Five ways internal audit can propel tech firms to success

By: Sara McAllister
Quick summary
  • Fast-growing tech firms face high levels of internal and external risk.
  • Internal audit can boost resilience and support strategic growth.
  • Governance helps create an enterprise-wide view of risk.
  • Strong culture can both drive innovation and create oversight gaps.
  • Retaining talent and preserving legacy knowledge is a key challenge.
  • Complex systems and multiple cloud providers increase operational risk.
  • Data volumes and AI use require clear governance and ethical oversight.
  • Regular internal audits help tech businesses manage risk and improve decision-making.
Discover five ways internal audit helps tech firms manage risk, build resilience and unlock value for sustainable growth.

In the ever-evolving, often-frenetic technology sector, there can be an irony at play when it comes to risk. Fast-growing tech businesses operating in a crushingly competitive marketplace are exposed to high levels of risk. By their nature, however, they’re not always experienced in anticipating and managing risk, or they struggle to make time for it.

As for any business, the risks tech businesses face can be internal or external and, across both of those, can be strategic, regulatory, operational or financial. Their strong culture and purpose-driven approach can mean that particular risks arise and the right processes are not always in place to manage them.

Internal audit might not be high on the agenda for all, but to protect and help fast-track growth, it certainly should be. Internal audit can unlock significant value, while boosting business resilience and enabling much improved strategic decision-making.

For those that want to survive and thrive, internal audit is a vital step in their maturation and scaling journey. 

Governance: achieving an enterprise-wide view of risk

Technology businesses tend to organise themselves across sales, R&D, engineering, customer services and operations functions, with product teams having their own get-to-market delivery mandates. It can be difficult to balance the drive for innovation with risk management to shape an enterprise-wide risk culture and view of risk appetite.

The classic model of risk management in business involves three lines of defence:

  1. Management and operational teams involved in running the business and doing the day-to-day work
  2. Risk management and compliance specialists within the business
  3. Internal audit, which offers independent assurance and usually reports to the board and/or audit committee.

A three-line model often exists, but it can prove challenging to have it operate cohesively, and/or the positioning of the second and/or third line is not always optimal.

Where our internal audit (IA) practice engages, we often see pockets of risk management, compliance and audit activities spread throughout the organisation. That means it can take time to build and deliver an enterprise-wide view of risk and a truly integrated assurance solution.

Culture: protecting value for growth

There’s no doubt the innovative nature of tech businesses encourages open-mindedness and creativity, but there’s a downside. Dynamic, fast-scaling tech businesses don’t always have the structures in place to oversee, manage and monitor the inherent risk attaching to the products and services they develop. 

Product development tends to be fast-paced and driven by market demand, with processes developed in flight and not ahead of time. It’s a culture of "building the plane while flying it". While that agility and responsiveness to changing circumstances pay dividends, opportunities to optimise processes can get missed.

In this environment, for example, subject matter expertise often gets moved from one agenda to the next. The consequence for risk management? Governance, risk and internal control practices can lack standardisation and have wide-ranging levels of embeddedness or maturity across the matrixed organisation. Similarly, process documentation can be lacking and it’s rare that functional team members all have an up-to-date understanding of key processes.

People: exploiting IP and legacy knowledge

Talent is a mix of those that have worked in tech all their careers, “gold dust” subject matter experts – namely large-scale project sponsors – and the next generation of AI-savvy up-and-coming young executives. 

Attracting and retaining talent is a constant challenge and one the tech sector has had to live with for a long time, as in-demand skills change at pace with market innovation. 

Organisation structure, team configurations and dynamics across global, local, virtual and hybrid teams all shape employee lifecycle patterns and performance management mechanisms. Furthermore, there tend to be high rates of employee churn in the industry.

Taken together, that all means we frequently see a dearth of legacy knowledge in tech businesses, while succession risk can often be high. When these gaps and risks aren’t clearly identified and managed, they pose resilience risk challenges.

Systems: streamlining to optimise value 

It’s easy to assume tech businesses have the slickest IT infrastructure and fully integrated enterprise systems. In reality, as they’ve scaled and evolved, they have often restructured multiple times, meaning assorted systems have been interfaced to varying degrees to keep the show on the road. 

Similarly, internal teams have often spun up a plethora of apps, tools and AI capabilities for different purposes over time to support product development, sales and customer-facing teams. 

That’s not all. An extensive range of third-party service providers support this sector, including cloud service providers (CSPs). While companies across sectors face the need to manage third-party providers and work out how best to manage cloud governance, tech businesses in particular tend to rely on multiple CSPs. 

While this multi-cloud approach bolsters resilience, it also increases complexity and the potential for inconsistent compliance across platforms. Operations management and compliance efforts can unintentionally be duplicated. This dynamic may result in security control weaknesses and gaps in data management and IT resilience controls.

Internal audit can evaluate key governance, risk and internal control mechanisms across cloud-based systems and critical third-party service providers, delivering valuable insights that can be leveraged to enhance system control functionality and third-party performance.

Data: finding clarity amid the noise

Many technology businesses find they have every type and form of data in colossal volumes. Those that have expanded into international markets find that managing and protecting data at that scale across multiple territories is a significant and complex task.

While they’re typically keen to use AI, automation and analytics tools, they can find it challenging to make sense of their data, what it is telling them and how best to use it to support day-to-day operations and strategic decision-making. 

Furthermore, poor data governance generates risks, such as biased AI models or data privacy breaches. Not only that, but it can also be hard to monitor, interpret and govern AI decisions, given a lack of clear data lineage. That can lead to unethical or harmful outcomes, causing increased regulatory scrutiny and operational costs.

How Grant Thornton can help

Technology companies’ internal audit maturity can’t always keep pace with their innovation and growth. As with other companies, they must also contend with technology-related challenges, such as cybersecurity, AI and operational resilience.

Regardless, companies must continuously manage existing risks and mitigate emerging ones. Grant Thornton’s internal audit practice delivers tailored solutions to companies at all audit maturity levels.
