Our Technology Internal Audit and Risk Advisory services support internal audit and risk functions with specialist coverage across cyber security, privacy, operational resilience, third-party risk, technology controls and major technology change.

We work as an extension of existing internal audit capability, providing deep technology expertise where it is needed to deliver effective assurance over the organisation’s highest-risk areas.

Technology risks now make up a significant proportion of most internal audit plans, and the expectations placed on that coverage have increased materially. Audit committees and regulators are looking for targeted assurance across multiple technology risk areas, each with its own regulatory, operational and control considerations. Delivering that level of assurance requires more than broad coverage. It requires depth, specialist knowledge and the ability to assess risk and control effectiveness in context.

Our teams include specialists across penetration testing and technical security testing, privacy and data protection, technology governance and control frameworks, operational resilience and third-party assurance. We regularly support internal audit functions operating in highly regulated and high-scrutiny environments, including financial services and government, where expectations are shaped by bodies such as APRA, ASIC and the OAIC and where assurance needs to be clear, defensible and decision-useful.

Our services include:

Co-sourced and outsourced IT internal audit

Scalable technology internal audit support aligned to your audit plan, risk profile and maturity. We integrate with your internal audit methodology and reporting, extending coverage across complex technology, cyber and data risks, or delivering fully outsourced technology audit activity where required.

Cyber security risk management

Independent reviews of cyber security risk management, governance and control effectiveness conducted in support of internal audit and risk assurance activities. Typical focus areas include security governance, identity and access management, vulnerability management, security monitoring, incident response and third-party cyber risk.

CPS 234 and CPS 230 reviews

Targeted reviews supporting APRA-regulated entities with information security and operational resilience obligations. We assess governance arrangements, board and management accountability, control design and operating effectiveness, helping organisations evidence compliance and strengthen resilience across critical operations.

Privacy, data governance and data protection reviews

Assessments of how personal and sensitive information is governed, protected and used across the organisation. Reviews focus on Privacy Act obligations, data governance frameworks, third-party data handling, security of data flows and breach readiness.

IT general controls and application controls

Reviews of IT general controls and application controls underpinning financial reporting, operational integrity and compliance outcomes. Typical areas include user and privileged access, change management, system interfaces, configuration controls, logging and monitoring.

Program and project assurance

Independent assurance over the governance, risk management and control environment of major technology initiatives and transformations. We support boards and executives with early insight into delivery risks, oversight effectiveness and control gaps.

Third-party risk management

Reviews of third-party and supplier risk frameworks, including governance, due diligence, assurance, contractual controls and ongoing monitoring, with a focus on outsourced and technology-enabled services that underpin critical operations.

Technology due diligence for transactions

Technology and cyber due diligence supporting mergers, acquisitions and divestments. We assess technology risk, security posture, data exposures, key dependencies and integration challenges to support informed transaction decisions and post-deal planning.

On-demand secondments

Short-term secondments of technology risk and internal audit specialists to provide capacity uplift, specialist expertise or support during audit plan delivery, regulatory activity or periods of increased risk.