Tech assurance

Helping you build trust and create value with a robust approach to managing technology risks.

Forvis Mazars technology assurance and advisory services provide objective guidance, support and challenge to senior leaders to enable them to manage and assure technology risks more effectively. 

The ever-changing digital technology landscape, regulatory and compliance requirements, threat actor capabilities and geopolitical trends have created a constantly shifting risk environment that affects all organisations. The pace of technological change means these risks should be actively managed by all three lines of defence (LoD), with the second and third lines playing a key role in helping organisations identify, treat and control potential exposures.

Our tech assurance services can support you at every step of your risk journey and play a crucial role in supporting your goals through independent and objective advisory and assurance of your risks, internal processes, controls and technologies.

We can help identify areas for improvement and ensure that your operations are strategically managing risk, enabling you to capitalise on the benefits technology can bring.


Our tech assurance services

Our integrated risk-based approach and extensive sector experience mean we can provide insight into technology risks for boards, audit committees, and key senior management executives. 

IT internal audits 

Our approach

Our IT Internal Audit service provides specialist risk-based independent and objective audit and assurance over technology risks including those relating to the confidentiality, integrity and availability of Cloud and Digital systems and data. We believe that IT Audit should be seen as a strategic function that provides robust independent assurance, intelligent insight and value-added perspectives to Executive Boards and Audit Committees. This means performing reviews that get to the heart of issues, and providing recommendations that deliver scalable and lasting improvement. 

Our services

  • Specialist risk-based IT Internal Audit services both as co-sourced and out-sourced partnerships 
  • Development of IT Internal Audit Universe and risk-based plans 
  • Integration of IT Risk, Assurance and Compliance (Integrated Assurance) 
  • Training for IT audit and risk professionals 
  • External Quality Assessment (EQA) of IT Internal Audit function 

What we offer

Your IT audit partner 

We build genuine lasting relationships with our clients, operating as a trusted assurance partner that can navigate technical complexity to deliver high quality impactful outcomes. We listen, respond and collaborate to make sure that you maximise your investment in IT Internal Audit at a time when this discipline has never been more important. We know that sometimes difficult messages need to be given – we don’t hide from that and can be relied on to not only highlight the issues but find the solutions. 

All our clients consistently provide the same feedback to us - that we put their needs first and that we go above and beyond. We respond and support them during challenging situations, whether that is responding overnight to a cyber-attack with incident response support or course-correction during a digital transformation project not going according to plan. 

We don’t just provide IT Internal Audit services when you work with us; we help you holistically manage your technology risks and stay ahead of the risk curve. 

Tailored approach: 

We tailor our services to match your specific needs while fostering a robust partnership with you. We work as an extension of your team, whether in a co-source or fully outsource capacity, and provide specialist IT Internal audit support to develop IT Internal audit universe and risk-based plans. 

Our approach is proactive and flexible, allowing us to initiate and introduce innovations and continuously improve.

While we readily align with your requirements, methodology and tools, we also bring a fresh perspective to the table, enriching the process with new insights. For example:

  • We provide ongoing thought leadership to your sector, including C-Suite level surveys/reports, Head of Internal Audit forums and perspectives on key challenges facing organisations.
  • We also provide guidance and training to in-house Internal Audit teams, Risk and Compliance functions, Executive Boards and Audit Committees on emerging risks and topics such as Artificial Intelligence, Internet of Things and Quantum Computing.
  • We provide guidance, support and challenge to second line risk assessment, and embed integrated assurance approaches to maximise the value in assurance coverage.

Technical expertise 

We bring high-quality teams and will go beyond the immediate challenge to find the answer that works best for you and your business. And we do that with an approach that respects who you are and how you work. 

We leverage Subject Matter Expertise (SME) capability to provide market leading insight and perspective in areas such as Cyber Security, Cloud and Data Privacy, providing a view on “what good looks like”. 

We provide real-time and agile assurance over technology risks and use continuous audit tools such as Tanium and Curious to assess environments end-to-end, providing in-depth examination of control compliance in critical areas (such as patching and vulnerability management).

Case studies

Sector: financial services

Due to the rise in ransomware attacks, a financial services company worked with Forvis Mazars to conduct a ransomware readiness assessment. The assessment aimed to evaluate the efficacy of their cyber security policies, procedures, and controls (technical and non-technical) in preventing ransomware attacks. Forvis Mazars conducted documentation reviews and workshops with key security stakeholders to understand the company’s security posture. The assessed areas included minimising phishing attempts, vulnerability management, and recovery planning.

