
Advanced IT internal audit planning for 2025

A focus on the energy, natural resources, and chemicals sector

As the Energy, Natural Resources, and Chemicals (ENRC) sectors face rapid technological change and an evolving regulatory landscape, this piece focuses on the sector's particular challenges and opportunities. It offers targeted audit considerations aligned with the strategic goals and specific needs of the sector, so that IT internal audit teams can help their organizations plan with confidence.


Industry-Specific Audit Considerations

Our published paper sets out the "Top Risks" areas of focus for 2025. Here we drill down on how those risks manifest in each ENRC sub-sector. This industry-specific lens underscores why audit strategies must be tailored to the nuanced needs and challenges of each industry rather than applied generically.

Power and utilities

  1. Physical security and cybersecurity convergence: As physical and cybersecurity risks converge, particularly at critical infrastructure sites, audits must evaluate how physical security measures are integrated with cybersecurity practices to prevent both physical and cyber intrusions.
  2. Supply chain cybersecurity: The security of a utility's supply chain is crucial, especially given increased reliance on third-party vendors for critical software and hardware. Audits need to confirm that comprehensive risk assessments are performed on all suppliers and that continuous monitoring systems and processes are in place.
  3. Business continuity and disaster recovery: Ensuring continuity of operations during and after major disruptions is essential. Audits should test the effectiveness of disaster recovery plans and business continuity procedures, covering both IT systems and operational technology.
  4. Legacy technology and system obsolescence: Legacy systems used by utilities pose significant risks due to potential incompatibilities and outdated security measures. Audits should assess the risks of maintaining these systems and evaluate the strategic plans for technology upgrades or transitions.
  5. Endpoint security management: The increase in remote work, the variety of endpoint types in technology environments, and mobile device usage extend the utility's attack surface. Configuration drift is a further risk, as similar technologies may be deployed with different levels of protection or different software versions. Audits must evaluate endpoint security strategies, including device management, encryption practices, monitoring capabilities, and access controls.

Services & equipment

  1. Remote operations and field technician security: The use of remote monitoring, control systems, and connectivity for field operations and engineering services introduces unique cybersecurity challenges. Audits should assess security measures around remote access, communication protocols, and device management.
  2. Data governance and privacy in service operations: Managing sensitive project and operation data requires stringent governance and privacy practices. Audits should evaluate data governance frameworks, ensuring that privacy practices comply with industry regulations and standards.
  3. Cybersecurity implications of emerging technologies used by service providers: The adoption of emerging technologies like AI, IoT, and blockchain introduces new cyber risks. Audits should evaluate the cybersecurity measures in place for these technologies, ensuring vulnerabilities are adequately addressed.
  4. Control system segmentation and isolation: Segregating control systems from corporate networks reduces the risk of breach propagation. Audits should assess the segmentation and isolation practices in place to protect sensitive control systems from broader network threats.
  5. Cloud and data center security: As energy service providers increasingly leverage cloud technologies and data centers for operational efficiencies, audits must examine the security of these environments, focusing on data encryption, access controls, and compliance with industry standards.
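One concrete check behind item 4 (control system segmentation and isolation) is to test the firewall rule base against a written zone policy rather than taking the network diagram on trust. The following is an added example written for this page; it is not code from the article or from KPMG. The zone address ranges, the allowed-flow policy, and the CSV rule export are all assumptions constructed for the example. It flags permit rules that let corporate hosts reach OT directly, rules with "any" as a source or destination, rules that open every port into OT, and rules whose addresses fall outside the zone model (which an auditor cannot prove isolated either way).

```python
import csv
import io
import ipaddress

# Zone model: which address ranges belong to which network zone.
# These ranges and the policy below are assumptions for this example, not taken from the article.
ZONES = {
    "corporate": ["10.0.0.0/16"],
    "dmz": ["10.50.0.0/24"],  # historian / jump hosts sitting between IT and OT
    "ot": ["192.168.100.0/24", "192.168.101.0/24"],
}
ZONE_NETS = {z: [ipaddress.ip_network(c) for c in cidrs] for z, cidrs in ZONES.items()}

# Cross-zone flows the segmentation policy permits. Corporate never reaches OT directly.
ALLOWED_FLOWS = {("corporate", "dmz"), ("dmz", "ot"), ("ot", "dmz")}

# Constructed firewall export in the shape of a simple CSV rule dump (sample data, not a real export).
RULE_EXPORT = """\
name,src,dst,ports,action
jump-to-historian,10.0.0.0/16,10.50.0.10,3389,permit
historian-to-plc,10.50.0.10,192.168.100.0/24,502,permit
engineer-direct,10.0.5.12,192.168.100.20,"502,44818",permit
legacy-any,any,192.168.101.0/24,any,permit
vendor-remote,203.0.113.7,192.168.100.0/24,22,permit
dmz-wide-open,10.50.0.0/24,192.168.100.0/24,any,permit
deny-all,any,any,any,deny
"""


def zone_of(addr: str) -> str:
    """Map a host or CIDR to its zone; 'any' stays 'any', unmapped ranges become 'unknown'."""
    if addr == "any":
        return "any"
    net = ipaddress.ip_network(addr, strict=False)  # a bare host becomes a /32
    for zone, nets in ZONE_NETS.items():
        if any(net.subnet_of(n) for n in nets):
            return zone
    return "unknown"


def check_rule(rule: dict) -> list[str]:
    """Return the segmentation findings for one rule; deny rules never produce findings."""
    if rule["action"].lower() != "permit":
        return []
    src, dst = zone_of(rule["src"]), zone_of(rule["dst"])
    # 'any' on either side means every zone, so expand it to the concrete zone list.
    srcs = list(ZONES) if src == "any" else [src]
    dsts = list(ZONES) if dst == "any" else [dst]
    findings = set()
    for s in srcs:
        for d in dsts:
            if s == "unknown" or d == "unknown":
                findings.add("address outside the zone model; cannot prove isolation")
            elif s != d and (s, d) not in ALLOWED_FLOWS:
                findings.add(f"disallowed cross-zone flow {s} -> {d}")
    # Even an allowed flow into OT should be limited to the protocols it needs.
    if rule["ports"] == "any" and "ot" in dsts:
        findings.add("permits all ports into OT; restrict to the protocols the flow needs")
    return sorted(findings)


def audit(export: str) -> dict[str, list[str]]:
    """Run every rule in a CSV export through check_rule; keys are the rules with findings."""
    results = {}
    for row in csv.DictReader(io.StringIO(export)):
        findings = check_rule(row)
        if findings:
            results[row["name"]] = findings
    return results


if __name__ == "__main__":
    for name, findings in audit(RULE_EXPORT).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

On the sample export the two rules that follow the policy (corporate to the DMZ jump host, DMZ historian to the PLC range on Modbus) pass, while the engineer workstation with a direct path to a PLC, the "any"-source legacy rule, the vendor address missing from the zone model, and the all-ports DMZ-to-OT rule are each reported. In practice the zone table is the part worth arguing over with the network team before running the check, since a wrong zone assignment silently turns a finding into a pass.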

Upstream oil & gas

  1. Assets and operations: Reliance on legacy systems and aging physical assets in upstream infrastructure presents risks due to potential incompatibilities and outdated maintenance. Comprehensive audits are necessary to assess these risks and evaluate strategic plans for upgrades or transitions to more efficient solutions, helping to sustain the reliability, efficiency, and safety of upstream operations amid evolving operational demands.
  2. Operating model: A robust IT operating model is essential in the upstream sector for driving operational efficiency, streamlining processes, and enhancing data management. With digital transformations ongoing, a coherent IT strategy that aligns with business goals is critical.
  3. Cyber & third parties: Audits are crucial for assessing the integrity and security of the IT systems that manage supplier relationships, data exchange, and procurement processes. By identifying vulnerabilities and confirming that robust cybersecurity measures are in place, these audits help mitigate the risks of data breaches, compliance issues, and operational disruptions, supporting a secure and resilient supply chain for upstream services.
  4. Technology and data: AI technologies are being used in upstream operations to improve efficiency and decision-making in areas such as predictive maintenance and reservoir management. This integration requires robust ethical, regulatory, governance, security, and data management practices. Audits should assess the development, deployment, and impact of AI systems to ensure responsible use and to establish strong governance and security measures.


Midstream oil & gas

  1. Cybersecurity: Cyber-attacks (including ransomware, phishing, and other malicious activities) pose a substantial risk to midstream companies. These attacks can target critical infrastructure, resulting in operational disruptions, data breaches, financial losses, and damage to reputation.
  2. Legacy systems and integration: Many midstream companies still rely on legacy IT systems that may not integrate well with newer technologies. This can lead to inefficiencies, data silos, and an increased risk of system failures.
  3. Data management and integrity: Midstream operations generate vast amounts of data, from sensor data to transactional information. Ensuring the accuracy, security, and integrity of this data is critical. Poor data management can lead to operational inefficiencies, regulatory compliance issues, and decision-making based on inaccurate information.
  4. Supply chain and third-party risks: Increasing reliance on third-party vendors and service providers, including cloud service providers and other IT partners, introduces risks related to the security and reliability of those third parties. A security breach or failure in a third-party system can propagate and affect midstream operations.
  5. Regulatory compliance and legal risks: As regulations concerning data privacy, cybersecurity, and digital operations evolve, midstream companies must ensure ongoing compliance with a complex and changing regulatory landscape. Non-compliance can result in financial penalties, legal action, and reputational harm.

Oil & gas refining, chemicals

  1. Cybersecurity: Cyber-attacks, including ransomware, phishing, and advanced persistent threats (APTs), are a significant concern. Attackers may target critical infrastructure to cause operational disruptions, steal intellectual property, or demand ransom payments.
  2. Operational technology (OT) security: The integration of IT and OT systems in refining and chemical plants increases the risk of cyber-attacks on operational technology. OT systems control critical processes, and any compromise could lead to catastrophic safety incidents and significant financial loss.
  3. Regulatory compliance and data privacy: Compliance with environmental, safety, and data protection regulations is crucial. Non-compliance can result in significant legal penalties, shutdowns, and reputational damage. Regulations such as the General Data Protection Regulation (GDPR) and industry-specific standards must be adhered to.
  4. Supply chain and third-party risks: The refining and chemicals sector relies on a complex supply chain and third-party vendors for IT services, raw materials, and logistics. Any disruption or security breach within the supply chain can have a ripple effect, affecting the entire operation.
  5. Legacy systems and infrastructure: Many refining and chemical companies operate with legacy IT and OT systems that may be outdated and vulnerable to cyber threats. These systems often lack modern security features and may not integrate well with new technologies.

Next Steps

As we move into 2025, the ENRC industry and its IT Internal Audit teams are at a pivotal moment, shaped by rapid technological change and evolving regulatory demands. Through industry-specific strategic audit planning, IT Internal Audit teams have the opportunity to guide their organizations through these changes. By focusing on the aspects particular to the ENRC sector, such as digital supply chains and sustainable resource management, audit teams can identify risks, drive strategic value, and help their organizations not only navigate the wave of change but thrive in it.

Meet our team

Joshua Galvan
Principal, Technology Risk Management, KPMG US
Lavin Chainani
Managing Director Advisory, Technology Risk, KPMG US
