaging IT Risks in Internet Banking
Managing IT Risks in Internet Banking
Goutama Bachtiar
 
Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?
EMC
 
Big Data: Beyond the Hype - Why Big Data Matters to You
Big Data: Beyond the Hype - Why Big Data Matters to YouBig Data: Beyond the Hype - Why Big Data Matters to You
Big Data: Beyond the Hype - Why Big Data Matters to You
DATAVERSITY
 
Looking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data IncidentsLooking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data Incidents
Resilient Systems
 
Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-
IT Strategy Group
 
[ I B M] Ibm Banking Overview Final Version For F T U
[ I B M] Ibm Banking Overview Final Version For F T U[ I B M] Ibm Banking Overview Final Version For F T U
[ I B M] Ibm Banking Overview Final Version For F T U
Ecom Ftu
 
California Consumer Privacy Act (CCPA)
California Consumer Privacy Act (CCPA)California Consumer Privacy Act (CCPA)
California Consumer Privacy Act (CCPA)
Happiest Minds Technologies
 
Symantec corporate presentation 3 28-14
Symantec corporate presentation 3 28-14Symantec corporate presentation 3 28-14
Symantec corporate presentation 3 28-14
InvestorSymantec
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security Solution
Precisely
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA ID
Eryk Budi Pratama
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Eryk Budi Pratama
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckProven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS Deck
NetIQ
 
Strategic Insights on IT & Cyber Risk Assessments.pdf
Strategic Insights on IT & Cyber Risk Assessments.pdfStrategic Insights on IT & Cyber Risk Assessments.pdf
Strategic Insights on IT & Cyber Risk Assessments.pdf
lilabroughton259
 
Compliance Unleashed : Navigating IT Audits with Confidence
Compliance Unleashed : Navigating IT Audits with ConfidenceCompliance Unleashed : Navigating IT Audits with Confidence
Compliance Unleashed : Navigating IT Audits with Confidence
IBEX SYSTEMS
 

Más contenido relacionado

La actualidad más candente

Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant Environments
Jason Dover
 
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Alan McSweeney
 
Big Data: Beyond the Hype - Why Big Data Matters to You
Big Data: Beyond the Hype - Why Big Data Matters to YouBig Data: Beyond the Hype - Why Big Data Matters to You
Big Data: Beyond the Hype - Why Big Data Matters to You
DATAVERSITY
 
Looking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data IncidentsLooking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data Incidents
Resilient Systems
 
Symantec corporate presentation 3 28-14
Symantec corporate presentation 3 28-14Symantec corporate presentation 3 28-14
Symantec corporate presentation 3 28-14
InvestorSymantec
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security Solution
Precisely
 

La actualidad más candente (20)

Whitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant EnvironmentsWhitepaper - Application Delivery in PCI DSS Compliant Environments
Whitepaper - Application Delivery in PCI DSS Compliant Environments
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance report
 
Verizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance ReportVerizon 2014 PCI Compliance Report
Verizon 2014 PCI Compliance Report
 
Cybersecurity in Oil & Gas Company
Cybersecurity in Oil & Gas CompanyCybersecurity in Oil & Gas Company
Cybersecurity in Oil & Gas Company
 
IT Governance - Governing IT: Do or Die?
IT Governance - Governing IT: Do or Die?IT Governance - Governing IT: Do or Die?
IT Governance - Governing IT: Do or Die?
 
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
 
Tripwire PCI Customer Success Stories
Tripwire PCI Customer Success StoriesTripwire PCI Customer Success Stories
Tripwire PCI Customer Success Stories
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 
Managing IT Risks in Internet Banking
Managing IT Risks in Internet BankingManaging IT Risks in Internet Banking
Managing IT Risks in Internet Banking
 
Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?Tokenization: What's Next After PCI?
Tokenization: What's Next After PCI?
 
