Do You Have Data Fever? You Have Data Fever?<p>​A new internal auditor receives his latest assignment. His manager asks, “How are you going to approach the review of this area?” The auditor responds, “I want to test this, and I want to test that, and I want to test the other thing.” The manager asks why the auditor wants to perform those tests. Excitedly, the auditor answers, “Because that’s where all the information is.”<br></p><p>This scenario illustrates a common mistake made by new auditors — seeking to jump in without considering the risks, the processes, the criteria, or even the audit objective. The auditor recognizes a testable area and says, “I am doing an audit of this department and I know they have expense reports, so I will test the expense reports.”<br></p><p>Of course, those of us with years of experience and knowledge would never fall into that trap, right? Not so fast.<br></p><p>We live in a world where systems hold more information than anyone can possibly fathom. We are awash in data — big, large, super-sized, venti. And data analytics has become a buzzword that draws auditors like frau​dsters to inadequate controls. When auditors see that glorious richness of data, they fall back into that rookie mind-set: “I don’t know what I want or what I’m trying to prove or what I’m going to do with it, but I want everything you’ve got.”<br></p><p>At one time or another we’ve all caught it — data fever: The desire for more and more information without considering what that data is. We turn the fire hose on full force and what we intended to be a thirst-quenching sip of real information turns into a suffocating flood of meaningless facts, figures, and folderol. <br></p><p>More is not always better. The rules for gathering data are the same as for any audit test. First determine what you want to accomplish with the audit. Then articulate what you want to do with the data, coordinating that understanding with the already-identified risks. <br></p><p>It all begins by understanding what the data represents and what it might say. Before even thinking about asking for the data, auditors should talk with the data owners to understand what is available, how it is used, and how it relates to the processes under review. Then, and only then, should auditors begin to think about what data may be needed.<br></p><p>The promise of data analytics is to assist in performing audit work more efficiently. It also represents an opportunity for internal audit to provide real value by showing the organization how all that data can be helpful to everyone. But that cannot be accomplished by just gathering every scrap of data available. Just as you would stop a new auditor from barging forward with unfocused and potentially meaningless testing, stop yourself when asking for a data dump and determine what you are really trying to accomplish. <br></p>Mike Jacka1211
Reporting on Cyber Threats on Cyber Threats<p>​Cybersecurity is at the forefront of most organizations' risk discussions, especially at the audit committee and senior executive levels. However, internal audit reporting may not reflect current cyber threats. It is time for auditors to consider revising the evaluation criteria they use to determine whether an IT finding is reportable.</p><p style="text-align:left;">Raising IT risk concerns may clash with the audit committee's threshold for materiality. For example, data breaches often involve reputation risks more so than financial risks. This is the existential question with cybersecurity: What is costly versus what makes the organization look bad. Overall, internal audit should consider whether outdated reporting criteria have created an<span style="text-decoration:underline;"> </span>expectation gap between what the audit committee expects to be reported and what internal audit considers worth reporting.</p><h2>The Current State of Reporting</h2><p>CAEs use multiple criteria to determine whether a finding is reportable to the audit committee and senior executive levels. In a survey of 163 CAEs<sup> </sup>conducted in July by The IIA's Audit Executive Center, 81 percent say their reporting criteria do not differ among different types of audits, such as fraud, compliance, and IT. </p><p>The survey reveals minimal differences in criteria used to report to the audit committee and senior management. Forty percent of respondents use a combination of criteria or additional criteria, including all internal control weaknesses, judgment, and risks to the organization, to determine what to report to senior executives. That percentage rises to 45 percent who use those criteria as a basis for reporting to the audit committee. Thirty-nine percent use pervasive internal control weakness as their criteria for reporting to both reporting levels. Overall, just 7 percent consider dollar threshold a reporting indicator for both senior executives and audit committees. </p><p style="text-align:justify;"> <img src="/2016/PublishingImages/gen-report-exec.jpg" alt="" style="margin:5px;width:425px;height:317px;" /> <em>Source: IIA Audit Executive Center</em><br> </p><p> <br> </p><p style="text-align:justify;"> <img src="/2016/PublishingImages/Gen-report-ac.jpg" alt="" style="margin:5px;width:425px;height:323px;" /> <em>Source: IIA Audit Executive Center</em><br></p><p> <br> </p><p>When asked about specific IT findings, CAEs overwhelmingly focus on whether the findings affect more than one business segment or department, or has an organizationwide impact (49 percent to senior executives and 51 percent to audit committees). Additionally, 42 percent use a combination of criteria that includes other factors such as business and reputational impact in determining which issues to report to senior executives and the audit committee. Only 5 percent of respondents consider dollar threshold a reporting criteria for either level.</p><p style="text-align:justify;"> <img src="/2016/PublishingImages/IT-report-exec.jpg" alt="" style="margin:5px;width:425px;height:329px;" /> <em>Source: IIA Audit Executive Center</em><br></p><p> <br> </p><p style="text-align:justify;"> <img src="/2016/PublishingImages/IT-report-ac.jpg" alt="" style="margin:5px;width:425px;height:339px;" /> <em>Source: IIA Audit Executive Center</em><br></p><p> <br> </p><h2>Are the Criteria Still Appropriate?</h2><table width="100%" cellspacing="0" class="ms-rteTable-0"><tbody><tr class="ms-rteTableEvenRow-0" style="text-align:center;"><td class="ms-rteTableEvenCol-0" colspan="2" style="width:50%;">​<strong>Audit Committee and Senior Executive <br>Reportable IT Findings</strong> ​</td></tr><tr class="ms-rteTableOddRow-0"><td class="ms-rteTableEvenCol-0">​<strong>Reportable</strong> </td><td class="ms-rteTableOddCol-0">​<strong>Not Reportable</strong> </td></tr><tr class="ms-rteTableEvenRow-0"><td class="ms-rteTableEvenCol-0">​User account activation process findings that impact the organization's ability to appropriately assign user access.</td><td class="ms-rteTableOddCol-0">​User access typically is assigned appropriately, but a current audit noted a couple of users whose access was assigned incorrectly. </td></tr><tr class="ms-rteTableOddRow-0"><td class="ms-rteTableEvenCol-0">User account deactivation process findings that impact the organization's ability to disable user access timely upon termination. ​</td><td class="ms-rteTableOddCol-0">​User account deactivation process works correctly, but a current audit noted one or two contractors or employees whose access were not disabled timely. </td></tr><tr class="ms-rteTableEvenRow-0"><td class="ms-rteTableEvenCol-0">​User transfer process findings where access is not removed when employees transfer to other departments.</td><td class="ms-rteTableOddCol-0">​User access is typically adjusted upon transfer, but a current audit identified one or two users whose access were not adjusted. </td></tr><tr class="ms-rteTableOddRow-0"><td class="ms-rteTableEvenCol-0">​Patching process findings where patching does not occur timely organizationwide. </td><td class="ms-rteTableOddCol-0">​Most servers are patched timely except for a few. </td></tr><tr class="ms-rteTableEvenRow-0"><td class="ms-rteTableEvenCol-0">​Two-factor authentication findings where the authentication system has organizationwide issues (i.e., does not work all the time). </td><td class="ms-rteTableOddCol-0">​Most servers have two-factor authentication enabled for interactive login, but one or two do not. </td></tr></tbody></table><p>Although organizationwide impact is the criterion survey respondents consider most impactful in deciding to report IT findings, this may cause internal audit to not report seemingly lesser findings that could potentially be big cyber threats. Findings such as having one or two untimely user account terminations or users who have been assigned incorrect access would most likely not be considered reportable under current generally used criteria (see "Audit Committee and Senior Executive Reportable IT Findings" at right). </p><p>Yet, these are similar to the causes of some of the largest data breaches reported to the <a href="" target="_blank">Identity Theft Resource Center</a> both this year and historically. These include:</p><ul><li>Stolen third-party or employee credentials.</li><li>Stolen mobile device.</li><li>Unsecure wireless network.</li><li>Two-factor authentication disabled on a few servers.</li></ul><p> </p><p>These data breach trends suggest the current reportable criteria may not reflect cyber threat reality. Although only a few items, or even one item, could be found during an audit, such items may open the door for a hacker or general user to allow data theft to occur. In the world of cybersecurity, the small details matter. Failing to perform an appropriate activity for a single user or server could have an organizationwide impact.</p><p>Questions to consider include:</p><ul><li>In today's world of cyber threats, is the criteria used to decide when to report an IT finding to the audit committee and senior executives still relevant?  </li><li>Should the criteria be revised so that other IT findings currently deemed to be lesser risk would be considered reportable?</li><li>Are the board or senior executives sufficiently educated about cybersecurity to understand the impact of such findings?</li></ul><h2>Modifying Expectations</h2><p> <a href="" target="_blank">Internal Audit's Role in Cyber Preparedness</a>, a 2015 white paper from The IIA's Internal Audit Foundation, discusses the importance of taking a holistic approach to an organization's cybersecurity practices and how internal audit can assist in this endeavor. The white paper cites a <a href="">National Association of Corporate Directors (NACD) publication</a> in which 87 percent of respondents to the 2013-2014 NACD Public Company Governance Survey reported their board's understanding of IT risk needs improvement.<sup> </sup><sup> </sup>The IIA white paper says boards could gain access to cybersecurity expertise by adding members with technology industry expertise. Other suggestions include:</p><ul><li>Scheduling "deep dive" briefings from third-party experts, including specialist cybersecurity firms, government agencies, and industry associations.</li><li>Leveraging the board's existing independent advisers, such as external auditors and outside counsel, who will have a multiclient and industrywide perspective on cyberrisk trends.</li><li>Participating in relevant director education programs, whether provided in-house or externally.</li></ul><p><br></p><p>As boards increase their cyber awareness, internal audit is complimenting this awareness by becoming more technology-savvy and providing services to the organization such as helping the board understand IT risks and the impact of new technology initiatives. Becoming more adept at using technology is helping internal audit provide such services, according to a recent Protiviti Report, <a href="" target="_blank">Internal Auditing Around the World</a>. </p><table width="100%" cellspacing="0" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​ <p> <strong>Summary and Analyses of Findings That Did Not Meet the Required Reporting Threshold</strong></p><p>Fifteen users with excess or incorrect access were noted among seven audits. Upon evaluating these overall, internal auditors noted an increased trend of failure by the business owners to ensure an adequate access review is performed periodically. Further follow-up revealed that five of the seven business owners were relatively new to the company and had not received the appropriate training. As management is aware, excess or incorrect access rights increase the organization's cyber threat level.</p><p>Untimely disabling of a user's application account occurred in eight out of 10 audits. While none of these incidents met the reporting criteria on its own, internal audit noted an upward trend in untimely removal of user access. It is interesting to note that five of the eight users were contractors for whom the business areas did not provide prompt notification of the need to disable their access. Management is now considering alternatives to manage contractor access. </p></td></tr></tbody></table><p>This growing cyber awareness creates an opportunity for internal audit to report on IT findings that were once considered lower risk and less impactful organizationwide. Similar to the common experience of external auditors reporting various material or immaterial individual financial adjustments, reporting on these IT events can further educate the board and senior executives on cyberrisks. </p><h2>Reporting Alternatives</h2><p>In the world where a single IT event now can cause an organizationwide threat, internal audit needs to engage audit committees and senior executives in discussions about single detailed events and their impacts. Yet, it takes time for perspectives to change and education to occur. In the meantime, there are alternatives auditors can use to retain the current reporting criteria and further emphasize these singular IT findings, including:</p><ul><li>Modifying the reporting narrative of each audit that is distributed to the audit committees and senior executives, including elaborating on the cyber threats encompassed by the audit. Alternatively, during the audit committee presentation, auditors can spend a few moments discussing the cyber threats detailed in the audit<strong><em>.</em></strong><span style="text-decoration:underline;"> </span></li><li>Educating senior executives and audit committees on the finer cyber threat details.</li><li>Maintaining the current reporting criteria and providing an annual summarized report noting the major themes from all unreported IT issues identified (for an example, see "Summary and Analyses of Findings That Did Not Meet the Required Reporting Threshold" at right).</li></ul><p><br></p><p>Although revising reporting criteria to better reflect the current cyberrisk environment should occur, suddenly changing long-established reporting practices may not be the best solution. Using the suggested reporting alternatives and easing into new criteria will allow time for the audit committee and senior executives to adjust their perspectives. Moreover, a gradual shift will allow for additional training and understanding that a single IT finding could do as much harm as a pervasive IT finding. </p><p> <br> </p>James Reinhard0598
Analytics-driven Audits Audits<p>​Data continues to be captured and processed at phenomenal rates. In fact, Computer Sciences Corp. predicts that by 2020, data production will be 44 times greater than it was in 2009. With so much data being generated, there is a need to connect the dots and get meaningful information from it. An audit that is intuitive-based and uses a selection of random samples may not be that effective in the changing business landscape. With so many automated processes, the way internal audit departments conduct audits also needs to be automated. <br></p><p>An analytics-based approach to audit makes it possible to review large data sets and get meaningful insights into internal control processes, including probable vulnerabilities in meeting the overall assurance objectives. The use of analytics can increase audit efficiency and lead to a deeper understanding of the business, risk assessment, and real-time monitoring. Data analysis can be applied to areas such as audit planning, sample selection, risk assessment, control testing, and identifying red flags.<br></p><h2>Data Types and Storage</h2><p>Before embracing data analytics, it is important to understand the types of data being generated. The analytics methods and tools used will depend on the type of data and the manner in which the data is generated and stored. <br></p><p>Qualitative data is a categorical measurement expressed with a natural language description. In statistics, it is often used interchangeably with categorical data (e.g., favorite color = “blue” or height = “tall”). Data are classified as nominal if there is no natural order between the categories (e.g., eye color), or ordinal if an ordering exists (e.g., exam results).<br></p><p>Quantitative or numerical data are counts or measurements. The data are said to be discrete if the measurements are integers (e.g., number of people in a household) and continuous if the measurements can take on any value, usually within some range (e.g., weight). Quantities whose value differ from one observation to another are called variables (e.g., the height and shoe size of every person are different).<br></p><p>Generated data is stored in data warehouses in different formats. Structured data is information, usually displayed in columns and rows, that can easily be ordered and processed. This could be visualized as a perfectly organized filing cabinet where everything is identified, labeled, and easy to access. Unstructured data  has no identifiable internal structure. Types of unstructured data include word processing files, PDF files, digital images, video, audio, and social media posts.<br></p><h2>Data Analytics</h2><p><img src="/2016/PublishingImages/B2B_Aug%2716_chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Data analytics is an analytical process by which insights are generated from operational, financial, and other forms of electronic data internal or external to the organization that communicates exceptions and outliers. Exceptions are deviations from any defined criteria internal or external to the organization. Outliers are considered any data or records that are inconsistent with the population to which it belongs. Analytics relies on the simultaneous application of statistics, computer programming, and operations research to quantify performance. <br></p><p>Data analytics tools and techniques assist in transforming and improving audit approaches in terms of providing insights, predicting outcome, optimizing sampling decisions, extending audit coverage, and highlighting key deficiencies. Analytics embeds data visualization to effectively communicate insight.<br>Analytics is not just about technology. It refers to the use of certain technologies, skill sets, and processes for the exploration, evaluation, and investigation of data generated during business operations (See “The Process of Data Analytics” at right). </p><h2>Analytical Techniques</h2><p>Analytical techniques can be used for risk assessment and control testing in various areas. It is important to link the business understanding, processes, and regulations and co-relate them with the data available to identify exceptions or outliers. There are four types of analytical stages.  <br></p><p>Descriptive analytics identifies events that occurred in the past, while diagnostic analytics looks for reasons past events occurred. Predictive analytics predicts future outcomes based on past events, and prescriptive analytics provides a feasible line of action. Auditors need to gradually move from identifying what went wrong to forecasting what may go wrong. The shift from descriptive to predictive and then to prescriptive analytics requires the application of business insights with analytical techniques supported by technology advancements.<br></p><h2>Analytics Software</h2><p>Some of the numerous tools available for carrying out data analytics require coding or scripting and may not be as user-friendly compared to tools with an easy-to-use graphical user interface. Questions that can help determine which tool to invest in include: What problem needs to be solved? What are the net costs for learning a new tool? What are the other available tools and how do these relate to commonly used tools?<br></p><h2>Changed Business Environment</h2><p>Considering the ever-increasing nature of digitization, it is inevitable that internal auditors change their approach to executing audits. Traditional methods of vouching and verification may need to be reviewed to bring them in line with the changed business environment. Considering increased expectations from stakeholders and the need to look deeper into business transactions, embedding analytics in audit is unavoidable. The proliferation of new forms of data and evolving concepts of analytics-driven audits means internal auditors can gain deeper insights into the business. <br></p>Neha Pansari1751
