- 1.
I-4 Advanced Persistent Threats: Stage 1 Good Practice Report
Re-imagine Risk
Strategies for Success
IT Internal Audit Conference
Highlights Autumn 2011
kpmg.co.uk/technologyriskconsulting
- 2. FOR ORGANISATIONS THROUGHOUT THE PRIVATE AND PUBLIC SECTORS LIFE’S BEEN
TOUGH SINCE 2008. THE FUTURE DOES NOT SHOW ANY SIGN OF IMPROVING EITHER,
WITH CONTINUED ECONOMIC UNCERTAINTY FEEDING ALMOST RECORD-BREAKING LEVELS OF
UNEMPLOYMENT; SOCIAL UNREST IN THE SHAPE OF OCCUPY LONDON AND UK UNCUT;
CENTRAL BANKS PUMPING MONEY INTO THE GLOBAL FINANCIAL SYSTEM AND A
SIGNIFICANT DOWNTURN IN CONSUMER CONFIDENCE.
© 2012 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of
independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.
- 3. RISK IS TODAY’S REALITY
INTRODUCTION
Senior decision-makers working in the Financial Services
sector are contending with a tidal wave of regulatory
demands in the shape of Solvency II, FATCA, Basel III,
Dodd-Frank, RDR and Living Wills and, all the while,
doing so against a rising trend in major cost efficiency
drives and the emergence of technology-fuelled social
networks that promote openness over data security.
Senior Executives working across commercial and public
service organisations are wrestling with data leakage
issues, social networks, cyber threats, disruptive
technologies and major organisational change. These
of course present a number of risks but, for forward-
thinking IT internal audit professionals, opportunities too.
THE GROWING WAVE
Technology is growing at an unprecedented rate. PC sales
hit the one billion mark almost a decade ago according to
Gartner, who also forecast that the second billion mark will
be reached sometime in 2014. However, this rate of growth
is matched – and according to some – outstripped by the way
technological use is changing. The explosion in smartphone
and tablet sales; the widespread adoption of social networks
as an everyday form of communication and the increasing
implementation of cloud services are breaking down old
certainties. This is especially apparent in the commercial
world, where traditional means of safeguarding data and
technology are becoming obsolete.
For IT internal auditors this presents a number of
challenges in protecting their organisations and
clients against financial and reputational losses –
and in helping them construct a clearer insight into
governance, risk and compliance strategies.
STRATEGIES FOR SUCCESS
IT INTERNAL AUDIT CONFERENCE
- 4. INTRODUCTION continued
Social networks and personal devices like smartphones and tablets have
crossed the commercial frontier thanks to the phenomenal wave of
consumerisation, led by Apple and Samsung. Indeed, according to press
reports [1], tablets are expected to sell 60 percent as many units as PCs in
just three years’ time. Individuals now view them as a key tool for work and
the line between home and office use; and the way we communicate with
colleagues, professional networks, clients and friends, has blurred – which
is why businesses must adapt and re-evaluate the way they consider risk.
While the risks of unsecured personal computing brought into the heart of
commercial operations do not need to be spelled out, it should not be
forgotten that social networks, smartphones and other innovative
technologies also offer huge opportunities.
A DIFFERENT VIEW
So while organisations need to continue to adapt to exploit the business
opportunities afforded by technology it is the responsibility of IT internal
audit leaders to help them look at the risks involved in a different way;
helping them turn it to their advantage. Most IT internal audit teams spend
most of their time in the quadrant of what KPMG terms the IT Risk Universe
looking at mature internal controls and change management programmes.
However, there is increasing focus from boards and clients on new and
emerging risks, in areas like social media, cyber crime, and disruptive
technologies. It is in helping boards understand and manage these risks
where IT internal auditors can really add value to their organisations.
MULTIPLE RISKS
There are a number of IT risk areas:
• Social networks which are
changing the relationship between
users and technology, and the
way businesses and organisations
protect their IT systems.
• Cyber threats that are multiplying
and which come from a variety of
sources including organised
crime, state-sponsored groups
and hacktivists.
• Disruptive technologies that
if misread have the potential to
fundamentally change marketplaces
and leave once dominant players
next to worthless.
In this white paper we explore these
risks in more detail and, in doing so,
show how IT internal auditors can
be in the driving seat when it comes
to keeping their organisations ahead
of the curve. Executive boards are
often all too aware of the possibilities
of new technologies, and the risks.
However, there is a greater need to
understand their organisation’s risk
profile and appetite for risk, in order
to develop a sound risk strategy that
is aligned to key business priorities.
Some leading boards insist on IT risk
briefings as a matter of course. By
proactively seeking out and analysing
such dangers, IT internal auditors
have the opportunity to play a key
role in protecting their organisations
and underscoring their value.
Stephen Bonner, Partner,
Information Protection,
+44(0)20 7694 1644,
stephen.bonner@kpmg.co.uk
Martin Jordan, Head
of Cyber Response,
Information Protection,
+44(0)20 7311 1000,
martin.jordan@kpmg.co.uk
If you would like to attend similar
events in the future, then please
contact charmaine.servado@kpmg.co.uk
Adam Bates, Partner,
UK Head of Risk
Consulting,
+44(0)20 73113934,
adam.bates@kpmg.co.uk
SOURCE: [1] http://www.guardian.co.uk/technology/2011/sep/22/tablet-forecast-gartner-ipad
- 5. CONTENTS
GETTING SOCIAL
CYBER THREAT
DISRUPTIVE TECHNOLOGIES
CONCLUSION
- 6. SOCIAL NETWORKING HAS RECORDED INCREDIBLE GROWTH PATTERNS WITH ITS
POPULARITY ENCOMPASSING ALL SOCIAL CLASSES. IT IS NOT RESTRICTED TO THE
YOUNG EITHER, WITH INCREASING NUMBERS OF BABY BOOMERS EMBRACING THE
TECHNOLOGY – IN THE US [2] THE NUMBER OF OVER 50S USING SOCIAL MEDIA
NEARLY DOUBLED IN ONE YEAR. IT IS ALSO CROSSING BORDERS. ACCORDING
TO ONE ANALYST THERE ARE 50 MILLION USERS OF SOCIAL MEDIA IN
INDIA, WHO SPEND MORE TIME ON THESE NETWORKS THAN ON ANY
OTHER ONLINE ACTIVITY.
Presented by Stephen Bonner, Partner,
Information Protection, +44(0)20 7694 1644,
stephen.bonner@kpmg.co.uk
SOURCE: [2] http://www.pewinternet.org/Reports/2010/Older-Adults-and-Social-Media/Report.aspx
- 7. GETTING SOCIAL
- 8. 01
GETTING SOCIAL
OPEN FOR BUSINESS
Businesses have been quick
to recognise the benefits of
social media, especially around
marketing and customer service.
One international airline recently
undertook a 24-hour campaign that
promised live responses within
an hour to any tweets, Facebook
posts or messages to Hyves – a
Netherlands-based social network.
A worldwide IT firm is using social
networking to boost internal
collaboration, while a US broadcaster
is using Facebook to give viewers
exclusive content about a new show.
Social networking is also a valuable
recruitment tool, with 53 percent [3]
of companies admitting to using
it to research and profile potential
employees. LinkedIn [4] – with its
stated 135 million global members
– is also proving a valuable hunting
ground for recruitment and HR teams
looking to capture talent.
Social media is also a mine of
customer information. Location,
gender and language are all areas
that some data companies can
analyse, but they can also dig much
deeper, looking for responses
governing sentiment and influence.
SOURCE: [3] http://www.careerbuilder.co.uk/UK/share/aboutus/pressreleasesdetail.aspx?id=pr28&sd=1%2f13%2f2010&ed=12%2f31%2f2010&siteid=cbpr&sc_cmp1=cb_pr28_
[4] http://press.linkedin.com/about
- 9. OPEN ALL HOURS
Social media is built on immediacy
and openness and therein lies the
risk. It was not designed for the
commercial world and neither are
many of the devices that people
use to access it. Governments
discovered the fact early on; the
US experienced untold reputational
damage when pictures of the abuses
carried out at Abu Ghraib went viral
and, as can be seen during the Arab
Spring, the authorities have failed
to keep a lid on video imagery of
state brutality. In some cases it may
be possible to exercise some kind
of control over the online flow in
and out of countries, but it remains
difficult to stop people from posting
content on social forums.
In the commercial world the results
of poor controls for devices and
social networks are legion.
• In September of this year one US
broadcaster had its Twitter account
hacked with fake reports sent out
about an attack at Ground Zero.
• An Australian bank found that a
hacker had infiltrated its social
network channel and had been
contacting customers for account
information.
Accidental error is also a risk. Unlike
more traditional forms of marketing,
with their well-established approval
procedures, posting to a social
network can be done in seconds. A
leading telco found this to its cost
recently and had to apologise for an
inappropriate message originating
from a member of staff.
There is also the chimera of
anonymity that the entire online
experience has fostered.
Anyone with a computer, smartphone
and broadband connection can post
content under any personality and
name they wish; however, as history
shows, things will leak.
A third risk is an increase in
consumer power. There was
a time when companies could
pretty much guarantee they would
emerge victorious from a dispute
with an individual member of the
public. However, social networks
can transform a small dispute into
a major and possibly catastrophic
public relations disaster.
• When one customer found that an
airline would not reimburse him
for a guitar it had broken, he
wrote a song and filmed a video,
which he posted on YouTube.
The exercise was a PR disaster for
the airline and the video has been
viewed 11 million times.
WHAT CAN BE DONE?
• Establish a governance group that includes all
departments using social networking for a more
balanced view.
• Create policies that cover customer privacy,
responsible network use and copyright, and that stress
the care employees should exercise when posting
personal information or pictures.
• Create an inventory of every social network
currently in use across your organisation, including
sector-specific and function-specific sites.
• Regularly test your organisation’s social networks to
ensure they are safe and not delivering bad links or
malware to your audiences.
• Establish a thorough records management system
that can log the name of the person posting to a
social network and the content uploaded.
• Develop a comprehensive plan that details how to
respond to a mistaken or rogue posting, or a social
networking campaign against your organisation.
• Invest in a multi-lingual monitoring service to look at
social network flows across multiple countries.
• Build a local community through transparency and
honesty that will listen to your position in the case of
any allegations. A media company’s social networks
were flooded with supportive comments when its
nature programme was accused of faking footage.
- 10. MALWARE ATTACKS HAVE BEEN ON THE
UPWARD CURVE SINCE THE WIDE ADOPTION
OF HOME COMPUTERS AND 2011 SHOWS A
SIMILAR TREND. IN THE ‘GLOBAL SURVEY OF
SOCIAL MEDIA RISKS’, CONDUCTED BY THE
PONEMON INSTITUTE, OCTOBER 2011,
52 PERCENT OF ORGANISATIONS STATED
THAT AN INCREASE IN MALWARE
ATTACKS WAS A DIRECT RESULT OF
EMPLOYEE USE OF SOCIAL MEDIA.
Presented by Martin Jordan, Head of Cyber Response,
Information Protection, +44(0)20 7311 1000,
martin.jordan@kpmg.co.uk
- 11. CYBER THREAT
- 12. 02
CYBER THREAT
Cyber attacks now feature widely
across the media and are
infiltrating our personal as well as
professional lives. For example,
burglars are making use of social
networks to plan raids, especially
Twitter and Facebook where people
post their whereabouts and holiday
news – and as such announce that they
are not at home. A computer virus has
even affected the computer systems
at Creech Air Force base in Nevada,
where pilots from the US Air Force
remotely fly drones in Afghanistan.
Commercial anti-virus and data
protection vendor Sophos says that
it catches 95,000 pieces of malware
every day, double the number on the
previous year. Vendors like Sophos
and others are always playing catch-up
and readily admit they are involved in
a continuing and never-ending battle
with hackers for supremacy.
Hacking now is primarily carried out by
three groups:
• Organised criminal gangs
• State-sponsored organisations
• Hacktivists.
For organised crime the rewards are
huge, with a recent attack netting one
gang US$13m in just one day. Gangs
like the Russian Business Network,
which offer technology and hosting
services to criminals around the world,
are well documented, as are the
almost non-existent consequences of
getting caught. In early 2011 a 27-year-old
male received five months’
probation, despite pleading guilty to a
US$10m fraud that involved hacking
into a bank and stealing credit card
and PIN details, which he and his
gang then cloned onto new cards and
used at ATMs.
State-sponsored cyber attacks are
becoming more frequent and more
complex. Norway recently revealed
that oil, gas and defence firms
across the country had been hit by
a series of sophisticated attacks
that stole industrial secrets and
information on contracts.
During the 2008 war between Russia
and Georgia, Moscow was widely
suspected of being behind various
cyber attacks against its neighbour,
while the US Government has
officially designated cyberspace
a warfare domain, alongside land,
sea, air and space. In October 2011,
computers in the Japanese
Parliament were infected with a virus
designed to steal passwords and
other information, with the attack
traced back to a server in China.
- 13.
Hacktivism has been on the rise
over the last couple of years, with
groups like LulzSec and Anonymous
making headlines for attacks on a
disparate range of victims including
government, media and financial
services. While hacktivism is in
many cases a loose collection of
like-minded individuals – Anonymous
for instance has no leaders or
structure – they do tend to share
an ideology, which of late has been
painted as anti-capitalist.
SIMPLE WEAPON
Cyber attacks come in many shapes
and sizes: social engineering, infected
websites, phishing and spam to name
just a few, but in one case the weapon
comes from within organisations
themselves.
Public documents, such as
downloadable PDFs, can reveal a
great deal about the inner workings of
an organisation’s IT infrastructure, with
the metadata recording who created
it, their user name, the software
version they used and even the name
of the last printer they accessed.
WHAT CAN BE DONE?
Putting in place a coherent, well-
resourced strategy involving a
specialist vendor of anti-malware and
data protection technology is of course
on top of the list, closely followed
by a comprehensive usage policy.
However, there are also a number of
additional, day-to-day precautions that
are worth taking on board.
• Assess what information about
your organisation is publicly
available on the web, including
names, structures, financials and
partnerships. Then put in place a
policy to minimise the corporate
information you may not want
made public.
• Put in place a process whereby all
metadata is cleansed from public
documents as a matter of policy.
• Patch every computer within
your organisation – not just the
web-facing ones – as attacks are
often written to exploit known
weaknesses in computer code.
In some cases, it’s not just
computers that are at risk either,
but other machines including printers.
• Put in place a plan that details
the responses to every possible
cyber attack.
• Educate all users – from mailroom
to boardroom – in sensible web
and email behaviour.
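The metadata risk described under SIMPLE WEAPON, and the cleansing policy in the list above, can be enforced with a pre-publication check. The following is an added example, not part of the original paper: it reads the Info dictionary of a PDF from every revision stored in the file and lists the fields that should block publication. The function names, the allow-list and the sample bytes are assumptions made for illustration, and the scan assumes the Info dictionary is stored uncompressed.

```python
import re

# Info-dictionary keys that commonly expose a person, account name or software build.
SENSITIVE_KEYS = ("Author", "Creator", "Producer", "Title", "Subject", "Keywords")

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape_literal(body: bytes) -> bytes:
    """Resolve backslash escapes inside a PDF (literal) string."""
    def repl(m):
        esc = m.group(1)
        return _ESCAPES[esc] if esc in _ESCAPES else bytes([int(esc, 8) & 0xFF])
    return re.sub(rb"\\([nrtbf()\\]|[0-7]{1,3})", repl, body)


def _decode_text(raw: bytes) -> str:
    """PDF text strings are UTF-16BE when they start with a byte-order mark."""
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", errors="replace")
    return raw.decode("latin-1")


def audit_pdf_metadata(data: bytes) -> dict:
    """Return {key: [values]} for sensitive Info entries in every revision of the file."""
    found = {}
    for num, gen in set(re.findall(rb"/Info\s+(\d+)\s+(\d+)\s+R", data)):
        obj_re = rb"(?<!\d)%d\s+%d\s+obj\s*<<(.*?)>>" % (int(num), int(gen))
        # finditer, not search: an incremental update appends a new copy of the
        # object and leaves the earlier copy (and its values) in the file.
        for obj in re.finditer(obj_re, data, re.S):
            body = obj.group(1)
            for key in SENSITIVE_KEYS:
                k = re.escape(key.encode())
                lit = re.search(rb"/" + k + rb"\s*\(((?:\\.|[^\\()])*)\)", body, re.S)
                hx = re.search(rb"/" + k + rb"\s*<([0-9A-Fa-f\s]*)>", body)
                if lit:
                    raw = _unescape_literal(lit.group(1))
                elif hx:
                    digits = re.sub(rb"\s", b"", hx.group(1)).decode("ascii")
                    raw = bytes.fromhex(digits + "0" * (len(digits) % 2))
                else:
                    continue
                value = _decode_text(raw).strip()
                if value:
                    found.setdefault(key, set()).add(value)
    return {k: sorted(v) for k, v in found.items()}


def publication_blockers(data: bytes, allowed=("Title",)) -> list:
    """Names of metadata items that should stop this file being published."""
    blockers = [k for k in audit_pdf_metadata(data) if k not in allowed]
    if b"<x:xmpmeta" in data or re.search(rb"/Type\s*/Metadata", data):
        blockers.append("XMP")  # an XMP packet can carry the same fields again
    return sorted(blockers)


# Constructed sample (not a real document): the first revision names the author and
# tooling, then an incremental update rewrites object 5 with only a title.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"5 0 obj\n<< /Author (j.smith) /Creator (ExampleWriter 9.1)\n"
    b"   /Producer (ExamplePDF Library 4.2 \\(x64\\))"
    b" /Title <FEFF0051003300200052006500730075006C00740073>"
    b" /CreationDate (D:20111104093000Z) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 5 0 R >>\n%%EOF\n"
    b"5 0 obj\n<< /Title (Q3 Results) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 5 0 R /Prev 0 >>\n%%EOF\n"
)

if __name__ == "__main__":
    for key, values in audit_pdf_metadata(SAMPLE_PDF).items():
        print(f"{key}: {values}")
    print("blockers:", publication_blockers(SAMPLE_PDF))
```

The sample shows why editing the properties in an authoring tool is not always enough: the author and software names from the first revision are still reported after the update that kept only a title.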
- 14. TECHNOLOGY RISK IS NOT JUST ABOUT
SECURITY ATTACKS AND THE PREVENTION
OF CYBER ATTACKS. THE EMERGENCE
OF NEW TECHNOLOGIES AND USER
BEHAVIOUR CAN SOUND THE DEATH
KNELL FOR COMPANIES WHO FAIL TO
SEE WHERE IT MIGHT LEAD.
Presented by Adam Bates, Partner,
UK Head of Risk Consulting,
+44(0)20 73113934,
adam.bates@kpmg.co.uk
- 15. DISRUPTIVE TECHNOLOGIES
- 16. 03
DISRUPTIVE TECHNOLOGIES
WHERE THE FUTURE LIES
Company survival now is far less
certain than it has ever been. In 1937
the average time a company spent in
the S&P 500 was 75 years, in 2011
that has dropped to 15 years and by
2025 it is predicted to be just five
years [5]. As we have seen with some
organisations, being an alumnus of
the index is no guarantee of survival.
It is an example that presents a
salutary lesson to executives on
how technology can disrupt their
businesses to the point of potential
extinction. Similar examples have
occurred in a range of industries
including retail, telecoms, music and
computing and will be seen in more
industries as technology enables
changes in their business models.
What’s also apparent is that we’re
at the start of this technology wave;
developments will only get faster and
the risks more pronounced.
Disruptive technology has no respect
for borders or sectors; executives
should not be fooled into thinking that
their business is safe because their
immediate markets are unaffected.
All threats begin life over the
horizon and it is the job of IT internal
audit to ensure their organisation
maintains a sharp view of ongoing
technological developments.
Examples of possible disruptive
technology are everywhere. In Kenya
M-Pesa is a microfinance system
that allows individuals without bank
accounts – who account for
77 percent of the adult population –
to undertake basic banking functions
from specialist kiosks and mobile
phones. It is operated by a Vodafone
affiliate and completely bypasses the
traditional banking structure, with 14
million users and year-end revenue
growth rates of 56 percent. Other
countries have also begun working
on their own systems, which begs
the question how will the banking
industry react when – and not if –
this technology begins encroaching
on more established markets?
- 17. Nanotechnology and additive
manufacturing (3D printing) are
further sources of disruption where
emerging technologies could
seriously impact the healthcare and
pharmaceutical market and make
existing players more vulnerable.
It might sound like something straight
out of Star Trek, but researchers are
already using 3D printing to produce
human organs and muscles for
research. While the mass production
of living human tissue is years
away, at some point in the future it
may be a fact of life, and will have
a significant impact on companies
who manufacture kidney dialysis
machines, and even insurance
companies will need to factor
in increased life expectancy.
DISRUPTING THE DISRUPTORS...
WHAT CAN BE DONE?
Disruptive technology is not just a risk, but an opportunity
too. Telematics for instance is increasingly being used by the
insurance industry as a way of targeting young drivers who have
been priced off the road by excessive premiums. By monitoring
how safely an individual drives – for example whether they are
avoiding driving when dark – a tailored premium can be provided.
These companies are showing how new technologies can be
harnessed to drive revenues and business.
Harnessing technology to enhance rather than disrupt your
organisation cannot be the preserve of one team as it crosses
multiple disciplines such as R&D, marketing, sales and business
strategy. IT internal audit professionals can encourage their
boards to bring together cross-functional teams to maintain an
up-to-date analysis of the market.
• Undertake regular horizon scanning of your sector and any
related industries, including trade media, individual blogs and
social media.
• Begin research on potential competitors sooner rather than
later. Be aware that new competitors could come from
non-traditional sources.
• When dealing with new technology take the time to really
understand its potential benefits and pitfalls. Ensure the
opportunities and risks of being an early adopter of the
technology, a fast follower or doing nothing are understood,
when planning or reviewing strategy.
• Ensure the agenda is not dominated by a small group of
enthusiasts who could skew the discussion. Involve a wide
range of relevant stakeholders.
• Keep in mind that computer performance doubles
approximately every two years, so five and
ten-year plans will always be out of date.
- 18. 04
CONCLUSION
So, are the executives in your
organisation sleepwalking into the
future – unaware that there are
technological risks that can literally
kill their business?
Technology is of course a great
enabler and presents a myriad of
business opportunities. Over a
billion of the world’s population uses
a social network [6], almost one in
seven of the world’s total population [7],
with social networking revenues
reaching almost $15bn in 2012
according to Gartner [8]. The growth in
smartphones and tablets has seen
methods of network interaction
change, with obvious dangers to
commercial infrastructure that now
cannot rely solely on firewalls and
anti-virus software to protect itself.
The cyber threat remains real – the
barbarians are always at the gate
and their technological resources
are greater than that of the average
organisation.
Finally, there are technologies
under development that have the
ability to significantly impact your
organisation, however market-
entrenched and successful it is at
the moment.
The message is clear, technological
risk must become a regular
boardroom issue, on a par with
finance reporting, regulatory issues
and strategic direction. Indeed, it
must become embedded within
your organisation’s strategy.
IT internal auditors can stake a claim
in this space if they put in place
now the processes to give them
proactive visibility of not just current
trends, but technology that hasn’t
been invented yet. It’s now easier
than ever through organisations like
TED to discover ideas that could
change your organisation’s world,
even if they sound far-fetched at
the moment. Research [9] is already
showing email use dropping among
12 to 17-year-olds, which of course
will alter the digital communication
strategies of those organisations
looking at the horizon. In fact it’s
happening already, with French IT
services company Atos announcing
that it intends to ban staff from using
internal email and turn to instant
messaging and social networking
technologies instead [10].
Information and Technology risk
management isn’t just about
security and regulatory compliance.
We need to shift our focus in the IT
Risk Universe away from the mature
controls and change management
programmes and processes we
take comfort in, and re-imagine IT
risk. How organisations leverage
technology will determine financial
viability, performance and outcomes.
KPMG can help you make difficult
decisions with greater confidence.
Our Technology Risk Consulting
team takes a forward view of our
client’s business and de-risks the
impact of change, unlocking value
and building confidence.
SOURCE: [5] The Economist, April 16, 2011
[6] http://www.strategyanalytics.com/default.aspx?mod=reportabstractviewer&a0=6818
[7] http://esa.un.org/unpd/wpp/Excel-Data/population.htm
[8] http://www.gartner.com/it/page.jsp?id=1820015
[9] http://www.comscore.com/Press_Events/Press_Releases/2011/1/Web-based_Email_Shows_Signs_of_Decline_in_the_U.S._While_Mobile_Email_Usage_on_the_Rise
[10] http://www.telegraph.co.uk/technology/news/8921033/Staff-to-be-banned-from-sending-emails.html
- 19. CONTACTS
Financial Services
Jon Dowie, Partner,
Technology Risk Consulting
T +44 (0)20 7311 5295
E jon.dowie@kpmg.co.uk
Michael Elysee, Partner,
Technology Risk Consulting
T +44 (0)20 7311 5429
E michael.elysee@kpmg.co.uk
Ameet Sharma
Director, IT Internal Audit
T +44 (0)20 7694 4073
E ameet.sharma@kpmg.co.uk
Corporates
Gerry Penfold, Partner,
Technology Risk Consulting
T +44 (0)20 7311 8489
E gerry.penfold@kpmg.co.uk
Mohammed Rahman, Partner,
Technology Risk Consulting
T +44 (0)121 232 3301
E mohammed.rahman@kpmg.co.uk
Andrew Shefford
Director, IT Internal Audit
T +44 (0)20 7694 5507
E andrew.shefford@kpmg.co.uk
Public Sector
Keith Bannister, Partner and UK
Head of Technology Risk Consulting
T +44 (0)20 7311 6558
E keith.bannister@kpmg.co.uk
David Timms
Senior Manager, IT Internal Audit
T +44 (0)20 7311 6618
E david.timms@kpmg.co.uk
- 20. ABOUT KPMG
KPMG’s Technology Risk Consulting practice brings together specialists
with skills focussed on the Information and Technology Risk agenda. We
have member practices of over 3,500 professionals advising clients across all
markets and geographies of the technology and data risks they face. We are
part of KPMG’s global network of over 140,000 professionals in 150 countries.
We help clients to identify, prevent and remediate Information and Technology
failures and ensure systems are fit for the future. KPMG firms’ independent
advice and advanced technology capabilities help our clients manage their
technology risks and use their data to its full potential.
• We bring technology risk awareness to the boardroom
• We provide insight from data and help to embed genuine technology risk
management into organisations
• Our tailored services are designed to keep information assets secure,
systems functioning and controls operating effectively
For more information visit www.kpmg.co.uk/technologyriskconsulting
The information contained herein is of a general nature and is not intended to address the circumstances of any particular
individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such
information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such
information without appropriate professional advice after a thorough examination of the particular situation.
Printed in the United Kingdom.
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.
www.kpmg.co.uk | RR Donnelley | RRD264567 | February 2012 | Printed on recycled material.