Big Data: Beyond the Hype - Why Big Data Matters to You
Big Data: Beyond the Hype - Why Big Data Matters to YouBig Data: Beyond the Hype - Why Big Data Matters to You
Big Data: Beyond the Hype - Why Big Data Matters to You
 
Looking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data IncidentsLooking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data Incidents
 
Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-Defensible cybersecurity-jan-25th-
Defensible cybersecurity-jan-25th-
 
[ I B M] Ibm Banking Overview Final Version For F T U
[ I B M] Ibm Banking Overview Final Version For F T U[ I B M] Ibm Banking Overview Final Version For F T U
[ I B M] Ibm Banking Overview Final Version For F T U
 
California Consumer Privacy Act (CCPA)
California Consumer Privacy Act (CCPA)California Consumer Privacy Act (CCPA)
California Consumer Privacy Act (CCPA)
 
Symantec corporate presentation 3 28-14
Symantec corporate presentation 3 28-14Symantec corporate presentation 3 28-14
Symantec corporate presentation 3 28-14
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security Solution
 
The Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA IDThe Art of Cloud Auditing - ISACA ID
The Art of Cloud Auditing - ISACA ID
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckProven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS Deck
 

Similar a Technology Risk Services

Technical Security and Penetration Testing
Technical Security and Penetration TestingTechnical Security and Penetration Testing
Technical Security and Penetration Testing
IT Governance Ltd
 
Brandon Consulting Overview
Brandon Consulting OverviewBrandon Consulting Overview
Brandon Consulting Overview
Ronan Martin
 
IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...
GrapesTech Solutions
 
Cyber Security Privacy Brochure 2015
Cyber Security Privacy Brochure 2015Cyber Security Privacy Brochure 2015
Cyber Security Privacy Brochure 2015
sarah kabirat
 
NQA - Information security best practice guide
NQA - Information security best practice guideNQA - Information security best practice guide
NQA - Information security best practice guide
NA Putra
 
PwC Transforming Internal Audit to Drive Digital Value
PwC Transforming Internal Audit to Drive Digital ValuePwC Transforming Internal Audit to Drive Digital Value
PwC Transforming Internal Audit to Drive Digital Value
Eileen Chan
 
IT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALIT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSAL
CYBER SENSE
 

Similar a Technology Risk Services (20)

Strategic Insights on IT & Cyber Risk Assessments.pdf
Strategic Insights on IT & Cyber Risk Assessments.pdfStrategic Insights on IT & Cyber Risk Assessments.pdf
Strategic Insights on IT & Cyber Risk Assessments.pdf
 
Compliance Unleashed : Navigating IT Audits with Confidence
Compliance Unleashed : Navigating IT Audits with ConfidenceCompliance Unleashed : Navigating IT Audits with Confidence
Compliance Unleashed : Navigating IT Audits with Confidence
 
Technical Security and Penetration Testing
Technical Security and Penetration TestingTechnical Security and Penetration Testing
Technical Security and Penetration Testing
 
Brandon Consulting Overview
Brandon Consulting OverviewBrandon Consulting Overview
Brandon Consulting Overview
 
MCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service PresentationMCGlobalTech Consulting Service Presentation
MCGlobalTech Consulting Service Presentation
 
MCGlobalTech Service Presentation
MCGlobalTech Service PresentationMCGlobalTech Service Presentation
MCGlobalTech Service Presentation
 
DEPL Consulting Brochure
DEPL Consulting BrochureDEPL Consulting Brochure
DEPL Consulting Brochure
 
A smarter way to manage identities
A smarter way to manage identitiesA smarter way to manage identities
A smarter way to manage identities
 
IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...
 
