Technology

 

 

<h1>Cybersecurity Awareness Month: 20 Questions Internal Auditors Should Be Asking</h1><p><a href="https://iaonline.theiia.org/2020/Pages/Cybersecurity-Awareness-Month-20-Questions-Internal-Auditors-Should-Be-Asking.aspx">https://iaonline.theiia.org/2020/Pages/Cybersecurity-Awareness-Month-20-Questions-Internal-Auditors-Should-Be-Asking.aspx</a></p><p>The average cost of a data breach is $3.86 million, according to a 2020 global IBM study. Moreover, breaches caused by malicious attacks are the most common — and the most expensive. October is Cybersecurity Awareness Month. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) emphasizes personal accountability in this year's theme: "#DoYourPart. #BeCyberSmart." CISA provides links to specific <a href="https://www.cisa.gov/publication/national-cybersecurity-awareness-month-publications" data-feathr-click-track="true" target="_blank">resources</a> for the month, including tip sheets and a ready-made <a href="https://www.cisa.gov/sites/default/files/publications/NCSAM_PartnerPresentation_2020_final.pdf" data-feathr-click-track="true" target="_blank">presentation</a> (PDF), as well as a <a href="https://www.cisa.gov/cyber-resource-hub" data-feathr-click-track="true" target="_blank">Cyber Resource Hub</a> featuring myriad assessments, tests, and evaluation tools.</p><p><em>Internal Auditor</em>'s four-week cybersecurity series, with five questions to consider each week and a list of suggested resources, seeks to encourage practitioners to help organizations strengthen their defenses against malware, social engineering, physical cyberattacks, and other vulnerabilities. Certainly, COVID-19 has made cybersecurity more relevant than ever to organizational governance, as digital and cloud-based technologies facilitate employees' ability to work remotely, while internal and external security operations centers remotely monitor, assess, and respond to vulnerabilities and threats. 
Internal audit leaders have augmented their audit plans to specifically consider activities for business continuity, incident management, updated risk assessments, changes in risk management approaches due to changes in the organization's risk appetite and profile, and the remote provision of independent assurance. Cybersecurity is integral to all of these activities, and getting it right is essential to organizational well-being and success.</p><h2>Week 3: Questions for the Board of Directors</h2><p>Just as cybersecurity risk stretches far across the organization and can threaten everything from supply chains to worker productivity and third-party relationships, so too must an understanding of cybersecurity stretch from the worker front lines to the very top of leadership — namely, the board of directors. While it is true that the board may not take an active role in cyber-risk management, effective and informed oversight of policies, procedures, and controls from the top is critical to maintaining a stable, productive organization.</p><p>Nowhere has this been truer than in the throes of the COVID-19 pandemic that has dominated the 2020 news cycle. As organizations and businesses continue to deploy and refine systems and networks to support staff working from home, cybercriminals are taking advantage of increased security vulnerabilities to steal data, generate profits, and cause organizational disruption. According to the <a href="https://www.entrepreneur.com/article/349509" data-feathr-click-track="true">U.S. Federal Bureau of Investigation</a>, its Internet Crime Complaint Center now receives between 3,000 and 4,000 cybersecurity complaints per day — a 300% increase since the beginning of the pandemic.</p><p>With organizations facing such a stiff challenge, chief audit executives should ensure they are working with the board to remain ever vigilant of cybersecurity threats and understand the depth of the risk their companies must contend with. 
To help accomplish this task, here are five questions CAEs can ask their boards as they continue to make informed, calculated decisions throughout the pandemic:</p><ol style="list-style-type:decimal;"><li>How are you assured that the current enterprise risk profile and IT risk profile accurately reflect the cyber-related risk faced at this stage of the pandemic?</li><li>What additional financial appropriations have been considered to account for required changes to the network infrastructure, including patch management, and to support remote work efforts?</li><li>What briefings have you and your colleagues received from the chief information security officer, the chief data officer, the chief privacy officer, and the chief risk officer in regard to the increased cyber-related threats faced by organizations in 2020 and the internal efforts implemented to offset those threats?</li><li>What collaboration tools and other technologies have been deployed to assist in board-related communication and activities?</li><li>If a cyberattack happened today, do you feel the organization has adequate reserves and cyber-related insurance coverage to successfully recover from the incident?</li></ol><h2>Week 2: Questions to Ask on Every Audit</h2><p>It's no secret that cybercriminals will seek to gain access to an organization through its weak spots. Like a fortified castle on a hill, an organization may consider itself well-protected — but all it takes is one unguarded "back door" to give an intruder an opening.</p><p>Internal auditors can help their organizations identify the holes in cybersecurity defenses by asking the right questions and investigating IT maintenance procedures and controls. Just like the addition of a new door or window in a castle, the introduction of a new process, application, or system could make an organization's infrastructure more vulnerable to attack if not protected, patched, and monitored. 
</p><p>And it's not enough to inspect an application or system once and then let it go. Internal audit should conduct due diligence to see what has changed since the last engagement. Likewise, it's important to ascertain who has the "keys" to the castle, in the form of entitlement reviews, and to look for a robust transfer and termination process to ensure access rights are appropriate when someone changes roles or leaves.</p><p>Organizations must have a solid strategy in place to win at cybersecurity chess. As part of Cybersecurity Awareness Month, here are five questions internal auditors should ask during every audit engagement:</p><ol><li>What data protections have been implemented for this process/application/system?</li><li>What is the backup and retention schedule for the application/system?</li><li>What is the status of patches, vulnerability remediation, and audit finding remediation for this process/system/application?</li><li>Have any activities related to this process or application/system been implemented since the last review? What has been the security-related impact of any technology or process change since the last audit?</li><li>What were the results of the most recent related entitlement review in terms of user, system, network, operating system, and database access (including privileged, vendor, and super-user access) and the latest entitlement review of roles and their corresponding activities?</li></ol><p>And here are five bonus questions to help internal auditors #BeCyberSmart this month:</p><ol><li>How do you gain assurance the programmers are following secure coding techniques and the organization's software development life cycle?</li><li>How do you gain assurance that appropriate separation of duties (SoD) is maintained for users, bots, and application security roles? 
How is SoD maintained within automated workflows?</li><li>What types of intrusion detection, intrusion prevention, and data/information leakage prevention rules have been implemented to safeguard data and information assets from inappropriate access?</li><li>How is the system accessed (via single sign-on through a virtual private network, direct to website, etc.)? Who is the administrator? How are his or her activities monitored?</li><li>How is the system monitored? By whom? Who is informed of exceptions? How are they informed and under what circumstances?</li></ol><h2>Week 1: Questions for the C-suite</h2><p>A vital element of organizational cybersecurity is assessing and mitigating the risks that could affect critical business processes. Senior management, process owners, the internal audit activity, and the board must consider cyber threats that could cause the interruption or failure of critical business processes and their associated infrastructure. This includes assessing whether policies, procedures, and controls are designed adequately and operating effectively to protect the organization's data and information assets — especially with more functions accessing this data and information remotely.</p><p>Leaders must consider, for example, whether policies, procedures, and controls have been updated to account for work-from-home environments and monitor the changes in the supply chain, third-party relationships, and other areas of heightened risk. 
To coordinate coverage and provide independent assurance to the board, internal audit should reflect on these questions with the C-suite:</p><ol><li>What security-related gaps or weaknesses were discovered in this year's assessment of risks related to critical business processes?</li><li>Based on the most recent risk assessment, how were critical business processes adjusted to safeguard data and information assets against cyber threats in work-from-home environments?</li><li>Based on the most recent risk assessment, how were corporate (or department) policies and procedures adjusted to ensure data protection?</li><li>How do you, as the data or process owner, gain assurance that your data or system has adequate controls to prevent, detect, and defend against potential cyberattacks?</li><li>To which cyber threats do you believe your critical processes or data are susceptible, and of those, which are the most likely to affect the organization's data or processes?</li></ol><h2>Additional Resources</h2><p>These content and training resources can assist practitioners as they look to support organizational cybersecurity efforts.</p><h4>Guidance</h4><p><a href="https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Assessing-Cybersecurity-Risk-Roles-of-the-Three-Lines-of-Defense.aspx" 
data-feathr-click-track="true" target="_blank">Global Technology Audit Guide (GTAG): Assessing Cybersecurity Risk — Roles of the Three Lines of Defense</a></p><h4>IIA Bulletin</h4><p><a href="https://na.theiia.org/periodicals/Public%20Documents/IIA-Bulletin-Cloud-Security-August-2019.pdf" data-feathr-click-track="true" target="_blank">Cloud Security, Insider Threats, and Third-Party Risk (PDF)</a></p><p><a href="https://global.theiia.org/knowledge/Public%20Documents/IIA-Bulletin-Rethinking-Preparedness-Pandemics-and-Cybersecurity.pdf" data-feathr-click-track="true">Rethinking Preparedness: Pandemics and Cybersecurity (PDF)</a></p><h4>Internal Audit Foundation</h4><p><a data-feathr-click-track="true" target="_blank">Privacy and Data Protection — Part 1: Internal Audit's Role in Establishing a Resilient Framework</a></p><p><a data-feathr-click-track="true">The Future of Cybersecurity in Internal Audit</a></p><h4>Internal Auditor Magazine</h4><p><a href="/2019/Pages/A-Matter-of-Privacy.aspx" data-feathr-click-track="true">A Matter of Privacy</a></p><p><a href="/2020/Pages/Beware-the-Coronavirus-Scams.aspx" data-feathr-click-track="true" target="_blank">Beware the Coronavirus Scams</a></p><p><a href="/blogs/chambers/2018/Pages/When-the-SEC-Speaks-About-Cybersecurity-Wed-All-Better-Listen.aspx" data-feathr-click-track="true" target="_blank">When the SEC Speaks About Cybersecurity, We'd All Better Listen</a></p><h4>Training</h4><p><a href="https://ondemand.theiia.org/learn/course/external/view/elearning/502/AssessingCybersecurityRiskRolesoftheThreeLinesofDefense" data-feathr-click-track="true" target="_blank">Assessing Cybersecurity Risk: Roles of the Three Lines of Defense</a></p><p><a href="https://na.theiia.org/training/courses/Pages/Cybersecurity-Auditing-in-an-Unsecure-World.aspx" data-feathr-click-track="true">Cybersecurity Auditing in an Unsecure World</a></p><p><a 
href="https://na.theiia.org/training/courses/Pages/Fundamentals-of-IT-Auditing.aspx" data-feathr-click-track="true" target="_blank">Fundamentals of IT Auditing</a></p><p><a href="https://na.theiia.org/training/eLearning/Pages/OnDemand-Technology.aspx" data-feathr-click-track="true" target="_blank">OnDemand Technology Courses</a></p><p><a href="https://na.theiia.org/training/courses/Pages/IT-General-Controls.aspx" data-feathr-click-track="true" target="_blank">IT General Controls</a></p><h4>Other</h4><p><a href="https://na.theiia.org/standards-guidance/topics/Pages/Cybersecurity-Resource-Exchange.aspx" data-feathr-click-track="true" target="_blank">The IIA Global Cybersecurity Resource Exchange</a></p><p>By Staff</p>
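<p>Week 2's fifth question asks for the results of the latest entitlement review, and the same section calls for a transfer and termination process that keeps access rights appropriate when someone changes roles or leaves. The script below is an added illustration of what such a review mechanically does; it is not code from <em>Internal Auditor</em> or The IIA. The HR roster, the application's access export, the role-to-entitlement approval matrix, the review date and the three rules (leaver, mover, orphan account) are assumptions built for the example, and every record is constructed sample data.</p>

```python
"""
Entitlement review: reconcile an application's access export against the HR
roster and a role-to-entitlement approval matrix.

Added illustration for this page, not code from Internal Auditor or The IIA.
The record formats, the approval matrix, the review date and the three rules
are assumptions; all records are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Date the review is performed (constructed).
REVIEW_DATE = date(2020, 10, 15)

# Constructed HR roster: employment status, current role and, for leavers, the
# termination date the access-removal process should have acted on.
HR_ROSTER = {
    "alice": {"status": "active", "role": "AP_CLERK"},
    "bob": {"status": "terminated", "role": "DBA", "termination_date": date(2020, 8, 31)},
    "carol": {"status": "active", "role": "SALES_REP"},  # moved out of AP_CLERK in September
    "dave": {"status": "active", "role": "SYSADMIN"},
}

# Constructed access export from the application under review.
ACCESS_LIST = [
    {"user": "alice", "entitlement": "AP_INVOICE_APPROVE", "privileged": False},
    {"user": "bob", "entitlement": "DB_OWNER", "privileged": True},
    {"user": "carol", "entitlement": "AP_INVOICE_APPROVE", "privileged": False},
    {"user": "dave", "entitlement": "ROOT_SHELL", "privileged": True},
    {"user": "svc_backup", "entitlement": "DB_OWNER", "privileged": True},
]

# Assumed approval matrix: the entitlements each role is allowed to hold.
ROLE_MATRIX = {
    "AP_CLERK": {"AP_INVOICE_APPROVE"},
    "DBA": {"DB_OWNER"},
    "SYSADMIN": {"ROOT_SHELL"},
    "SALES_REP": set(),
}


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    issue: str  # "leaver", "mover" or "orphan"
    detail: str


def review_entitlements(access_list, roster, role_matrix, review_date):
    """Apply three rules to every row of the access export.
    leaver: the account's owner has been terminated (termination-process gap).
    mover:  the entitlement is not approved for the owner's current role
            (transfer-process gap).
    orphan: the account has no HR owner, so nobody can attest to it; flagged
            so a named custodian is assigned before the next review."""
    findings = []
    for row in access_list:
        person = roster.get(row["user"])
        if person is None:
            kind = "privileged" if row["privileged"] else "non-privileged"
            findings.append(Finding(row["user"], row["entitlement"], "orphan",
                                    f"no HR owner on record ({kind} account)"))
            continue
        if person["status"] == "terminated":
            days = (review_date - person["termination_date"]).days
            findings.append(Finding(row["user"], row["entitlement"], "leaver",
                                    f"access still present {days} days after termination"))
            continue
        if row["entitlement"] not in role_matrix.get(person["role"], set()):
            findings.append(Finding(row["user"], row["entitlement"], "mover",
                                    f"not approved for current role {person['role']}"))
    return findings


if __name__ == "__main__":
    for f in review_entitlements(ACCESS_LIST, HR_ROSTER, ROLE_MATRIX, REVIEW_DATE):
        print(f"{f.issue:7s} {f.user:12s} {f.entitlement:20s} {f.detail}")
```

<p>Because the review date is an input, the leaver finding carries how long the account outlived the termination; that number is what an auditor compares against the removal deadline in the termination procedure. The mover rule only works if the approval matrix is itself maintained, which is why the Week 2 question asks for the review of roles and their corresponding activities as well as the review of users.</p>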
<h1>The State of Analytics Use</h1><p><a href="https://iaonline.theiia.org/2020/Pages/The-State-of-Analytics-Use.aspx">https://iaonline.theiia.org/2020/Pages/The-State-of-Analytics-Use.aspx</a></p><h2>What is the state of the art in data analytics?</h2><p><strong>Makhijani</strong> In today’s data-driven world, analytics refers to a range of data analysis, automation, and business intelligence capabilities. The future is audit intelligence — leveraging these capabilities to continuously monitor organizational risk and drive an integrated risk-first, data-centric approach to audit. Analytics enable audit departments to provide real-time assurance, address relevant risks, and provide better insights and increased value to the entire organization.</p><p><strong>Stohr</strong> In simplest terms, state of the art is the ability to combine data from multiple internal sources and multiple external sources to better inform audit planning, real-time execution, and audit reporting. For example, it is the ability to combine financial performance data and strategic metrics, organized by audit entity, with relevant external inputs such as regulatory enforcement actions and applicable global news to better prepare the audit risk assessment, prioritize audit resources, or report finding priorities in the areas that may experience emerging risks. Traditional audit tools provide plenty of support for the underlying audit execution processes. The new generation of technology is providing additional value by allowing audit teams to combine a wide range of internal and external data, including artificial intelligence (AI) driven content, to provide better insights to inform decision-making throughout the audit cycle. 
These new technologies help audit leaders think more broadly about the company and offer a deeper level of insight into factors that may affect business performance.</p><h2>What’s driving the use of analytics?</h2><p> <strong><img src="/2020/PublishingImages/russell-stohr_70x70.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Stohr</strong> For most audit teams, the driver is always managing cost while demonstrably increasing internal audit’s value perception. Internal audit can leverage new data analytics to better focus its findings on helping the business understand emerging risks to business objectives and proactively help business partners understand actions they can take. This is critical, as today most organizations are forced to rethink every aspect of their daily operations in response to the COVID-19 pandemic.</p><p> Curiosity is a close second. Nearly every audit leader understands the potential value hidden in the massive amounts of data available. Emerging technologies such as machine learning and natural language processing can help internal audit harvest data in unique and informative ways.</p><p> <strong>Makhijani </strong>Success in today’s data-driven environment is nearly impossible without having a central system to maintain the risks, controls, deficiencies, and audit engagements the department is responsible for. A number of pressures are at play. There is an expectation that internal audit is operating like a modern business unit and can reliably report on department performance to executive leadership and the audit committee. Industry pressure is leading audit departments to break silos and prioritize data sharing across the three lines of defense. Today’s economic environment multiplies the pressure to improve efficiency and effectiveness of audit programs. To stay competitive, businesses need reliable data to react to emerging risks. 
Lastly, the new normal is a remote-first and often global workforce that requires a system in which audit teams can effectively operate from anywhere in the world. </p><h2>What are internal audit functions at the mature level doing well?</h2><p> <strong><img src="/2020/PublishingImages/Rajiv_Makhijani_70x70.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Makhijani</strong> At a higher level of maturity, internal audit has successfully integrated data with its counterparts in risk management and compliance. It is now focused on integrating its data with key systems and data across the organization. Ultimately, internal audit is seeking two outcomes: 1) increased performance and ability to be strategic by leveraging cross-functional data, and 2) the ability to drive broader organizational value by sharing audit insights with the business.</p><p> <strong>Stohr</strong> These audit functions are creating and articulating a strong vision and road map for how audit will leverage technology and data to better inform and improve business performance. They are incorporating operating and emerging risk perspectives in audit risk assessment and planning. They are monitoring business performance and adjusting audit execution as needed. They are leveraging better data integration and analytics to improve coordination with second line functions. And, they are adjusting their talent acquisition and development to support their technology-enabled vision.</p><h2>How does internal audit move its analytics capabilities to a higher level?</h2><p> <strong>Stohr</strong> Once a technology-enabled internal audit vision is established, the first step is identifying an audit technology that is capable of integrating data and content from many sources and presenting that data in informative and context-sensitive ways throughout the audit process. The next step is identifying the questions internal audit would like to answer at each step of the audit process. 
For example, during audit planning internal audit may want to know which areas of the business have traditionally produced a high number of findings compared with areas seeing an uptick in regulatory activity. With the key questions in mind, internal audit can begin identifying sources of data. In this example, internal audit needs to mine audit history by audit entity and overlay it with emerging regulatory risk data. With a prioritized set of questions and associated data sources, the audit team can begin incrementally incorporating the new analytics in its audit processes and reports. The goal should be to evolve the data sets and analytics over time. </p><p> <strong>Makhijani </strong>Embedding data analytics into the organization’s culture in a way that positively impacts the organization and affects how decisions are made is an ongoing evolution that often takes years. It’s important to take a layered, incremental approach. Internal audit should start with where its audit data is, and build from there. If the audit team hasn’t digitized its internal audit program yet, it should start by unifying its data in a central audit management system, ideally one that can be integrated with other departments to pull insights to improve the program as well as the business. Another approach is to look at what the organization is already using for analytics and find an audit solution that can integrate with those solutions. Once internal audit has a system for its audit, risk, and compliance data, it should begin thinking about where else in the organization it can pull data from to target more important risk areas or key controls. What’s important is looking for solutions that can grow with internal audit. </p><h2>How can analytics help internal audit during the current crisis?</h2><p> <strong>Makhijani</strong> Without a modern audit management system in place, operating effectively during the crisis can be a nightmare. 
Centralizing data in an intuitive system that the entire organization can rely on is key to department continuity and success. Then, internal audit can effectively leverage analytics to monitor key business processes and risks. This type of continuous monitoring can enable internal audit to surface problems arising from a rapidly changing environment, enabling the business to stay ahead of the curve.</p><p><strong>Stohr</strong> While the current crisis has created turmoil and disruption for nearly every business, it has also created a tremendous opportunity for businesses to rethink their current perceptions of what is required to make the business run. An audit group we work with helped its business partner identify 22 productivity factors for which it had reliable data available before the pandemic. The concern was that by forcing employees to work from home, productivity would fall off. After six weeks they checked the productivity factors again and were shocked to find that not only was productivity sustained, but nearly every factor it measured had actually increased. As a result of the analytics the chief audit executive provided, the decision was made to permanently close half of the 120 office locations globally and reinvest the savings into technologies to better enable and connect the distributed workforce. Further, initiatives were launched to change the nature of hiring practices to expand talent acquisition into regions where the organization had not previously looked for talent. In this case, the audit analytics helped the business embrace and harvest the change to achieve a positive outcome.</p><p>By Staff</p>
<h1>The Artificially Intelligent Audit Function</h1><p><a href="https://iaonline.theiia.org/2020/Pages/The-Artificially-Intelligent-Audit-Function.aspx">https://iaonline.theiia.org/2020/Pages/The-Artificially-Intelligent-Audit-Function.aspx</a></p><p>Rather than poring over hand-written work logs one at a time, imagine if internal auditors could have thousands of scribbled notes automatically converted into text, analyzed, and reconciled with electronic time sheets. This is an example of how auditors can use natural language processing (NLP) and text analytics to verify the validity of reimbursements.</p><p>Artificial intelligence (AI) techniques such as these are dramatically changing the business landscape. AI refers to systems for managing and analyzing information in ways that mimic human intelligence. For example, smart maps use AI to identify routes that minimize delivery cost and time. AI also powers new kinds of businesses such as social media and ride-sharing services.</p><p>Now it’s internal audit’s turn to take advantage of AI to transform audit work. By leveraging AI, internal auditors can capture and digest higher volumes of information, and analyze a broader range of data formats. Moreover, they can perform those tasks faster than ever. In turn, auditors can deliver more insights to clients and increase stakeholders’ return on investment in audit services.</p><h2>Audit Applications</h2><p>While audit functions vary in size, scope, organizational goals, and regulatory requirements, they all contribute to improving their organization’s governance, risk management, and control processes. In their work, internal auditors analyze and evaluate information from numerous sources to draw conclusions and make recommendations. 
Recent progress in AI is partly fueled by advances in capturing and processing high volumes of data, which internal audit can harness in several ways.</p><p> <strong>Computer Vision</strong> Internal auditors can use computer vision technology to review the accuracy and reliability of financial and operating information by interpreting and analyzing digital images. Auditors often verify assets as part of their testing, which is time-consuming and done through sampling. Computer vision can improve the quality and efficiency of this process, as well as provide access to previously unavailable information. An example is using drones to measure entire populations of assets such as the number of trucks in a vehicle manufacturing plant or the level of coal stockpiles at a power plant.</p><p> <strong>NLP</strong> Internal auditors can use NLP to analyze text documents more efficiently. By combining NLP with machine learning techniques, auditors can scan vast amounts of text, such as email, contracts, and social media posts, with unprecedented speed to identify discrepancies and extract salient details. As a result, auditors can perform more comprehensive reviews such as scanning bank documents for legal compliance.</p><p> <strong>Machine Learning</strong> This technology extracts insights from data using algorithms that allow machines to automatically learn and improve on their own. Machine learning is used in areas such as recommending books to online shoppers and identifying whether an email is spam.</p><div style="width:300px;float:right;padding-left:10px;padding-right:10px;margin-left:10px;background-color:#6eabba;color:#000000;"><h3>How New York Uses AI For Vendor Risk</h3><p>As outsourcing of services and projects increases, internal auditors often must assess the risks that arise from working with vendors. 
In the past, auditors have relied on labor-intensive analysis of historic risk factors based on previous experience and knowledge gleaned from the work of others to help assess vendor risk. This work often includes ratio analysis — comparing the share of total payments within a certain category — assessing trends over time, and reviewing prior audit results.</p><p>To address vendor risk, internal auditors for the state of New York developed a predictive model using machine learning techniques. The model ranks providers based on risks and pinpoints those transactions that auditors should focus on during an audit. As part of this process, the state used AI and machine learning to automate previous manual processes for examining individual risk factors, such as late or missed payment information.</p><p>In addition, auditors built models to better understand how individual factors contribute to the risk of making improper payments and to account for complex interactions between individual risk factors. Furthermore, these models can include quantitative and qualitative factors. As a result, a single model can consider results from a ratio analysis, as well as information from the notes of audited financial statements that might indicate a red flag such as numerous related-party transactions. </p><p>The models provide a single score for the risk of improper payments for each vendor, which gives internal auditors a quantifiable, easy-to-understand way to evaluate risk. Auditors can group high-risk vendors into peer groups and statistically analyze these providers’ expenses to identify unusual practices. This application enables audit work to be more targeted, which has significantly increased return on investment and decreased audit time for the state’s auditors.</p></div><p> One way internal auditors can use machine learning is to detect anomalies and identify emerging risks. 
For example, auditors have used the technology to uncover irregular financial transactions and patterns of management fraud (see “How New York Uses AI for Vendor Risk” above).</p><p>Internal auditors also can use machine learning to review all transactions and observations, rather than only a subset of data. During the risk assessment and planning stage, auditors determine high-risk areas based on reviewing a wide range and high volume of information such as organization-specific events, changing legal requirements, and industry trends. As part of this process, auditors must balance resource availability with the comprehensiveness of each audit. With large-scale machine learning — which focuses on designing algorithms to work with large data sets — auditors can cover more information faster while capturing greater detail.</p><h2>AI @ Work</h2><p>Rebuilding a traditional audit function to harness AI requires having the right skills, infrastructure, process, and culture. Although there is no one best design, there are components that are important to successfully incorporate AI into the audit function.</p><p><strong>An AI Strategy That Aligns With Business Priorities and Links to Measurable Performance</strong> Incorporating AI into the audit function is only a good business decision when it helps the organization overall achieve its mission and goals. Hence, the design of the AI strategy must align with the organization’s strategic priorities. The strategy should at least seek to add value in one of the organization’s core mission areas and assist in identifying new and emerging risks.</p><p>While audit functions share similar business objectives, each department may have different immediate priorities. For example, they may have different starting dates for a fiscal year or seasonal variations in their organizations’ businesses. 
Internal audit should align its AI strategy with how business priorities are expected to evolve over the short, medium, and long terms to best allocate resources to implement the strategy.</p><p> Internal audit should quantify the expected benefits associated with the AI strategy whenever possible. Some common measures include cost savings, revenue enhancement, and increased labor efficiency. Audit leaders should specify intangible benefits such as building goodwill with stakeholders through improved insights, as well. It also is essential to account for the time and resource costs needed to realize benefits.</p><p> <strong>Scalable AI Infrastructure</strong> Because analytics capabilities will evolve progressively over time, it is important to build an AI infrastructure with a strong foundation that can efficiently scale up in capacity and complexity. In choosing the infrastructure of hardware and software to incorporate AI in the audit process, internal audit should consider business needs and how well the technologies will integrate with the organization’s existing systems.</p><p> A significant part of the audit process involves recording, sharing, and reporting information. Therefore, a comprehensive infrastructure should cover data management and analytics tools, spanning from traditional record keeping, file sharing, and reporting to automation and cloud computing. 
Some issues to consider in selecting these tools include:</p><ul><li>Whether the system architecture uses a modular approach that can be easily adjusted and reintegrated as necessary.</li><li>The level of support available from service providers.</li><li>The training requirements for staff members with different technical backgrounds.</li><li>The total costs, including up-front costs and ongoing expenses for system maintenance and upgrades.</li></ul><p><strong>Clear and Formal Governance Processes</strong> An AI strategy becomes more impactful and efficient with processes to govern its development and implementation. Typically, internal auditors with specialized skills and knowledge apply AI across the different stages of the audit life cycle and different business needs of the audit function. Establishing a structure to coordinate and align this work is crucial for high-value outcomes. Some recommendations to consider in building an effective AI initiative process include:</p><ul><li>Develop data management and analytics protocols for each stage of the audit process.</li><li>Establish job rotations or other processes to encourage collaboration across teams.</li><li>Standardize and document analytics procedures whenever possible. This can enhance the transparency, consistency of quality, and reproducibility of the analysis.</li><li>Include a change-management plan in the initiative.</li></ul><p><strong>Commitment to Fostering AI Competence</strong> Internal audit needs people with relevant skills to drive high-value outcomes with AI. Therefore, it must be able to attract, develop, manage, and retain talent. The team structure should complement the audit function’s existing structure and culture. Each team member should have distinct roles and responsibilities.</p><p>Training and incentives may be needed to develop AI skills and mindsets. Academic courses and job rotation training can build data analytics skills. 
Moreover, because AI may be a new concept for some staff members, internal audit should create a learning environment where auditors can ask questions and work through challenges.</p><p> <strong>Communications Plan to Engage Stakeholders and Build Support</strong> Collaboration with different departments within the organization is crucial to ensuring AI strategy aligns with business needs. Communications at all business levels can build support for embedding AI into the audit function. Moreover, a well-formulated communications plan can help ensure alignment with business needs and demonstrate success, which in turn can build buy-in. </p><p> At a high level, the communications plan should identify stakeholders, select channels, and develop customized messages for different groups, according to authors Sara LaBelle and Jennifer Waldeck in <em>Strategic Communication for Organizations</em>. It also should include provisions to monitor and evaluate the plan’s effectiveness. Some recommendations for building a communications plan include:</p><ul><li>Communicate the reason for implementing the AI initiative to encourage participation. </li><li>Use personalized, succinct, clear, and consistent communications to build trust.</li><li>Use key performance indicators to measure effectiveness and help ensure the AI strategy aligns with business priorities.</li></ul><h2>Optimizing AI</h2><p> Taking advantage of the power of AI can help internal auditors provide stakeholders with confidence in their organizations’ operations and deliver higher return on investment in audit services. Accomplishing these goals requires an audit department that nurtures the development of data, infrastructure, people, and processes. Above all, it entails good planning. <br> <br>Internal audit leaders must understand the current state of data management and analytics capabilities, and refine these capabilities to optimize the value AI can generate. 
It is a big responsibility, but incorporating AI in audit processes can enable auditors to provide critical advice and assurance in a digitally transformed age.<br></p>Kitty Kay Chan
<h1><a href="https://iaonline.theiia.org/2020/Pages/Protecting-Passwords.aspx">Protecting Passwords</a></h1><p>“The database administrator is gone, and he took our passwords with him,” the client told internal audit. “What do we do?”<br> <br>It was a nightmare scenario for the oil and gas company. The IT department used a password manager to store hundreds of system, database, and service account administrative passwords. It did not know that the software could mass-export an unencrypted list of usernames and passwords. Now that vital list was in the hands of a former employee.</p><p> Individuals and organizations have flocked to password managers for a secure and convenient method to use passwords to access online services. Yet, despite their benefits, these tools raise security concerns for internal auditors.</p><h2>Managing Passwords</h2><p> A password manager stores account usernames, passwords, credit card numbers, and other sensitive information. Various types of password managers accomplish different goals, and some work better than others.</p><p><strong>Personal</strong> Password managers intended for personal use allow the user to create one master password and encrypt the entire password vault storing the user’s various usernames and passwords. The user only has to remember the master password to use the password vault.</p><p><strong>Team</strong> This type of password manager enables a department to share corporate account passwords among staff members. Using a tool to share login information is more secure than sticky notes, email, or a spreadsheet of usernames and passwords. Each user has an account that grants that person access to the stored credentials within the team password manager.</p><p> Personal and team password managers can automatically populate account information when the user accesses a sign-in web page. Alternatively, the user can copy and paste it into the login fields of a web page. 
</p><p><strong>Enterprise</strong> Often referred to as privileged access management, enterprise password managers are robust, customizable solutions that provide powerful functionality. These tools can automatically change passwords based on timed rotations or after each use of the account. Their monitoring and audit logging capabilities can record who accessed a privileged account, when, and why. </p><h2>Security Risks</h2><p> Password managers have two significant security risks. First, when the password manager is locked, the master password exists in the computer’s memory outside of the tool’s encryption in a plain text, readable format. An intruder could access this master password and expose the other passwords. </p><p> Second, password managers can mass-export passwords into a text file, which makes it easy to move passwords using an unencrypted USB drive. In the wrong hands, a password list can provide access to an organization’s environment. </p><p> Internal auditors can help organizations mitigate these risks by helping IT weigh password manager options, balancing functionality that is right-sized for the organization against the related risk. Enterprise password managers are the most secure solution because they change passwords frequently. However, these tools are expensive: they must be fitted to the environment, staffed by IT or cybersecurity specialists, and supported by the right architecture, and the cost may outweigh the benefits. Depending on the number of accounts that need to be managed, budget-minded organizations may opt for a team password manager. </p><h2>Safeguards</h2><p> If the organization chooses a personal or team password manager, internal auditors should provide advice on how to secure it. The organization should consider the tool’s maintenance schedule, security features, and access structure.</p><p><strong>Apply Security Updates and Patches</strong> Organizations should check and frequently update software and patches to ensure they are current. 
When risks are identified, software fixes are the best way to stay protected against security flaws. </p><p><strong>Check Security Features and Configurations</strong> Security features only work if they are used correctly. Auditors should check which security options are available and ensure that the organization has implemented controls such as:</p><ul><li>Validate that the password manager uses encryption. Also, verify that it is a legitimate tool and not a fake password manager.</li><li>Configure appropriate password controls, such as minimum length and complexity. The organization should use multifactor authentication, if the tool supports it.</li><li>Disable users’ ability to mass-export passwords to plain text, if possible.</li><li>Enable logging. Some tools log whether anyone performs a mass export of usernames and passwords.</li></ul><p><strong>Restrict Administrator Access</strong> Users with administrative access can view every password within the tool or modify the security configurations. Therefore, organizations should strictly limit the number of employees with administrative access.</p><p><strong>Implement Role-based Security</strong> Most password managers can limit users’ password access to specific accounts or folders. Organizations should take the approach of least privilege by only granting an employee access to a password as needed. </p><p><strong>Review Password Sharing With External Users</strong> Some password managers support password sharing with external users, while others allow for external sharing of specific credentials. A downside of this practice is that outside parties could gain unauthorized access to the organization’s data and systems. 
Auditors should review all the shared passwords in the password manager system, determine which passwords can be shared with users outside of the organization, and find out whether the password manager logs password sharing.</p><p><strong>Consider Business Continuity</strong> For business continuity purposes, password managers for shared accounts are able to ensure that the keys to an important account are not in the hands of just one person. Tools that store account data in the cloud support business continuity by enabling businesses to access stored passwords during an outage. </p><p> If the tool is hosted on-site, the organization should consider how account information can be accessed remotely for business continuity. This requires a backup plan such as exporting all passwords to an external file. However, if the organization does this, it should have appropriate management approval, strictly limit access to the external file, and store the file on an encrypted device.</p><h2>When a Breach Occurs</h2><p> If internal auditors receive a call from IT, concerned that former employees have access to stored passwords, there are ways they can help the organization respond. </p><p> First, lock all the doors. If all passwords were exported, auditors should assume all passwords are compromised. The best approach is to change all breached passwords. However, system and service accounts often are linked to background processes, so changing the password could cause crashes or outages. If auditors encounter this situation, they should advise IT to restrict virtual private network access and deny interactive login for those accounts. </p><p> Next, call for help — twice. The first call should be to IT and compliance professionals who can help identify potential exposures and related risks. The next call should be to a trusted security firm to execute attack and penetration scenarios aimed at validating whether the organization has addressed critical exposures. 
</p><p> Despite the potential threats, the benefits of password managers greatly outweigh the relative risks. With appropriate oversight and controls, those risk levels can be even lower. <br></p>Kari Zahar
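The configuration safeguards and logging checks described in the article, as an added example that is not part of the original article or of any password manager product: a Python script that compares a tool's exported settings with the recommended controls (encryption, password length and complexity, multifactor authentication, no plain-text mass export, logging, a small administrator group) and then reviews constructed audit-log lines for mass exports and sharing with users outside the organization. The configuration keys, event names, JSON-lines log format, sample users and thresholds are all assumptions constructed for the example.

```python
"""Review a password manager's settings and audit log against the safeguards above.

Added example. The configuration keys, event names and log format are assumed;
they do not correspond to any real product's export format.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample: settings as a tool might export them (keys are assumed).
SAMPLE_CONFIG = {
    "encryption_at_rest": True,
    "min_password_length": 8,
    "require_complexity": False,
    "mfa_enabled": False,
    "allow_plaintext_export": True,
    "audit_logging": True,
    "admins": ["alice", "bob", "carol", "dave"],
}

# Constructed sample audit log in JSON lines (event names are assumed).
SAMPLE_LOG = """\
{"ts": "2020-06-01T08:02:11", "user": "alice", "event": "login"}
{"ts": "2020-06-01T08:05:40", "user": "alice", "event": "view", "entry": "prod-db-admin"}
{"ts": "2020-06-01T09:15:02", "user": "bob", "event": "share", "entry": "crm-api-key", "with": "contractor@partner.example"}
{"ts": "2020-06-02T22:41:09", "user": "dave", "event": "export", "format": "csv", "entries": 312}
{"ts": "2020-06-02T22:41:10", "user": "dave", "event": "view", "entry": "vpn-gateway"}
"""


@dataclass
class Event:
    ts: datetime
    user: str
    event: str
    detail: dict = field(default_factory=dict)


def parse_log(text):
    """Parse JSON-lines audit records into Event objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        detail = {k: v for k, v in rec.items() if k not in ("ts", "user", "event")}
        events.append(Event(datetime.fromisoformat(rec["ts"]), rec["user"], rec["event"], detail))
    return events


def check_config(cfg, min_length=12, max_admins=2):
    """Compare the tool's settings with the recommended controls; return findings."""
    findings = []
    if not cfg.get("encryption_at_rest"):
        findings.append("vault is not encrypted at rest")
    if cfg.get("min_password_length", 0) < min_length:
        findings.append(f"minimum password length {cfg.get('min_password_length')} is below {min_length}")
    if not cfg.get("require_complexity"):
        findings.append("password complexity is not enforced")
    if not cfg.get("mfa_enabled"):
        findings.append("multifactor authentication is disabled")
    if cfg.get("allow_plaintext_export"):
        findings.append("users can mass-export passwords to plain text")
    if not cfg.get("audit_logging"):
        findings.append("audit logging is disabled")
    admins = cfg.get("admins", [])
    if len(admins) > max_admins:
        findings.append(f"{len(admins)} administrators exceed the limit of {max_admins}")
    return findings


def review_log(events, org_domain, export_threshold=10, business_hours=(7, 19)):
    """Flag mass exports (with an out-of-hours note) and sharing with external users."""
    findings = []
    for e in events:
        if e.event == "export" and e.detail.get("entries", 0) >= export_threshold:
            in_hours = business_hours[0] <= e.ts.hour < business_hours[1]
            when = "during business hours" if in_hours else "outside business hours"
            findings.append(f"{e.user} exported {e.detail['entries']} entries as "
                            f"{e.detail.get('format')} {when} at {e.ts.isoformat()}")
        if e.event == "share":
            recipient = e.detail.get("with", "")
            if not recipient.endswith("@" + org_domain):
                findings.append(f"{e.user} shared '{e.detail.get('entry')}' with external user {recipient}")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("CONFIG:", finding)
    for finding in review_log(parse_log(SAMPLE_LOG), org_domain="corp.example"):
        print("LOG:", finding)
```

On the constructed input the configuration review raises five findings (short minimum length, no complexity rule, no multifactor authentication, plain-text export allowed, four administrators), and the log review flags the credential shared with a partner-domain address and the 312-entry export made late in the evening. Both are the signals an auditor would ask IT to pull from the tool before and after an administrator departs.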
<h1><a href="https://iaonline.theiia.org/2020/Pages/The-Analytics-Journey-Analytics-Roadmap.aspx">The Analytics Journey: Analytics Roadmap</a></h1><p>The <a href="/2020/Pages/The-Analytics-Journey-Analytics-Development.aspx" data-feathr-click-track="true">previous article</a> in The Analytics Journey series discussed how each new test development can be thought of as a project and how a consistent project methodology can support the scaling, scope, and rotation of the program. Now that internal audit knows how to perform the projects, it must decide which projects to tackle first and which projects to save for later.</p><p>This decision — defining a roadmap for the program — requires internal audit to understand how small steps today allow for great leaps tomorrow. In other words, auditors must clearly understand what kind of insight could be expected from the first few runs in an area, and how — and why — that insight should improve over time.</p><p>Once defined, the analytics program roadmap reminds all stakeholders of which projects are live and which projects are coming soon. It details what this project mix means about the program's maturity and the kind of insight and value that the program will bring to the organization. In the analytics journey, if the <a href="/2020/Pages/The-Analytics-Journey-Finding-the-Right-Direction.aspx" data-feathr-click-track="true">program intent</a> serves as a compass, the roadmap charts the path.</p><h2>Where Should Auditors Start?</h2><p>It is clear that the internal audit analytics program must respond to the needs of the business. That said, the more aware auditors are of business needs, the more "shiny objects" (potential projects) they will see. 
Because of this, it is important for internal audit to know when to pursue those projects and when to let them go.</p><p>Although this decision will be tightly related to internal audit's program intent, there are some key factors that can help the department decide whether to take on or drop a new analytics project:</p><ol><li> <strong>Organization chart.</strong> Is this function defined for the organization and clearly rolled up to a process owner and executive leadership? If a job function is important enough to have its own executive, then data is being created, and there is something valuable to the organization that can be monitored, audited, optimized, or improved by studying that data.</li><li> <strong>Money.</strong> Does this function generate or handle a significant portion of the organization's revenues or costs?</li><li> <strong>Personally identifiable information and company data.</strong> Does this function manage nonmonetary risks? Could a data leak originate from this function? Would this leak cost more than money?</li><li> <strong>Public.</strong> Does this function interact with the organization's clients? Could it affect the organization's standing in public opinion or its market?</li><li> <strong>Vendors, employees, and other business partners.</strong> Does this function interact with the organization's supply chain and resources needed to run the business? Could it affect the organization's ability to respond to client needs?</li><li> <strong>Volume of activity.</strong> How active is this function? Is this a data-rich environment?</li><li> <strong>Business process and controls.</strong> How complex is this function? Would it lend itself to standardization of processes, objectives, or outcomes, or is it usually a series of "one-off" activities? Would it have measurement points? 
What would auditors be trying to measure or predict?</li><li> <strong>Systems complexity.</strong> Are these functions supported by one system, manual interactions between systems, or automatic interactions between systems? The more hand-offs there are between systems, the more measurement points. However, those hand-offs make the relationship between those readings more abstract and will require a larger team to obtain and interpret the data.</li><li> <strong>Recent work.</strong> Is this a well-established and well-understood function, or is it recent or continuously evolving? Do other analytics monitor it? Would the organization benefit more from going deeper into the function, or should internal audit be covering something else?</li></ol><p>These factors relate to how easy or how valuable it would be to tackle a project on an area (see "Data Analytics Program Roadmap" below). By scoring potential projects on these factors, auditors can compare the cost and benefits of different projects in terms that may be relatable to stakeholders.</p><p> <img src="/2020/PublishingImages/Roadmap%20charts-1a.jpg" alt="Data Analytics Program Roadmap chart" style="margin:5px;width:725px;height:405px;" /> </p><h2>Projects With Future Potential</h2><p>What about projects that would position the organization for a better future? Auditors should remember their training on net present value: The attractiveness of a project is defined by its expected impact (future value), the value of the team's patience (return rate), and the time it will take to get it.</p><p>For some internal audit departments, a series of quick wins may be more valuable than a large transformation that may be months away from happening. Other teams may reach different decisions. In the end, the balance between current and future needs will be governed by the analytics program's intent.</p><p>Internal auditors also must remember that the analytics program is continuously moving through the maturity curve. 
Specifically, simple insight today (data access and descriptive projects) can lead to deeper understanding and the ability to predict and prescribe actions in the future.</p><p>"Program Maturity, Value, and Capabilities Progression," below, illustrates this evolution of program capabilities. At a high level, the chart explains how auditors can aggregate <em>event-level transactions</em> into <em>behaviors</em>, which they can use later in combination with new features or characteristics to create <em>predictive profiles</em>. Eventually, by understanding these predictive profiles, auditors can learn how to intervene (modify the profile) to obtain desired outcomes and even enable artificial intelligence to recommend — or make — the decision.</p><p> <img src="/2020/PublishingImages/Roadmap%20charts-2a.jpg" alt="Program Maturity, Value, and Capabilities Progression chart" style="margin:5px;width:715px;height:399px;" /> </p><h2>Is the Roadmap Working?</h2><p>Internal audit can measure the effectiveness of the analytics program roadmap through the buy-in from audit clients. As the program becomes better known through consistently successful deployments, the audit function, audit clients, and management will start to have opinions about whether internal audit is looking at the right things and what its next project should be. Eventually, even with a method to allow for transferability and scalability, new project requests could arrive faster than internal audit can grow the program.</p><p>Above all, the program must respond to the needs of the business. By including a consistent approach to deciding what the next project will be, auditors will know, and be able to explain, why they are prioritizing specific projects. At the end, the roadmap will be the best way to ensure the program produces its intended value.<br></p>Francisco Aristiguieta
<h1><a href="https://iaonline.theiia.org/2020/Pages/Trust-in-Technology.aspx">Trust in Technology</a></h1><p>Cutting-edge technologies in artificial intelligence (AI) and machine learning are transforming the way businesses operate and opening up new commercial opportunities for organizations to leverage data. But such progress comes with risks: The technology is not infallible, and companies that are becoming increasingly reliant on it rarely question how the process works, whether it is ethical or trustworthy, or what harm it could cause.</p><p> Countless examples show that machine-learning systems can generate prejudicial output — from gender-recognition cameras that only work on white men to algorithms that display ads for lower paying jobs to women. These problems occur because the data that trains AI programs often reflects the biases of its human compilers, while machine-learning systems are molded entirely by their imperfect learning environment. As such, if the input data is skewed and one-dimensional, and the environment from which the data is sampled is similarly restricted, the output will be wholly predictable.</p><p>For example, if an online executive recruitment AI system is trained on the resumes of Fortune 500 or FTSE100 companies, the technology will assume it should be targeting white, middle-aged men to fill CEO and board-level roles. Without appropriate checks and balances, experts say, AI systems will just perpetuate the bias that exists in the real world.</p><p>“The central problem is that neural networks operate by seeking patterns in data rather than following clear rules of logical inference,” says James Loft, chief operating officer of intelligent automation firm Rainbird in London. “This means they can easily draw irrational conclusions from data, and it can be difficult for humans to understand the causes of their biases.”</p><p> And bias is far from the only risk. 
Data from sophisticated technology also can be manipulated to mislead or deceive, resulting in fraud or other harm to the organization. The output also may run afoul of legal provisions as well as organizational policy. Internal auditors can help keep a watchful eye on the use of these cutting-edge tools, ensuring consistency with ethical requirements and awareness of organizational risks.</p><h2> Multiple Points of Exposure</h2><p> Experts say biases can easily be introduced into AI technologies because — at their most basic level — they operate relatively simply: Programs process data that is fed into them, following a predefined algorithm, and then generate outputs. “There is scope for manipulation in the design and operation of all three of these stages,” says Paul Herring, global chief innovation officer at professional services firm RSM Global in London.</p><p> For example, he says, it is possible to select the input data in a way that is intended to deliberately skew results. If a financial services firm wanted to attract investors to put money into a Ponzi scheme, for instance, it could generate a misleading report by selecting a sample of existing customers that only includes those who had made enormous returns. Unsurprisingly, the report would show amazing results.</p><p> Furthermore, the algorithm or functions applied to the data could be defined in a way to generate skewed results. Continuing with the Ponzi scheme example, even if the inputs included all investors — both winners and losers — the program or algorithm could be defined to ignore the losers or inflate the performance of investors. 
And even if these first two steps are unbiased and appropriately configured, the report can still be manipulated to highlight certain findings or suppress others.</p><p> To protect themselves from these risks, Herring says, companies — and internal auditors — need to ask questions about how the technology works in practice, and what safeguards it either has built into it, or needs to establish. “It is important to gain an understanding of the methods used by the program to execute the capture and processing of data as well as reporting results,” Herring says. He adds that auditors should inquire “about any built-in biases in each stage.”</p><h2> Speed and Overreliance</h2><p> Several experts point out that data has always had biases in the way it is used. The problem is that “AI has the potential to produce and replicate these biases more quickly in its decision-making processes,” says Nathan Colaner, senior instructor, director of business analytics, at Seattle University.</p><p>“The job of machine learning technologies is to predict outcomes from the data it is being fed, but any ‘prediction’ is a judging in advance, or pre-judging,” Colaner says. “As a result, no one should be surprised that the decisions it makes could be prejudiced.”</p><p> One of the main concerns Colaner has about AI adoption is that organizations become overreliant on the technology and algorithms. “Organizations tend to get swept up with the possibilities that technology allows them to embrace,” he says. “However, while algorithms are an important tool, they should not be used as a crutch — the information they produce is just one source of information among several sources available to the business. 
Just because the information is produced quickly by a machine does not mean that it is complete and trustworthy.”</p><p> Consequently, internal auditors should ask what safeguards are in place to interrogate the integrity of the data used by the algorithm, and what measures exist to question the resulting outcomes it produces, Colaner says. They also should ask what the perimeters of the algorithm are meant to be, and whether machine learning is producing the agreed objectives, he adds.</p><p> However, Colaner also says there is a significant risk of organizations turning a blind eye to how an algorithm produces data. “Too many organizations focus on the results of the process, rather than look at — or even question — the process itself,” he says. “There needs to be more skepticism around AI-produced decision-making. At the moment, however, there is a tendency to just accept the results without questioning how they were arrived at.”</p><h2> The Need for Transparency</h2><p> Steve Mintz, professor emeritus of accounting at California Polytechnic State University in San Luis Obispo, says there needs to be full transparency and disclosure about how AI machines are generating data and decisions, how that data is being used within the organization, and what the outcomes of such data use are, both for organizations and individuals. He says internal audit functions should be working with the organization’s IT team so they understand: </p><ul><li>The technology and its risks.</li><li>What the technology is meant to achieve for the organization.</li><li>What safeguards the technology team has put in place to prevent bias.</li><li>What measures the team has established to alert the organization that decisions produced by the technology may be flawed.</li></ul><p>Mintz also says internal auditors can help manage ethical risks, including the risk that internal fraudsters compromise the data. 
“If you can’t trust the level of transparency about how data is being used, then how can you trust the system?” he asks. “There needs to be better explainability and auditability around every part of a process in which a machine makes a decision — plain and simple.”</p><p> To check whether the source data is being used appropriately, Ali Hessami, a London-based advisor at technology standards-setter the Institute of Electrical and Electronics Engineers (IEEE), says internal auditors should ask who will ultimately use the results from the analysis. Potential recipients include board members, salespeople, employees, customers, and business partners. Will those individuals or groups use the data to facilitate business decision-making, or perhaps to help identify risks or boost sales? Hessami says organizations should ask themselves who should — and should not — be able to access the data, and what internal controls might be necessary to ensure the data is kept safe from potential unauthorized internal use or external hacking.</p><p>“It is important for internal audit to establish who will be impacted by the use of the results, how they will be impacted, and whether the rights, freedoms, or opportunities of any individuals or groups could be affected by use of the analyzed data,” Hessami says. Internal auditors, he adds, need to question whether the organization has explicit permission, as well as the data subjects’ informed consent, to access the data necessary for analysis.</p><p> Other experts agree that transparency around data collection and use is paramount. Maurice Coyle, chief data scientist at data analytics specialist Truata in Dublin, says developers, IT vendors, and IT departments should be able to justify their decisions and opinions, and audit teams should be querying those justifications to understand their root.</p><p>“Above all else, companies should always be asking developers ‘Why do you think that?’” Coyle says. 
“Internal audit teams should make sure they understand the reasoning behind what developers implement. Understanding the root of these decisions is the key to gaining assurance that the technology will not cause harm through its processes or outcomes.”</p><p> For Peter van der Putten, assistant professor at Leiden University in the Netherlands and director of AI decisioning at software vendor Pegasystems, companies “should favor transparency over accuracy so they know in detail how an AI program arrived at each decision and can then explain this to a customer.” Privacy regulations, such as the European Union’s General Data Protection Regulation, require that companies possess this capability.</p><p> Furthermore, van der Putten says internal auditors should ask specifically whether predictive models and the logic behind them are transparent and tested for bias. He adds that auditors should question “whether the AI systems are ‘black box’ machine learning systems, or whether it is possible to impose ethical policies, rules, and constraints on top of them to keep these learning systems under control.” </p><h2> Data Governance</h2><p> At the heart of checking the effectiveness — as well as the shortfalls and dangers — of AI technologies, van der Putten says, is the need to establish robust AI and data governance. “AI governance will soon become a real discipline, and more importantly should not just be a matter of guidelines on paper for people and processes,” he says. “It needs to be translated and operationalized into practical guardrails and encoded into AI technical platforms, models, and rules.”</p><p> According to van der Putten, any governance framework should include “tangible definitions and levers” of trade-offs between the company’s objectives and those of the customer when it comes to automated decisions. 
It also should include procedures for appropriate measurement of bias in models and business rules, while recognizing that bias detection should not just be a single step in a release cycle for new models and rules. “The framework should be measured in an ongoing, continuous basis, as the most modern AI systems are actually learning and optimizing themselves live, in real time,” he says.<br></p><p> Tim Mackey, principal security strategist at software provider Synopsys’ Cybersecurity Research Centre in Boston, says ethically focused governance should include not only an understanding of how data was collected but “how informed any data subjects were to the current or proposed use of their data.” When consumers provide their data, he says, there is an implicit expectation that only the required minimum of data is requested, and that both usage and retention of provided data is aligned with the original transaction or consent. “When data collection, processing scope, or retention are misaligned with consumer expectations,” he says, “data governance risks increase.” </p><h2> Seeking Assurance</h2><p> In many organizations IT and technology risks remain the domain of the IT professionals, as they have the necessary in-house expertise to understand the process as well as the risks. But this approach presents the problem of IT functions essentially reviewing their own work and potentially downplaying risks related to any initiative for which they are responsible. As such, internal audit needs to grasp the nettle and ensure it is in a position to challenge the way AI is used in the organization and become actively involved in AI project development. </p><p> While many internal audit functions may not have the resources or in-house technical skills to audit AI technologies in the way they would like, this should not deter internal audit from doing its job — asking questions and seeking assurance. 
“Expert knowledge is obviously useful, but you don’t need to be a technical expert — nor do you need to understand everything about data and AI,” says Jim Pelletier, vice president of Standards and Professional Knowledge at The IIA. “You just need to know enough to be able to ask good questions, understand your knowledge gaps, and bring in the right resources when they are needed.”</p><p> Pelletier says internal auditors should approach AI just as they would handle risks associated with a software upgrade or other technology implementation. “The types of questions you need to ask to gain the necessary level of understanding and assurance are largely the same,” he says.</p><p> As trusted advisors, internal auditors need to tell management that data ethics must align with corporate ethics, Pelletier says. Ideally, they also should be involved as early as possible in the discussions about how the organization is going to use AI to further the business, and how data will be leveraged to help achieve those objectives.</p><p>“Internal audit can provide insights and advice in the establishment of project governance processes early on,” he says. “That way, the tech team will not just focus on what the technology can do, but also on achieving business objectives ethically while maintaining compliance with data privacy rules at the heart of the project. Internal audit can review what testing has been done to ensure compliance, how rigorous this testing was, and how the results were reported to — and understood by — management.”</p><p> Pelletier adds that getting involved in the project from the start also can help the organization realize its goals, especially given that IT projects often fall short of intended results. He points to surveys noting examples of project managers checking to ensure technology is functioning correctly instead of determining whether it is an appropriate solution for the business. 
“Having internal audit involved early and asking whether the technology is doing what it is designed to do can save a lot of time and money in the long run,” he says. </p><h2> Powerful, But Not Perfect</h2><p> AI is a powerful tool — but like anything else, it has its limits. Organizations should come to terms with that fact and remain skeptical about the information the technology produces. And because AI is not 100% trustworthy, internal auditors have a key role in monitoring its usage and the decision-making processes it controls.</p><p>Neil Hodge</p>
<h2><a href="https://iaonline.theiia.org/2020/Pages/Pandemic-Poses-Dual-Cybersecurity-Challenges.aspx">Pandemic Poses Dual Cybersecurity Challenges</a></h2><p>The shift to remote work was like an army retreating to safer ground, its personnel scattered in the face of the oncoming pandemic. IT functions raced to reconnect these employees to the organization and reestablish communication as their businesses began to understand what disruption really means.</p><p>Meeting the technology demands and solving the problems that arose during the early days of the COVID-19 crisis taxed beleaguered IT functions, but it also put many IT initiatives on hold. For 44% of organizations, cybersecurity was one of those initiatives, according to the <a href="https://sectigo.com/download-content?target=resource-library/2020-work-from-home-it-impact-study&utm_campaign=wakfield-report-wfh" data-feathr-click-track="true" target="_blank">2020 Work-from-home IT Impact Study</a> from cybersecurity firm Sectigo and Wakefield Research.</p><p>Since then, IT functions have been catching up on safeguarding remote work. Now as organizations have settled into a more long-term — and even permanent — remote operating environment, their IT teams have turned their attention to what comes next.</p><p>Those organizations need a dual cybersecurity mindset, a recent McKinsey & Co. article advises. 
They must secure the technology needed for remote work, while anticipating how to design security for life after the pandemic.</p><p>In the current crisis, "cybersecurity teams are being perceived anew," according to <a href="https://www.mckinsey.com/business-functions/risk/our-insights/a-dual-cybersecurity-mindset-for-the-next-normal?cid=other-eml-alt-mip-mck&hlkid=11567b190b2e4d57a8fe5ec989b8b49c&hctky=1335340&hdpid=257a39db-a247-4b1f-b50d-84c719d6cbad" data-feathr-click-track="true" target="_blank">"A Dual Cybersecurity Mindset for the Next Normal."</a> Going forward, the authors note, "They must no longer be seen as a barrier to growth, but rather become recognized as strategic partners in technology and business decision-making." Internal audit functions may find McKinsey's recommendations helpful when assessing cybersecurity risk, and advising executives and IT management about future plans.</p><h2>Securing Remote Work</h2><p>Five months into remote operations, organizations must fortify their security work, while considering how to safeguard new technology and processes adopted during the pandemic, the McKinsey article advises. The authors recommend focusing on:</p><ul><li>Assessing hot spots by remedying operational, process, and technology gaps.</li><li>Fixing operations by evaluating new risks and implementing controls.</li><li>Fortifying security gains by standardizing remote work procedures and evaluating technologies to reduce long-term risk.</li></ul><h2> The Next Phase</h2><p>While they continue to address the pandemic, IT and cybersecurity leaders should look at how new business conditions may affect the organization, the article says. 
The authors point to four areas where leaders should act to protect the organization's ability to create value.</p><p><strong>Secure Workforce in New Ways of Working</strong> In response to fundamental changes in the way organizations work, the authors recommend undertaking cybersecurity initiatives, including:</p><ul><li>Dynamic security of users, assets, and resources.</li><li>Cloud-based tools and infrastructure.</li><li>"Contact-aware" workforce privacy that may involve employee consent.</li><li>People defense to reduce fraud and other vulnerabilities that may result from employees' anxiety.</li><li>A remote cybersecurity operating model and talent strategy.</li></ul><p><strong>Secure Customers in Shift to Digital</strong> Customers expect a "secure and seamless" digital experience with greater choice and availability, the article notes. IT and cybersecurity functions should prioritize:</p><ul><li>A frictionless customer security experience across all web, mobile, and customer service channels.</li><li>Cybersecurity controls that function at scale.</li><li>Privacy by design that includes controls on the use of customer data.</li><li>Advanced analytics that integrate security into fraud controls.</li></ul><p><strong>Rethink Supply Chain and Third-party Risk</strong> Organizations need to assess the resilience of their supply chain as they adopt new ways of operating. 
The article recommends:</p><ul><li>Expanding assessment coverage to review all vendors and potential third parties.</li><li>Updating security controls to account for third parties' remote operations.</li><li>Securing partner collaboration.</li><li>Planning for geopolitical challenges to critical vendors.</li></ul><p><strong>Sustaining Increased Sector Collaboration</strong> Organizations need to strengthen partnerships with peers, their industry sectors, and regulators to support changing processes, the authors say.</p><h2>Align Security With Changing Business Strategies</h2><p>Flexibility will be key for IT and cybersecurity functions to adopt a dual cybersecurity mindset, the McKinsey authors say. Leaders of these functions should "plan their security strategies to best align with business strategies and priorities," which may have changed during the pandemic. The article recommends that leaders assess opportunities to "leapfrog" current security capabilities, set parameters that prioritize essential initiatives, and clearly communicate time frames for cybersecurity efforts.</p><p>Tim McCollum</p>
<h2><a href="https://iaonline.theiia.org/2020/Pages/The-Digitally-Transformed-Enterprise.aspx">The Digitally Transformed Enterprise</a></h2><p>Nearly every organization — from multinational corporations to small, brick-and-mortar enterprises — is in some stage of digital transformation, but just where businesses are along the technology spectrum varies significantly. What is clear is that the challenges and complexities behind getting it right are daunting, especially for internal audit functions that must provide assurance over digital transformation while relying on traditional processes.</p><p>“At San Francisco Bay-area companies, you probably see a lot more chief audit executives being successful with data and data analytics,” says Tom Rudenko, head of audit at Yelp. “I think it’s just the nature of our companies — you have to adopt their methods, adopt their tools, because if you don’t, you’re going to become obsolete very, very fast. Whereas in the more traditional companies that are not in technology, it’s more of a struggle to get to that point.”</p><p> Whatever stage organizations find themselves in, digital transformation is ultimately about data — how businesses present data to customers; how they use and manage customer data; and how they aggregate and analyze business data to increase efficiency, accuracy, profit, and speed. The technology used to parse or deliver this data encompasses cloud computing, data analytics and data mining, robotic process automation (RPA), and artificial intelligence.</p><p> Chief audit executives (CAEs) must be aware of the strategic risks associated with embracing or neglecting data and new technology, and they must understand its inherent ability to disrupt business plans and models. 
Indeed, CAEs rank data and new technology risk as likely to grow markedly in relevance over the next five years, according to The IIA’s OnRisk 2020 report.</p><div class="subhead-article"><h3>COVID-19 Accelerates Need for Digitization</h3><p>The COVID-19 pandemic has had an economic impact on organizations worldwide. Businesses that were already technology- and data-driven have had an advantage, even in challenging sectors.</p><p>Organizations that were already comfortable with “virtualization” tools and working with digital data were able to more easily transition to setting up remote workforces and processes, connecting with customers, and delivering some services online.</p><p>For instance, while Uber has definitely lost revenue from the slowing of its ride-sharing services, the company’s Uber Eats division was ready to ramp up to meet the growing demand for food deliveries and groceries. Meanwhile, in April, the company launched Uber Direct and Uber Connects — pilot projects involving the delivery of other types of goods, such as over-the-counter medications and packages to loved ones. “We were already using the technology platforms, so it’s really adapting the technology platform to embrace the new activities,” Vincenti explains.</p><p>The pandemic has also pushed customers and businesses alike into developing new behaviors and habits. Telemedicine, previously slow to catch on as a viable alternative to office visits, is becoming more mainstream.</p><p>For example, telehealth provider Carenet Health reported an 80% spike in telehealth visits during the first weeks of the pandemic. Other examples include transportation and logistics companies switching to “contactless” paperwork and internal auditors using drones and security cameras to conduct inventory audits, according to an April 2020 <em>Wall Street Journal</em> article. And a recent study on U.S. 
attitudes and consumer behavior during the pandemic shows that for as many as 23% of respondents, the shift to more online working, shopping, and meal ordering may be a permanent one.</p><p>As a result of these societal shifts, digital transformation is now even more urgent than before, Vincenti says. “If people needed a reminder to accelerate the process, I think that reminder is loud and clear.”</p></div><p> Still, acknowledging the risk does not always translate into its successful management. Despite recognizing that this risk is likely to grow in relevance, CAEs give themselves and their organizations low marks in relation to their personal knowledge of data and new technology risk and their organizations’ ability to manage it, the report notes.</p><p> Many factors affect just how invested organizations are in technology, such as whether they developed before the computer age or were “born digital.” Either way, organizations that embrace the use of data and new technology have enjoyed a decided advantage in connecting with customers, coordinating with new digital platforms, or shifting to remote operations during the pandemic (see “COVID-19 Accelerates Need for Digitization,” at right). But it is not too late. Organizations that accelerate their digital transformation can still reap the benefits moving forward — and internal auditors can provide valuable assistance along the way. </p><h2> Digital Maturity</h2><p> Part of the reason some companies are further behind than others when it comes to adopting technology and data processes has to do with culture. 
Dominique Vincenti, who serves as global head of Internal Audit and CAE for Uber, likes to use the generational term <em>digital native</em> to describe organizations that were “born” using and manipulating technology and data — such as Uber and Yelp.</p><p> Vincenti explains that older industries and those that are not inherently digital are facing some of the same challenges Baby Boomers and Generation X have faced in comparison to digital-native Millennials and Generation Z. “Those who’ve been operating in industries where data and technology is not at the heart of the business model, [but are] ‘going there because we have to’ — they’ve found themselves in that non-digital-native situation, and it’s probably more uncomfortable,” Vincenti says. </p><p> For Rudenko, there are pros and cons to working with digitally savvy companies like Uber and Yelp, but one clear advantage is that they are naturally faster at adopting and using technology to solve problems. “The tech companies are not as mature, and they might not have those best practices, but they are very nimble and move fast, and you’re not weighed down by decades of legacy systems, people, and processes,” he says.</p><p> Larger, older organizations may have more mature, formal processes, which can be a good thing, Rudenko says. On the other hand, they are also more likely to have bureaucratic processes or silo mentalities where people are reluctant or unable to share information or effectively collaborate across business units. “In my experience with more mature companies, navigating through the organization and just getting access to the data can be a time-consuming and difficult process,” he says. “By the time you were able to analyze it, it was already kind of old news.”</p><p> Regardless of their organization’s level of digital maturity, Vincenti says CAEs looking for a better grasp of data and new technology risk need to understand how their organization is approaching the risk strategically. 
As with any risk assessment, auditors must know what they’re dealing with. They need to consider how important data and new technology are to the organization’s evolving business model and where their organization is with respect to digital transformation. </p><p> Vincenti suggests CAEs ask themselves: “Is data and new technology becoming a core enabling function? Or is it just sitting on the side as technology has been for many, many years, and is just a way of making things a little bit more efficient — not necessarily an enabler of business but just a support of business?”</p><h2> A New Way of Thinking</h2><p> While every industry is different, Vincenti says it is important to consider competitors: “Are we at odds with how literally the world is evolving, and can we become the next Kodak or Blockbuster in our industry? If auditors determine that digital transformation is now embedded in their business model — fundamentally, how business is now done — then the audit function must change its approach, as well,” Vincenti says.</p><p> Although internal auditors may have had a strong grasp of previous business processes, she adds, they need to realize fundamentally that today’s business is done primarily with data and technology. They must understand the new business world as well as they grasped the former, less digitally based one. </p><p> Vincenti says CAEs also need to recognize that data, along with money and people, is a fundamental asset in this new way of doing business, whereas technology is just the means to use the data. “What I’ve told my team and what I’m trying to tell people is that before understanding technology, do you understand data like you understand dollars? 
Because this is the raw material.”</p><h2> Building Trust With Small Steps </h2><div class="subhead-article"><h3>Building Technology Into the Audit Process</h3><p> In a May 2020 IIA webinar titled “Utilizing Technology to Advance Internal Audit and Stay Relevant in a New Risk Environment,” presenters Scott Madenburg, director of Solutions Advisory Services, AuditBoard, and Eric Groen, managing director, Protiviti, provided examples of ways analytics technology can be used for reporting and planning: </p><ul><li>Root cause investigation.</li><li>Real-time exception management (continuous risk management).</li><li>Risk quantification.</li><li>Control simulation.</li><li>Predictive risk identification. </li><li>Risk profiling.</li><li>Test data simulation.</li><li>Statistical sampling.</li><li>Continuous controls monitoring.</li><li><p>Identification of fraud indicators.</p></li></ul><p>A key takeaway from the webinar is that internal audit functions looking to incorporate data processes into their own work may not have to reinvent the wheel. There may already be technology tools, data, and people (such as business analysts) that CAEs can leverage to start incorporating data analytics testing and processes into internal audit engagements. CAEs might also consider forming a specialized committee that includes participants from IT, management, and elsewhere to determine how data analytics could be incorporated into and benefit current business practices. </p></div><p> While understanding data and technology is important, it can take time for internal audit to become a trusted resource on data and technology risk if this is not already part of the organization’s culture. Rudenko recommends that internal audit build trust with easy wins using data analytics within the audit function. Although most organizations have all but eliminated travel in the current environment, one of the easiest places to piece together early wins is with travel and expense reporting. 
As an area at high risk for fraud and one that likely is already part of a reporting system, he says, it can be a good candidate for adaptation to an automated system.</p><p>“You can extract the data out of that system and run it through a series of data-driven tests,” Rudenko says. “Run those tests a couple of times, get the process stabilized, and hand that back to the business. They usually love it, and they’re very happy for something that helps them manage their expenses.” </p><p> Both Rudenko and Vincenti agree that relationships are crucial. “You need to have very robust relationships with the tech and data science communities of your company,” Vincenti says. “And one of the reasons is to leverage the systems and technologies that are already in place so that there are economies of scale.”</p><p> Vincenti asks, for example, why the audit function would consider buying RPA licenses if a privileged RPA vendor relationship and license agreement have already been established elsewhere in the organization. Understanding what technology is available and “piggybacking” wherever possible is key, she says. (See “Building Technology Into the Audit Process” at right.)</p><p> According to Rudenko, once internal audit can demonstrate the efficacy of using data analytics tools, the payoff in trust can be great. “You get a trophy, and you put it on the shelf,” he says. “And you start to build your brand inside the organization, and people start to see the value that you’re bringing back to the company.” </p><p> Management at Yelp sees internal audit as an important part of the company’s strategic planning, rather than as an interloper. Rudenko and his team are consulted for advice on website development, data pipelines, reporting dashboards, and more. “They want our insight,” he says. 
“They want our knowledge of risks and controls.”</p><h2> The Right Team</h2><p> Building competencies within the internal audit team is also important if the audit function intends to become more technically savvy, but that can take time. According to Rudenko, it is unrealistic to expect everyone on the team to be experts in data analytics, coding, and internal audit because such employees are considered “unicorns” — hard to find even in Silicon Valley.</p><p> At Yelp, Rudenko aims for at least half of the internal audit team to be technically savvy, but he also focuses on people who are a good cultural fit for the company. To do this, he invites people from around the organization to participate in interviews for internal audit positions. Getting buy-in from people who will be working with his auditors helps promote teamwork and trust, Rudenko explains. </p><p>“In the end, it’s about building relationships,” he says. “That’s really what this all comes down to, but that doesn’t happen overnight.” <br><br>At Uber, Vincenti says she has strong technology audit muscle on her team. “One of my directors is the technology specialist, and he is our point-of-contact with the [chief technology officer] of the company,” she says. “On a daily basis, we’re touching base with the engineering teams.” </p><p> Vincenti describes her team of auditors as “specialized generalists.” In other words, while everyone has broad, general knowledge, they each have deep knowledge of one or two specialized areas relevant to Uber’s business model. In addition, the audit activity has its own data science team. While the data scientists understand internal audit enough to work well with the auditors, they are the only true data specialists on the team.</p><h2> The Digital-first Imperative</h2><p> Vincenti points out that, ultimately, analyzing data is not a new concept for internal audit. The difference is that the tools and the focus have changed. 
And internal auditors, like the organizations they serve, need to adopt a digital-first mindset.</p><p>“The challenge today is to bring data and technology at the core of everything,” Vincenti says. “So today the core is the internal auditor, and the data analytics and technology are on the side — we need to turn the model upside down. We need to put technology in the middle and the internal auditors around to leverage it and add value.”</p><p>Christine Janesko</p>
<h2><a href="https://iaonline.theiia.org/2020/Pages/Auditing-in-a-Disruptive-Environment.aspx">Auditing in a Disruptive Environment</a></h2><p style="text-align:left;">Emerging or disruptive technologies, such as artificial intelligence (AI), robotics, the Internet of Things, nanotechnology, and quantum computing, are permeating almost every industry. These technologies not only alter the way business is done but ultimately hold the key to future organizational success. Without them, few businesses will be able to survive, much less remain competitive, in the long term.</p><p style="text-align:left;">Internal audit takes on greater importance in digitally transformed environments. Disruptive technologies, in addition to the value they provide, can multiply potential harm and magnify risks significantly. Stakeholders will expect internal audit to be more engaged as they look to manage these risks and seek assurance that controls are effective. To meet the organization's needs, internal audit must evolve, grow, and adapt to rapidly changing conditions.</p><h2 style="text-align:left;">Rising Expectations</h2><p style="text-align:left;">Significant levels of change in any business environment create uncertainties, increased complexity in operations, and greater risks. New technologies will compel businesses to identify the right strategies, determine the best business models, and recruit people with the right skills through a multidisciplinary approach. These initiatives may introduce new strategic and operational risks, which will be a concern for management and auditors.</p><p style="text-align:left;">Practitioners will play a key role in helping manage these risks by providing an independent and objective assessment of the new technology environment. But failing to participate upfront in discussions of system development, governance, and risk management could result in a missed opportunity to add value. 
Auditors need to be proactive and engaged early. To maximize their contributions, they will need to possess strong business acumen and expertise within the sectors in which their organizations operate, as well as the ability to see the secondary or tertiary effects of organizational risk. <br></p><h2 style="text-align:left;">Changing Risk Landscape</h2><p style="text-align:left;">The implications of new technologies and their convergences will introduce several uncertainties in the political landscape, turning economic networks into political weapons. This new reality will require country-specific laws involving legal challenges and at the same time increase concerns about corporate accountability. Many of these regulations will pose additional challenges to the internal audit profession. They will require auditors to have the ability to assess the sectors that are politically risky and determine whether their organization has developed new strategies and relationships that balance economic efficiency with security.</p><p style="text-align:left;">Risks related to cybersecurity will significantly influence the landscape of internal audit's work. The World Economic Forum Global Risks Perception Survey 2019-2020 identified "information infrastructure breakdown" as the sixth most impactful risk over the next 10 years. Some expected risks include the speed of technological development, integration of technologies and devices, cross-border legal issues, and unforeseen consequences. These challenges will require internal auditors to check whether existing procedures, programs, and mechanisms put in place by the audited entity are sufficient. Results of such analysis should point out to management any steps that should be taken to help ensure cybersecurity threats are mitigated. 
</p><p style="text-align:left;">Additionally, new markets, products,  cross-border trade, and business acquisitions will introduce risks stemming from new supply-chains, business disruptions, and opportunities for fraud. Different countries and regions have distinctly different cultures, as do different organizations that merge. Internal auditors should possess a sound understanding of the business environment, ethical framework, and fraud risk management processes. Practitioners can help companies assess the alignment of their ethics programs and evaluate the performance indicators in place to measure effectiveness and help promote ethical behavior.</p><p style="text-align:left;">Internal auditors also need to understand generational and cultural differences when communicating with employees in diverse organizations. The changes in business models and supply chains may require internal audit to adapt to a desired culture or a set of values through recruiting culturally informed staff. Practitioners will face increased challenges in providing assurance on whether organizations understand, monitor, and manage the tone, incentives, and actions that drive behavior. </p><p style="text-align:left;">Perhaps most importantly, internal auditors will be required to provide assurance on the value for the money their organization invests in the disruptive technologies and tools. Such an assessment is only possible with an integrated view of their implications for policies, governance, and the processes established to implement them.<br></p><h2 style="text-align:left;">The Way Forward </h2><p style="text-align:left;">In a worst-case scenario, disruptive technologies may pose a threat to internal audit and replace practitioner skills, depriving organizations of our most valuable assets: professional skepticism, critical thinking, and communication. 
While this is unlikely to happen, internal auditors should nonetheless prepare for upcoming challenges and opportunities through a two-pronged strategy.</p><p style="text-align:left;">First, the heads of internal audit functions should determine an audit universe of proposed and current change programs, factoring them into audit plans and engagements. This should provide a basis for identifying areas of audit engagement related to disruptive technologies.  </p><p style="text-align:left;">Second, audit leaders should identify alternative staffing models that provide the diversity of skills necessary to address new technology risks effectively. The coming years, for example, will witness a sharp increase in the number of "data auditors" with the ability to correlate disparate information to provide early identification of fraud and operational risks. Businesses are using automation tools or bot algorithms that mimic the actions of a person or a computer to avoid redundancies and save costs. Audit practitioners should have the ability to provide assurance on such system development processes as well as validate the security risks by quickly adopting new methods of working, including agile auditing, continuous/concurrent auditing, and automated assurance.  <br></p><h2 style="text-align:left;">Rising to the Challenge</h2><p style="text-align:left;">The whole world is struggling to keep pace with technological advancements — and internal auditing is no exception. But our core skills of critical thinking, collaboration, and communicating set auditors apart in the digital age, with technology only serving to augment them. </p><p style="text-align:left;">To remain relevant, internal auditors should recognize emerging technology-related challenges and opportunities, and prepare for future skill requirements. Practitioners need to deploy the same technologies driving the need for change to help them rise to the challenge. 
As IIA Standard 1230 says, "Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development." There are no better skills to develop than those that will equip practitioners to confidently face the dramatic changes on the horizon.</p><p>Israel Sadu</p>
<h2><a href="https://iaonline.theiia.org/2020/Pages/Transforming-Corporate-Card-Audits.aspx">Transforming Corporate Card Audits</a></h2><p>One of the most significant changes in auditing corporate card expenses over the past decade has been the conversion of supporting documentation from paper receipts to electronic form. Although an internal auditor's core duties of ensuring completeness and accuracy in record-keeping remain the same, the electronic form has altered the dynamics of those duties significantly.</p><p>Not so long ago, people mailed paper receipts to a central location for processing. Today, by contrast, a simple receipt photo, screenshot, or email confirmation uploaded via a website or mobile app often suffices. The convenience and efficiency of electronic files, as well as enabling technologies such as cloud storage, data visualization, and automation, have created both new opportunities and challenges in auditing corporate card transactions.</p><h2>Cloud Storage</h2><p>Cloud storage is an on-demand, self-service model where data or software as a service is stored remotely on virtual servers hosted by third parties. </p><p><strong>Opportunities</strong> Cloud storage removes the storage limitation challenge presented by retaining physical copies of paper receipts or using on-site servers, as it is easily scalable to accommodate any data storage needs. Additionally, it reduces pre-installation costs and maintenance charges associated with on-site servers.</p><p>Duplicate back-up copies of data can be stored in multiple locations worldwide, making data less vulnerable to natural disasters. Cloud storage also makes it easier to implement a document retention period for physical receipts. 
Corporate card data that requires long-term storage could be archived or automatically purged after a defined period.</p><p><strong>Limitations</strong> Digital documentation is susceptible to malicious software, such as ransomware, that encrypts data to an unusable form and holds it hostage unless payment is made. Focusing on data security may protect transaction information from hacking, which could result in negative publicity from a data breach or give competitors insight into prospective projects.</p><p>Use, transfer, and purge of stored personally identifiable information attached to employees' expenses is limited by regulations such as the European Union's General Data Protection Regulation and the California Consumer Privacy Act. If the data is backed-up or stored in international locations, there is the added complexity of the local regulations around the data's use. </p><p>Depending on how the information is housed and structured in a third-party's platform, organizations may have to pay extra to fully access their data the way they want. For instance, application programming interface (API) software, which allows two applications to talk to each other, often is an extra cost. API, for example, allows the expense repository system and audit software to talk to each other and is used to access features or data of a service application.</p><h2>Data Visualization</h2><p>Data visualization distills large datasets into visual graphics to allow for easy understanding of complex relationships within the data.</p><p><strong>Opportunities</strong> Combined with data analytics, data visualization allows the data to be dissected in more ways than before. For example, a dashboard template could track multiple key performance indicators linked to a database that would allow users to slice the data in real time and filter down to focus on any variable for specified business areas. 
</p><p>Beyond simply graph or pivot data in Excel, data visualization can simultaneously overlay multiple variables, such as transaction types, on a geographic map while highlighting the magnitude of the transactions in different sizes and colors. This could be used, for example, to target potential fraud indicators where there may be misalignment between travel plans and expense transaction locations. </p><p>Auditors can use data visualization to add value in addition to investigating noncompliance. It could highlight frequent exception trends and indicate broader implications, such as the need for additional employee training for specific parts of the corporate card policy or the need to amend the policy. For example, the corporate card policy may have a standard flat threshold for specific expense types, such as lodging or business meals. However, the policy does not consider that guideline amounts are not realistic for high-cost-of-living areas, such as New York or San Francisco, and may indicate that the policy needs to be amended to allow for fluctuations. Data visualization could help draw attention to these types of trends.</p><p>The data also could highlight opportunities to reduce costs and negotiate group rates if, for example, it finds that cross-departmental employees frequently attend the same conferences or events. On the other hand, it could flag individuals who did not use the prenegotiated group rate, and management could use it as an opportunity to educate those employees on ways to maximize their budget. </p><p><strong>Limitations</strong> Despite these benefits, there is a risk of overreliance on data visualization. 
The insights gleaned from it are limited by the accuracy and completeness of the data inputs, false positives, or misleading trends if used incorrectly.</p><h2>Automation</h2><p>Processes that can drive efficiency and cost savings in corporate card audits include robotic process automation (RPA), a software robot that mimics human actions; machine learning (ML), a subset of artificial intelligence (AI) that allows systems to learn new things from data; and AI, the simulation of human intelligence by machines. </p><p><strong>Opportunities</strong> The combination of RPA, ML, and AI creates a system that mimics human judgment in defined circumstances and could reduce time spent on repetitive and low-value tasks. With the advent of these technologies, the audit concept of reasonable assurance due to limited available audit hours and resources could move much closer to absolute assurance. In the past, internal auditors have focused on rigid criteria: a specific time period, an individual's or group's transactions, keywords, or transactions that exceed a defined threshold. Many potential noncompliant transactions that fall out of the hard-line criteria would be missed, and without software with AI capabilities, it would be impossible for auditors to review the entire volume of transactions.</p><p>Expense tracking software could incorporate a company corporate card policy so that RPA could continuously monitor and flag noncompliant transactions for additional approval or auditor review. This would ensure that auditors focus on transactions that are more likely to be exceptions and perform more meaningful work.</p><p>Optical character recognition (OCR) image-reading software could save not only the submitter's time, but also the approver's and auditor's time, by automatically pulling and matching the amounts from the uploaded receipt to the reported expense transaction. 
For international receipts in foreign languages, the software can translate the text, look up local tax rates, and apply currency exchange rates. More advanced expense-tracking software could cross-reference publicly available data, such as online menus or historical hotel rates, to determine a reasonable range for specific expenses, allowing the reasonable-expense threshold to vary with seasonal or location-based fluctuations.</p><p>AI with OCR could detect split transactions, where a larger receipt is paid through multiple transactions or on multiple corporate cards. Another form of split transaction occurs when a deposit is paid in advance and the remaining balance is paid at a later date. Image-reading software could detect this readily, while it is much harder for an auditor to find with paper receipts. OCR could also reduce duplicate reimbursement of the same expense submitted more than once, and circumvention of the policy's expense guideline amount.</p><p>Another AI capability is systematic risk profiling. Low-risk recurring transactions could be auto-approved and bypass the need for manager review, saving hours of administrative time and increasing the time available for more productive tasks. That time could be focused on high-risk individuals or departments more likely to be noncompliant, leading to increased policy education or behavior change. Any auto-approval path should still be sampled periodically, because a predictable "low-risk" pattern is exactly what a motivated employee would learn to imitate.</p><p><strong>Limitations</strong> AI, ML, and RPA are relatively new and often expensive technologies. The software is only as good as the training data set and what it has been programmed to do. AI involves a learning process in which users must "train" the software. Moreover, the AI tools may produce a high number of false positives, which could create more work than traditional methods. And if the training data already contains pervasive noncompliance, the model may learn it as normal and never flag it, whereas a person could.
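
As an added illustration, not code from the article or from any expense platform, the following Python script implements three of the checks described above under Automation: a per-category limit scaled for high-cost cities, same-merchant charges that breach the limit only in total (a bill paid on two cards the same day, or a deposit followed weeks later by the balance), and the same receipt submitted twice. The policy limits, city multipliers, the 30-day window, and the eight transactions are assumed, constructed values.

```python
"""Added example (not from the article): three policy checks an auditor
might automate over corporate card transactions.  Policy values, city
multipliers and the sample transactions below are all assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: flat per-category limits, scaled up in high-cost cities.
CATEGORY_LIMITS = {"lodging": 250.00, "meal": 75.00}
CITY_MULTIPLIER = {"New York": 1.6, "San Francisco": 1.6}


@dataclass(frozen=True)
class Txn:
    txn_id: str
    employee: str
    card: str        # last digits of the card used
    merchant: str
    city: str
    category: str
    amount: float
    posted: date


def limit_for(category: str, city: str) -> float:
    """Policy limit for a category, adjusted for the transaction's city."""
    return CATEGORY_LIMITS[category] * CITY_MULTIPLIER.get(city, 1.0)


def over_limit(txns):
    """Single transactions that exceed the location-adjusted limit."""
    return [t for t in txns if t.amount > limit_for(t.category, t.city)]


def _evasive(cluster):
    """A cluster is evasive when its total breaches the limit but no single
    piece does; returns the cluster's transaction ids as one finding."""
    if len(cluster) < 2:
        return []
    lim = limit_for(cluster[0].category, cluster[0].city)
    total = sum(t.amount for t in cluster)
    if total > lim and all(t.amount <= lim for t in cluster):
        return [tuple(t.txn_id for t in cluster)]
    return []


def split_transactions(txns, window=timedelta(days=30)):
    """Cluster same-employee, same-merchant charges posted within `window`
    of each other (across any cards) and flag the evasive clusters.
    Catches a bill paid on two cards on the same day as well as a deposit
    followed weeks later by the balance."""
    groups = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.posted):
        groups[(t.employee, t.merchant, t.category, t.city)].append(t)

    findings = []
    for ts in groups.values():
        cluster = [ts[0]]
        for t in ts[1:]:
            if t.posted - cluster[-1].posted <= window:
                cluster.append(t)
            else:
                findings.extend(_evasive(cluster))
                cluster = [t]
        findings.extend(_evasive(cluster))
    return findings


def duplicates(txns):
    """Same employee, merchant, date and amount submitted more than once,
    e.g. the same receipt uploaded twice, possibly against two cards."""
    seen = defaultdict(list)
    for t in txns:
        seen[(t.employee, t.merchant, t.posted, round(t.amount, 2))].append(t.txn_id)
    return [tuple(ids) for ids in seen.values() if len(ids) > 1]


# Constructed sample data, not real transactions.
SAMPLE = [
    Txn("T1", "alice", "1111", "Grand Hotel", "New York", "lodging", 380.00, date(2020, 10, 5)),
    Txn("T2", "bob",   "2222", "Grand Hotel", "Chicago",  "lodging", 300.00, date(2020, 10, 5)),
    Txn("T3", "carol", "3333", "Bistro 41",   "Chicago",  "meal",     60.00, date(2020, 10, 6)),
    Txn("T4", "carol", "4444", "Bistro 41",   "Chicago",  "meal",     55.00, date(2020, 10, 6)),
    Txn("T5", "dan",   "5555", "Bay Resort",  "Miami",    "lodging", 100.00, date(2020, 9, 20)),
    Txn("T6", "dan",   "5555", "Bay Resort",  "Miami",    "lodging", 200.00, date(2020, 10, 10)),
    Txn("T7", "erin",  "6666", "Corner Cafe", "Boston",   "meal",     30.00, date(2020, 10, 7)),
    Txn("T8", "erin",  "6666", "Corner Cafe", "Boston",   "meal",     30.00, date(2020, 10, 7)),
]

if __name__ == "__main__":
    print("over limit:", [t.txn_id for t in over_limit(SAMPLE)])
    print("split:     ", split_transactions(SAMPLE))
    print("duplicates:", duplicates(SAMPLE))
```

Run as a script, it reports T2 as over limit, the pairs T5/T6 and T3/T4 as split charges, and T7/T8 as a duplicate; T1 passes only because the New York multiplier lifts the lodging limit to 400. The clustering is deliberately coarse: it keys on employee, merchant, category, and city, so a split across two merchant names for the same venue slips through, and a flagged pair still needs an auditor to decide whether it is evasion or a legitimate deposit-and-balance booking.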
</p><p>ML and AI are susceptible to biases and skewed results because of bad data inputs. For instance, the technology might learn that a certain gender or race is a higher risk for noncompliance, leading auditors to focus on those individuals' transactions and possibly resulting in legal consequences.</p><h2>Beyond Compliance</h2><p>Auditing purchase card expenses goes far beyond reviewing for policy compliance. By using the cloud, data visualization, and automation in corporate card audits, auditors can drive better stewardship of company resources. While these technologies provide tremendous benefits, it is important for internal auditors to be aware of their downsides and to adjust accordingly. By building on this foundation, internal audit also can use these technologies to transform the audits of other business areas and processes.</p>Bonnie Tse
