Five ways internal audit can propel tech firms to success

The technology sector is fast moving and constantly changing. It includes areas such as eGaming, esports, financial technology including blockchain and cryptocurrency, artificial intelligence, data management, digital media and software development.

There is an irony when it comes to risk. Rapidly growing tech firms in competitive markets face high levels of exposure. Yet by nature, they are often not equipped to anticipate or manage risk and may struggle to make time for it.

Like any business, tech firms face internal and external risks. These may be strategic, regulatory, operational or financial. Their strong culture and purpose-led approach can lead to specific risks emerging, and the right processes are not always in place to manage them. 

Internal audit might not be high on the agenda for all , but to protect and help fast track growth, it certainly should be. Internal audit can unlock significant value, while boosting business resilience and enabling much improved strategic decision-making.

For those that want to survive and thrive, internal audit is a vital step in their maturation and scaling journey. 

Governance: achieving an enterprise-wide view of risk

Technology businesses often organise around sales, R&D, engineering, customer services and operations, with product teams driving their own get-to-market mandates. Balancing innovation with risk management can be challenging as shaping an enterprise-wide risk culture and view of risk appetite takes deliberate effort.

The classic business risk model includes three lines of defence:

1. Management and operational teams involved in running the business and doing the day-to-day work
2. Risk management and compliance specialists within the organisation
3. Internal audit, providing independent assurance and typically reporting to the board and/or audit committee. 

A three-line model may be in place, but making it work cohesively can be a challenge. While the positioning of the second or third line is not always optimal.

In many cases where our IA practice engages, we often see pockets of risk management, compliance and audit activities spread throughout the organisation. That means it can take time to build and deliver an enterprise-wide view of risk and a truly integrated assurance solution.

Culture: protecting value for growth

Tech businesses thrive on innovation and open-mindedness but there’s a downside. Fast-scaling firms don’t always have the structures to oversee, manage and monitor the inherent risk tied to the products and services they develop. 

Product development tends to be fast-paced and driven by market demand, with processes developed in flight and not ahead of time. It’s a culture of "building the plane while flying it". While that agility and responsiveness to changing circumstances pays dividends, opportunities to have optimised processes can get missed. 

In this environment, for example, subject matter expertise often gets moved from one agenda to the next. The consequence for risk management? Governance, risk and internal control practices can lack standardisation and have wide-ranging levels of embeddedness or maturity across the matrixed organisation. Similarly, process documentation can be lacking and it’s rare that functional team members all have an up to date understanding of key processes.

People: exploiting IP and legacy knowledge

Talent is a mix of those that have worked in tech all their careers, “gold dust” subject matter experts – namely large-scale project sponsors – and the next generation of AI-savvy up-and-coming young executives. 

Attracting and retaining talent is a constant challenge, one the tech sector has long lived with, as in-demand skills shift rapidly with market innovation.

Organisation structure, team setup and dynamics across global, local, virtual and hybrid teams all influence employee lifecycle patterns and performance management. The industry also sees high rates of employee churn. 

Taken together, this often results in a lack of legacy knowledge across tech businesses with succession risk frequently high. When these gaps and risks aren’t clearly identified or managed, they present resilience challenges.

Systems: streamlining to optimise value

It’s easy to assume tech businesses have the slickest IT infrastructure and fully integrated enterprise systems. In reality, as they’ve scaled and evolved, they have often restructured multiple times, meaning assorted systems have been interfaced to varying degrees to keep the show on the road. 

This is especially true in the eGaming sector, where firms often operate across multiple jurisdictions and rely on a combination of legacy platforms and modern gaming software services. Internal teams frequently develop a wide range of apps, tools and artificial intelligence capabilities to support product development, sales and customer-facing functions. 

The sector also depends heavily on third-party service providers, including cloud service providers. While all businesses must manage third-party relationships and cloud governance, gaming and software firms often rely on multiple providers to maintain uptime and performance.

While this multi-cloud approach bolsters resilience, it also increases complexity and the potential for inconsistent compliance across platforms. Operations management and compliance efforts can unintentionally be duplicated. This dynamic may  result in security control weaknesses and gaps in data management and IT resilience controls.

Internal audit can assess key governance, risk and control mechanisms across cloud systems and critical third-party providers. These insights can be used to strengthen system controls and improve third-party performance, helping eGaming and software firms maintain trust, meet regulatory expectations and scale with confidence.

Data: finding clarity amid the noise

Many tech companies have huge amounts of data in all kinds of formats. Those that operate across different countries often find it hard to manage and protect this data – the scale and complexity can be a real challenge.

Many tech firms are eager to adopt artificial intelligence, automation and analytics tools. However, they often struggle to understand their data, what it reveals and how to use it effectively to support daily operations and strategic decisions. 

Poor data governance can create serious risks. It may result in biased AI models or breaches of data privacy. In addition, it can be difficult to monitor, interpret and manage AI decisions without clear data lineage. This can lead to unethical or harmful outcomes, increased regulatory scrutiny and higher operational costs.

How Grant Thornton can help

Technology companies’ internal audit maturity can’t always keep pace with their innovation and growth. As with other companies, they must also contend with technology-related challenges, such as cybersecurity, AI and operational resilience.

Regardless, companies must continuously manage existing risks and mitigate emerging ones. Grant Thornton’s internal audit practice delivers tailored solutions to companies at all audit maturity levels.