The Mind of a Credit Card Hacker Mind of a Credit Card Hacker<p>​One of the biggest credit card fraud rings was a collaboration between Miami hacker Albert Gonzalez and hackers in Russia. The ring used SQL injection to steal more than 90 million credit and debit card numbers from retailers such as Barnes & Noble, BJ’s Wholesale Club, Boston Market, OfficeMax, and TJX — the parent company of Marshalls and T.J. Maxx. Gonzalez and his crew were active for two years, and he was known to brag that he had to count hundreds of thousands of dollars by hand when his money-counting machine broke.<br></p><p>Gonzalez got greedy, and his flashy lifestyle caught the attention of law enforcement officials. In 2010, a U.S. federal District Court sentenced him to 20 years in a federal prison and fined him US$25,000.<br></p><p>Smart hackers keep a low profile and cover their tracks so they can continue the cycle. With the right campaign, they can obtain thousands of credit card numbers and sell them for millions of dollars. To help defend their organizations, internal auditors need to know why hackers target the business’ credit card information, how they can steal it, and what happens after the data is stolen. That means learning to think like a hacker. <br></p><h2>First, They Need a Vector</h2><p>A vector is a network, email, application, or host that delivers a viral payload to the user. To gain entry to an organization’s systems, hackers use tools, programming experience, and social engineering skills to target a user’s computer or convince that person to voluntarily give them information or access. The vector they choose determines the steps they need to steal an organization’s data. <br></p><p>Phishing is one of the more common methods. Hackers send emails to unsuspecting victims and convince them that they need to enter private information on a fraudulent website form. For example, the hacker uses PayPal’s logo and a similar domain name to trick users into typing their PayPal user name and password. Internet usage policies should instruct employees to always type the name of the official website in a browser instead of clicking random links embedded in an email.<br>A recent variation on phishing attacks is to send employees emails claiming to be from their organization’s CEO and directing them to complete a transaction. <br></p><h2>Collect the Stolen Data</h2><p>Attackers use zero-day viruses to gain access to a computer. Zero-day viruses have not been previously detected by antivirus software companies, so the software doesn’t recognize them. For this reason, a hacker can quickly collect data and transfer it to his or her private server.<br></p><p>Speed is also essential for hackers who use phishing emails. As soon as email recipients detect that the email and site are fraudulent, it’s only a matter of time before the emails are blocked and the host terminates the hacker’s account. The hacker needs to collect the data from the server and transfer it to a safe location.<br>During the data collection stage, hackers also need to cover their tracks. They can do this by using a different host for the next vector, changing malware signatures, and setting up new anonymous email accounts. <br></p><h2>Verify the Cards Are Valid</h2><p>This step is the most crucial and risky. The hacker needs to verify the cards are valid. The hacker can do this by creating accounts at websites that sell low-priced items and don’t have as much security regarding billing and shipping addresses. A list of these sites can be found through a criminal network or a search engine. The hacker makes small purchases from these online stores to verify the card is still valid and the original cardholder isn’t paying attention to purchases on it. <br></p><p>Consumers who check their debit and credit card activity frequently can detect these transactions quickly before the charges finalize. Moreover, many financial institutions have fraud detection that automatically flags a card for suspicious transactions. These card numbers won’t work, which reduces the hacker’s credibility and trustworthiness with buyers. <br></p><p>Because the hacker’s purchases are small amounts, they can more easily slip through detection. For example, the attacker might charge US$5 on a card and wait a few days. If the charges go through and the product is shipped, he or she can make larger charges or sell the card number on the black market.<br></p><h2>Create Fake Cards </h2><p>For US$100, hackers can create fake credit cards. The number printed on the front of the card is usually fake, but the card number on the magnetic strip is one of the stolen numbers. The attacker also can sell these physical cards, but it’s much more work to send the cards to a buyer.  <br></p><h2>How Auditors Can Respond</h2><p>By understanding the way hackers work, internal auditors can gain better insight into ways to protect the personal data their organization has stored. Here are recommendations auditors can provide to help their organizations shore up their defenses.<br><br><strong>System Requirements</strong> Auditors should advise the IT department or process owners to install and maintain a firewall configuration that is capable of protecting cardholder data. The organization should encrypt transmission of cardholder data across open, public networks, including wireless networks. Also, the organization should use up-to-date antivirus software and ensure that all antivirus mechanisms are current, actively running, and capable of generating audit logs. In addition, it should monitor all access to network resources and cardholder data, and test security systems and processes regularly. <br><br><strong>Access Control</strong> Internal auditors should advise the IT department to limit access to computing resources and cardholder information only to those individuals whose jobs require it. The organization should physically secure all paper and electronic media that contain cardholder data, including computers, networking and communications hardware, paper receipts, reports, and faxes. Moreover, it should use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.<br></p><h2>Becoming a Harder Target</h2><p>As their organization’s third line of defense, internal audit’s assurance and advisory services can be vital to protecting the business from today’s hackers. Auditors should review the organization’s security measures and related controls at least annually, and preferably more frequently, as risks evolve. They also can advise their organizations about ways to strengthen those measures and be better prepared to respond to an incident. With organized hackers targeting organizations from all sides, such actions can help make the difference between becoming a harder target for attackers and suffering a heavy loss from a data breach.    <br></p>Sharif A. Nogod1862
IT and the Integrated Audit and the Integrated Audit<h2>​​How do you define integrated audit from an IT perspective?<br></h2> <p> <strong>KIM</strong> An integrated audit considers IT, financial, and operational controls holistically. While a traditional audit focuses on financial, operational, or IT aspects only, an integrated audit takes a more global approach. From an IT perspective, an integrated audit provides assurance that IT controls are effective and efficient to support the business process. This approach acknowledges that IT, financial, and operational controls are mutually dependent.​<br><strong>JENKINS</strong> There are few strategic initiatives in organizations that don’t include an IT component. Our world has turned into an online world, with technology playing a role in everything we touch. The integrated audit is a more holistic approach, focused on the organization’s top risks. Internal audit won’t be able to present a complete picture of the organization’s risks without considering the technologies associated with them. <br></p><h2>What is your organization’s approach to integrated audits?</h2><p> <strong style="line-height:19.2px;"><img src="/2016/PublishingImages/pamela-jenkins.