Following this exercise, the company conducted a full cyber security review incorporating all the recommendations and implemented technical changes to reduce the risk of a ransomware attack. This exercise played a vital role in ensuring that the cyber security team received appropriate funding to implement the relevant tools to protect the company, e.g. tools to monitor mass file encryption. In addition, by remediating the findings outlined by Forvis Mazars, the company is in a significantly better position to defend against a ransomware attack while also having a comprehensive understanding of vulnerabilities within their estate and how to remediate them.

Sector: public sector

We have a co-sourced Internal Audit contract with a Council based in London. Every three years we conduct an IT Audit Needs Assessment (ANA) to evaluate the technology risks facing the Council. The audits selected usually form a blend of topics such as those related to core IT services (such as Cyber Security or Information Security Vendor Management), strategic initiatives (such as Cloud Strategy or Digital Transformation) and those related to critical IT application services (such as implementation of the Social care management systems). This mix of audits supports the Council’s Head of Internal Audit (HoIA) in providing an opinion on internal control that reflects their heavy use of technology to provide services to the public.

In addition to assessing the effectiveness and efficiency of internal controls per the risk-based annual IT audit plans, the HoIA periodically reaches out to us for ad-hoc advice during significant business changes/disruptions. For example, one of the schools under the Council suffered a ransomware attack and the HoIA contacted us for advice. We immediately involved our Cyber incident response specialists, who supported the Council with incident response following the cyber-attack, and provided recommendations that were implemented. Some of these suggestions included engaging with a penetration testing partner and a 24/7 Security Operations Centre (SOC), gathering threat intelligence and assessing exfiltration of data. We searched the dark web, found that certain data had been leaked, and shared this with the Council, who were unaware of it. We also provided our insights into the specific threat group and trends in the cyber risk space that the Council should be aware of.

 

IT risk and compliance

Our approach

We can help you build an integrated risk and compliance framework that transforms siloed and manual processes into a common control framework, helping you meet regulatory requirements, manage key risks and achieve effective cross-functional integration.

Our Technology Risk and Compliance services can help you effectively manage risks while maximising returns and efficiencies in an ever-changing business landscape. This holistic approach helps you: 

  • Understand and manage your technology risks through accountability 
  • Meet your regulatory and compliance requirements 
  • Ensure technology investments and initiatives support business objectives and growth 
  • Break organisational silos and improve operational efficiencies 

Our services

Technology risk management 

Specialist expertise to guide, support and challenge management in their approach to effectively manage digital and cloud technology risks. Our service aims to elevate strategic technology risk management across the organisation, ensuring risks receive sufficient focus and investment from the Executive. 

Our services: 

  • IT Risk as-a-service (outsource/ co-source): 
    • Design, implementation and embedding of technology risk and control frameworks 
    • Technology risk monitoring and risk reporting 
    • Support Governance Risk and Compliance (GRC) tooling 
    • Building integrated risk and compliance frameworks 
    • Governance and reporting on technology risks 
    • Audit readiness assessment and support, including documentation of controls 
    • Integrated risk and compliance framework development 

IT compliance 

Our IT Compliance service helps you maintain compliance with internal and external obligations with regard to the technology and digital services you consume and provide. Our aim is to help you achieve compliance both efficiently and effectively, ensuring you maintain compliance while minimising the burden in achieving this. 

Our services: 

  • Internal control framework implementation: 
    • IT SOX compliance 
    • UK Corporate Governance code 
  • Internal control advisory: 
    • IT SOX compliance 
    • UK Corporate Governance code 
  • IT compliance attestation and assessments: 
    • SWIFT 
    • PCI DSS 
    • ISO27001 
  • IT compliance monitoring 
  • Integrated risk and compliance framework development 
  • Documentation of policy/ procedures and frameworks 

Case studies

Sector: industry and services

Forvis Mazars worked with a leading digital marketing company to significantly advance its risk management capabilities by implementing a sophisticated Technology Risk Register tailored to encapsulate IT and Cybersecurity risks in alignment with the firm's risk appetite. The initiative, characterised by interactive workshops with control owners and an in-depth analysis of their operational landscape, led to developing a dynamic risk management framework. This strategic framework includes governance controls to mitigate risks, a proactive risk treatment plan, designated risk ownership, targeted risk scores, and a timeline for action plans. This comprehensive exercise fortified the client's strategic objectives and enhanced Enterprise Risk Management (ERM), streamlining the decision-making process, reducing uncertainty, and strengthening the company's reputation among key stakeholders. 

