Trust in a digitally connected chain
Digital governance is no longer a purely technical matter. It touches on governance, risk management and oversight. Supervisory boards and executives need clarity, coherence and realistic expectations of what assurance can and cannot provide.
Chain dependencies require clear insight
Many organisations only have visibility of their direct suppliers. Information about subcontractors, data flows, cloud chains and concentration risks is often missing. As a result, vulnerabilities remain hidden until an incident occurs. At those moments, swift and effective action is crucial.
Assurance does not provide a complete picture
ISAE 3402, SOC 2 and ISO 27001 reports offer valuable assurance, but always within a defined scope and timeframe. They do not guarantee digital continuity and do not provide a full view of strategic dependencies or resilience capabilities. Careful scoping, connecting findings and strong governance remain essential to draw the right conclusions.
Digital resilience requires board-level ownership
New frameworks, including DORA and NIS2, explicitly place responsibility for digital resilience with boards and supervisory bodies, even when processes are outsourced. Yet we see that IT risks are often reported in a fragmented manner and that links with data and operational risks are not always clear. Realistic scenario testing and assessments of recovery capability are also limited, particularly when chain partners are involved.
A holistic risk view depends on collaboration between audit disciplines
Accountants, IT auditors and internal audit teams each contribute valuable insights, yet these are not always consolidated. As a result, organisations miss an integrated view of financial, operational and strategic risks. With increasing digitalisation, a single coherent risk assessment is vital for effective decision-making.
Recommendations for boards and supervisory bodies
Organisations can strengthen their digital resilience by:
- Mapping chain dependencies explicitly and comprehensively, including subcontractors, data flows and concentration risks
- Interpreting assurance reports critically and translating them into their own risk profile
- Embedding digital resilience structurally at board level
- Reporting on IT governance and digitalisation in an integrated way
- Strengthening collaboration between the accountant, IT auditor and internal audit to create one shared risk picture
Building a resilient digital chain
Digitalisation creates opportunities, yet also increases dependency on complex chains. Trust is not built through more reporting, but through insight, transparency and an active dialogue within the organisation and with chain partners. By approaching digitalisation and IT governance as both a chain and governance issue, organisations can build sustainable digital resilience and continuity.
This article is based on the public management letter by NBA, NOREA and IIA.