<h1>Infusing IT Auditing Into Engagements</h1>
<p>Modern technology is growing rapidly, as is the level of disruption driven by it. In the 2016 Technology Industry Outlook, Deloitte describes the technology sector reaching a tipping point "where cognitive computing, big data analytics, cloud computing, and the rapidly growing Internet of Things are transforming businesses around the globe — including those outside the technology sector."</p>
<p>Internal audit is being transformed as well. As advancements in technology drive changes in business operations, internal audit must perform IT audits to help organizations accomplish new and evolving business objectives. That requires the internal audit department and individual auditors to develop IT-related capabilities that are aligned with business risk. Skills that were once considered specialties of IT auditors are now required of all internal auditors. Practitioners who cannot incorporate technology into their assurance and advisory work will not be able to keep up with the evolving risks, strategies, and needs of their organizations.</p>
<p>Like any new audit endeavor, incorporating IT audit techniques into audit work requires internal audit to gather information and form a plan. Although each organization will require a different mix of effort and materials to obtain this information, some common elements are needed to prepare a comprehensive plan over the short (2 to 3 years), middle (3 to 5 years), and long term (5 to 7 years). The timing in which internal audit implements these elements may vary based on the organization, the internal audit department, and internal auditors' capabilities. At each stage, the elements should be completed concurrently, with the internal audit department thinking holistically about the future of integrated auditing at its organization.</p>
<h2>Short Term: Core IT Audit Capabilities</h2>
<p>A separate IT audit is not required to start infusing IT-related capabilities into the current internal audit function; already-scheduled audit engagements can incorporate elements of IT auditing, which also helps the internal audit department identify the resources and education it will need in the long term. As the department becomes more knowledgeable about the organization's IT environment, auditors can educate organizational management about the benefits of IT auditing in relation to business objectives. In the short term, the department should focus on creating a solid foundation on which future efforts can be built.</p>
<p><strong>Incorporate IT Perspective Into Current Audit Engagements</strong> Internal audit management should encourage staff members to incorporate IT audit methods into their engagements. During the planning phase, auditors should recognize the role IT plays in the internal controls for the processes currently being audited, and document internal audit's understanding of the organization's IT environment. For example, when auditing the accounts payable process, auditors should not only interview the accounts payable clerk about internal controls, but also talk to the individuals responsible for maintaining and supporting the accounts payable data and processing systems. Moreover, internal audit should document automated controls such as access controls over the vendor master file.</p>
<p>Locate and read IT policies, focusing on change management, segregation of duties, and information security. Consider obtaining training from IT experts on applications used within the organization, such as enterprise resource planning (ERP) software. Areas in which internal audit should develop skills include cybersecurity, data mining, audit analytics, crisis management planning, vendor governance, corporate and data governance, continuous auditing, and software and system life cycle management.</p>
<p><strong>Identify Resources</strong> Leveraging their knowledge of the organization's IT environment, internal auditors should inventory the IT resources used across the organization. Start with core functions, including the resources that hold financial, human resources, and customer data. IT resources include IT platforms (servers, routers, and workstations) and software (databases, and proprietary and off-the-shelf applications). In the accounts payable example, IT resources could include ERP software and other electronic records, such as spreadsheets used to house important calculations.</p>
<p>Second, pinpoint the data stored on these core IT resources that is vital to current operations and to achieving key business objectives. Key data could include vendor bank account, address, and contact information, as well as invoice distribution coding. Analyze current risk assessments for the underlying risks to this data. Examples of accounts payable risks include phantom vendors, duplicate payments, and corrupt or incorrect data. Assessing the current landscape reveals the most critical IT systems and data that need to be audited. Map core IT resources and data to key business objectives.</p>
<p><strong>Respond to IT Risks and Identify Audit Objectives That Can Add Value</strong> IT supports nearly all business functions and allows management to make accurate, timely, and appropriate decisions that drive business operations. Integrated audits can support management's risk assessment to help align business objectives and IT. Research by Peter Weill and Jeanne Ross, published in the MIT Sloan Management Review, shows that appropriate alignment of organizational objectives and IT can deliver as much as a 20 percent higher return on investment.</p>
<p>Internal audit should identify top areas for review, with estimated resource requirements, based on the risk assessment and the risk tolerance of the organization. For example, the business may have an objective to take advantage of potential vendor discounts by making timely payments. Related IT risks include inappropriate access to vendor data, delayed access to invoice information that hinders decision-making, and incorrect calculation of the cost/benefit of taking discounts. An integrated audit of accounts payable could then focus on whether the critical information needed to meet that business objective can be accessed and identified.</p>
<h2>Middle Term: Advanced IT Audit Capabilities</h2>
<p>While using the current audit engagement schedule in the short term, chief audit executives (CAEs) should evaluate the department's preparedness to grow into a more mature model in which individual IT audit engagements are expected and the CAE has worked with organizational management to link business risks with IT audit techniques. In the middle term, internal audit must get the right people on board and work with the IT department and the organization at large to use a common IT framework. Moreover, it should partner with management and the IT department to facilitate long-term planning.</p>
<p><strong>Build a Team</strong> Audit leaders should recruit qualified personnel with IT skills into the internal audit department. Look for people within the department who have current IT audit skills or an aptitude for technology that would enable them to gain those skills. Create a training plan that addresses the core IT systems used within the organization and the IT audit areas that will need to be covered in future audits. Consider hiring an IT expert into the internal audit department to help the department establish a solid relationship with the IT department.</p>
<p><strong>Understand the IT Framework</strong> Organizations perform optimally when they use a consistent IT framework, which requires assessing the current state of the IT environment, defining a target state, implementing improvements, operating and measuring, and monitoring and evaluating. Examples of frameworks and standards include the International Organization for Standardization's ISO/IEC IT standards, ISACA's COBIT, and the U.S. National Institute of Standards and Technology Cybersecurity Framework. If the organization has not implemented an IT framework, internal audit should highlight the need for one that will allow for communication across business functions. Use of an IT framework helps determine whether the organization's IT business objectives comply fully with business rules and are structured, maintainable, and upgradable.</p>
<p><strong>Perform IT Audits</strong> Identify the scope of IT audits that can be handled internally based on the IT experience of internal auditors, and outsource coverage of any remaining risks. Consider the organization's adoption of the IT framework and the amount of resources management has devoted to the endeavor. Specific areas audits should address include: 1) segregation of duties, to ensure the integrity of automated controls; 2) security, including physical and logical access, to safeguard the core systems as well as critical and sensitive information; and 3) change management, to ensure the integrity of system changes. One benefit of implementing an IT framework is access to audit programs that are available for these three areas, as well as for additional auditable areas for future engagements. Internal auditors should devote time to understanding the audit programs and the areas they cover so they can obtain efficiencies.</p>
<p><strong>Foster Relationships With IT and Management</strong> Internal audit's relationship with the IT department is the foundation of a successful IT audit engagement. Internal audit should understand the metrics and goals the IT department uses in the monitoring and evaluation process of the IT framework. Through this process, internal audit can determine whether IT metrics and objectives align with organizational goals. Moreover, it can allow internal audit to help discover, and articulate to organizational management, which IT initiatives can produce cost savings. Additionally, understanding the IT department's goals and metrics can help internal audit facilitate communication between the IT department and management. The value provided by these efforts can position internal audit to recommend enhancements that achieve operational goals.</p>
<h2>Long Term: Advanced and Emerging IT Audit Capabilities</h2>
<p>As the department's IT audit capabilities solidify and mature, it is a good time to start thinking about the long-term direction in which they will be applied to audit engagements. Performing IT audit engagements should give the department the foundational knowledge needed to support its consulting efforts. In the long term, internal audit should continue to develop and mature integrated engagements, grow consulting engagements, and improve IT audit skills, with a focus on how organizational IT objectives will shape internal audit.</p>
<p><strong>Leverage Data Analysis</strong> Data analytics allow internal audit to search for patterns, plausible interrelationships, and anomalies, helping improve operational efficiency and effectiveness as well as fraud detection and prevention. Moreover, analytics can support reliable financial reporting and adequate compliance with laws and regulations.</p>
<p>The best time for internal audit to perform data analysis is early in the IT life cycle, when it enables auditors to use time and resources more effectively. Used this way, data analytics can better inform IT audit planning and foster a more dynamic internal audit environment, one that moves from a traditional, post-mortem planning strategy to one that is more innovative and consultative.</p>
<p><strong>Obtain Professional Certifications</strong> IT audit techniques cannot reach their maximum potential without adequate training. One of the best ways to achieve this level of aptitude is by obtaining professional certifications that attest to the practitioner's knowledge of technology and internal audit. Working toward certification enables individuals to gain IT audit knowledge. Maintaining certifications also requires auditors to complete continuing education that keeps pace with changes in technology and their associated risks. The specific mix of professional certifications should relate to the organization's objectives and core IT systems and data. Good qualifications to start with include The IIA's Certified Internal Auditor designation and ISACA's Certified Information Systems Auditor and Certified in Risk and Information Systems Control certifications.</p>
<h2>Rise to the Occasion</h2>
<p>Internal audit's need to establish its IT audit capabilities and apply them to all of its audit engagements is increasingly important now that technology is tightly integrated into business processes. Technology is influencing both what is audited and the way audits are performed. Internal audit departments need to develop the essential skills to audit IT-based controls and processes and to identify operational improvements throughout their organization. Internal audit can take a measured approach to cultivating IT-related capabilities over time, in conjunction with organizational management.</p>
<p>Andrew Bowman</p>
<h1>The Dark Side of the Internet of Things</h1>
<p>They targeted children and stuffed animals. Hackers gained access to account information and voice recordings of more than 800,000 consumers who had purchased Spiral Toys' CloudPets toys, cybersecurity researcher Troy Hunt revealed last month. CloudPets are stuffed animals that enable parents and their children to exchange messages through the internet.</p>
<p>This anecdote reveals both the pervasiveness of the Internet of Things (IoT) and the serious threats associated with it. Personal assistants, wearables, home management systems, smart refrigerators, and other devices are becoming popular with consumers. But the IoT has become particularly entrenched in businesses — everything from security systems to security cameras to heating, ventilation, and air conditioning systems.</p>
<p>Research firm Gartner Inc. predicts that 8.4 billion connected devices will be in use worldwide this year, a 31 percent increase over 2016. That number will surpass 20 billion by 2020, Gartner forecasts. Currently, consumer devices comprise 63 percent of IoT devices, but businesses make up 57 percent of IoT spending.</p>
<p>"IoT services are central to the rise in IoT devices," says Denise Rueb, a research director at Gartner. Although businesses currently dominate the US$273 billion spent worldwide on IoT services, Rueb says consumer and connectivity services will grow faster. "Consumer IoT services are newer and growing off a small base," she explains. "Similarly, connectivity services are growing robustly as costs drop and new applications emerge."</p>
<p>Security is the dark cloud hanging over the IoT, information security experts caution. Before last year, many of those concerns were theoretical. Those theories became very real in October when a botnet based on the Mirai malware disrupted internet service in several U.S. cities. At its height, the malware infected hundreds of thousands of devices.</p>
<p>According to an HP study, <a href="" target="_blank">Internet of Things Security: State of the Union</a>, 70 percent of IoT devices are vulnerable to attack. A separate <a href="" target="_blank">survey</a> (PDF) by Boston-based IT security company Pwnie Express identifies common attacks against devices, including malware (32 percent), ransomware (20 percent), and man-in-the-middle attacks that intercept communications (16 percent).</p>
<p>Threats to IoT systems were front-and-center this month at the CyberUK conference in London, hosted by the U.K.'s recently established National Cyber Security Centre (NCSC). An NCSC report released in conjunction with the conference warns that IoT devices are vulnerable to threats such as remote code execution or takeover. "Many connected devices have been shipped with less secure software and default passwords," The Cyber Threat to U.K. Businesses 2016/2017 report notes. "There is often no obvious way for consumers to update them, change passwords, or otherwise fix security problems."</p>
<p>Most of the information security professionals (63 percent) who responded to Pwnie Express' The Internet of Evil Things survey say their organization is prepared to detect threats to connected devices. But when the survey dug deeper, it found that less than half (49 percent) of those respondents knew how many connected devices employees were bringing into the organization, while one-third did not know how many and 17 percent were not sure.</p>
<p>Industrial systems are a likely target. Ninety-six percent of IT security professionals <a href="" target="_blank">surveyed by Tripwire</a> (JPG) expect attacks on industrial IoT systems to increase this year, and 51 percent say their organization isn't prepared to protect them. "There are only two ways this scenario plays out," says David Meltzer, chief technology officer for the Portland, Ore.-based information security company. "Either we change our level of preparation or we experience the realization of these risks."</p>
<p>Health care is another area where the IoT shows great promise but carries great threats. Recent ransomware attacks have targeted health-care IT systems successfully. Gartner predicts more than one-fourth of attacks in the health-care sector will target the IoT. For health-care businesses, the IoT raises the stakes because "traditional cybersecurity doesn't always 'walk the talk' when it comes to the IoT," Damon Hopley, senior manager, product management with Verizon's IoT Security group, writes in <a href="" target="_blank"><em>IT Healthcare News</em></a>. Hopley points out that devices deployed by providers and insurers often are located in remote locations, and some of those devices may lack security features that can reduce the risk of remote hijacking.</p>
<p>What can be done? A recent <a href="" target="_blank">white paper</a> (PDF) from the Bellevue, Wash.-based Online Trust Alliance encourages businesses, consumers, and government to work together to secure the IoT. The paper outlines roles for retailers and ecommerce sites; developers, manufacturers, and automakers; brokers, builders, realtors, and car dealers; and internet service providers. It calls on the private sector to establish minimum security and privacy standards for IoT products, disclose security support, and enhance security offerings. In addition, it advises regulators and policy makers to allow self-regulation and to provide safe harbor to device manufacturers that have adopted reasonable security and privacy practices. Finally, it recommends that consumers patch and replace insecure devices, and only purchase devices that are backed by a security and privacy commitment from the manufacturer.</p>
<p>Tim McCollum</p>
<h1>Late to the Project</h1>
<p>There's room for IT audit functions at the technology table, but most of them aren't involved in all stages of IT projects, the recent <a href="" target="_blank">IT Audit Benchmarking Study</a> by ISACA and Protiviti Inc. reports. The organizations surveyed 1,062 internal audit and IT audit leaders and professionals from organizations throughout the world for the study.</p>
<p>Nearly 90 percent of respondents say their organizations have implemented an IT system or application within the past three years. Process automation and improvements to core infrastructure were the most common projects, far outpacing initiatives involving business intelligence, customer user interfaces, and collaboration. Across all regions, respondents say most of these projects were successful.</p>
<p>That's not the norm for such projects, the report notes. It cites a study from consulting firm McKinsey and the University of Oxford that found that IT projects on average run 45 percent over budget and 7 percent over time, while delivering just 56 percent of the promised value.</p>
<p>IT auditors could help implement projects more effectively. In the largest companies, 71 percent of IT audit functions are moderately (45 percent) or significantly (26 percent) involved in IT projects. The problem is that they are most likely to be involved at the end of projects. Although 43 percent of respondents say IT audit is involved at the planning stage, 65 percent are involved in post-implementation — usually assessing how well the project has done. IT audit is less involved in design, testing, and implementation, when the bulk of the work is performed.</p>
<p>"There is an opportunity for organizations to derive more value from their major IT projects by engaging IT audit earlier rather than downstream in the projects," says ISACA Chairman Christos Dimitriadis, group director of information security for Athens, Greece-based gaming technology company Intralot. "With a solid foundation of assurance at the front end, organizations can have the confidence they need to be innovative and fast-paced in pursuit of their business goals."</p>
<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">
<p><strong>Top Business and Technology Challenges</strong></p>
<ol>
<li>IT security and privacy.</li>
<li>Infrastructure management.</li>
<li>Emerging technology and infrastructure changes.</li>
<li>Resource, staffing, and skills.</li>
<li>Regulatory compliance.</li>
<li>Budgets and cost control.</li>
<li>Cloud computing and virtualization.</li>
<li>Bridging IT and the business.</li>
<li>Project management and change management.</li>
<li>Third-party and vendor management.</li>
</ol>
<p>Source: ISACA and Protiviti Inc., IT Audit Benchmarking Study, 2017.</p>
</td></tr></tbody></table>
<p>In addition to post-implementation project reviews (51 percent), IT audits of major projects evaluated test phases (48 percent), project governance (48 percent), the project risk management plan (45 percent), system development life cycle (45 percent), the data conversion process (44 percent), alignment of project success measures to desired business outcomes (41 percent), the project plan (41 percent), and project requirements (40 percent).</p>
<p>The most significant risk factor respondents identified is the frequency of updates to project goals and outcomes based on changing business requirements (26 percent). Other factors include goals that aren't clearly defined (17 percent), frequency of change in project specifications without formal assessments (14 percent), lack of a defined and documented project management methodology (13 percent), capabilities and skills of the project manager and team (12 percent), and level of employee turnover on project teams (7 percent).</p>
<p>Raising IT audit's profile within the organization could help it become more involved in projects, the report notes. A positive sign is that 55 percent of respondents say their organization's IT audit director regularly attends board meetings, up from 49 percent in last year's study. "Audit committee members, in particular, are seeking greater assurance around critical IT risks and controls," says Gordon Braun, managing director of Protiviti's IT audit practice. "Internal audit and IT audit leaders must be prepared to demonstrate audit coverage of key areas and articulate where the highest risks remain."</p>
<p>Increasingly, chief audit executives (CAEs) are becoming better able to provide assurance on IT risks, the report finds. Nearly three-fourths (72 percent) of respondents say their organization's CAE has sufficient knowledge to discuss IT audit matters with the audit committee.</p>
<p>But something is missing from some organizations' IT operations: IT audit risk assessments. Most respondent organizations perform them, but they are lacking in 23 percent of organizations with less than US$100 million in revenue. Across all organizations surveyed, IT audit risk assessments typically are performed as part of internal audit's overall risk assessment. Most responding organizations update those assessments annually. Continuous assessments are most common in the largest (18 percent) and smallest (14 percent) organizations.</p>
<p>Tim McCollum</p>
<h1>Cyber Root Cause Alarm Bells Are Ringing</h1>
<p><a href="" target="_blank" style="background-color:#ffffff;">A new study by Tripwire</a> should be setting off your alarms.</p>
<p>The company surveyed 403 IT security professionals, the people who should know about the true state of information security or cyber at their organization.</p>
<p><strong>90 percent of organizations lack the </strong><span style="text-decoration:underline;"><strong>skills</strong></span><strong> to address the full range of cyber threats!</strong></p>
<p>There have been repeated reports that information security experts are in high demand but low supply. This confirms the problem.</p>
<p><strong>97 percent of organizations lack the </strong><span style="text-decoration:underline;"><strong>technology</strong></span><strong> they need to address the threats!</strong></p>
<p>If I were on the board and heard this, I would be questioning the executive team hard.</p>
<p>Other surveys indicate that the majority of executives know they have been hacked in the past and expect hackers to be successful in the future.</p>
<p>But do they know the true extent of the problem?</p>
<p>Do they know their defenses are down — and that their people don't have the ability to detect intrusions promptly?</p>
<p>When I took over the internal audit function at a company years ago, I was concerned by what I saw in the information security area.</p>
<p>Rather than audit the defenses, I had my team audit whether the company had the <strong>capability</strong> to build, maintain, and manage the defenses.</p>
<p>Key questions include:</p>
<ul>
<li>Do you understand the risk to the business (the consequences) if there is a successful intrusion? How will the objectives of the organization be affected? Can you and have you assessed cyber risk in business terms? How recent is that assessment?</li>
<li>Are you satisfied, and if so, why? If not, what are you doing about it?</li>
<li>Do you have the people to understand (on a continuing basis) and then address cyber risk?</li>
<li>Do they have the tools? Is that your opinion or theirs?</li>
<li>Is the voice of information security heard and listened to at senior and board levels?</li>
<li>Would a reasonable, prudent individual believe the risk to the organization is at an acceptable level, and will continue to be at an acceptable level over the next year?</li>
<li>How often is an <strong>objective</strong> assessment of information security performed, and is it reliable? Are its recommendations acted on?</li>
<li>Does it still make sense to expect employees to handle cyber risk? Is it better to outsource it, and to what extent should we do that?</li>
</ul>
<p>I welcome your comments.</p>
<p>Norman Marks</p>
Data Mining Mining<p>​The vast amount of data generated by business and the increase in data warehouses and legacy systems have created a treasure trove of information to be mined to draw meaningful insights regarding fraud indicators, emerging risks, and business performance. Companies such as Amazon, Facebook, Google, and Netflix are built on foundations of data exploration and mining.<br></p><p>Data mining, which includes text mining, is the discovery of information without a previously formulated hypothesis where relationships, patterns, and trends hidden in large data sets are uncovered. It involves using methods at the convergence of artificial intelligence, machine learning, statistics, and database systems. With the advent of big data, this niche-driven research discipline, developed in the 1980s, is now a powerful tool.  <br></p><p>There are no roadmaps or directions in data mining. Instead, it requires thinking outside the box to come up with a range of scenarios. Questions like, “What are the risks?” “What opportunities exist for business improvements?” “How can this data be leveraged?” and “What fraudulent activities can occur?” can lead to developing algorithms.<br></p><h2>Data Mining Techniques</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Examples of Data Mining</strong><br><br>Data mining can detect a range of fraud indicators such as bogus vendors, kickbacks, money laundering, insider trading, and claims fraud. <br><br>In a telecommunications audit, for example, a model can be built to show patterns of call destinations, duration, frequency, and time of day. Over time, when actual calls vary from expected patterns, it will alert internal audit to the possibility of fraud. <br><br>Outcomes also can indicate cost-saving opportunities, potential irregularities, and patterns worthy of further investigation. 
For example, in a procurement audit, using text mining that brings up common products and services may determine that there is an annual savings or discount to ordering cleaning supplies from one vendor instead of several vendors. <br><br>In a retail audit of a bank branch, a review of customer accounts can show single bank accounts converted to joint accounts, indicating marriage. Internal audit may recommend cross-selling mortgages and consumer loans to the joint account owners, which can grow branch profitability. <br><br>In a loan audit, nonperforming loans can be segmented to show different factors for loan failures. This can help guide the revamping of credit models and tightening of lending practices, which can reduce the number of nonperforming loans.<br></td></tr></tbody></table><p>The most common techniques used in data mining are predictive modeling, data segmentation, neural networks, link analysis, and deviation detection.<br><br><strong>Predictive modeling</strong> uses “if then” rules to build algorithms. For example, during a loan audit, auditors can create rules to show which customers in a specific age range (18-25, for instance) with balances exceeding US$5,000 are likely to default. <br><br><strong>Data segmentation</strong> involves partitioning data into segments or clusters of similar records. Also called <em>clustering</em>, this technique lets auditors see common factors underlying each segment. For example, a marketing audit can look at residents of urban neighborhoods and affluent areas where wealthier, older people live.<br><br><strong>Neural networks</strong> are a type of artificial intelligence that uses case-based reasoning and pattern recognition to simulate the way the brain processes, stores, or learns information. 
In fraud detection, neural networks can learn the characteristics of fraud schemes by comparing new data to stored data and detecting hidden patterns.<br><br><strong>Link analysis</strong> establishes links between records or sets of records. Such links are called <em>associations</em>. Examples include customers buying one product at a specific time and then a different product a few hours later or a vendor supplying a raw material and purchasing a byproduct. Or, in the case of a money laundering audit, identifying addresses that have many wire transfers attached to them.<br><br><strong>Deviation detection</strong> is pinpointing deviations from the observations or model worthy of further investigation. An example is detecting an unusual transaction on a credit or purchase card that does not fit the typical spending patterns of a cardholder, such as buying a refrigerator or booking a vacation on a company’s purchase card. <br></p><h2>Email Mining </h2><p>The rapid evolution of data mining techniques on unstructured or semi-structured textual data now provides opportunities for audit analysis. Mining this vast text field is a key tool in the internal auditor’s arsenal for fraud prevention and detection. Word searches using “kickback,” “bank account,” “funds,” “money,” and “override” could uncover fraud, while words such as “flowers,” “anniversary,” “chocolate,” “gift,” “bar,” and “drink” could indicate office romances that breach a company’s code. <br></p><p>Analysis of email logs can uncover key information about employees’ interests, activities, and behaviors. Email contents might include potential evidence of fraud and issues of audit concern. For instance, emails from an employee to customers when the employee does not hold a position that normally communicates with customers would be a red flag.<br></p><p>Emails might contain an exchange of information between parties that can provide evidence of a wide range of managerial fraud. 
Also embedded in email contents might be issues relating to breaches of compliance requirements and their cover-ups, privacy matters, and theft of intellectual property. As emails pass through gateways, they are easy to archive, index, categorize, and monitor for keywords.<br></p>
<h2>Social Network Analysis</h2>
<p>Analysis of employees’ Facebook, LinkedIn, and Twitter accounts explores relationships or networks between email senders and recipients. Social network relationships may presage kickbacks or collusion between employees and third parties. Within this context, social media analytics is a tremendous tool. However, consideration should be given to such key risks as security, privacy and confidentiality, loss/theft of intellectual property and trade secrets, and legal and compliance. <br></p>
<h2>Data Mining Tools</h2>
<p>Data mining can be performed with comparatively modest database systems and simple tools or off-the-shelf software packages. Microsoft Excel has a wide range of functions that can be used in data mining without the hours of training required for other programs. Generalized audit software and server database software also are formidable data mining tools.<br></p>
<h2>Raising the Bar</h2>
<p>Data mining demands considerable time, serious commitment, a new mind-set, and new skills. Delays in getting the data, uncooperative management, time spent understanding the data, and scrubbing it are additional challenges. Data mining raises the bar on what can be achieved by addressing issues beyond the reach of traditional analysis techniques. It is more than running complex queries on large data sets. Internal auditors must work with the data to have it reorganized and cleansed, and identify the format of the information based on the technique or analysis they want to use. Data mining increases audit coverage, and with the internet and computer-assisted audit tools, auditors should be limited only by their imaginations. <br></p>
Lal Balkaran
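Deviation detection, the last of the data mining techniques described above, worked through as an added example that is not part of the original article: each purchase-card transaction is scored against the cardholder's own history with a robust z-score (median and median absolute deviation, MAD), and a merchant-category rule catches purchases such as an appliance that the card should never be used for. The transactions, cardholder ids, merchant categories and the disallowed-category list are all constructed for the example and are not from any real card program.

```python
"""Deviation detection over purchase-card transactions (added example).

Flags transactions that fall outside a cardholder's own spending pattern.
The baseline uses the median and MAD rather than mean and standard deviation,
so a single very large transaction does not inflate the baseline and hide itself.
All sample data below is constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: (cardholder id, merchant category, amount in USD)
TRANSACTIONS = [
    ("C001", "office supplies", 42.10),
    ("C001", "office supplies", 38.75),
    ("C001", "fuel", 55.00),
    ("C001", "office supplies", 47.30),
    ("C001", "fuel", 60.20),
    ("C001", "appliances", 1899.00),   # a refrigerator bought on a company card
    ("C002", "travel", 310.00),
    ("C002", "travel", 295.50),
    ("C002", "travel", 340.00),
    ("C002", "travel", 325.75),
    ("C002", "travel", 4200.00),       # a vacation booked on a company card
    ("C002", "travel", 300.00),
]

# Merchant categories a (hypothetical) card policy does not allow at all.
DISALLOWED_CATEGORIES = {"appliances", "jewelry", "gambling"}


def robust_z(amount, med, mad):
    """How many MADs the amount lies above the median.

    The 0.6745 factor makes MAD comparable to a standard deviation for
    normally distributed data. A zero MAD (all amounts identical) scores 0.
    """
    if mad == 0:
        return 0.0
    return 0.6745 * (amount - med) / mad


def detect_deviations(transactions, threshold=3.5):
    """Return (cardholder, category, amount, reason) for transactions worth follow-up.

    A transaction is reported either because its merchant category is disallowed
    or because its amount deviates from the cardholder's own pattern.
    """
    by_holder = defaultdict(list)
    for holder, _category, amount in transactions:
        by_holder[holder].append(amount)

    findings = []
    for holder, category, amount in transactions:
        amounts = by_holder[holder]
        med = median(amounts)
        mad = median(abs(a - med) for a in amounts)
        z = robust_z(amount, med, mad)
        if category in DISALLOWED_CATEGORIES:
            findings.append((holder, category, amount, "disallowed merchant category"))
        elif z > threshold:
            findings.append((holder, category, amount,
                             f"amount deviates from cardholder pattern (robust z={z:.1f})"))
    return findings


if __name__ == "__main__":
    for finding in detect_deviations(TRANSACTIONS):
        print(finding)
```

The threshold of 3.5 is the conventional cut-off for a MAD-based score; with the constructed data both large purchases are reported, one by the category rule and one by the amount rule, while ordinary fuel and travel spend is not. A flagged transaction is a candidate for follow-up, not a conclusion: the auditor still has to confirm the business purpose with the cardholder and the approver.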
Principles of Cyber Oversight
<p>Most corporate boards of directors discuss cybersecurity regularly, but less than half are confident that their company is appropriately secure against a cyberattack, according to the National Association of Corporate Directors' (NACD's) 2016-2017 public- and private-company governance surveys. These findings point to the challenges boards face in guiding their companies through the perils of cyberrisk, as outlined in the <a href="" target="_blank">NACD Director's Handbook on Cyber-risk Oversight</a>. </p>
<p>Attackers seek to cash in by targeting business plans, intellectual property, trade secrets, customer and employee personal information, and financial data, the handbook notes. Other nations also are a threat. "The cyber threat picture continues to become more challenging with nation-state attacks against both public and private sectors," says handbook author Larry Clinton, president and CEO of the Internet Security Alliance (ISA), a Washington, D.C.-based cybersecurity trade association.</p>
<p>In response, corporate boards are paying greater attention to cyberrisks, NACD President and CEO-elect Peter Gleason says. "Directors don't need to be technologists to play an effective role in cyberrisk oversight — but every board can take the opportunity to improve the effectiveness of their cyber-oversight practices," he says.</p>
<p>The updated handbook provides recent information on cyber threats, legal developments, and statistics on board oversight practices. It outlines five principles for effective oversight of cyberrisk.</p>
<p> <strong>1. An ERM Issue</strong></p>
<p>The handbook implores boards to approach cybersecurity as an enterprise risk management issue, rather than an IT concern. As such, directors should address it from strategic, cross-departmental, and economic perspectives. 
For most publicly listed companies (51 percent), cyberrisk oversight falls on the audit committee, but nearly all directors (96 percent) surveyed say the full board takes on the big picture risks that could impact their company's strategic direction, according to the 2016-2017 NACD Public Company Governance Survey.</p><p>Cyberrisk is magnified by the interconnections an organization has with its customers, affiliates, and suppliers, as well as the growing use of cloud computing and links to national critical infrastructure. "Progressive boards will engage management in a discussion of the varying levels of risk that exist in the company's ecosphere and take them into consideration as they calculate the appropriate cyberrisk posture and tolerance for their own corporation," the handbook advises.</p><p> <strong>2. Legal Implications</strong></p><p>The second principle calls on directors to understand the legal implications cyberrisks pose for their organization. Laws and regulations related to cyberrisk are complex, covering privacy, disclosure requirements, and infrastructure protection, the handbook points out. "Boards should stay aware of current liability issues faced by their organizations — and, potentially, by directors on an individual and collective basis," the handbook stresses. </p><p>Considerations of particular importance are maintaining board minutes that reflect the board's discussions of cybersecurity, and public disclosure and reporting requirements related to cyberrisk. </p><p> <strong>3. Discussion and Expertise</strong></p><p>The third principle addresses two concerns. It calls on boards to make cyberrisk a regular part of their agenda, with adequate time allotted. It also acknowledges that directors may need access to cyberrisk expertise. 
NACD's research bears these points out: Nearly 90 percent of public company directors surveyed say their board discusses cyberrisk regularly, yet only 14 percent say the board has a high level of knowledge of cyberrisks. </p><p>The most common board cyberrisk oversight practices are reviewing the company's approach to protecting its most critical assets (77 percent) and reviewing the technical infrastructure used to protect those assets (74 percent).</p><p>Although there have been calls for boards to add cyberrisk experts as directors, this might not be appropriate for all companies, the handbook states. Other strategies for tapping into expertise include briefings with outside experts, consulting with external auditors and outside counsel to gain an industry and "multiclient" perspective on risk trends, and participating in director education programs.</p><p> <strong>4. Cyberrisk Framework</strong></p><p>The fourth principle urges directors to expect management to establish an enterprisewide cyberrisk management framework. The handbook specifically discusses the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework, which was issued in 2014. The framework recommends that organizations assess their cybersecurity program along a four-tier scale progressing from 1) partial to 2) risk-informed, 3) repeatable, and 4) adaptive. </p><p>In addition, the handbook recommends organizations adopt an integrated cyberrisk management approach developed by the ISA. Key components include establishing ownership of cyberrisk on a cross-departmental basis, appointing a cross-organization cyberrisk management team, performing an enterprisewide risk assessment, developing an organizationwide cyberrisk management plan, and allotting sufficient financial resources.</p><p> <strong>5. 
Risk Actions</strong></p>
<p>The final principle advises boards to discuss with management how to make cyberrisk decisions about which risks to avoid, accept, mitigate, or transfer through insurance. "As with other areas of risk, an organization's cyberrisk tolerance must be consistent with its strategy and, in turn, the resource allocation choices," the handbook states. </p>
Tim McCollum
A Winning Pair
<p>We’ve all seen the advertisements for the latest and greatest home security systems. Yet despite all of their bells and whistles and the good they may do, security systems are useless if we forget to set the alarm. The technology and the person using it must work simultaneously to achieve the best results. In much the same way, governance and automation can be complementary, but they are not substitutes for each other. In some cases, automation may be used to force process steps and monitor actions, but a company cannot automate its way to compliance. Even the most sophisticated automated processes often contain at least an interface with what is usually the factor of greatest risk — the human being. Governance is a tool to help bridge the gap. </p>
<p>Take cybersecurity, for example. The Center for Internet Security’s Critical Security Controls calls for a defense-in-depth model to help prevent and detect malware. The intent is to use multiple tools, each specializing in different protections such as access control, intrusion protection/detection, malware identification, and vulnerability scanning. These products are “layered,” with each tool testing some aspect of the communication, usually with the ability to block or send alerts on questionable traffic. Only if the message passes through all appropriate gates can it be delivered to its intended destination. This is no inexpensive proposition. A company’s spending on cybersecurity may reach tens of millions of dollars.</p>
<p>And despite automated defenses, proactive technology tools, and the money, time, and resources invested, organizations remain at risk. Phishing, where a party with harmful intentions uses methods such as enticing emails to get recipients to click a link, is a prime example. The code behind the associated link may load malware onto the user’s machine, capturing login credentials, and spreading malware throughout the network. 
The intruder now has the same access as that of the victim and will seek elevated access privileges. All it takes is one person clicking one link containing malware in one email to infect the system.  </p><p>Governance can be effective in bolstering the line of defense. A sound policy, employee education, and monitoring for enforcement are all critical facets of such a program. Internal auditors should be looking for governance in all the right places.</p><p>The auditor should determine whether the organization has defined the level of risk it is willing to assume and whether there is a current risk profile. By identifying risks, mitigation activities in place, and residual risks, the organization can determine its current position. The auditor can then compare the risk appetite to the risk profile. Where the residual risk is too high, the organization can brainstorm alternatives and assess the cost/benefit of each. Results are likely to identify high-risk areas where automation alone cannot bridge the gap or is too costly to implement.</p><p>For those actionable items, ensuring good governance may be the best option. Access control is one example. When an employee or contractor is terminated, particularly for cause, access to systems and facilities must be removed immediately. While it is possible to automate access deactivation, the process must be initiated by a human interface. Having a policy that assigns responsibility for this function is best practice. </p><p>There must be widespread awareness and understanding of the policy and a sense of urgency and ownership in carrying it out. As the termination procedure may not be a frequent occurrence, reminders to all managers and inclusion in manager on-board training are necessary. Also, it’s imperative that human resources have this process top of mind. </p><p>A robust awareness program also contributes to driving behaviors. Executive behavior is key, and employees must know what is expected of them. 
Repeated education can be effective, as many need reminders. Auditors may recommend computer-based training, lunch-and-learn sessions, posters, gamification, and other methods to improve retention and reinforce desired behavior. </p>
<p>Finally, there is a need to monitor for desired behavior. While many factors can be monitored electronically, governance still plays a role. The auditor can determine whether there are policies for monitoring employee behavior. Has there been a discussion with the legal department regarding an employee’s expectation of privacy? If employees should not have an expectation of privacy regarding company property, computerized activity on company networks, etc., have they been notified? The auditor may want to recommend a banner on the login page of the company’s systems.</p>
<p>Just like installing a home security system and remembering to use it, governance and automated controls should be complementary. Auditors can help companies see how a balance is needed. Desired behavior must be governed from the top, embraced by management, and exercised by all. </p>
Debbie Shelton
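The access-deactivation control discussed above (terminated employees and contractors must lose system access immediately) is one of the most common tests an auditor runs as an analytic rather than by sampling. The following is an added example, not code from the article: it reconciles an HR termination list against a system's account export and reports accounts that are still active, ranking for-cause terminations and accounts used after the termination date first. The HR feed, the account export, the employee ids and the field layout are all constructed assumptions, not any particular HR or identity system's format.

```python
"""Terminated-user access reconciliation (added example).

Compares HR terminations with the accounts still active on a system and
reports accounts that should have been deactivated. All data is constructed.
"""
from datetime import date

# Constructed HR feed: employee id -> (termination date, terminated for cause?)
HR_TERMINATIONS = {
    "E1001": (date(2017, 3, 1), False),
    "E1002": (date(2017, 3, 10), True),
    "E1003": (date(2017, 2, 20), False),
}

# Constructed system account export: (employee id, username, status, last login)
ACCOUNTS = [
    ("E1001", "jdoe", "disabled", date(2017, 2, 28)),
    ("E1002", "asmith", "active", date(2017, 3, 12)),  # used after a for-cause termination
    ("E1003", "bwong", "active", None),                # never logged in, still active
    ("E1004", "clee", "active", date(2017, 3, 14)),    # current employee, not in HR list
]

# The article says access must be removed "immediately"; a grace period of
# zero days encodes that. Any other value is a policy choice, not from the page.
GRACE_DAYS = 0


def find_orphaned_accounts(terminations, accounts, as_of):
    """Accounts still active for terminated employees, most urgent first.

    Each result is (employee id, username, days overdue, for_cause,
    used_after_termination). Sorting puts for-cause terminations first, then
    accounts with a login after the termination date, then the longest overdue.
    """
    findings = []
    for emp_id, username, status, last_login in accounts:
        if status != "active" or emp_id not in terminations:
            continue
        term_date, for_cause = terminations[emp_id]
        days_overdue = (as_of - term_date).days - GRACE_DAYS
        if days_overdue < 0:
            continue  # termination dated after the review date; not yet due
        used_after = last_login is not None and last_login > term_date
        findings.append((emp_id, username, days_overdue, for_cause, used_after))
    findings.sort(key=lambda f: (not f[3], not f[4], -f[2]))
    return findings


def run_review(as_of_iso):
    """Review the constructed data as of an ISO-8601 date string."""
    return find_orphaned_accounts(HR_TERMINATIONS, ACCOUNTS, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for finding in run_review("2017-03-15"):
        print(finding)
```

A login after the termination date is the finding that matters most: it shows the gap was not only a policy miss but that the credential was actually exercised, which is what the article's "intruder now has the same access as that of the victim" scenario turns on. Running the same reconciliation against facility badge records catches the physical-access half of the control.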
An Important Cyberrisk Framework
<p>Perhaps the most important cyberrisk framework is that published by the U.S. National Institute of Standards and Technology (NIST). Recently, NIST shared for comment a proposed update to their framework.</p>
<p>You can <a href="" target="_blank">download the document and view related videos here</a>.</p>
<p>Here are some key excerpts from the executive summary:</p>
<ul><li>Similar to financial and reputational risk, cybersecurity risk affects a company's bottom line. It can drive up costs and impact revenue. It can harm an organization's ability to innovate and to gain and maintain customers.</li><li>The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization's risk management processes.</li><li>The Framework enables organizations — regardless of size, degree of cybersecurity risk, or cybersecurity sophistication — to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.</li><li>The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks — different threats, different vulnerabilities, different risk tolerances — and how they implement the practices in the Framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks.</li></ul>
<p>Later, the authors say this:</p>
<p><span class="ms-rteStyle-BQ">"Enterprise risk management is the consideration of all risks to achieving a given business objective. Ensuring cybersecurity is factored into enterprise risk consideration is integral to achieving business objectives. 
This includes the positive effects of cybersecurity as well as the negative effects should cybersecurity be subverted."</span></p>
<p>There's a good amount of material to like.</p>
<ul><li>The framework is risk-based and talks about, in my words, investing in cybersecurity commensurate with the level of risk.</li><li>When it talks about risk, it is to the achievement of business objectives. They don't talk about protecting information assets, but rather drive to what is important to the success of the business.</li><li>It uses a maturity model (although it doesn't describe it as such) as a useful way to assess the effectiveness of the cyber program.</li><li>It makes the point that those responsible for the cyber program need to be at an appropriate level within the organization.</li><li>It emphasizes that the management of cyberrisk needs to be integrated within the broader enterprise risk management activity.</li></ul>
<p>However, there are a few areas where I would have liked to have seen more discussion.</p>
<ul><li>Appendix B is a list of objectives for the cyber program. However, in my opinion it is over-simplified and probably incomplete. For example, I do not see anything about protecting the organization from the effects of social engineering.</li><li>While detection is emphasized, the need for <em>timely</em> detection is not mentioned.</li><li>The framework mentions the need for continuous improvement and that cyberrisk is dynamic. However, the sea is constantly rising and defenses have to adapt at least as fast as the risk changes. Investment needs to be in resources that enable threats to be monitored and defenses upgraded continuously.</li><li>The task of assessing the likelihood of a breach is hardly covered at all. There is general acceptance of the fact that a breach is almost inevitable, so the emphasis perhaps should be on the likelihood of different degrees of impact. 
Past experience may not be a good indicator, as prior breaches may not have been detected — leaving management with the unjustified belief that the incidence of breach is lower than it really is.</li><li>The framework suggests that the organization should have an inventory of all assets or points on the network. However, with the extended supply chain plus the Internet of Things plus the fact that employees and other individuals are hacked as entry points, the problem is far more severe than is presented. I am not persuaded that an inventory can ever be considered complete.</li><li>While the framework talks about integration with the enterprise risk management program, it is important to note that cyber may be one of several risks that might affect the achievement of one or more business objectives. Decisions about acceptable levels of risk to an objective should consider all these risks, not just one. In other words, cyber and other risks to an objective may appear to be at an acceptable level individually, but the aggregate effect may be intolerable and require action.</li><li>The framework references the ISO 31000:2009 global risk management standard (curiously not the COSO ERM Integrated Framework) but defines "risk" in its own way. It also uses the term "risk tolerance" in its own way, inconsistent with that of COSO or ISO. (It is essentially the same as COSO's risk appetite).</li></ul>
<p>A framework is simply that, a framework that any organization can build out to suit its situation and needs.</p>
<p>I encourage everybody to consider the document, respond with suggestions for improvement, and perhaps use it to assess and then upgrade your organization's cyber program.</p>
<p>Your comments?</p>
Norman Marks
Must-have Controls for SMBs
<p>Although most cyber breaches reported in the news have struck large companies such as Target and Yahoo, small and mid-sized businesses (SMBs) suffer a far greater number of cyber incidents. These breaches often involve organizations such as local health-care providers or regional insurance brokers. Although the number of breached records an SMB may have is in the hundreds or thousands, rather than the millions, the cost of these breaches can be higher for SMBs because they may not be able to address the incidents on their own. <br></p>
<p>Many SMBs have limited or no resources committed to cybersecurity, and some don’t have an internal audit department to provide assurance. For these organizations, the questions are “Where should we focus when it comes to cybersecurity?” and “What are the minimum controls we must have to protect the sensitive information?” Internal auditors at SMBs can help answer these questions by checking that their organization has five essential cybersecurity controls. <br></p>
<h2>1. Scan the Network</h2>
<p>Regardless of the organization’s industry, SMBs must ensure their network perimeter is protected. The first step is identifying the vulnerabilities by performing an external network scan at least quarterly. SMBs can either hire an outside company to perform these scans, or they can license software to run the scans themselves. <br>Moreover, SMBs need a process in place to remedy the critical, high, and medium vulnerabilities within three months of the scan run date, while low vulnerabilities are less of a priority. The fewer vulnerabilities the perimeter network has, the less chance that an external hacker will breach the organization’s network. <br></p>
<h2>2. Train Employees</h2>
<p>Educating employees about their cybersecurity responsibilities is not a simple check-box matter. 
SMBs not only need to implement an effective information security policy, they also need to ensure employees are aware of the policy and their responsibilities. The policy and training should cover:<br></p><ul><li>Awareness of phishing attacks.</li><li>Training on ransomware management.</li><li>Travel tips.</li><li>Potential threats of social engineering.</li><li>Password protection.</li><li>Risks of storing sensitive data in the cloud.</li><li>Accessing corporate information from home computers.</li><li>Awareness of tools the organization provides for securely sending emails or sharing large files.</li><li>Protection of mobile devices.</li><li>Awareness of CEO spoofing attacks.</li></ul><p><br></p><p>In addition, SMBs should verify employees’ level of awareness by conducting simulation exercises. These can be in the form of a phishing exercise in which SMBs send fake emails to employees to see if they will click on a web link, or a social engineering exercise in which a hired individual tries to enter the organization’s physical location and steal sensitive information such as passwords written near the computer screen.<br></p><h2>3. Protect Sensitive Information </h2><p>Management and internal audit should identify and protect the organization’s sensitive data. Even in small organizations, sensitive information tends to proliferate across various platforms and folders. For example, employees’ personal information typically resides in human resources software or with a cloud service provider, but through various downloads and reports, the information can proliferate to shared drives and folders, laptops, emails, and even cloud folders like Dropbox.<br></p><p>Internal auditors at SMBs should check that the organization has performed these tasks to make sure it has a good handle on the organization’s sensitive information:<br></p><ul><li>Inventory all sensitive business processes and the related IT systems. 
Depending on the organization’s industry, this information could include customer information, pricing data, customers’ credit card information, patients’ health information, engineering data, or financial data.</li><li>For each business process, identify an information owner who has complete authority to approve user access to that information.</li><li>Ensure that the information owner periodically reviews access to all the information he or she owns and updates the access list.</li></ul><p></p><h2>4. Segment the Network </h2><p>Organizations should make it hard to get to their sensitive data by building layers or network segments. Although the network perimeter is an organization’s first line of defense, the probability of the network being penetrated is at an all-time high. Internal auditors should check whether the organization has built a layered defense to protect its sensitive information. <br></p><p>Once the organization has identified its sensitive information, management should work with the IT department to segment those servers that run its sensitive applications. This segmentation will result in an additional layer of protection for these servers, typically by adding another firewall for the segment. Faced with having to penetrate another layer of defense, an intruder may decide to go elsewhere in the network where less sensitive information is stored.<br></p><h2>5. Deploy Extra Protection for Endpoints  </h2><p>An organization’s electronic business front door also can be the entrance for criminals or bad actors. Most of today’s malware enters through the network but proliferates through the endpoints such as laptops and desktops. At a minimum, internal auditors at SMBs must ensure that all the endpoints are running anti-malware/anti-virus software. Also, they should check that this software’s firewall features are enabled. 
Moreover, all laptop hard drives should be encrypted.<br></p>
<h2>A Stronger Defense</h2>
<p>In addition to making sure their organization has implemented these five core controls, internal auditors should advise SMB executives to consider other protective controls:<br></p>
<ul><li><em>Monitor the network.</em> Network monitoring products and services can provide real-time alerts in case there is an intrusion. </li><li><em>Manage service providers.</em> Organizations should inventory all key service providers and review all contracts for appropriate security, privacy, and data breach notification language.</li><li><em>Protect smart devices.</em> Increasingly, company information is stored on mobile devices. Several solutions can manage and protect the information on these devices. SMBs should make sure they are able to wipe the sensitive information from these devices if they are lost or stolen.</li><li><em>Monitor activity related to sensitive information.</em> SMBs should log activities against their sensitive information and keep an audit log in case an incident occurs and they need to review the logs to evaluate the incident. </li></ul>
<p>Combined with the five essential controls, these controls can help SMBs reduce the probability of a data breach. But a security program is only as strong as its weakest link. Through their assurance and advisory work, internal auditors can help identify these weaknesses and suggest ways to strengthen their organization’s defenses. <br></p>
Sajay Rai
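The first control above (quarterly external scans, with critical, high and medium findings remedied within three months of the scan run date and low findings treated as lower priority) is easy to state and easy to lose track of between scans. The following is an added example, not code from the article or from any scanner vendor: it reads a simple findings export, computes each open finding's remediation deadline from its scan date, and reports what is past due, worst severity first. The CSV layout, the host addresses (from the 203.0.113.0/24 documentation range), the finding titles and the review dates are all constructed for the example.

```python
"""Vulnerability remediation tracking for quarterly external scans (added example).

Reports open critical/high/medium findings whose three-month remediation
window has passed. Low findings are counted as backlog, not as overdue.
The CSV format below is constructed and is not a real scanner's export.
"""
import csv
import io
from datetime import date, timedelta

# Constructed scan export (columns are assumptions, not a real scanner format).
SCAN_CSV = """\
host,plugin,severity,scan_date,status
203.0.113.10,Outdated TLS configuration,medium,2016-11-01,open
203.0.113.10,Remote code execution in web server,critical,2016-11-01,fixed
203.0.113.11,Default credentials on admin interface,high,2016-11-01,open
203.0.113.12,Information disclosure banner,low,2016-11-01,open
203.0.113.13,SQL injection in login form,critical,2017-01-15,open
"""

REMEDIATION_WINDOW = timedelta(days=90)       # "within three months of the scan run date"
TRACKED_SEVERITIES = ("critical", "high", "medium")


def load_findings(csv_text):
    """Parse the export into dicts with a real date and normalised severity."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["scan_date"] = date.fromisoformat(row["scan_date"])
        row["severity"] = row["severity"].strip().lower()
        row["status"] = row["status"].strip().lower()
    return rows


def overdue_findings(findings, as_of):
    """Open tracked findings past their deadline as (host, plugin, severity, days overdue).

    Sorted worst severity first, then longest overdue.
    """
    rank = {sev: i for i, sev in enumerate(TRACKED_SEVERITIES)}
    result = []
    for f in findings:
        if f["status"] != "open" or f["severity"] not in rank:
            continue
        deadline = f["scan_date"] + REMEDIATION_WINDOW
        if as_of > deadline:
            result.append((f["host"], f["plugin"], f["severity"], (as_of - deadline).days))
    result.sort(key=lambda r: (rank[r[2]], -r[3]))
    return result


def remediation_report(csv_text, as_of_iso):
    """Summarise the export as of an ISO-8601 date: overdue items and open low backlog."""
    findings = load_findings(csv_text)
    as_of = date.fromisoformat(as_of_iso)
    open_low = sum(1 for f in findings if f["status"] == "open" and f["severity"] == "low")
    return {"overdue": overdue_findings(findings, as_of), "open_low": open_low}


if __name__ == "__main__":
    report = remediation_report(SCAN_CSV, "2017-02-15")
    for item in report["overdue"]:
        print("OVERDUE", item)
    print("open low-severity backlog:", report["open_low"])
```

The deadline is anchored to the scan that first reported the finding, so a finding that keeps reappearing quarter after quarter is not silently given a fresh three months each time; that is the clock the article's control actually sets. An auditor testing the control would run this against consecutive quarterly exports and expect the overdue list to be empty, or to match a documented risk acceptance.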
Deloitte Shares a List of "Risk" Trends to Watch in 2017 and Beyond
<p>Rather than the list of top risks, the people at Deloitte suggest that there are a number of trends "that have the potential to significantly alter the risk landscape for companies around the world and change how they respond to and manage risk."</p>
<p>They share 10 in <a href="" target="_blank">The Future of Risk: New Game, New Rules</a>.</p>
<p>I like the way they start:</p>
<p><span class="ms-rteStyle-BQ">The risk landscape is changing fast. Every day's headlines bring new reminders that the future is on its way, and sometimes it feels like new risks and response strategies are around every corner. The outlines of new opportunities and new challenges for risk leaders — indeed, all organizational leaders — are already visible.</span></p>
<p><span class="ms-rteStyle-BQ">What you'll see is that risk's onset and consequences, and the entire nature of the risk discipline, are evolving. The good news? The strategic conversation around risk is changing too. For leaders today, risk can be used as a tool to create value and achieve higher levels of performance. It's no longer something to only fear, minimize, and avoid.</span></p>
<p>For the moment, let's put aside our differences about the meaning of words such as "risk" and "risk source." </p>
<p>The 10 trends they have listed merit consideration. As Deloitte suggests, we should all consider these trends. Do we agree with the facts as presented? Will they affect us and, if so, how? How should we respond?</p>
<p>Please read the report, which is fairly short, before coming back to this discussion.</p>
<p>The first trend is <span style="text-decoration:underline;">cognitive technologies</span>, which is a fancy term that includes big data analytics, predictive analytics, AI, machine learning, and so on. 
Deloitte says it is about "using smart machines to detect, predict, and prevent risks in high-risk situations."</p><p>Broadly speaking, every organization should be watching and exploring ways to use new or advances in technology for this purpose.</p><p>But more might be done.</p><p>Machine learning and similar technologies may not only detect patterns and so on, analyze them, but actually make decisions and initiate action. Smart software, as well as machines, is starting to replace humans that perform repetitive analysis and response.</p><p>The second is "<span style="text-decoration:underline;">Controls become pervasive</span>." Deloitte is not talking about internal controls, here. They are talking about controls automation. They could have easily rolled this into the first trend, since it's really about the use of technology for risk monitoring.</p><p>The third is quite different: It's about advances in <span style="text-decoration:underline;">behavioral science</span>. I'm not sure what they expect to be different in 2017 and beyond, because the study of human behavior is not new at all. The key is whether the science will be <span style="text-decoration:underline;">used</span>.</p><p>Deloitte then uses the term "<span style="text-decoration:underline;">vigilance</span>" for its next trend. This is another fancy word; <strong>detection </strong>would have worked just as well, perhaps more accurately, but vigilance is more exciting and appealing to the consumer of Deloitte services.</p><p>Yes, more attention needs to be placed on risk monitoring and detection controls, especially with respect to cyber.</p><p>The next one is "<span style="text-decoration:underline;">risk transfer</span>." Arguably, risk is never transferred. It can only be shared or mitigated. Also, preventive controls do not eliminate risk; they just reduce the level to hopefully acceptable levels, because there is always the possibility that the controls will fail. 
The only change in this area I am aware of is the emergence of (limited) cyber insurance.</p>
<p>Deloitte thinks that the fact that <span style="text-decoration:underline;">innovation outpaces regulation</span> is a trend. I am not persuaded. However, the relaxation of regulation under President Trump would be a change — but may not be in effect long-term if he is not re-elected in four years.</p>
<p>Using <span style="text-decoration:underline;">risk management to drive performance</span> is not a new thought. I have been pressing for it for a while myself. If it becomes a reality, that would certainly be an important trend.</p>
<p>"<span style="text-decoration:underline;">Collective risk management</span>" is an interesting concept. However, laws and regulations can limit the sharing of information.</p>
<p>"<span style="text-decoration:underline;">Disruption</span> dominates the executive agenda" is not new. I agree with Deloitte that it should be expected to increase this year and into the future.</p>
<p>Then Deloitte picks <span style="text-decoration:underline;">reputation </span>risk — again, not really new. The change is that new technologies can help us address it.</p>
<p>Overall, a couple of points that should stimulate some thinking. But most of this should be ho-hum for most of us.</p>
<p>What do you think?</p>
Norman Marks