Cyber Security Privacy Brochure 2015
Cyber Security Privacy Brochure 2015Cyber Security Privacy Brochure 2015
Cyber Security Privacy Brochure 2015
 
Crossland Advisors Services
Crossland Advisors ServicesCrossland Advisors Services
Crossland Advisors Services
 
Mastering IT - A Guide to Managed Services Excellence.pdf
Mastering IT - A Guide to Managed Services Excellence.pdfMastering IT - A Guide to Managed Services Excellence.pdf
Mastering IT - A Guide to Managed Services Excellence.pdf
 
Navigating the Digital Landscape.pdf
Navigating the Digital Landscape.pdfNavigating the Digital Landscape.pdf
Navigating the Digital Landscape.pdf
 
NQA - Information security best practice guide
NQA - Information security best practice guideNQA - Information security best practice guide
NQA - Information security best practice guide
 
Maclear’s IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and TrendsMaclear’s IT GRC Tools – Key Issues and Trends
Maclear’s IT GRC Tools – Key Issues and Trends
 
Optiv Security Award Write Up
Optiv Security Award Write UpOptiv Security Award Write Up
Optiv Security Award Write Up
 
PwC Transforming Internal Audit to Drive Digital Value
PwC Transforming Internal Audit to Drive Digital ValuePwC Transforming Internal Audit to Drive Digital Value
PwC Transforming Internal Audit to Drive Digital Value
 
IT solution
IT solutionIT solution
IT solution
 
IT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALIT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSAL
 
A Guide To IT Compliance Assessment And Management
A Guide To IT Compliance Assessment And ManagementA Guide To IT Compliance Assessment And Management
A Guide To IT Compliance Assessment And Management
 