Sector: financial services 

A national bank with a London branch got in touch with Forvis Mazars to carry out an independent assessment of their SWIFT infrastructure security controls in compliance with the SWIFT Customer Security Programme (CSP) requirements. Forvis Mazars initially carried out an assessment of their architecture and identified that requirements had changed, so the assessment scope had to be increased to cover additional controls and SWIFT components. Forvis Mazars carried out the assessment fieldwork at the client’s premises over a few days, followed by a closing meeting to present findings, a formal report and a completion letter. Forvis Mazars recommended several best practice actions for the client to enhance their security controls and improve their security posture within their SWIFT environment. The client was pleased with Forvis Mazars's work, especially with our flexibility and pace, as this was a last-minute request to meet the 31st of December deadline.

 

IT transformation assurance  

Our approach

Effective transformation assurance should be anchored in the specific risks facing your technology programme. Our risk-based approach is most effective when considered as part of a wider integrated assurance model. This means really understanding your technology programme so we can leverage all available sources of assurance across all three lines of defence to focus our effort and attention on the areas that matter most. Our integrated assurance approach is made up of four building blocks: 

  • Programme governance and health: This component of our approach will help ensure your programme delivers against established standards, quality frameworks and timescales at the transformation level. We work with programme management offices (PMOs) to understand and assist in the identification of risks, issues, assumptions and dependencies on the programme, suggesting timely and appropriate interventions.
  • Independent checkpoint governance: This component validates that formal programme stage-gate governance is in place and operating effectively. We can ensure that the appropriate activities per the programme plan have been completed at the different stage gates. 
  • Specialist ‘deep dives’: This part of our approach will typically be pointed at one (or a group) of workstreams that make up a technology programme. It includes specialist deep dives and health checks at the workstream level. 
  • Cutover and go-live assurance: This activity assures the steps leading up to a migration or release, looking for adequate communication, clear definition of roles and responsibilities, and a smooth transition to Business-as-Usual (BaU) operations and user acceptance.

Our services

  • Integrated assurance planning. 
  • Programme launch reviews. 
  • Programme, project and workstream level health-check assessments. 
  • Independent checkpoint governance reviews. 
  • Cutover and go-live assurance. 
  • Deep dive reviews including, but not limited to: 
    • Data migration
    • Security and compliance
    • System configuration
    • Patch and upgrade management
    • Business process alignment
    • Testing and quality assurance
    • Training and change management
    • License and contract compliance
    • Post go-live support
    • Vendor and third-party management
    • Backup and disaster recovery

Case studies

Sector: industry and services

A leading manufacturer and distributor of convenience food engaged us to review their technology programme to implement a group-wide payroll and HR system. The company was transitioning to a new platform to align with complex requirements and mitigate issues such as manual workarounds, data privacy risks and future cost increases. Our involvement started with identifying risks and critical controls and interviewing management and key stakeholders to understand the current landscape and potential unmitigated risk. We focused on four key areas: programme governance, business controls, requirements, and change management, and were able to suggest timely interventions to stop those risks crystallising into issues.

Sector: financial services

Forvis Mazars was engaged by an established building society to provide ongoing technology programme assurance services over a significant transformation of their core business processes and banking engine. While the organisation was clear on the business outcomes to be achieved and the case for change was robust, the programme represented a significant shift in underlying technology from a largely on-prem solution to a cloud-native one. Add to this a number of third-party dependencies, and the risk profile facing the programme team was diverse. We were able to advise on where best to focus effort within constrained assurance resource, suggesting four separate reviews over a 12-month period ranging from programme health check and governance to specialist deep dives on testing new business processes in the cloud solution.

Sector: public sector

A prominent social housing organisation was at a crossroads, halfway through a 5-year Salesforce implementation programme. The journey was abruptly halted due to unforeseen challenges with the scope, product and delivery of the programme. Forvis Mazars were engaged to develop an end-to-end programme assurance map that highlighted where we expected the organisation to gain assurance based on the transformation programme’s key risks. We worked with the programme team and executive management to establish assurance needs over the remainder of the programme, ranging from initiation through to in-service support capabilities. We assessed the assurance need, the desired level of assurance, and whether this was classified as being the 1st, 2nd or 3rd line of defence. We then provided a view on where we saw evidence that assurance needs were not being met and made specific recommendations on closing the gaps.
