As technology continues to develop, the regulatory environment evolves with it to meet the changing risks. For example, the GDPR brought changes in the scope of the data protected and significant increases in the sanctions available to the regulator. As regulations change, how the Board and business stakeholders stay abreast of the requirements and assess the adequacy of the controls in place will be key to the future vulnerabilities faced by each business.
BDO has developed a methodology to help businesses untangle the regulations impacting IT services, the vulnerabilities they bring to each organisation and the controls or procedures that will minimise the risk of a regulatory breach.
The approach focuses on three basic principles:
- Which regulations create the greatest threats to your business (software licence breach, data protection, copyright)?
- Does the Board or Senior Management receive appropriate insight to help them understand the vulnerabilities associated with the requirements pertaining to each regulation? Are the IT controls adequate and effective to minimise the risks faced?
- Where third party service providers are managing the risks on behalf of the business, is there an appropriate assurance approach in place (for example, ISAE3000, ISAE3402 or ISAE16 reports to provide independent assurance over the third party’s IT controls)?
Where limited assurance exists, we can work with you to assess the controls in place, whether in-house or by providing an ISAE3000, ISAE3402 or ISAE16 report across a third party service provider. The scope of any review is key to the robustness of the assurance provided. Typically we tailor our work to meet your needs, and it could include the following:
Entity level controls
Are senior management aware of the regulatory risks impacting IT? Is there appropriate management information to help inform management of the maturity of the controls in place? Does the assurance programme ensure controls are assessed and tested regularly?
IT General Controls
With specific focus on user access management, change management, interface and batch processing management, and data integrity management.
Deeper expert reviews
Including cyber security, technology resilience, data protection health checks, and assessment of security configuration across key systems or data environments.