IT Audit Challenges


06 Jul 15:00 by Emir Allen

A common challenge Internal IT Audit Management has to overcome is finding the necessary skills to carry out high impact, high-value audit reviews. Every single audit project requires a healthy mix of technical skills and business understanding to assess the risks and controls realistically.


Traditionally, IT auditors are generalists who can review business applications and the underlying infrastructure components and platforms. However, the banking industry relies heavily on certain platforms for its core processing needs, the main one being IBM Mainframes. It is a mature platform that has been evolving as the business context evolves, adding new capabilities such as automated compliance checks, big data analytics support, and security monitoring and alerting functions. Its reliability, resilience, processing speed and capacity make it the ideal platform for the industry. Unfortunately, the good old “Big Iron” reputation has created a complacent attitude towards its security.


It is a common theme within the banking industry to invest heavily in network security devices such as firewalls, IDS and IPS tools, malware protection, etc., and it is indeed very important to protect against external threats. The historical data, however, shows that external threats are only a fraction of the threat landscape; major threats still arise from the inside. The definition of “inside” has been blurred by outsourcing, co-sourcing, etc. All the major banks benefit from outsourced, off-shore development and support teams with the same access rights as in-house employees. Add industrial espionage and disgruntled employees to the insider threat picture and it becomes clear that banks cannot afford to be complacent about their core processing platforms on the basis of historical assumptions and a false sense of security.


A large scale system like the IBM Mainframe needs specialist skills to properly assess the end-to-end risk to critical business services. It has a very well defined architecture, and every component in this blueprint needs to be assessed in relation to the other components and systems within and outside the platform. To achieve this, auditors, risk managers and control owners need not only technical security skills but also security architecture skills, which make it possible to reveal control gaps and weaknesses while highlighting a realistic, neither exaggerated nor underestimated, business impact and likelihood.


A high-level definition of an end-to-end risk assessment typically includes, but is not limited to, the following items:


  • Trusted Computing Base of the platform (z/OS): The integrity of the system core should be strictly protected by restricting access to system files, datasets, libraries and tools.
  • Security Server (RACF, ACF2, Top Secret): Access controls, including all privileged access, should be granted only after a careful assessment of the implications for every single critical resource.
  • Databases (DB2, IMS, Datacom): Mainframe databases can use their own access controls in addition to the platform access controls. The other security aspects can hide vulnerabilities resulting in unauthorised access to live data.
  • Middleware (CICS, MQ, FTP, etc.): Online transaction processing, messaging queues and file transfers can get very complex very quickly. If not well designed, they can create many high impact unauthorised entry points to the platform and all the resources on it.
  • Development, Test and Release Controls for Applications, System Tools and Batch Jobs: This is an often overlooked area where many very high impact threats are lurking due to insufficient understanding of the platform's technical architecture.
  • Resilience, Disaster Recovery and Business Continuity


A recurring theme we have seen with our banking clients is a shortage of skilled resources for many of the areas above within IT Audit functions, Risk and Controls, Security Architecture and Management. Alternatively, IBM can provide such services, but the cost of such assessments and mitigations is usually astronomical, and because of this false sense of security, IT Management, Risk Management and Internal Audit do not feel the cost is justified.


This usually ends up with Mainframe systems that are poorly designed, historically obscure, without well-defined ownership and whose important assets are not fully known, yet which still support 65% of the world’s financial data. In order to sufficiently protect critical business services and data, Management should consider investing in security, risk and audit staff with the following skills:


  • Overall Mainframe Security and Audit Skills
  • Enterprise Architecture Skills
  • IT General Controls


However, the cost of building these skills is very high and it takes years to achieve the desired results, which usually ends with the employee moving on, taking the newly gained and highly sought after skills to the job market.


As a supplier to many top tier Investment Banks, we offer our services to provide the most skilled professionals who are able to deliver an assurance that your company has adequate and effective controls in place. However, there are plenty of challenges in obtaining strong profiles, not least because of the historically tainted reputation which comes with audit.


Audit, like many other departments, has evolved over recent years, which has made it a more attractive career path. It is now seen less as the police of the bank and more as part of the business. Internal Audit is vital in helping the business identify and implement key controls (more on this point below). This evolution has made it tougher to recruit the right skillset, because one needs to understand the business one is supporting as much as the IT side, whilst maintaining healthy relationships with key stakeholders, internally and externally.


Another shift has taken place in the way audits are carried out. The traditional approach of following a strict process, ticking boxes as you go along, has become increasingly unrewarding. Internal Auditors have to be much more entrepreneurial to achieve high results. Think of it this way – if the bank robber knew security guards were always present from 8am to 12pm and then from 1pm to 8am, he would know to carry out his act shortly after 12pm!


Finally, as Auditors get closer to the business, other risks are worth keeping an eye on, as a conflict of interest could be detrimental to the business. “Forward auditing” is healthy in identifying key risks and preventing having your wrists slapped. But what if the auditor is too close to the business?