Technology Regulatory Reviews

How do you keep pace with the growing regulatory environment for technology risks?

As technology develops, the regulatory environment evolves with it to address the changing risks. For example, the new European data protection regulation (the GDPR) comes into force soon, widening the scope of the data protected and significantly increasing the sanctions available to the regulator.

As regulations change, how well the Board and business stakeholders stay abreast of the requirements, and assess the adequacy of the controls in place against them, will determine the exposure each business faces.

BDO has developed a methodology to help businesses untangle the regulations affecting IT services, the exposures they create for each organisation, and the controls or procedures that will minimise the risk of a regulatory breach.

The approach focuses on three basic questions:

  1. Which regulations create the greatest threats to your business (for example software licensing, data protection, copyright)?
  2. Does the Board or senior management receive appropriate insight to help them understand the vulnerabilities associated with the requirements of each regulation? Are the IT controls adequate and effective in minimising the risks faced?
  3. Where third party service providers manage the risks on behalf of the business, is an appropriate assurance approach in place (for example, an SSAE 16 report providing independent assurance over the third party's IT controls)?

Where only limited assurance exists, we can work with you to assess the controls in place, whether they are operated in-house or by a third party service provider (for which we can provide an SSAE 16 report). The scope of any review determines the robustness of the assurance it provides; we tailor our work to your needs, and it could include the following:

  1. Entity level controls - Are senior management aware of the regulatory risks affecting IT? Is there appropriate management information to inform management of the maturity of the controls in place? Does the assurance programme ensure controls are assessed and tested regularly?
  2. IT general controls - with specific focus on user access management, change management, interface and batch processing management, and data integrity management.
  3. Deeper expert reviews - including cyber security, technology resilience, data protection health checks, and assessment of security configuration across key systems or data environments.