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />JENKINS</strong> Fossil is a global organization with retail, distribution, wholesale, and manufacturing facilities in many countries. Internal audit aligns its audit plan with the company’s top global risks. Our audit department has limited resources and IT auditors. We work efficiently and leverage our resources to ensure we address the top risks for the company. Our IT auditor is a part of every audit we perform. Over the last few months, we have begun socializing with the company a more integrated audit approach. We have the full support of the audit committee and top management. As we hire, we look for integrated auditors who can look at a business process, pick out where the risks are, and identify if there are any technology-related red flags. <br> <strong style="line-height:19.2px;">KIM</strong> Integrated audits are the rule rather than exception in my organization. Organizations rely heavily on IT to perform their work. To understand an audit client’s internal controls over a business process requires an understanding of the effectiveness and adequacy of IT controls. All of our staff auditors are trained to perform basic IT audits. However, for audits that are highly technical, we have a team of IT specialists with advanced IT skills. This provides us a cost-effective way to keep up with the rapid changes in technology, as well as deal with the difficulty of recruiting and retaining IT audit professionals, which can be a challenge in the current environment. <br></p><h2>What value does a successful integrated audit approach bring to the organization?</h2><p> <strong style="line-height:19.2px;"><img src="/2016/PublishingImages/Tina-Kim.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />KIM</strong>​ Integrated auditing promotes the principle of risk-based auditing. The business environment is increasingly complex, and businesses and governments are confronting a wide range of risks. Integrated auditing allows audit functions to consider and evaluate risk globally and focus audit efforts on the highest impact areas. More importantly, it increases the relevance of internal auditors’ work by providing better value to stakeholders. Study after study has shown that stakeholders are expecting more from internal audit functions, including those already receiving significant value. By helping to break down silos and increase transparency, integrated auditing provides management with increased insight on how various types of risks impact their business processes and gives auditors more exposure to different aspects of an organization’s operation, increasing their effectiveness. <br> <strong style="line-height:19.2px;">JENKINS</strong> Without an integrated audit approach, the audit results are not covering the full business process/potential risk. To ensure the largest risks of the company are addressed, the audit process needs to include IT. An integrated audit enables auditors to look at an issue holistically and identify the entire risk, not just a piece of it.​</p><h2>What IT skills and knowledge do internal auditors need to communicate with IT professionals?</h2><p> <strong style="line-height:19.2px;">JENKINS</strong> I think it goes both ways. Yes, audit professionals need to have comprehensive knowledge of IT to effectively identify risk and communicate with IT departments, but IT auditors also need to have more than just IT experience. They need to be able to see the forest for the trees, and communicate from a business perspective. It is important for the IT audit professional to have good business acumen to enable an understanding of the business process/risk and its relationship to the IT components. IT auditors need to bridge the gap between being highly technical and being able to speak in basic business terms. <br> <strong><strong style="line-height:19.2px;">KIM</strong>​</strong> Having an education background in computer science or a related field is a big plus. However, a genuine interest and desire to understand technology, coupled with the ability to quickly grasp new trends and understand new technologies, is just as critical. Moreover, as with all audit positions, not only are technical skills important, but communication and other soft skills are also vital. To be effective, internal auditors need to speak the language of their stakeholders. <br></p><h2>What types of IT-related audits should internal audit be able to perform without IT audit expertise?</h2><p> <strong><strong style="line-height:19.2px;">KIM</strong></strong> The IT audit universe represents a continuum of audit activities that run the gamut from basic to intermediate to highly technical and complex. Most internal auditors with training both in the classroom and on the job can generally progress to a level that enables them to perform a basic IT audit. In fact, one of the benefits of the integrated audit approach is that audit staff members work on a single team alongside auditors with more IT audit experience. This provides audit staff with increased exposure and experience in IT audit. That said, the continuum of IT audit activities progressively requires increasingly specialized IT skills. It is generally not cost-effective to train the entire audit team in these higher-order areas. In these instances, the use of specialists should be considered. <br> <strong style="line-height:19.2px;">JENKINS</strong> Internal audit should be able to perform any broad audit with IT components. Even if the auditor is not a certified IT auditor, he or she needs to have a good understanding of where the IT risks are and be able to identify the red flags. Most audit departments do not have the bandwidth to have several auditors with deep technical skills. This is where being a part of The IIA is very helpful, because the auditors can go to The Institute for thought leadership, resources, and benchmarking to help on certain projects. We take advantage of cosourcing. These cosourcing arrangements are ideal for larger and highly technical projects that require a deeper dive into IT.<br></p><h2>What types of IT-related audits should only be performed by IT audit specialists?</h2><p> <strong style="line-height:19.2px;">JENKINS</strong>​ Most audits will have an integrated approach. However, some projects may be just IT focused. It’s important to be able to connect the dots back to the business side. We had our IT auditor document the organization’s global IT footprint so we understand the systems in entirety and where and how they connect. We then identified where we need to drill deeper. Some of those projects may require cosourcing. <br> <strong style="line-height:19.2px;">KIM</strong>​ The internal audit standards require that auditors have the knowledge, skills, and other competencies to perform their individual responsibilities. In the context of IT audits, these standards are uniquely challenging in that technology is constantly evolving, and, due to the costs involved, not all audit staff receive the specialized training required to keep pace. Therefore, for highly technical and complex audits involving areas such as network infrastructure or emerging technology, it is better to rely on an IT audit specialist who possesses the knowledge level and skills to meet the audit needs. <br>That said, recruiting and retaining such specialists is perhaps one of the greatest challenges facing audit functions that want to adopt integrated auditing. When internal resources are not available, alternatives to be considered include guest auditors or cosourcing. While the difficulties can appear daunting, the benefits in increasing risk coverage and creating efficiencies within the audit team are well worth the effort. </p><p> ​<br> </p>1698
Cyber Resilience Resilience<p>​Despite banks spending billions of dollars to protect themselves against cyberattacks, financial regulators remain unimpressed. Mary Jo White, chairman of the U.S. Securities and Exchange Commission, told the press in May that cybersecurity was the biggest risk facing the financial system, but banks’ “policies and procedures are not tailored to their particular risks.” Regulators in Europe also want action. Chairman of the European Banking Authority Andrea Enria — again in May — urged national regulators to stress test European financial institutions to see how vulnerable they were to hackers. If they fail, he said, they should be forced to hold more capital. <br></p><p>And as if that were not enough, SWIFT, the financial payment system that handles more than US$6 trillion in transfers every day, has unveiled a customer security program that includes plans to audit its 11,000 member institutions to check that their security is fit for purpose. “We will look into if and how customers’ compliance to these baselines can be made transparent to, and enforced by, counterparties, regulators, and ourselves,” SWIFT said. Members will have to share more information and tighten the security of their systems.<br></p><p>The pressure to strengthen IT platforms and applications has come in the continuing wake of high-profile cyber failures. Three of SWIFT’s members, for example, have been hacked in the past seven months — including the Bangladesh central bank. Hackers got ahold of the SWIFT codes and transferred US$81 million from its accounts at the U.S. Federal Reserve.<br></p><p>It’s not just banks at risk, either. According to recent data released by the U.K. government, two-thirds of big U.K. businesses have been hit by a cyberattack in the past year. Most of the attacks involved viruses, spyware, or malware, the Cyber Security Breaches Survey said in May. It found that one in four large firms said they were breached once a month — sometimes more — and that attacks could cost millions of pounds to rectify. The volume, frequency, and sophistication of attacks are a game changer. <br></p><h2>Not If, But When   </h2><p>Many organizations are now working on the assumption that a cyber breach is inevitable and that they need to have rapid and effective response mechanisms in place to minimize damage. Internal audit departments are being called upon to help — providing everything from improved diagnostics to help locate where, when, and how a breach has occurred, to assistance with the very effectiveness of a business’ cyber breach response team.<br></p><p>“People now have to be in a posture that assumes you have been breached, rather than saying that you are never going to be breached,” Kelly Barrett, senior vice president of Home Services and former vice president of internal audit and corporate compliance at the Atlanta-based retailer The Home Depot, says. “That mindset changes the way you structure your security program.”