BNM RMIT 2023 Part 7

12 Technology Audit

S 12.1 A financial institution must ensure that the scope, frequency, and intensity of
technology audits are commensurate with the complexity, sophistication and criticality of technology systems and applications.

S 12.2 The internal audit function must be adequately resourced with relevant
technology audit competencies and sound knowledge of the financial
institution’s technology processes and operations.

S 12.3 A financial institution must ensure its internal technology audit staff are
professionally certified and adequately conversant with the developing
sophistication of the financial institution’s technology systems and delivery channels.

S 12.4 In addition to paragraph 12.2, a large financial institution must establish a
dedicated internal technology audit function that has specialised technology audit competencies to undertake technology audits.

S 12.5 A financial institution must establish a technology audit plan that provides
appropriate coverage of critical technology services, third party service
providers, material external system interfaces, delayed or prematurely
terminated critical technology projects and post-implementation review of new
or material enhancements of technology services.

G 12.6 The internal audit function (in the case of paragraph 12.2) and the dedicated
internal technology audit function (in the case of paragraph 12.4) may be
enlisted to provide advice on compliance with and adequacy of control
processes during the planning and development phases of new major
products, systems or technology operations. In such cases, the technology auditors participating in this capacity should carefully consider whether such an advisory or consulting role would materially impair their independence or objectivity in performing post-implementation reviews of the products, systems
and operations concerned.

13 Internal Awareness and Training

S 13.1 A financial institution must provide adequate and regular technology and
cybersecurity awareness education for all staff in undertaking their respective roles and
measure the effectiveness of its education and awareness
programmes. This cybersecurity awareness education must be conducted at
least annually by the financial institution and must reflect the current cyber
threat landscape.

19 Operational Risk Integrated Online Network

Risk Management in Technology, 32 of 67. Issued on: 1 June 2023

S 13.2 A financial institution must provide adequate and continuous training for staff
involved in technology operations, cybersecurity and risk management in order
to ensure that the staff are competent to effectively perform their roles and responsibilities.

S 13.3 In fulfilling the requirements under paragraph 13.2, a large financial institution
shall ensure the staff working on day-to-day IT operations such as IT security,
project management and cloud operations are also suitably certified.

S 13.4 A financial institution must provide its board members with regular training and
information on technology developments to enable the board to effectively
discharge its oversight role.
