IT Risks for Managers of Collective Assets: What the Audit Reviews
FINMA has addressed cyber and IT risks in its Risk Monitor for several years as one of the central operational risk priorities for licensed institutions. For managers of collective assets, this is increasingly reflected in the regulatory audit report: the review no longer focuses only on whether IT systems function, but on whether IT governance, controls and reporting processes are documented in an auditable manner.
The regulatory basis is Art. 9 FinIA (appropriate organisation and risk management) in conjunction with Art. 12 et seq. FinIO. Art. 14 FinIA and FINMA Guidance 05/2020 on cyber risks apply to the outsourcing of IT services.
What matters in the audit report
The focus is particularly on:
• Responsibilities for IT and cyber risks at executive management and board of directors level
• Overview of material IT systems and service providers (IT inventory)
• Periodic review and re-certification of access rights
• Controls for outsourced IT services pursuant to Art. 14 FinIA
• Incident response process for cyber incidents
• Reporting process for regulatory-relevant incidents
• Backup, recovery and business continuity concepts
• Reporting to executive management and the board of directors
Many findings do not arise because IT controls do not exist. They arise because responsibilities, controls or evidence are not sufficiently documented.
The common gap: IT exists, but is not auditable
In practice, most managers of collective assets have external IT service providers, security solutions, backups and defined access rights. For the audit, this alone is not sufficient. What is relevant is whether the institution can demonstrate:
• which IT risks have been identified
• who monitors these risks
• which controls are performed and at what frequency
• how service providers are monitored and assessed
• how cyber incidents are identified, documented and escalated
• when a notification to FINMA is assessed
• which evidence is available for the audit
Typical findings in the audit report: access rights are managed technically, but the annual re-certification by the responsible business function is not documented; or there is an agreement with the IT provider, but no regular monitoring of the agreed service levels and security requirements. This is precisely where the gap arises between operational IT and regulatory documentation.
Outsourcing does not relieve responsibility
Many managers of collective assets outsource IT services. This is permitted and often unavoidable. From a regulatory perspective, however, the institution remains responsible (Art. 14 FinIA). Anyone outsourcing IT must in particular be able to demonstrate:
• which services are outsourced and whether they constitute material services
• that the duties of care in the selection, instruction and monitoring of the service provider are fulfilled
• how service delivery is monitored on an ongoing basis
• which escalation and exit strategies exist in the event of disruptions or security incidents
• that the service provider is contractually obliged to cooperate in audits
Self-assessment before the next audit
Managers of collective assets should ask themselves the following questions before the next audit:
• Is there an up-to-date overview of critical IT systems and service providers?
• Are responsibilities for IT and cyber risks documented at executive management level?
• Are access rights periodically reviewed and re-certified?
• Is the process for identifying, escalating and reporting cyber incidents defined?
• Is evidence available for the ongoing monitoring of outsourced IT services?
• Are IT and cyber risks regularly reported to executive management and the board of directors?
If these questions cannot be answered clearly and with evidence, action is required before the next regulatory audit.
Conclusion
The audit report shows clearly: IT is part of compliance. Managers of collective assets must not only address cyber and IT risks technically, but also document them in a manner that is comprehensible from a regulatory perspective. The decisive factor is not whether controls exist, but whether they are auditable.
Peak Compliance supports managers of collective assets in preparing IT risk inventories, documenting outsourcing arrangements, designing incident response and reporting processes, and preparing auditable evidence for regulatory audits.