<br></p><p>Barrett knows through painful experience what a data breach is like. She says no matter how much money a company spends on its defenses, hackers are likely to get ahead of the game through new techniques, or by attacking the most vulnerable part of the business or its supply chain. In addition to beefing up external defenses, Barrett advises organizations to think about what software can be used to pick up behavioral anomalies, such as employees logging into systems at unusual times or unexpected places, within the business, too. While such tools are sophisticated enough to run from day one, they improve over time as the IT team learns how the business works and eradicates any false positives the system may throw at them.<br></p><p>“The key point is that you are now assuming somebody may be looking at things, or using them, inappropriately,” she says. “And so the tools you use need to be much more proactive in looking for those unusual patterns.”<br></p><h2>Collaboration</h2><p>Home Depot’s audit team has been working with the chief information security officer (CISO) to think through the design of such programs, understand how the tools work, and ensure that they are actually controlling what the business intends them to control. Internal audit wants to know that the company is getting the full benefit from the technology it has invested in and that those people reviewing the outputs are accountable. That has also brought about a change in how audit operates in this area.<br></p><p>“Internal audit partners very closely with the CISO,” Barrett says. “They’re not sitting back and waiting to do an audit after the fact. They’re actually helping them look at the tools.” <br></p><p>Barrett realizes that some may question internal audit’s ability to remain independent, but she is clear that as long as internal audit is not implementing controls, that can be achieved. What is powerful about the partnership, she says, is its ability to bring together security experts with auditors who have an equally strong grasp on controls in a way that is proactive. In fact, Barrett is the chair of the company’s data security and policy governance committee, which helps her — and the organization — achieve a helicopter view of the security procedures across the business. “That helps us make sure all the different pieces are being considered, and we are thoughtful about what the response is,” she says. <br></p><p>In the U.S., at least, some of the impetus for smarter working and multidisciplinary cyber defense and reaction programs has come from the board as much as from those working within organizations. If there has not been a revolution that has catapulted cyberrisk to the top of the risk agenda exactly, there has been steady evolution, says Gary Pollack, senior vice president, Assurance Services Leader, American Express Co. in New York.<br></p><p>“Three to five years ago, IT risk professionals may not have been given as much time on the agenda as they are today,” he says. “We are clearly seeing an uptake in time allotment in audit and risk committees dedicated to information security and overall IT risk. It’s given us a seat at the table.”<br>being prepared<br></p><p>Pollack says, eventually, regulators are likely to mandate specialist IT skills on boards and risk committees. He says he has seen an increase of IT skills in people occupying these positions and expects that to increase as organizations continue to enhance their risk management practices.<br></p><p>For now, what is important for Pollack, as with many CAEs, is that customer trust in data protection is given top priority in the way that businesses respond to cyberattacks. “We have been aware for quite some time of the need not only to have a preventive strategy, but also a detective strategy,” he says. “There is a real need to consider a well-balanced approach to prevention and detection, as well as response mechanisms.”<br></p><p>Pollack says his organization has a dedicated team and protocols in place to respond to breach incidents ranging from how to communicate, escalate, and react timely to threats and attacks. From an internal audit perspective, that means Pollack’s team puts equal weight on auditing the preventive and detective parts of breach management controls, protocols, and escalation mechanisms. Audit also participates as an observer during test scenarios aimed at finding weaknesses in those systems before a breach occurs.<br></p><p>“Audit generally acts as an observer during test scenarios and as a reviewer of the results and action items,” he says. Audit then follows up on any actions that have been agreed on to make sure management deals with them. It also flags any gaps in defenses or reaction procedures and makes sure management fixes them.   <br></p><h2>Breach Response</h2><p>Auditors agree that having an appropriate response plan in place for a breach is critical — one that has been tested and retested before the event arises. While it would be rare for internal audit to take charge of such a team, it has a critical role to play, says Nigel Lewis, an independent audit consultant and trainer.<br></p><p>“From an audit point of view, the main thing is that we get assurance that someone will take charge of the incident response team and that there is an incident response plan linked with the business’ recovery plans,” he says. The size of the team depends on the nature of the organization, he says, but even large businesses would typically appoint only 10-15 people to it, split roughly two to one between IT experts and business executives. In an incident, those team members would call on their own teams to implement any remedial action needed.<br></p><p>"Part of the incident response will be pages and pages of plans detailing who does what and what the key activities are,” he says. “Auditing that process is important.” But what should it comprise? Lewis says auditors can cut through the complexity by dividing the process into three parts: reaction time, decision-making, and action.<br></p><p>Although more than eight in 10 breaches are detected within 24 hours, according to the latest U.K. government statistics, it can take months to detect a breach. In 2013, for example, <em>The Wall Street Journal </em>said Chinese hackers had infiltrated its systems for four months without detection. That does not mean swift action isn’t important once a hack is detected. The business needs to do a quick impact analysis to see what type of breach the team is dealing with. Fraud, breaches of confidential data, denial of service, intellectual property, and ransoms — the business needs a plan for each with specified response times. A denial of service attack, for example, is likely to need a faster technical reply than, say, a ransom demand. “You must know how quickly you can respond to each area and be able to test it,” Lewis says.<br></p><p>Many of the decisions a business might need to make can be pre-planned, too. And it is vital to know what the impact of those decisions are likely to be on the organization’s operations, staff, customers, regulators, and the media. Then it is time to put those decisions into action. Deciding which systems to close down and for how long is never easy, but being prepared makes it less likely the breach will turn into an all-out disaster.<br></p><p>“For all of this to work well, you need a good team, convened quickly, and comprising the right experts,” he says. Bringing in external support can be important, and keeping people up-to-date with the latest attack methods and breaches is essential.<br></p><p>If that sounds straightforward, it might be puzzling to know that 37 percent of firms have no cyber response plan, according to PricewaterhouseCoopers’ (PwC’s) 2016 Global Economic Crime Survey. That is because while businesses feel they have response systems in place, they tend to be structured to deal with classic threats such as flooding or power outages, says James Rashleigh, a cybersecurity director at PwC. “While they think they’re prepared, they suddenly find out when they suffer a cyber breach that they’re dealing with something very different.” Businesses that have not nominated a specific leader for the response team, or have someone from the IT team in charge, are not likely to be able to cope well as the issues are too wide-ranging. For example, breaches affecting customers may be subject to litigation, and putting together what happened from a legal perspective is complex.<br></p><h2>Cyber Governance</h2><p>Organizations that do not yet have a sound response team in place could do worse than go back to basics. “Cyberrisk is about protecting the customer,” says Liz Sandwith, a former Chartered Institute of Internal Auditors (IIA–U.K. and Ireland) president, and now chief professional practice adviser at the institute. “So we do all sorts of really great audits in the business space, but this goes beyond that into the real world of our customer base.”<br></p><p>That makes cyberrisk a business issue rather than a technical IT issue, although she is not convinced that many auditors in the U.K. have actually grasped what this distinction means. Behind every IT risk is a business risk, and it is the significance of the latter that can be overlooked when focusing solely on technical fixes and controls. In Sandwith’s view, auditors should decline to engage solely with IT technicians and insist that people from the business also are involved so the significance of the issue to the business is understood and controlled. While those getting a better grip on the issue might do a thorough risk assessment of the threats their organizations face, she says they also need to consider the board’s risk appetite.<br></p><p>“Internal audit has to make the board and the audit committee aware that it’s not just one of those risks where we do our work and make sure it won’t happen,” she says. “Cyber is a risk that is always going to be a risk.”