Technology Risk Services

  • 1. Working in partnership with you to meet your IT risk assurance and advisory requirements Technology risk services
  • 2. IT has been a key driver for success and operational efficiency in all industries. Innovations such as the use of social media, digital platforms, online services, cloud computing and virtualisation and new threats around data governance and cyber security have reinforced the importance of, and increased the risks associated with, the use of technology for our clients. Against the backdrop of new innovations, increasing regulatory burden and in the face of dynamic markets, tough competition, resource pressures and greater IT complexity, firms are facing increasing challenges to improve the performance and use of IT. All of these factors heighten importance of that effective risk management, internal audit and corporate governance have to play in managing the risks associated with IT. This is where Grant Thornton’s team of technology specialists can help, from the boardroom or the network, to IT strategy or system selection. This document highlights some of the IT related areas where we can help you manage your associated business risks.
  • 3. Grant Thornton is one of the largest providers of professional services in the UK delivering assurance and advisory services to industries as diverse as financial services, telecoms, retail and the public sector, as well as small to medium sized enterprises (SMEs) and numerous FTSE 350 clients. Within technology risk services, our client service teams consist of highly specialised and experienced professionals with extensive experience of key risk management areas including: Technology focus IT risk management Data and digital security Data governance Project management and system development IT operations Enterprise resource planning (ERP) technology and business processes IT aspects of corporate transactions (including mergers and acquisitions) IT and business process outsourcing Data mining and analysis Business and IT resilience
  • 4. Our specialist areas We combine our deep technical skills and market understanding, with a desire to collaborate with you, to manage your IT and project risks. We can support your requirements via co-source and outsource agreements or project specific engagements to suit your needs. This includes provision of resources in the following, but not limited to, specialist areas: By developing an in-depth understanding of your business, we can effectively identify and assess IT risks and propose pragmatic solutions. IT internal audit Cyber security and privacy services Data mining and analysis Business continuity and resilience Digital assurance advisory services Third party assurance Outsourcing risk management ERP advisory and assurance services Project assurance and advisory services IT due diligence
  • 5. Delivering your IT internal audit requirements The role of internal audit is to provide assurance over the effectiveness of internal controls relied on by management. Internal audit helps an organisation achieve its objectives by systematically evaluating and improving the effectiveness of risk management and control processes. A strong IT audit capability is a critical component of any effective internal audit function. We can help you fully assess the IT environments within your business and develop a robust IT audit plan that supports management, the audit committee and wider stakeholders (such as the Financial Conduct Authority (FCA), Prudential Regulatory Authority (PRA), Ofcom and other regulators). We operate in line with the Chartered Institute of Internal Auditors’ standards and can work with your internal audit function to provide specialist IT auditors, via outsourced or co-sourced arrangements. This is to help ensure IT risks are better identified, assessed and managed as appropriate for your business. Our IT specialists undertake: IT internal audit case study Grant Thornton has provided outsourced and co-sourced internal audit services, including IT, to organisations of all sizes. For one blue chip banking client, we have, over the last few years, supplemented their existing internal audit team as and when required. We have provided IT auditors in the following areas: • technical infrastructure • third party risk reviews • cyber security • application reviews • programme assurance • Sarbanes Oxley (SOX) testing • payments certifications and application, infrastructure audits • associated SOX programme management • integrated audits with the business auditors • IT operational and audit planning activities. These resources were provided to meet specialist requirements, cover for leavers or maternity leave and to offer support in unforeseen circumstances. IT internal audit Integrated audits in conjunction with business auditors We can also provide specialists with platform specific experience and practical knowledge of implementing good practice frameworks such as COBIT, ITIL and ISO 27001. Standalone specialist reviews in IT governance and strategy Application, infrastructure and IT operational areas Data security and privacy audits Data analysis COBIT - Control Objectives for Information and Related Technology ITIL - Information Technology Infrastructure Library ISO 27001 - Information Security Standard Business continuity Digital audit, eg. over the use of social media, web platforms, digital security and online journeys
