Technology assurance: assess risk, build trust and create resilience

To navigate digital transformation and compliance effectively, organizations must balance innovation with the potential for exponential risk.


In brief

  • Managing technology risk during IT modernization begins with a proactive strategy.
  • Regulatory expectations and a growing use of third parties are driving increased need for system and organization control (SOC) reporting and attestation.
  • Updated cybersecurity frameworks help organizations evolve their technology assurance approach.

Organizations are fast-tracking their digital transformation initiatives and integrating new technologies to keep up with the pace of innovation.

At the same time, companies are operating in an environment characterized by heightened regulatory expectations, increased complexity and growing cybersecurity threats. Data breaches, technology outages and cyber attacks make headlines on a weekly basis, and C-suite leaders and boards alike are looking for technology assurance and confirmation that they have the right controls and governance in place to guard against IT risk.


These drivers are placing a heightened focus on IT risks, which impact the way executives, boards and investors are thinking about trust and enterprise resilience.

Key drivers elevating focus on trust and enterprise resilience

In the July 2024 webcast “Strategic perspectives on IT modernization, risk and governance,” hosted by Natalie Deak Jaros, EY Americas Deputy Vice Chair - Assurance, EY teams discussed three actions to take when embarking on a technology transformation journey:

  1. Assess IT risk before undertaking systems implementations
  2. Build trust with transparency through SOC reporting and attestations
  3. Create resilience in the form of a defined plan for managing potential cyber threats 

Focusing on the ABCs of technology risk assurance can help a company achieve greater enterprise resilience.

 

1. Assess IT risk

An information technology risk assessment in the early stages of technology adoption identifies potential business risks and safeguards data integrity. Identifying gaps and taking measures to mitigate the risks found can lead to greater confidence in the new system ahead of implementation.

 

Because IT modernization initiatives often have significant impact on the accounting and finance function and related controls, early involvement by your auditor can reduce the audit risk, said Daryl Box, EY Americas Assurance Technology Risk Leader. “It’s much easier to address potential compliance or control issues early in the system implementation before you’re finished with the design or build phases,” he said.


2. Build trust with transparency

Today, business leaders, customers, regulators and investors have high expectations related to internal controls for financial reporting, data integrity and confidentiality, and uninterrupted access to products and services, said Brandon Miller, EY Americas Technology Risk SOC and Attestation Leader. He underscored the importance of SOC and attestation reports in providing an independent assessment of the controls in place related to areas like system security, processing integrity and privacy. The transparency obtained from these reports is crucial for communicating trust and building resilience and confidence with all stakeholders.


It’s important to note that reliance on these reports/attestations goes both ways — often, companies are both producers and consumers of these reports to aid in managing their own third-party risks. “Whenever you have key vendors that are supporting your critical operations, you should at least be consuming some of these reports,” Miller advised.

3. Create resilience in the face of emerging cyber risk

Cyber risks are evolving daily. Organizations spent $11.5 trillion on cybercrime in 2023 – a staggering amount sunk into something that could have been prevented, said Jaime (Kahan) Kipnes, EY Americas Cybersecurity Integration Leader. “It’s costly from both a financial perspective as well as a reputational perspective,” she said.

The National Institute of Standards and Technology Cybersecurity Framework 2.0 (NIST CSF 2.0) creates a standardized way for organizations to describe their current cybersecurity posture and prioritize areas for improvement. The updated framework, introduced in February 2024, adds a new Govern function that emphasizes integrating cybersecurity into enterprise risk management and places a greater emphasis on supply chain risk management.


Utilizing this framework, which is sector-agnostic, also streamlines how organizations communicate internally and externally during and after a cyber event, which enables organizations to act quickly. In the aftermath of an incident, there are specific time frames during which regulators, as well as insurance carriers, must be notified.

Continually fortifying cyber defenses and following a structured approach can help organizations maintain operational continuity and provide a coordinated response that upholds stakeholder trust.


Summary

Technology assurance should be approached strategically early in the planning phase with proactive technology risk management. This can significantly reduce risks and costs while increasing efficiency and innovation, helping companies keep up with today’s accelerated pace of change. Building and communicating transparency, resilience and confidence into tech transformation efforts will better position organizations to succeed.
