
The Chartered Institute of Internal Auditors (CIIA, or Chartered IIA), which recently complained that some of the UK’s major broadband ISPs operated without an internal audit function, potentially exposing them to “unchecked risks and increasing the likelihood of corporate collapse”, has now sought to drum up new business by pressing the government to make internal audit a requirement of the revised telecoms security code.
The government is currently in the process of updating the Telecommunications Security Code of Practice, which was itself only published in 2022. But the Chartered IIA this week “warns that the current proposals do not go far enough” and points out that the draft remains “silent on the critical role of internal audit in providing independent and objective assurance to boards and senior management that telecoms security risks are being identified, managed and controlled effectively”.
For the uninitiated, the core role of internal audit is to provide independent and objective assurance that an organisation’s risk management, governance and internal control processes are operating effectively, which in turn helps the organisation achieve its objectives (an audit provides assurance, not a guarantee). In the UK and Ireland, the requirement to have an internal audit function is not universal across all types of organisation.
We should point out that Ofcom’s General Conditions of Entitlement (the industry rules designed to protect consumers) already require broadband and phone providers to have their metering and billing systems regularly audited, so that customers are billed correctly. But this is not quite the same thing as the deeper and wider role of audit being highlighted by the Chartered IIA.
Anne Kiem OBE, Chief Executive of the Chartered IIA, said:
“Telecommunications are the backbone of our digital economy and touch all of our daily lives. Yet too many telecoms providers operate without the independent assurance that internal audit brings to business-critical risks, despite increasing digital security threats. Ministers need to recognise the vital role of internal audit in supporting robust governance in the Telecommunications Security Code by setting a clear expectation for companies to obtain independent assurance.”
The Chartered IIA’s consultation response thus recommends that the Telecommunications Security Code is “strengthened” by:
➤ Recommending that the Code make clear that a telecoms company’s security governance framework should integrate and be consistent with internal and external audit and assurance mechanisms. This is consistent with a similar requirement in DSIT’s Cyber Governance Code of Practice, published in April.
➤ Requiring telecoms providers to explain how they obtain independent assurance – whether through internal audit or equivalent mechanisms – so boards can demonstrate that security measures are effective in practice.
We suspect that more than a few broadband ISPs and network operators may see this as just another sneaky way for auditors to drum up a bit of extra business, forced through by new government regulation. But the CIIA argues that it’s “about protecting people, businesses, and the UK’s digital economy. By ensuring a stronger focus on governance, assurance and oversight … the Government can help build a more resilient and secure telecoms sector.”
Well, they would, wouldn’t they…
Security audits are a good thing, but limiting it to members of a specific body seems like overreach.
I thought Maggie Thatcher abolished the closed shop in the 1980s. This is just another vested interest trying to bring it in via the back door. Regulating the altnets is Ofcom’s job.
I’m thinking of the Flanders and Swann ditty with the chorus ‘It all makes work for the working man to do…’
Just substitute working for non-working. More company overheads, red tape and so on to cost the subscribers more for no benefit to them in my opinion. Mind you, the companies need to be honest too.
I fully agree with the measure, but on its own, it is my view that it is insufficient for the current state of the market.
Ofcom should have the duty, the authority and the inclination to conduct or instigate internal audits of businesses to inspect their financial and operational resilience. I think this might become a reality if the changes to the Telecoms Security Code Act are to have any meaningful impact.