  • 6. Working with you to protect your organisation from cyber security threats and data theft The need for reliable and up to date security practices, supported by the development of a mature organisation wide security culture, where your staff become part of the solution, is now critical to protect organisational interests and executive reputations. We have a team of cyber security and privacy professionals who have performed many reviews including: Cyber security case study Our client, with a significant online presence, asked us to perform a company-wide assessment of the effectiveness of their information security operating model and IT governance framework. Through interviews with key staff and assessment of policies and tools in operation, including incident management and intrusion detection systems, we were able to identify a good practice practical information security operating model. We also identified a number of recommendations for enhancing the effectiveness of the client’s information security operations. Cyber security and privacy services PCI DSS - Payment Card Industry Data Security Standard Payment security Identity and access management Security vulnerability assessments and health checks In-depth analysis and benchmarking of the maturity of the security culture across a firm including information security governance reviews Third party security risk assessments Forensic IT security services Cyber crime Digital security Compliance with legislation such as the EU data protection directive, PCI DSS and frameworks such as ISO 27001 Cyber essentials
  • 7. Helping you realise the value of your data As part of internal audit assignments and/or one-off reviews we have undertaken numerous engagements, using Computer Assisted Audit Techniques (CAATs) to help our clients analyse the details behind their data. We can provide customised data services including the following: Data mining and analysis case study A leading payroll service provider wanted to upgrade their ‘mission critical’ systems but knew that they had legacy data issues to resolve. We reviewed three years’ worth of transactional accounting data using our data analytical software skills. We matched over one billion pounds worth of data, contained within over 100 million records, to identify differences between the key business database and the financial accounting system. The results were analysed, accounting differences and the reason for errors identified and remedial steps implemented. This allowed effective migration to new systems. Data mining and analysis Data forensics – detailed analysis and mining of information Financial analysis – for example identification of anomalies in accounts payable/accounts receivable Payroll – identification of ghost employees, duplicate payments Tax data analysis using proprietary data scripts Fraud analytics Regulatory analytics, eg anti-money laundering, know your customer, solvency II, market abuse, transaction reporting Data model analytics
  • 8. Digital assurance and advisory services Connected, online, mobile or social media activities are an inherent part of our lives. The way we communicate, obtain and share information has changed, and along with that, our buying habits and expectations have changed. We Google more, trust customer reviews and expect next day delivery. This change in behaviour may seem superficial, but it has fundamental implications for a business trying to meet or exceed these customer expectations. ‘Digital’, often used to refer to online, mobile, cloud, or social technology, is not just a technology or a channel problem; it permeates the fabric of what we know as business today. The digital platforms not only provide vast new opportunities, but also introduce risks relating to data and information security, infrastructure resilience and operational availability. Digital communication is now a norm for doing business Customer Priority, perception, place, attitude Via Intermediaries Access, support, process Access options Informative and transactional Interactive Traditional Digital Mobile PC/Online Social Document stores Personalised and static info Automated/ STP App Twitter agents Chat Video call e-mail & forms Phone & IVR F2F ATM Post Branch Regulation and Compliance People Process Controls 3rd Parties People Process Controls Security Security Data The organisation We can help you manage your digital risks associated with: • digital security • use of social media • e-commerce gateways and interfaces • on-line service portals • third party service providers • use of mobile devices • data governance and risk management. Case study – digital strategy/social media review We delivered a digital strategy review to a world class London based conference centre company who were challenging the way they operated. They wanted to reach out to their customers and maintain contact with their repeat attendees. Our digital experts identified, through a review of their social media approach, that they needed to think about the customer experience and how social media made a huge impact on the touch points with their customer base. We gave them techniques to use to create an experience that stayed in the memory of this customer base. We looked at the risks associated with social media and digital implementation so that, whilst delivering these techniques they didn’t expose the business to inappropriate risk.
  • 9. Business resilience Does your organisation have the resilience to stand up to a high profile incident? Business resilience is the ability of an organisation to minimise disruption and be able to function during an incident. It covers all aspects of business continuity, technology disaster recovery, incident management and financial resilience. Business resilience is pivotal to maintaining business activities in the modern age of inter-connected global operations, just in time production and complex operational relationships. Maintaining your reputation and delivering on time are fundamental to all professional relationships. Organisations need to anticipate and have proven strategies to effectively respond to disruptive events, maintain critical operations and learn from events to better prepare for future challenges. By partnering with organisations and using our wealth of experience, we can better prepare organisations to face the challenges that these disruptive events create. Crisis management Incident management Cyber resilience Business continuity Disaster recovery IT resilience Industry guidance Our business resilience services are based on the guidance contained in relevant British and international standards, including: Crisis management: guidance to good practice BS 11200 Organisational resilience: guidance BS 65000 Business continuity management systems: requirements ISO 22301 Business continuity management systems: guidance ISO 22313 Business resilience case study Grant Thornton supported a FTSE 250 construction firm in assessing and reporting on the level of resilience in the organisation and provide recommendations for any potential improvements and efficiencies. Using a hybrid approach of documentary review, onsite inspections, evidence gathering interviews from key stakeholders, we benchmarked the client’s resilience against industry good practice, the relevant British Standard BS 65000:2014 Guidance on organizational resilience and Grant Thornton intellectual property. We identified tactical and strategic improvement opportunities to the resilience programme, relating to programme efficiencies and risk management enhancements and were able to help develop a standardised approach across the organisation.
