Risk Ready

Citi’s CAE of technology, Joanne Coulson, works closely with the information security function to assess emerging IT threats to the financial giant.

What IT risks are you most concerned about? 

Cyberthreats, data, and legacy technology are our current areas of focus. Cybersecurity is a hot topic within Citi and with our regulators globally, so our focus on cybersecurity is around how the company gathers threat intelligence and responds to that information, as well as how it reacts to incidents. The data governance coverage is targeted to maintaining the quality and integrity of data. Finally, we maintain a view on how the legacy technology and systems are being controlled.

How is Citi’s internal audit department addressing the increasing number of sophisticated attacks?

Citi Internal Audit has a strong base of knowledgeable IT auditors with extensive technology expertise. That said, we recognize the difficulty in maintaining the same level of expertise as the attackers, or even security professionals. Therefore, we maintain close contact with the Citi Information Security Office and the processes that they operate to identify threats and respond to them proactively. We assess those processes for effectiveness, rather than trying to identify all of the emerging risks ourselves.

How is internal audit reviewing the security of third-party providers when you are facing more regulatory pressure?

Citi uses a large number of third-party providers, and Citi Internal Audit carefully assesses the processes that are used by the organization to review third parties such as the information security assessment. Additionally, we audit the end-to-end processes as operated by these vendors. Finally, internal audit selects a sample of critical vendors and conducts on-site audits of their controls on a cyclical basis.