<br></p><p>She says there is an opportunity for risk management and internal audit to work better together by focusing on the business risks from a resilience perspective. That involves members of the audit team really understanding IT risk from a technical and controls perspective and working with risk management to provide intelligent assurance around its controls. She says working across all lines of defense — management, risk, and audit — is critical if a business is to detect and respond effectively to cyberattacks, as no one function has the skills and scope to do it alone. But audit must be a leader in the process. “There is a real risk that without the right skills and knowledge, internal audit could provide false assurance — naïve assurance — to the board and the audit committee,” she says.     <br></p><p>In addition, Sandwith urges auditors to help establish an effective governance structure around cyberrisk, with defined risk appetite statements pertaining to each threat. Auditors can help ensure the business has information security, risk management, social media, and system access policies that are well-formulated and disseminated across the organization. Finally, she says, the CAE must keep the board engaged with cyberrisk as a living issue.<br></p><p>“Let’s not talk technical at board meetings,” she says. “This is about the impact on customers, reputation, profits, and share price — as well as potential sanctions for getting it wrong. That’s what gets the attention of the board.” And it gets the attention of the regulators and the public, alike. As society gets used to the idea that breaches are an inevitable part of online life, competitive advantage will fall to those who respond best. <br></p>Arthur Piper12804
Driving Innovation Innovation<h2>​You deploy first-of-a-kind technology to improve the quality of life for county residents. How do you balance innovation with managing risk? </h2><p>We apply three criteria to all of our projects. First, it has to be a concept or technology that we can test out in a lean, iterative manner. This helps minimize risk and limit up-front investment. Second, it has to have the potential to scale up. We get a lot of ideas that are too far-fetched. Finally, it has to be somewhat experimental. If we only went after the safe bets, we’d never be innovative.<br></p><h2>How are the challenges and opportunities associated with the Internet of Things (IoT) different from the way you’ve addressed previous technologies? </h2><p>Some new ideas and technologies can be tested in a bubble. IoT is different. It will literally change every aspect of the way we deliver services and govern. Because of that, it’s going to take a comprehensive, strategic approach. It turns our buses into roving data collectors. It eliminates entire labor categories. It changes the way we deploy first responders. So it has to be something we look at from a systems perspective so that we understand the ripple effects of each mini-revolution IoT sets off in each department.</p> <style> div.WordSection1 { } </style> <h2>How does your organization decide which innovations to adopt?  </h2><p>I’m lucky to have a county executive with a leadership style that empowers his team. So many of the day-to-day decisions fall to me. However, I couldn’t do what I do without a lot of partners and support from my team in the executive’s office. With their input and support we choose what ideas should make it into the pipeline.</p><h2>What does your office do to make sure IoT is developed and deployed securely?</h2><p> Partner, partner, partner. We can’t do this on our own nor can we figure it out on our own. No local government can. So we’re working with federal agencies like the U.S. National Institute of Standards and Technology and the National Science Foundation; corporate partners like AT&T, Microsoft, and local start-ups; and other communities through initiatives like the Global Cities Team Challenge. Only by looking outward will we figure out the best way to safely and securely deploy public-sector IoT solutions internally. </p><p><br></p>Staff0673
Editor's Note: What the Future Holds's Note: What the Future Holds<p>​Technology is evolving at a breathtaking pace. Just in the past 10 years, we’ve seen dramatic advancements in the areas of mobile computing, wireless connectivity, cloud technology, big data, and even artificial intelligence. It’s altered the way we communicate, how we purchase goods and services, and the way we do business. But where is all this heading, and what impact will it have? What changes will we see in the next 10 years? <br></p><p>Bruce Schneier, chief technology officer at Resilient, an IBM company, says in a recent <em>Forbes</em> article that we’re moving toward what he calls the World-sized Web (WSW). This massive interconnected system, he says, will have two main components: sensors and actuators. The sensors will collect data, leveraging the multitude of devices connected to the web, and the actuators will affect our environment by carrying out actions. The WSW’s “brains” will reside in the cloud, comprising some form of artificial intelligence. According to Schneier, the system will essentially be a “benign robot.”<br></p><p>That’s a heady concept, but perhaps not so far-fetched. In fact, the foundational components of Schneier’s robot — the Internet of Things (IoT) and cloud computing — are very much a reality for today’s organizations. As author Jane Seago explains in <a href="/2016/Pages/A-World-of-Connections.aspx">“A World of Connections,”</a> the impact of IoT on businesses is already well underway, and it’s an area that calls for close monitoring by internal auditors. She points to the abundance of connections that comprise IoT as a source of both potential benefits and great risk — working with management on both fronts, she says, will be key to auditors’ involvement in the organization’s IoT efforts. <br></p><p>Cloud computing, the decision-making center in Schneier’s WSW model, is the subject of <a href="/2016/Pages/Auditing-the-Cloud.aspx">“Auditing the Cloud.”</a> “With cloud computing becoming mainstream,” the authors say, “internal auditors need to devise new ways of pinpointing the risks these services pose and verifying the security ... of critical data housed by an outside provider.” They examine the many challenges presented by cloud platforms and outline key areas auditors should consider in their assessments.<br></p><p>Most likely, the risks and challenges associated with cloud computing, as well as IoT and other emerging technologies, will only continue to grow in the coming years. And while the shifts thus far may be substantial, and their implications for organizations vast, what’s to come may be truly seismic. Schneier says the impending technology will be increasingly powerful and eventually capable of autonomy. Acting on behalf of users, it will help maximize profits but also “empower criminals and hackers.”<br></p><p>Regardless of whether this prediction ultimately comes to pass, it’s a reminder of the need to constantly look ahead and consider how emerging technology may impact the organization. To paraphrase Schneier, whatever all of this means, we don’t want it to take us by surprise. </p>David Salierno0929
The Opportunity of Things Opportunity of Things<p>​In recent years technology threats have been at the top of the risk agenda for most organizations as lax data protocols and cybersecurity incidents have become more prevalent, more serious, and more costly to remediate. And while such events highlight the dangers of poor IT controls, management and boards must be careful that their attitudes toward embracing new technologies does not make them risk-averse or deter them from exploiting the terrific opportunities th​at such cutting-edge applications can bring to their businesses. Experts believe, in fact, that internal audit has a role in identifying the rewards as well as the risks.</p><p>Many IT analysts say that the next new wave of technological development will be through the growth of the Internet of Things (IoT). IT developer Cisco Systems estimates that investment in developing new IoT technologies will reach US$14.4 trillion by 2022. Furthermore, more than half of major new business processes and systems will incorporate some element of IoT by 2020, according to analyst firm Gartner.</p><p>Already companies are waking up to the opportunities that the technology may afford them, and some are beginning to make substantial investments. For many organizations, IoT technologies tend to be deployed in a "smart office" scenario, where embedded sensors are used in doors and ID cards to improve physical security protocols, or to improve daily office functions, such as connecting paper printers via IoT so that they can "sense" when they need fresh paper supplies or toner refills and then automatically order them. Many are also using IoT capabilities to facilitate real-time training and real-time accounting.</p><p>Several major companies have invested in more cutting-edge IoT technology to enhance their business and product capabilities, and it is here that more forward-thinking and innovative management teams and boards may be able to see a way of not only enhancing their service offerings, but also changing their business model. For example, IT giant Microsoft uses IoT software to collect data on what features are being used for its products so it can strip away the least popular ones and focus on those that customers prefer. </p><p>Automobile and aero-engine maker Rolls-Royce has taken a highly innovative approach and now uses data taken from IoT devices to support processes in three key areas of its operations — design, manufacture, and after-sales support. The company fits aircraft engines with sensors that send real-time data on the engine's function back to monitoring stations on the ground so that the chance of an engine malfunctioning mid-flight is significantly reduced. It also uses sensors to monitor manufacturing faults and achieve better quality control. For example, sensors used in the manufacturing processes at its new factory in Singapore generate half a terabyte of data on each individual fan blade that is produced, thereby more easily locating stress fractures and other problems. </p><p>However, as IoT relies on generating more and more data for companies to mine, the risks surrounding data protection and security also increase, which has been a barrier to some companies becoming early adopters. But Mark Homer, vice president for global customer transformation at ServiceMax, a company that provides cloud-based services for executives and employees away from the office, says that "boards need to understand the advantages inherent in using IoT devices, and not just concentrate on the cybersecurity risks that are associated with them." He adds: "Just as internal audit is there to warn boards about risk, they should also take a more strategic view and flag up the rewards."