  • 10. AAF 01/06 Audit and Assurance Faculty of ICAEW 01/06 ISAE 3402 International Standards for Assurance Engagements 3402 SSAE 16 Statement on Standards for Attestation Engagements 16 SAS 70 Service Organisation Auditing Standards 70 ITF 01/07 Information Technology Faculty of ICAEW 01/07 Outsourcing a service to a third party does not outsource responsibility The growing diversity of third party service providers has increased the breadth of a company’s footprint but has also introduced new risks. Third party service providers can range from traditional outsourcing of IT and payroll and financial processing to newer services such as web hosting and cloud computing. All third party agreements introduce new risks. We can help you manage these by: Third party assurance case study Grant Thornton has helped many clients in obtaining service auditor reports against the AAF, ISAE3402 and SSAE 16 frameworks. For one FTSE 350 services client we initially held communications/understanding workshops to enhance awareness and communicate the implications of a service auditor report. We then facilitated identification of in- scope control objectives and associated control activities before performing a gap analysis. We have subsequently completed a number of type 1 and type 2 AAF reports in different parts of the client’s business. Third party assurance Our IT specialists have cross market experience covering all industries including financial services, retail, telecommunications and the public sector. We are confident that we can get the right combination of technology, engagement and industry experience to meet your IT risk management needs. Delivering independent assurance over outsourcing programmes/ projects Assessing the effectiveness of service level monitoring and third party cost verification Providing service auditor reports. These give operational assurance over third party services, using established standards such as AAF 01/06, ISAE 3402, SSAE 16 (previously SAS 70), and ITF 01/07
  • 11. Outsourcing risk management Third party risk management activities are a key means for managing a company’s exposure arising from their service providers and business partners Third party process risk management There are many risks associated with use of third parties in financial, regulatory and operational terms. Whilst processes and services can be outsourced or shared, each organisation still owns the ultimate responsibility for their organisation’s risks, emanating from those activities. Many organisations are now using third parties to provide functions that were previously deemed to be core activities. This can be a cost effective and efficient strategy, but it can also add a considerable degree of complexity to the design and implementation of the appropriate governance, risk and controls framework. In addition to the relevant regulatory requirements from the OCC and FCA / PRA, other international regulators’ requirements may also need to be considered. The subsequent challenges for global firms can be complex and considerable when designing a framework that is fit for purpose across a diverse portfolio of regulatory jurisdictions. We have a team of risk management specialists who have undertaken various third party risk management reviews of outsourcing projects and operational contracts, and who have helped to identify operational risks and improvement opportunities. We have performed the following third party risk management reviews: • risk reviews of IT outsourcing projects • outsourcing contract reviews • project reviews over outsourcing programmes • reviews over vendor management and governance • cost verification audits • third party functional and IT performance audits • third party business resilience reviews Recent research Recent research has found that the use of third party internet based services without approval is widespread. 76% of CIOs are aware of the commission and use of third party cloud based products with no input from the technology department (British Telecom’s ‘Creativity and the modern CIO’ December 2014). The risks associated with the use of such services significantly increases the risk of operational or cyber failures. Case study A review was performed of a leading financial services firm’s risk management approach in relation to their monitoring of the information security practices of the firm’s suppliers and sub-contractors. During the review, we confirmed that the firm had a robust due diligence process in relation to the selection and appointment of the service providers, but that there were no processes for classifying the criticality of the services provided, performing periodic reviews of the information security postures of the service providers or for escalating and focussing attention when relevant issues were identified. The firm immediately implemented a revised approach with associated programme improvements that addressed these identified issues. Case study – cloud computing We were engaged to help the internal audit department of a leading utility company to identify weaknesses in the company controls for their cloud service providers. We created a tailored set of questionnaires according to the established cloud service model, (software, platform or infrastructure as a service). We identified a large sample of cloud providers available in the market and benchmarked them against the list of suppliers listed in purchase orders raised. This allowed us to identify cloud solutions that the IT department was not aware of. Additionally, a review of contracts for selected providers was performed and we were able to identify weaknesses in the contract designs. A lack of definition on the minimum requirements for cloud solutions led to contract agreements with no standardisation on the minimum controls that the provider needed to comply with.
