Technology Risk

We offer assurance technology assessment and attestation services, fostering audit quality and instilling confidence and trust in the adoption and implementation of emerging technology.

How EY can help

IT Audit procedures

The execution of high-quality information technology (IT) audit procedures and IT business processes in support of a financial statement audit and audit of internal controls over financial reporting creates the foundation of our commitment to protecting investors and the broader economy.

IT Audit services include:

  • Integrated audit
  • Financial statement audit

Service Organization Control Reporting and Attestation Services

An independent assessment is undertaken to test management’s assertion over business processes and controls in the IT audit environment and to test business process and controls against specific attestation and agreed-upon procedures (AUP) standards. We also assess internal controls around security, privacy, confidentiality, availability and processing integrity.

Attestation services include:

  • Service Organization Control Reporting (SOCR):
    • SOC 1, SOC 2 and SOC 3
    • SOC for Supply Chain/Cyber
  • Agreed-Upon Procedures (AUP) Examination Reporting
  • Digital Services Act (DSA) and Digital Markets Act (DMA) certification
  • International Organization for Standardization (ISO) certification
  • Cybersecurity Maturity Model Certification (CMMC)
  • SWIFT certification
  • Heath Information Trust Alliance (HITRUST) certification
  • Trusted Information Security Assessment Exchange (TISAX) assessment
  • Performance audits

IT system upgrades and implementation assessments

For companies continuing to invest in technology, it is essential to fully understand IT process risks and to proactively identify potential internal control gaps prior to a system upgrade or implementation.

IT pre- and post-upgrade and implementation assessment services include:

  • Enterprise Resource Planning (ERP) assessments
  • Consolidation tool assessments
  • Governance, Risk, Compliance (GRC) program readiness


The rapid advancement of technology, coupled with an exponential rise in cyber threats, increases risk exposure to technology infrastructure.

EY teams can help identify the ways in which cybersecurity risks can impact IT audit processes, including financial reporting, business procedures and internal controls.

Technology risk cybersecurity services include:

  • Cybersecurity program assessments
  • Incident response tabletop simulations
  • Breach response and analysis assessments
  • Cybersecurity disclosure reporting support
  • Vulnerability assessments 

Environmental, social and governance (ESG)

Investors, regulators and society at large are demanding more transparency on nonfinancial performance, especially regarding ESG issues. 

Technology Risk ESG services include:

  • Internal controls pre-assessment
  • Evaluations of non-financial systems implementation
  • Data pre-assessments
  • Gap analysis
  • Peer benchmarking analysis

Assurance services

Assurance teams serve the public interest by promoting trust and confidence in business and the capital markets.

Our latest thinking

Strategic AI integration, governance and risk in finance

Businesses are preparing to incorporate AI into the finance function and anticipating how to manage risks. Read more.

23 Apr 2024 Natalie Jaros
    Contact us
    Like what you've seen? Get in touch to learn more.