</p><p>Chris Price, global leader, people advisory services at professional services firm EY, says that the commercial opportunities IoT offers should not be ignored. Price explains that IoT can produce a "smart workforce" where employees are mobile and can operate just as effectively outside an office with access to the same online resources, and it can result in "smart equipment" in which sensors send data to measure operating conditions, quality results, and faults. He also cites the technology's enablement of "smart maintenance," where the data sent from the production sites can be monitored to see if there will be any machinery breakdown — and so reduce downtime — and request replacement parts there and then. </p><p>But Price adds that while using IoT to collect data may be useful, it is how companies analyze that data — and put it to use — that is important, which is an area that internal audit may need to make management and boards aware. "Collecting data is merely a starting point," he says. "Analyzing it, and then taking action based on the data — such as using it to understand customers and trends, and tailoring products and services to meet specific demands — is absolutely key as you turn raw data into information, and information into actionable insight. In this way, data analytics enabled by IoT provides companies with visualization (what has happened), insight (why it has happened), and foresight (where the company needs to go)."</p><p>Experts say more tech-savvy organizations will recognize that IoT usage can help create revenue by identifying potential problems for customers and providing opportunities to upsell. Furthermore, internal audit can make the business case that having that kind of insight into customer needs can deliver real business value, and that boards and management should embrace these capabilities rather than focus solely on the risks surrounding data security.​​</p>Neil Hodge1933
A World of Connections World of Connections<p>​Depending on the source you consult, by 2020 the number of internet-connected devices worldwide could range from 26 billion (Gartner) to 50 billion (Cisco). At either end of the spectrum, the number is staggering. Clearly, marketplace forces such as increasingly available broadband internet, decreased cost of connecting, expanded use of the cloud, growing numbers of devices built with Wi-Fi capability and sensors, and the lowered cost of technology have combined to create the perfect environment for the Internet of Things (IoT).<br></p><p>The impact of IoT is already well underway. This latest and perhaps most ubiquitous technology trend, which Jim Tully, chief of research for IoT at Gartner, London, defines as “a network of physical objects that contain technology that allows those objects to sense and interact with their surroundings and interact with those surroundings for business benefit,” is an integral part of our lives (see “Examples of IoT” below). Its fans extol IoT’s convenience, speed, personalization, and ease of use. Businesses tout its cost savings, safety enablement, revenue generation, and data-gathering abilities. <br></p><p>However, some view the implications of IoT’s billions of connections and terabytes of data and know that the benefits, while substantial, have a dark side: security risks, loss of privacy, and a diminished capacity for people to control their own lives. Kenneth Mory, principal for Stronghold Solutions International and former city auditor for Austin, Texas, states, “The horizon risks that IoT introduces are orders of magnitude beyond those of the present. These new vulnerabilities have grave implications for IT security and cybersecurity.” <br></p><p>Internal auditors have distinct reasons to ponder what IoT means for their organization. They may be called on to offer advice to management on the benefits and potential competitive edge IoT can provide. However, they must also monitor the new risks it introduces and the compensating controls required. They cannot afford to assume that something once fixed stays fixed. Just as a high tide raises all boats, the rapid development cycle for IoT means an equally rapid evolution of risks. Internal auditors need to stay attuned to these changes and be prepared to keep their organizations apprised.<br></p><h2>An Array of Risks</h2><table width="100%" cellspacing="0" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Examples of IoT</strong><br><br>Many IoT devices are so well embedded in everyday, modern life that we may not realize they are there. But IoT abounds, as indicated by this small sample suggested by Jim Tully, chief of research for IoT at Gartner, London:<br><ul><li><strong>Cars:</strong> Modules track a driver’s behavior — how he or she accelerates, takes the corners, stamps on the brakes. This information allows insurance companies to match the risk of individual drivers with their own specific premium. It can also enable insurance companies to offer “pay as you go” insurance, in which the premium is determined by the amount of time the car is driven or where it is — on a remote country road or in a big city at rush hour.</li><li><strong>Parking: </strong>Sensors monitor city streets and determine whether parking spots are being used. They then link to a mobile app that guides the driver to an available spot.</li><li><strong>Lighting:</strong> New lighting can track the location of people in buildings, providing safety benefits (ensuring their area is lighted) and cost savings (shutting off lights in unoccupied spaces). </li><li><strong>Toys:</strong> Some toys are equipped with cameras that can recognize the faces of individual children. They can then “learn” about those children and interact with them in a highly personalized way.</li><li><strong>Agriculture:</strong> Sensors in the fields track moisture and sunlight, suggest better use of irrigation, and even predict the timing of the harvest.</li><li><strong>Government:</strong> Many cities employ IoT-enabled “smart city” apps to handle tasks such as pollution monitoring and traffic management.</li></ul><br></td></tr></tbody></table><p>Few would likely disagree that IoT’s hyperconnectedness presents risks. There are, however, differences of opinion on the nature of those risks.<br></p><p>Some see the risks in fairly apocalyptic terms. They believe that when everyday activities are monitored and people output information on a near-continual basis, the level of profiling and targeting will grow, leading to increased social, economic, and political struggles. They suggest a need for ways people can disengage from the network, to stop sending and receiving data. Tully considers the disconnect options with some skepticism: “IoT is everywhere,” he says. “There’s no way to get away from a lot of it.” <br></p><p>However, other views of IoT-related risks are more pragmatic: financial loss affecting profitability (a hacker taps into a smart electric meter and steals energy), business interruption (due to a denial-of-service attack), loss of competitive advantage (attacks of any kind by a business rival), governmental upheaval (propaganda or hacktivism), and even loss of life (damage to pacemakers or equipment in hospital operating theaters). Mory points to another risk, loss of market share, which results when “the organization fails to adopt IoT and take advantage of the opportunities and benefits it can provide.” <br></p><p>Mory refers to the upside risk of IoT, a perspective that is sometimes overlooked in the very real concern about security and privacy. But there is a reason the IoT market is expanding rapidly, despite the inherent risk: It provides benefits that many individuals and businesses believe outweigh the associated risk. Customers appreciate the way IoT devices make their lives easier by anticipating and addressing their needs and preferences (e.g., constantly adjusting household temperature based on home conditions and homeowners’ schedules; brewing a cup of coffee to the individual’s precise taste, with the ability to monitor brew status remotely). </p><p>Businesses that use IoT devices in their own processes, or whose employees use IoT devices, may realize competitive advantage over less tech-savvy rivals, save money through device-generated efficiencies and real-time monitoring, enjoy more immediate and personalized engagement with customers, and reap increased return on their marketing investment through more effective and precisely targeted marketing messages. Companies that manufacture IoT devices are likely to see increased earnings due to customer demand and may even find opportunities to create new lines of business. And everyone, individuals and businesses alike, will benefit from the increased focus on cybersecurity — and resulting adoption of commonly accepted standards and business efforts to earn consumer trust — that IoT devices generate. <br></p><p>Whether the risk is upside or downside, it is a pragmatic issue that presents internal audit an active playing field in which to identify, assess, and mitigate risk. But internal audit cannot serve as the lone outpost on risk. Other areas must engage as well. However, Steven Babb, director and independent consultant at Newton Leys Consulting Ltd., Berkshire, U.K., says that management may not be fully aware of the risk — possibly because it is not articulated in business terms — and that policy has not caught up to define IoT usage. “IoT is typically wrapped up as part of cybersecurity, which is getting increased management exposure, but more still can be done,” he says. “Also, IoT covers areas that are typically not under the remit today of information security departments.”