  • 12. ERP implementation and maintenance can be complex and complexity inevitably increases risk Statutory compliance is an ever-increasing burden and organisations may have fewer resources to identify weaknesses that can lead to non-compliance. We have SAP and Oracle E-Business Suite specialists, with real world experience of implementing these systems, in both the public and private sector and can help your business in the following areas: ERP advisory and assurance services case study We were invited by a global media client to train their internal audit department on how to understand and audit SAP security and, in addition, to carry out a one off SAP security audit, in advance of their annual statutory audit. Part of the knowledge transfer process was an analysis of the client’s segregation of duties controls. This analysis enabled them to understand the SAP role concept and develop their own tools by using IDEA based scripts. An important component in the knowledge transfer process was ensuring that the client was left with sufficient practical knowledge to understand the complexities of the SAP authorisation and security model. This enabled them to undertake deep dive audits and liaise effectively with their internal SAP support organisation, and improve the IT controls that support financial reporting. This project demonstrated our expertise in SAP and our level of commitment to the client. As a result we were invited back to further assist the client with reviewing project and security controls for a £40 million SAP ECC6 upgrade. Enterprise resource planning advisory and assurance services Data mining, SOD and fraud analytics ERP project and programme assurance and support Business process improvement Governance risk and compliance Application and infrastructure security
  • 13. Applying industry standards and best practices, combined with practical experience, to minimise the risk of project failure Our project risk management specialists have a wealth of cross industry project management and project assurance expertise that can help our clients’ transformation projects throughout the project lifecycle; from project initiation through to post implementation. Areas in which we have provided clients with assurance or project support include: Project assurance and advisory services case study Grant Thornton was engaged to review the lifecycle of a major business transformation programme within a large multi-national investment management firm. The core business objective was to redefine the firm’s complex functional operating model in order to provide integrated and simplified processes and fit for purpose systems. Enhanced processes and capability were delivered to front, middle and back office services which allowed the firm to meet their on-going risk and the regulatory requirements. This included compliance with Capital Requirements Directive IV (CRD IV) and Foreign Account Tax Compliance Act (FATCA). Grant Thornton also delivered independent project review audits, providing management with an understanding of the risks associated with the overall project planning/design, functional testing, acceptance testing and technology and business parallel runs before ‘go live’. Project assurance and advisory services Programmes and system development governance review Programme/ project frameworks for managing substantial change Systems specification selection and implementation Project gateway reviews Pre-go live review Post-implementation reviews Project risk reviews Project critical friend
  • 14. Technology is a key enabler for many organisations today and this can be enhanced as a result of mergers or acquisitions Products and services are often integrated with associated applications and systems. It is therefore very important, when executing effective IT due diligence, to identify IT synergies and risks as part of the transaction. Our specialist team works with the buyer and target organisation to establish the benefits and risks related to the technology environment as part of the proposed transaction. IT assets, contracts, business processes and products or lines of business are analysed to understand the potential risks and impact of these on future cash flow and may include: IT due diligence case study A large insurance company was undertaking due diligence over a medical assist business that serviced British tourists on holidays abroad. As part of a broader buy side engagement, our IT due diligence team completed an assessment of integration risks to confirm that the acquisition technology environment was fit for purpose and aligned to the acquirer IT environment. We performed technology risk assessments over applications, the infrastructure, operations and people. We identified risks relating to third party contractual arrangements that the target was tied into which could potentially cause unexpected costs and operational problems for our client after the acquisition. We also identified licensing implications associated with hardware and software that would have significant cost implications if the target was acquired. As well as identifying several technology integration risks, our report highlighted a variety of concerns that played a material impact on the offer price for the medical assist business that was made. IT due diligence Consolidation plans for business processes, applications and technical infrastructure IT organisational structure and the impact of proposed changes Network, application and information architecture Data centres, premises and facilities Contracts with staff, vendors, partners, customers and business process service providers Technology directions and trends Feasibility studies and reality checks performed Enterprise position on risk, time-to- market and IT quality requirements
