What IT risks are you most concerned about?
Cyberthreats, data, and legacy technology are our current areas of focus. Cybersecurity is a hot topic within Citi and with our regulators globally, so our focus on cybersecurity is around how the company gathers threat intelligence and responds to that information, as well as how it reacts to incidents. The data governance coverage is targeted to maintaining the quality and integrity of data. Finally, we maintain a view on how the legacy technology and systems are being controlled.
How is Citi’s internal audit department addressing the increasing number of sophisticated attacks?
Citi Internal Audit has a strong base of knowledgeable IT auditors with extensive technology expertise. That said, we recognize the difficulty in maintaining the same level of expertise as the attackers, or even security professionals. Therefore, we maintain close contact with the Citi Information Security Office and the processes that they operate to identify threats and respond to them proactively. We assess those processes for effectiveness, rather than trying to identify all of the emerging risks ourselves.
How is internal audit reviewing the security of third-party providers when you are facing more regulatory pressure?
Citi uses a large number of third-party providers, and Citi Internal Audit carefully assesses the processes that are used by the organization to review third parties, such as the information security assessment. Additionally, we audit the end-to-end processes as operated by these vendors. Finally, internal audit selects a sample of critical vendors and conducts on-site audits of their controls on a cyclical basis.