<br></p><p>Corbin Del Carlo, director, internal audit, IT security and infrastructure at Discover in Riverwoods, Ill., points to another group that needs to engage in management of IoT risks: software developers (programmers). “A lot of programmers have always dealt with closed systems,” he says. “They may not be aware of what connectedness implies. As the third line of defense, auditors need to talk to them and make them aware of the risk.”<br></p><h2>Bringing Risks to Light</h2><p>For Babb, internal audit’s role in IoT is “all about visibility and risk — helping risk management teams highlight that the risk is real, quantify the exposure, and bring it to management’s attention,” he says.<br></p><p>Del Carlo echoes that focus. “We have to challenge threat vectors,” he explains. “We have to be willing to offer suggestions of things that could be done to improve security. We have to be willing to ask questions about vendor-driven threats.” Del Carlo adds that vendors likely are not manufacturing the devices they produce alone. He questions whether vendors know who is making the parts they rely on in their supply chain. “Are they testing those parts to ensure they are up to our security specifications?” he asks. <br></p><p>Peter Rhys Jenkins, Worldwide Watson IoT architect, IBM, in Dartmouth, Mass., reinforces the need for security throughout the manufacturing process. “I want my refrigerator to be every bit as secure as a government device,” he says.<br></p><p>Organizations that implement IoT devices should have a strategy for their deployment. M. J. Vaidya, principal, EY, Atlanta, notes that although the internal audit function may not participate in defining that strategy, “It is a critical ingredient in ensuring the strategy is implemented in a good way, from a risk management perspective.”<br></p><p>A productive first step for internal auditors to address IoT is to conduct a risk assessment of the IoT in use in their organization. The risks will vary from one company to the next, depending on the type of IoT systems present and the business process they support. Once the risks are identified, internal audit can ensure that mitigating controls are in place and operating effectively, always keeping in mind the context in which the IoT systems function.<br></p><p>When examining context, it’s important to remember that nothing exists in a vacuum. Del Carlo recalls an incident from the 2015 Black Hat USA Conference, during which hackers assumed the challenge of remotely taking over the controls of an internet-connected vehicle. Their approach was relatively simple. The vehicle manufacturer had not implemented password protection on the internet-facing aspect of the car’s radio. “The designers felt there was nothing sensitive in the radio, so there was no need to protect it,” Del Carlo explains. “And they were right about the radio alone. But that point of entry was the gateway to the rest of the car.” Context is everything.<br></p><h2>Areas of Engagement</h2><p>Taking on the risks associated with IoT is a massive challenge that depends on teamwork across the organization. However, in the spirit of even the longest journey beginning with a single step, there are several initial activities in which internal audit can engage.<br><br><strong>Look for a Policy</strong> When addressing security-related issues within an enterprise, one of the first steps is to determine whether a policy exists and is up to date. While few organizations appear to have an IoT-specific policy at this point, many reference the topic through their “bring your own device” (BYOD) policy. Babb explains that most BYOD policies cover only a small subset of devices that fall under the IoT banner. He adds, “Many of the devices will be brought in by staff, but equally many will be purchased by the organization and used. Of these, many will fall outside the remit of IT and security, so the risks emanating from them may be hidden.”<br></p><p>Mory adds that although his previous employer, the City of Austin, had no umbrella policy to deal with IoT, there were policies to address the use of flash, portable drives, and other portable devices such as phones and laptops. <br></p><p>IoT security shortcomings present an opportunity for internal audit to play a significant role by working with the cybersecurity team, IT, legal, and the privacy function to advise on the development of an IoT policy. Existing policies relating to passwords, patching, and system monitoring will need to be revised to place IoT clearly within their scope. New or updated policies may be required around network segmentation and access control. Approved devices and uses must be spelled out, and the implications clearly identified not only for employees, but also for business partners, suppliers, and customers who have connections to the company’s network.<br><br><strong>Check Inventory</strong> Enforcing an IoT policy is difficult without a clear understanding of the number and types of IoT devices present within the organization. Babb and Mory agree that inventories, if they exist, are likely to be incomplete or siloed, as opposed to presenting a comprehensive view. Some inventories may cover devices the organization has purchased, but fail to mention the consumer devices brought in by employees. <br></p><p>Once the inventory provides the needed information, appropriate controls can be put into place. Del Carlo’s company, Discover, places a priority on protecting its network. “We have a general ban against noncompany devices,” he says. “We won’t allow them onto our network. We provide a ‘guest’ network people can use to connect those devices; all they can get is the internet.” Discover also installs virtualization software on the phones it provides to segment the data, and it has a stringent perimeter defense system. Laptops are encrypted and the data can be wiped remotely. Even then, Del Carlo notes, “Every day these controls block hundreds of exploits from attackers of various sophistication levels. But without constant vigilance against the onslaught, it is unlikely any organization could stop every single attack.”<br><br><strong>Educate Management</strong> Regardless of management’s degree of awareness about IoT risks at this moment, there seems to be consensus that some additional education would be useful. Mory says that some management is aware of the general concepts behind IoT, but lacks a core understanding of the opportunities and threats it presents. In his view, internal audit has a clear role to play in helping management understand and manage the risks.<br></p><p>Vaidya agrees that education is important, “from the board level to the tactical level and across not just IT, not just executives, not just product development, not just manufacturing, but across the business.”<br><br><strong>Review Security</strong> Jenkins lists some basic but necessary steps auditors can test after implementation. “With regard to provisioning, when a new device joins the cloud for the first time, make sure the mechanism used to connect is encrypted,” Jenkins says. He also advises verifying that the cloud itself is secured, password hashes are stored away from other related identification, and data coming from and to devices is encrypted. Jenkins adds: “Over-the-air firmware updates are necessary to keep equipment up to date. Make sure that process is done securely.”<br></p><h2>Getting a Handle on IoT</h2><p>It seems impossible to discuss IoT for any length of time without landing back at a mention of risks. But Tully points out that quite a few IoT devices are deployed for safety. They exist to reduce risk. “Take structural sensors in bridges, for example,” he notes. “These sensors warn of excessive loads and stresses — they are linked to traffic control systems that will stop traffic entering the bridge. Internet-connected carbon monoxide detectors and smoke detectors are similar. They are deployed directly for risk reduction.”<br></p><p>But most in the internal audit and information security fields might argue that it’s not the purpose of the device that worries them — it’s the connectedness and the near-certain impossibility of completely securing an organization, its assets, or the people who use the systems. Del Carlo agrees, but he won’t stop trying to lock it down. “There’s a saying that you can’t make anything foolproof because fools are so ingenious,” he says. “But we can’t just give up. I work for a bank. We are where the money is — literally. We have to maintain the highest possible level of security.”<br></p><p>IoT offers internal auditors an opportunity to serve in a role they don’t often get to inhabit: advocate. They can stand up for individual and enterprise users of IoT devices. “Installing security inside IoT devices is difficult and time-consuming, but necessary,” Jenkins says. “The companies that manufacture the devices say they are doing it, and doing it well. But, are they? Internal auditors need to make them prove it.” <br></p>Jane Seago13389

  • RSM_Sept2016_Prem 1
  • MNP_Tech-Consulting_Sept2016_Prem 2
  • IIA_Auditing Smar_Prem 3



Six Steps to an Effective Continuous Audit Process Steps to an Effective Continuous Audit Process2008-02-01T05:00:00Z2008-02-01T05:00:00Z
The Extraordinary Risk of Business Continuity Interruption Extraordinary Risk of Business Continuity Interruption2016-09-12T04:00:00Z2016-09-12T04:00:00Z
Internal Audit as Trusted Advisor: Do Women Hold the Key? Audit as Trusted Advisor: Do Women Hold the Key?2016-09-19T04:00:00Z2016-09-19T04:00:00Z
Auditing the Cloud the Cloud2016-09-14T04:00:00Z2016-09-14T04:00:00Z