  • 15. We further demonstrate our IT risk and audit capabilities by providing two examples of some of the work we have delivered. Adding value Case study – Large integrated mining group Our client, a FTSE 100 equivalent integrated mining group, acquired a number of mines across the globe. As a result, the focus of its internal audit work changed with greater emphasis on providing comfort that the new businesses and their related change programmes were being managed effectively. We delivered to the client best practice risk and internal audit services and facilitated board and site level risk workshops to develop comprehensive and focused transparency over key risks and sources of assurance. We also completed a number of IT general controls, ERP application audits and also provided project advice associated with an ERP data centre migration. Our development of a web based tool helped us to gauge the risk and control maturity of the combined business, using this to provide insight into the level of, and importantly, the divergence in, risk understanding across the combined business and how well this had been embedded. Our internal audit service has delivered value through consistently anticipating and responding to the needs of the business. This was achieved by proactively engaging with management to understand and address key risks in a way which has enabled focused, timely and proportionate audits across finance, operations and IT. We have kept our reporting lines short across the international team and maintained team continuity. This means we have become truly integrated with our client and have supported them with the right resources, at the right time, to provide both objective assurance to the audit committee and value add to the business. Case study – global banking group We have worked with our banking client for several years, delivering over 2000 man days of internal audit programmes. Our team has performed a range of product and thematic reviews across the client’s global markets and wealth management areas from both a business and technology perspective. A number of technology areas were covered such as windows and mainframe infrastructure, integrated IT and business audits (including application reviews across all core business areas), and reviews of information security and change management. We have also undertaken SOX controls testing and programme management responsibilities and supported planning and progress tracking associated with annual audit plans. By consistently meeting the client’s requirements for skilled and experienced internal audit specialists we have become the preferred supplier for the client’s SOX and internal audit co-sourcing requirements. We are flexible to their changing needs and by providing continuity in our staffing we ensure that our team can deliver real insight and value through their work.
  • 16. How we can help Grant Thornton UK LLP can provide assistance in various forms to meet your organisation’s specific requirements. Our assistance can range from providing a single additional expert resource to supplementing an internal IT function or to providing a completely outsourced service for the provision and support of audit or consulting services. We can provide a comprehensive team of multi- skilled technology practitioners to provide services across agreed functions and to deliver a complete end to end solution. We have considerable experience of providing these services in the financial services, corporate and public sector. Why Grant Thornton? Our team has experience of undertaking significant IT assurance and advisory engagements, within professional services that is supplemented with real industry experience. We have developed a team of specialists in IT audit, security, data, project and third party assurance. We have worked with organisations of all sizes across all industries and can tailor our services to meet client needs. Grant Thornton UK LLP is the UK member firm of Grant Thornton International, one of the world’s leading international organisations of independently owned and managed accounting and consulting firms. This provides access to an international network and global wealth of multidisciplinary experience, offering comprehensive solutions to help you respond effectively to changing risks within and outside the organisation in order to achieve your business goals. We have worked with clients across all industries and all sizes of clients, including third parties, and we can tailor our services to meet client needs. Our professionals understand your business. Commercially minded and risk focused, our team of independent thinkers offers, we believe, the best combination of quality, expertise and value. We aim to work in partnership with you to deliver incisive, value-adding results. Our team features experienced audit and risk experts, who have held senior positions in leading organisations. Who should I contact for assistance? To understand more about our technology risk services or a wider range of our consulting services, please contact: © 2015 Grant Thornton UK LLP. All rights reserved. ‘Grant Thornton’ refers to the brand under which the Grant Thornton member firms provide assurance, tax and advisory services to their clients and/or refers to one or more member firms, as the context requires. Grant Thornton UK LLP is a member firm of Grant Thornton International Ltd (GTIL). GTIL and the member firms are not a worldwide partnership. GTIL and each member firm is a separate legal entity. Services are delivered by the member firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication. grant-thornton.co.uk V25301 Sandy Kumar Partner Head of Business Risk Services T +44 (0)20 7728 3248 E sandy.kumar@uk.gt.com Ravi Joshi Director Head of Technology Risk Services T +44 (0)20 7865 2571 E ravi.joshi@uk.gt.com Tim Foster-Key Director Large Corporates T +44 (0)23 8038 1143 E tim.foster-key@uk.gt.com Manu Sharma Director Cyber Security and Privacy Services T +44 (0)20 7865 2406 E manu.sharma@uk.gt.com