A Generalist in an IT World<p>IT is changing more rapidly than any other business area. Not only is technology evolving, but emerging risks are constantly materializing, and best practices for risk mitigation are shifting in response. These factors present challenges to even the most technical IT auditors.</p><p>For integrated and operational auditors reviewing IT risks, the challenges are even greater. IT processes and their terminology can be daunting to outsiders. Postmortems are now called sprint ceremonies, software deployments involve build-and-release pipelines, and domains comprise trees and forests. What were industry best practices several years ago often are considered vulnerabilities today as the threat landscape evolves.</p><p>Nontechnical auditors may struggle to translate the language, much less assess risks and controls in this environment. However, there are steps they can take to successfully provide assurance and advice on many IT risk areas without becoming technical experts.</p><h2>Clarify Expectations</h2><p>Audit clients may expect that internal auditors are already highly familiar with the terminology, frameworks, and best practices for their area of expertise. Auditors can reduce friction and ensure stronger communication upfront by clarifying their level of familiarity with the subject.</p><p>At every planning meeting, nontechnical internal auditors should remind IT leadership that they will be focusing on processes and controls, not providing technical IT expertise. Moreover, auditors should start meetings with technical experts by providing information on the audit objectives as well as their audit background. A good way to remind clients of the auditor's expertise is to say, "We're not experts on your processes, but we are experts on risk and controls."
</p><p>Auditors should feel comfortable asking highly technical interviewees to explain things more simply when those clients use acronyms or get too deep into technical details. Experts often are generous, gracious, and excited to teach practitioners new concepts when auditors are honest about their limited familiarity with technical terms. </p><h2>Be a Continuous Learner</h2><p>While internal auditors cannot be expected to have the same level of technical expertise as their IT audit clients — or even as specialized IT auditors — it is important for all auditors to stay up to date on basic IT control concepts and industry trends. There are many resources available to auditors: Internal Auditor magazine articles and blogs as well as The IIA's Global Technology Audit Guides, training, and certifications. </p><p>When auditors are developing their training plan, they can ask the organization's chief information officer (CIO) for input. The CIO can focus auditors' training on the organization's highest risks or areas in transition, and may provide opportunities for internal auditors to attend the same training that their IT clients are taking, which promotes alignment.</p><p>Auditors should have conversations with technology experts about trends in the profession and balancing operational efficiency and risk mitigation. Both sides can learn from this discussion, as often auditors may err on the side of risk mitigation while the IT client may lean toward operational efficiency. Having an open dialogue can promote stronger alignment, understanding, and collaboration between the auditor and client.</p><p>Also, audit clients can be great teachers and can recommend additional learning resources. 
For example, I will never forget the moment one of our enterprise architects plopped a thick copy of the ITIL Handbook on my desk and offered to guide me through the content.</p><p>Because of the pace at which IT best practices are changing to better meet stakeholder needs for digital transformation, even the most technical internal auditors need to be learning constantly. One advantage less technical IT auditors may have is a natural openness to change and a practice of researching current IT standards before starting an audit. </p><h2>Build Relationships</h2><p>An internal auditor's network can be one of the practitioner's greatest assets. Auditors can leverage their peers for benchmarking and understanding best practices, as well as a sounding board for ideas. </p><p>Equally valuable are relationships internal auditors have built within their organization, especially with key first- and second-line functions. The organization's enterprise architects, IT security, and IT governance, risk, and control (GRC) staff can be incredible resources because of their expertise in emerging technology, the organization's IT environment, and industry standards. For example, I work closely with the IT GRC team, meeting monthly to discuss audit plans, audit results, and how we can better coordinate and add value. Their technical expertise is helpful as I audit new areas. </p><h2>Leverage Nontechnical Skills </h2><p>Sometimes an internal auditor's perceived technical weakness can be an advantage. A few years ago, the chief audit executive at my company had a conversation with our CIO that changed my perception of my value as a nontechnical IT auditor. </p><p>The CIO explained that often a group in IT already knew there was a problem, but nobody had time to dig into it. When that happened, I would help that group define and solve the problems on its own. 
As I asked probing questions, facilitated gathering information and ideas, and identified organizational silos, the solutions would become apparent. In other words, it was my lack of technical expertise that made me a trusted asset.</p><p>Inefficiencies and control breakdowns often are caused by ineffective communication between groups. Nontechnical internal auditors can help clients focus on the narrative. Do the processes make sense? Is there a consistent understanding? Are there bottlenecks or points of friction? Sometimes a nontechnical auditor can identify and investigate potential risks by bringing together technical experts to share information, discuss mitigating controls, and come up with an action plan to address the true risk areas.</p><p>Another strength nontechnical internal auditors may bring to the table is an enterprise view of risk. Occasionally, IT audit specialists may be tempted to get caught up in the details and rate a minor finding as critical because it didn't meet a standard or expectation. Nontechnical auditors may be more likely to think at the big picture level, considering mitigating controls and residual risk.</p><h2>Rise to Challenging Risks</h2><p>Nontechnical IT auditors may be tempted to downplay their value in a constantly evolving IT environment. However, by setting clear expectations, learning continuously, building relationships, and embracing their nontechnical skills, these auditors can provide the assurance and advice that their organizations require — even with the most challenging IT risks.</p>Jami Shine
Cybersecurity in Turbulent Times<h2>What have been the short-term implications of the pandemic on organizations' cybersecurity efforts?</h2><p><strong>Raizen</strong> The short-term implications have been tied to whether their current focus was on protecting the external boundary, or if they were previously configured to leverage a hybrid environment with many remote workers already. Those that had infrastructure and practices in place already to support remote work, mostly added licenses for the additional software. Those that did not, operated in a scramble to support continuation of work, often without a focus on security during the process. Attackers recognized this and were quick to target users with pandemic-related phishing campaigns and attacks focused on VPNs or other remote technologies. In some cases, organizations leveraged less secure solutions — those with lower levels or no encryption, external services without multifactor authentication (MFA), etc. — creating opportunities for attackers and added confusion caused by rapid changes.</p><p><strong>Vanvaria</strong> Over the last year, organizations have had to transform at an accelerated speed that would have been thought impossible just a short time ago. However, many organizations did not involve risk management functions or cybersecurity in the decision-making process, not necessarily due to oversight but rather the urgency of the need to adapt for survival. As a result, these organizations need to address the risks and potential vulnerabilities that were introduced during their transformation efforts at the height of the pandemic while also ensuring cybersecurity resilience for the next major event.
</p><h2>What will likely be the long-term effects?</h2><p><strong>Vanvaria</strong> My colleague Elizabeth Butwin Mann, EY Americas cybersecurity consulting leader, provides a broader look for the longer term of how cybersecurity is a business issue rather than a technology issue. She says the past has always been about cybersecurity as a back-office function, buried in an IT back office, and now it is time to take a look at cybersecurity embedded into business priorities: cyber for supply chain, cyber for manufacturing, cyber for the customer and employee experience, etc.</p><p><strong>Raizen</strong> The longer-term effects will be increased spending on cybersecurity — especially related to the purchase of additional security tools and automation of processes. While many will focus on the technology, there has also been a lot of emphasis on building good processes and on the value of having and testing a response plan. Recent data has shown that in the U.S. National Institute of Standards and Technology Cybersecurity Framework, organizations focus heavily on the Protect domain, but not much on the Respond and Recover domains, although these can be critical, as no security is foolproof. With the increasing volume of threats, automation will be key to sort through the data and respond effectively, which will increase the focus on data quality and validating models used for tuning these tools.</p><h2>With employees returning to offices, how might attitudes toward cybersecurity change?</h2><p><strong>Raizen</strong> I don't think employees' attitudes will change drastically. However, there is an increased awareness of cybersecurity threats among the general population because of the proliferation of these attacks and news stories about them.
This mostly helps people become less resistant to additional security controls — when they are reasonable. With security, we always need to keep in mind the balance of security with usability when working with users, as low usability often creates a situation where users will circumvent better security controls. Fortunately, people have become very accustomed to some great controls, such as MFA, and the better we can continue to make similar experiences a standard thing, the more people will adopt them. I know there is a lot of work — including recent efforts from Microsoft to move to a password-less approach, and I think that is a great direction.</p><p><strong>Vanvaria</strong> Remote working has been a particular issue, and incidents of phishing and other threats are on the rise. Larger corporations have been able to ride out the storm more comfortably given the access to capital to manage risk, especially those with integrated risk management functions throughout the first, second, and third lines. Employees will have a greater appreciation for the protection the enterprise network provides; however, employers will have to continue to invest in awareness and enhanced training and provide better hardened equipment to end users. </p><h2>Will it be easier or more difficult to manage cybersecurity post pandemic?</h2><p><strong>Vanvaria</strong> The hybrid world and new ways of working will definitely create another layer of complexity. The EY 2021 Global Information Security Survey, which surveyed more than 1,000 cybersecurity leaders at organizations worldwide, found that 56% say that businesses have sidestepped cyber processes to facilitate new requirements around remote or flexible working. 
At the same time, cyber leaders say they have never been as concerned as they are now about their ability to manage the cyber threat (43%), with 77% warning that they have seen an increase in the number of disruptive attacks, such as ransomware, over the last 12 months — up from 59% in the previous year's survey.</p><p><strong>Raizen</strong> I don't look at it as easier or more difficult. A few things have happened, including a shifting of risks, and exposure of some underlying issues that have been raised because of that. For example, traditional network boundaries have changed drastically, and concepts such as zero trust, along with the importance of using strong passwords and MFA, and the implementation of endpoint detection and response systems to detect and stop attacks, can be critical. So just like the risks, the effort is similar, but it has shifted to different activities, such as building in automation, or deploying additional training. It will be important to make sure people are continuing to apply basic security to new technologies and solutions as they are introduced.</p><h2>What can internal auditors do to help organizations address cybersecurity as employees return to work?</h2><p><strong>Raizen</strong> It is important to continue to focus on managing risk, and not jump to the latest threat whether it is directly relevant or not. I still see many organizations failing to tackle the basic security controls effectively, while trying to put more advanced things in place. This can leave significant exposure, and cost a lot of time and money in the interim. It is important to focus on having good, formal processes in place, leveraging a standard framework to help ensure completeness and to track maturity, and then to add in tools and automation to support as needed. 
Internal auditors should focus on the process side, and ensure that basic controls are highly effective before reviewing more advanced system configurations.</p><p><strong>Vanvaria</strong> The pandemic has accelerated the global megatrends, forcing organizations to move toward flexible audit planning. The aim is to shape the internal audit function to meet the future and post-pandemic world demands. Disruptive market conditions, cyberattacks, and digitalization are here to stay and bring along new, even more sophisticated risks, to which companies need to respond to find long-term success. My advice to many chief audit executives is to be agile and flexible in their approach, aligning to their organizations' continuous and emerging enterprise risk management outputs, strategic direction, and priorities. Audit professionals will be able to apply more judgment in their work and focus their attention on new risks and outcomes, in addition to processes and controls. They will also be able to use a variety of dynamic outputs, on a more real-time basis, and go beyond root-cause analysis to provide best practices, sector trends, and relevant benchmarks to meet the needs of stakeholders.</p>Staff
Tactical Fraud Data Analysis<p>The days of “give me the data and let me play with it until I find something” are over. It’s no longer enough for internal auditors to hope they stumble across something. They need a tactical search plan.</p><p>For example, a U.S. District judge recently sentenced a California man to six years in federal prison for his role in a scheme to embezzle more than $3 million from a general contractor. The man was one of six individuals who set up shell companies to submit fake construction services and materials invoices to the construction manager.</p><p>Internal auditors must ask whether their fraud data analytics could detect such a scheme. Here is how a tactical analytics methodology can help.</p><h3>Decide What to Look For</h3><p>Internal audit should begin with the fraud risk statement, which has five elements: opportunity, entity, fraud action, impact, and financial conversion. The risk statement becomes the technical specifications for programming auditors’ search routines. To illustrate, internal auditors should consider how each element in this risk statement links to the fraud data analytics plan:</p><p>Budget owner acting alone / causes a shell company to be set up on the vendor master file / causes the issuance of a purchase order and approves a fake invoice for services not received / causes the diversion of company funds.</p><p><strong>Opportunity</strong> Viewed as either a direct access function, such as accounts payable, or indirect access such as a budget owner acting alone. Because the opportunity element is a budget owner, auditors expect that all fake invoices are recorded in the budget owner’s cost center.</p><p><strong>Entity</strong> A vendor, employee, customer, etc., who links to the master file data (name and address). Entities can be false or real. Internal auditors should decide whether they are looking for real or false schemes.
They can then decide which permutations to include or exclude from their analysis. They also need to know what they are searching for. In the example fraud risk statement, the entity is a created false entity rather than:</p><ul><li><em>Assumed</em> — takes over the identity of a dormant or real vendor.</li><li><em>Hidden</em> — two vendors with a different name but common identity information.</li><li><em>Conflict of interest</em> — vendor has one customer and ownership links to prior employment.</li><li><em>Temporary</em> — often associated with one-time payment procedures.</li></ul><p><strong>Fraud Action Statement</strong> Links to the transactional data. In the risk statement example, auditors should search for a fake invoice for services not performed. The analysis starts with the purchase order, vendor invoice, and payment data using five fields: control number, date, amount, line-item description, and general ledger account. Auditors should then determine the data patterns associated with a fake invoice.</p><p><strong>Impact Statement</strong> Helps auditors calibrate their analysis regarding total vendor spend levels. Auditors should note that most false billing schemes occur in the bottom-third spend level, whereas pass-through schemes are typically located in the middle third. Conflict of interest schemes can range from the bottom to the top of the spend level.</p><h3>Determine the Level of Sophistication</h3><p>Fraud is about misrepresentation and concealment. Internal audit’s plan must anticipate the sophistication of concealment, ranked on a low, medium, and high scale. Fundamentally, this tells auditors what their search routine can detect.</p><p>A common test is matching human resource data to vendor data. A bank account illustrates how matching and concealment correlate:</p><ul><li><em>Low sophistication.</em> Both files have the same bank routing number and bank account number.
The test is successful.</li><li><em>Medium sophistication.</em> Both files have the same bank routing number but different account numbers. The test is useful if an individual is identified through a whistleblower complaint.</li><li><em>High sophistication.</em> Each file has a different bank routing number and account number. Internal audit’s test fails, which means its only chance of detecting the scheme is through the transactional data.</li></ul><p>Internal audit must understand this level of sophistication concept for every data element in its plan.</p><h3>Choose the Analytics Strategy</h3><p>Internal auditors use four strategies to search for patterns and frequencies that correlate to the fraud risk statement:</p><ul><li><em>Direct evidence.</em> Specific identification correlates to low sophistication. Common patterns associated with these tests are match, duplicate, missing, and changed.</li><li><em>Circumstantial evidence.</em> Internal control avoidance correlates to medium sophistication. An example is finding two vendor invoices with the same date, each below a control level but in total exceeding the control level. Is it a coincidence or fraud?</li><li><em>Data interpretation.</em> Professional experience correlates to high sophistication. The sample is derived from visual examination of data using the auditor’s knowledge of it. Data exclusion is a critical aspect of this strategy because it reduces the amount of data that auditors must search.</li><li><em>Number anomaly.</em> That is, round numbers or recurring numbers. Number anomalies do not link to a fraud risk statement per se; the auditor needs to interpret how the number anomaly correlates to the statement.</li></ul><h3>Look for Data Patterns</h3><p>Fraud data analytics for transactional data is about pattern recognition and frequency.
Here are two examples using the vendor invoice number and the date field.</p><p><strong>Invoice Number</strong> Auditors should search for a low number, a sequential pattern, and a limited number range pattern. If the perpetrator is of low sophistication, auditors would expect to see a starting number of 1, 100, or 1000; whereas, a medium to high concealment strategy might start with an odd number such as 5019.</p><p><strong>Date Field</strong> Auditors should perform a speed-of-payment test comparing the invoice date to the payment date. Quick payments are a red flag. Auditors can count on the fraud triangle to cause perpetrators to want their money immediately to satisfy their vice.</p><p>Once a pattern is identified, ask whether the frequency is sufficient to indicate a fraud pattern or a business pattern. Although this is subjective, it is an important consideration. In practice, auditors perform multiple pattern tests. The weight of all those tests becomes the basis for their sample selection.</p><h3>Evaluate the Data</h3><p>Up to this point, the fraud data analytics plan has been about creating a sample of the data and narrowing the focus based on certain criteria. The final step is to ascertain whether there is credible evidence to suggest that a fraud scheme is occurring. Internal audit needs to have effective procedures — fraud tests — embedded in the plan or the plan may fail to reveal the fraud scheme.</p><p>To illustrate a fraud test, auditors should compare the corporate registration date to the first vendor invoice date. If the invoice date is within 90 days of the corporation registration date, that is suspicious. But auditors need to remember it is the weight of all the audit evidence, not just one test.</p><h3>Essential Analytics</h3><p>Even the world’s best auditor using the world’s best audit program cannot detect fraud unless the sample includes a fraudulent transaction.
That is why fraud data analytics is so essential to the audit profession and stopping shell company frauds.</p>Leonard W. Vona
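The tests the article above describes (matching HR bank data to vendor bank data at the three concealment levels, same-day split invoices that each sit below a control level, invoice-number start and sequence patterns, the speed-of-payment test, and the 90-day registration-date test) as an added Python example. It is not the author's own tooling; the vendor, employee and invoice records, the approval limit, the payment-speed threshold and the scoring weights are constructed assumptions chosen to show how the weight of several tests, rather than any single one, drives sample selection.

```python
"""Constructed illustration of the tactical fraud data analytics tests described in the
article above. Records, thresholds, field names and weights are assumptions for this example."""
import re
from collections import defaultdict
from datetime import date

# Constructed sample data. V200 is the planted shell company: it shares a bank routing
# number with an employee, was registered two weeks before its first invoice, numbers its
# invoices 1, 2, 3, splits a same-day bill under the approval limit, and is paid fast.
VENDORS = {
    "V100": {"name": "Acme Concrete", "registered": date(2012, 3, 1),
             "routing": "011000015", "account": "7781234"},
    "V200": {"name": "Westside Services LLC", "registered": date(2021, 4, 20),
             "routing": "026009593", "account": "5550101"},
}
EMPLOYEES = [{"id": "E1", "routing": "026009593", "account": "9990202"}]
FIELDS = ("vendor", "invoice_no", "invoice_date", "payment_date", "amount")
INVOICES = [dict(zip(FIELDS, row)) for row in [
    ("V100", "A-48211", date(2021, 5, 3), date(2021, 6, 5), 18400.00),
    ("V100", "A-48377", date(2021, 6, 7), date(2021, 7, 9), 22150.00),
    ("V200", "1", date(2021, 5, 4), date(2021, 5, 7), 4900.00),
    ("V200", "2", date(2021, 5, 4), date(2021, 5, 7), 4800.00),
    ("V200", "3", date(2021, 6, 1), date(2021, 6, 3), 4950.00),
]]
APPROVAL_LIMIT = 5000.00  # assumed control level for a single-approver invoice
FAST_PAYMENT_DAYS = 7     # assumed threshold for the speed-of-payment red flag
NEW_VENDOR_DAYS = 90      # the registration-date test window from the article


def vendor_invoices(vid, invoices=INVOICES):
    return [inv for inv in invoices if inv["vendor"] == vid]


def bank_match_level(vendor, employees):
    """Direct-evidence test: match HR bank data to vendor bank data. Returns 'low'
    (routing and account match), 'medium' (routing only) or None (the test fails,
    so only the transactional data can reveal the scheme)."""
    level = None
    for emp in employees:
        if emp["routing"] == vendor["routing"]:
            if emp["account"] == vendor["account"]:
                return "low"
            level = "medium"
    return level


def split_invoice_dates(invoices, limit):
    """Circumstantial-evidence test: same-day invoices each below the control level
    whose total reaches it. Returns the flagged invoice dates."""
    by_date = defaultdict(list)
    for inv in invoices:
        by_date[inv["invoice_date"]].append(inv["amount"])
    return sorted(d for d, amts in by_date.items()
                  if len(amts) > 1 and all(a < limit for a in amts) and sum(amts) >= limit)


def invoice_number_flags(numbers):
    """Invoice-number pattern tests: a low starting number and sequential numbering.
    Non-digit characters are stripped so prefixed numbers such as A-48211 still count."""
    nums = sorted(int(re.sub(r"\D", "", n)) for n in numbers if re.search(r"\d", n))
    flags = set()
    if nums and nums[0] in (1, 100, 1000):
        flags.add("low_start")
    if len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:])):
        flags.add("sequential")
    return flags


def fast_payment_share(invoices, days):
    """Speed-of-payment test: share of invoices paid within `days` of the invoice date."""
    if not invoices:
        return 0.0
    fast = [inv for inv in invoices if (inv["payment_date"] - inv["invoice_date"]).days <= days]
    return len(fast) / len(invoices)


def new_vendor_flag(vendor, invoices, days):
    """Registration-date fraud test: first invoice within `days` of the vendor's registration."""
    first = min(inv["invoice_date"] for inv in invoices)
    return 0 <= (first - vendor["registered"]).days <= days


def score_vendors(vendors=VENDORS, employees=EMPLOYEES, invoices=INVOICES):
    """Weigh every test per vendor and rank: sample selection rests on the combined
    evidence, not on any single test. The weights are assumptions."""
    results = {}
    for vid, vendor in vendors.items():
        mine = vendor_invoices(vid, invoices)
        if not mine:
            continue
        score, flags = 0, []
        level = bank_match_level(vendor, employees)
        if level:
            score, flags = score + (3 if level == "low" else 2), flags + [f"bank_match_{level}"]
        if split_invoice_dates(mine, APPROVAL_LIMIT):
            score, flags = score + 2, flags + ["split_invoices"]
        for flag in sorted(invoice_number_flags(inv["invoice_no"] for inv in mine)):
            score, flags = score + 1, flags + [flag]
        if fast_payment_share(mine, FAST_PAYMENT_DAYS) >= 0.5:
            score, flags = score + 1, flags + ["fast_payment"]
        if new_vendor_flag(vendor, mine, NEW_VENDOR_DAYS):
            score, flags = score + 2, flags + ["new_vendor"]
        results[vid] = {"name": vendor["name"], "score": score, "flags": flags}
    return dict(sorted(results.items(), key=lambda kv: -kv[1]["score"]))
```

Running `score_vendors()` ranks V200 first with every flag raised and V100 with none. Note that the bank test only reaches the medium level for V200 (routing matches, account differs), which is exactly the case the article says is useful mainly once a name surfaces from a whistleblower; it is the transactional patterns that carry most of the weight here.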
Clearing House Auditors Talk Cybersecurity<p>In daily business news, organizations like the Depository Trust & Clearing Corp. (DTCC) or the Options Clearing Corp. (OCC) typically don't make headlines. That could be considered a good thing. DTCC and OCC are clearing houses, acting as intermediaries between financial institutions such as banks and investment firms. Operating largely behind the scenes, clearing houses are responsible for clearing and settling millions, or even trillions, of dollars daily in securities exchange and other financial markets. (See "Clearing Houses Defined" below.)</p><p>But even if name recognition is low, their importance is outsized, and the job clearing houses do is crucial to the health of economies. They are, in fact, comparable to a utility, like a water or power company. "We are the financial market's silent partner," says Adam Shaffer, who is based in Chicago and serves as executive director of internal audit for OCC. "We are the sole clearing agency for listed equity options in the U.S."</p><p>Like all financial organizations, cybersecurity is a top concern for clearing houses, and more so because a successful cyberattack isn't just an issue for that organization. It could actually cause disruptions throughout financial markets.</p><p>"So we are designated a SIFMU — a systemically important financial market utility," explains Shaffer. In the U.S., The OCC is one of only eight financial organizations with this status. Three other SIFMUs are subsidiaries of DTCC, including the Depository Trust Company, the National Securities Clearing Corp., and the Fixed Income Clearing Corp.</p><p>Because of their status as financial utilities, clearing houses have a very low risk appetite. "At DTCC, we want to mitigate risk as much as possible," says Steven Jacovetti, DTCC's executive director of internal audit, who is based in Jersey City, N.J.
"Our firm's mission is to protect the financial services industry. We have to do everything in our power to make sure that we are providing the highest levels of risk management to protect the firm and our clients." <br></p><p>So what do audit functions at highly regulated, extremely low-risk appetite organizations focus on when it comes to cybersecurity? Experts say resiliency and disruption, third-party risk, and insider threats are among their chief areas of concern. <br></p><h2>Resiliency and Disruption </h2><p>The status of clearing houses as intermediaries means that, generally, these organizations don't deal directly with customer data. Instead, they direct their efforts toward preventing disruptions and building in redundancies. <br></p><p>"When you think of cybersecurity, the majority of the population thinks of personal data — personal identifiable information (PII)," Shaffer says. "We are far more focused on disruption. As a company, we don't maintain much PII. Our walls are really built around making sure that we are — like your power company — a dependable resource that continues to operate." </p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<p><strong class="ms-rteFontSize-3">Clearing Houses Defined</strong></p><p>A clearing house provides clearing and settlement services for payments, exchange-traded contracts, and cleared, over-the-counter derivatives. It acts as the neutral counterparty between every buyer and seller, ensuring the integrity of every trade. Its main role is to ensure that the transaction goes smoothly, with the buyer receiving the tradable goods he or she seeks to acquire and the seller receiving the right amount paid for the tradable goods he or she is selling.</p><p>To illustrate one type of clearing house, when an investor decides to purchase a security, his or her order goes through a clearing member firm, which acts as a guarantor to the investor. 
An investor will typically purchase the security through a brokerage firm, which may or may not be a clearing member firm. If the brokerage firm is not a clearing member, it will have an arrangement with a clearing member firm to "maintain custody" of the investor's securities account. The order is then submitted to a clearing house, which matches a buyer with a seller and executes all activities involved in clearing, securing, and settling the transaction. The clearing house acts as a go-between for the two clearing member firms — monitoring, processing, and assuming the legal counterparty risk for the trade. <br></p></td></tr></tbody></table><p>Having a cyber-resiliency plan and an incident-response plan are must-haves, says Daniel Pokidaylo, vice president of internal audit at The Clearing House (TCH) in New York City. Like OCC, TCH is a designated SIFMU. However, the 168-year-old TCH differs from the other clearing houses in that it is owned by 24 of the largest banks in the U.S. and its role is primarily to clear and settle payment transactions, including Automated Clearing House (ACH) payments.<br></p><p>"Ransomware has become very popular and is hitting the news all the time, so it's important to have an appropriate incident response plan to mitigate cyberthreats," Pokidaylo says. "I think everyone has an incident response plan, but it could be 50 to 100 pages, and when push comes to shove, you may not know who to call. You can't spend time going through the entire plan and figure it out during an actual event, so companies have to make sure that the plan is tested, the appropriate contact information is in there, and procedures are really easy to see and follow."<br></p><h2>Third-party Risk </h2><p>Jacovetti, Pokidaylo, and Shaffer all agree on the need to stay on top of third-party risk, which ranked as one of the top five "high" or "very high" risks among respondents in The IIA's 2021 North American Pulse of Internal Audit survey. 
<br></p><p>"Auditors are moving beyond control testing to understanding how external parties impact internal control processes, as well as how those efforts are reported," Shaffer says. "You need to have the skills to review contracts and understand exactly what you're committing to whenever you sign on with an external third party, as well as what they are providing in return. For example, what level of visibility do you have into their data to allow you to run an effective cybersecurity program? If you don't build those things into the contract, you're inherently blinding yourself to some things that you traditionally would be able to see in-house."<br></p><p>According to Pokidaylo, events like the SolarWinds cyberattack have underscored the risk involved in working with third-party vendors. "It's important to ensure that any third party we're using, or fourth party, is properly vetted," Pokidaylo says. "Depending on how much we're using that third or fourth party, we might even do an audit or get an audit of those parties done before we start using their services."<br></p><p>Governance also plays an important role in vendor management, such as having policies in place to ensure that information security and internal audit are involved in the adoption of new products and services, Pokidaylo says. "We have to make sure that before anything goes live, the proper security requirements are in place, pen tests are performed, and access controls are appropriate — so all those preventative controls have to be implemented," he says. </p><h2>Insider Threat</h2><p>As Jacovetti points out, sometimes the weakest link has less to do with technology controls and everything to do with the human element. "I think when you ask anybody else about what keeps them up at night, you constantly hear about insiders — whether it's a malicious insider or not," he says. 
"Even an inadvertent change to a production system, human error, could potentially impact the industry and DTCC, from a reputation perspective." <br></p><p>Like a lot of organizations, DTCC runs quarterly phishing campaigns to educate its workforce on what to watch for when it comes to fraudulent emails. DTCC also uses physical cues within its email client — such as a phish reporting button — to remind people to be careful. "The training is a significant area of focus for us," Jacovetti says, adding that the cybersecurity campaigns highlight "not only the things that <em>have</em> happened, but also the things that <em>can</em> happen."<br></p><p>Beyond phishing threats, cybersecurity risk can also arise from teams simply not following procedures and not communicating with each other. "Different departments may do their own thing and may not necessarily speak to one another," Pokidaylo says. "So it's important to go to the information security team and say, 'Hey, I know you guys have these policies, but how are you educating the entire organization on them or making sure they adhere to it?' And then that eventually makes audit's job easier because once everyone is adhering to them, it enhances the risk culture of the organization. I think the information security team really respects that we're identifying these areas for improvement." <br></p><h2>Relationship Management</h2><p>Jacovetti, Pokidaylo, and Shaffer all tout the necessity of building and maintaining good relationships to mitigate insider threat and cybersecurity issues in general. <br></p><p>"Since I lead the IT audit function at DTCC, I have regular meetings with the chief security officer and his direct reports," Jacovetti says. "I think everybody will say — if you're in audit — you want to be the <em>first</em> person they call, not the <em>last</em> person they call. 
So we try to make sure that we have good working relationships, that they understand what we need to do, that we understand what their roles are. It's important to have a good line of communication where if they need to reach out and inform us of something, they're not hesitating to let us know."<br></p><h3>Using Internal Audit's Knack for Critical Thinking</h3><p>Auditors themselves can be an important tool in the fight against cybercrime, just by using their tendency to question and imagine possibilities, Shaffer says. He regularly works with OCC's security team in the planning of their "red team" activities, in which participants simulate threats.</p><p>"I constantly think, 'How would I attempt to break our systems?' or 'How would I attempt to get the money in certain funds?' You kind of have to wear that hat, with the right intentions," Shaffer says. "I will always tell my team, 'You can spend a lot of time studying your controls, your environment, everything else, but you really need to take a step back and say, 'If I wanted to break all of it, how would I do it?' Some of the best auditors are the people that figure out really great ways of breaking things." <br></p><h2>Learning From Low-risk Organizations</h2><p>With cybercrime on the rise, internal auditors in all types of industries would do well to take a cue from more risk-averse organizations like clearing houses in preparing for cyber risk. Planning for resiliency and disruption, preventing insider threats, better understanding third-party risk, building relationships with IT and information security, and using internal audit's knack for critical thinking are all important tools in the fight against cybercrime. <br></p>Christine Janesko
Key Aspects of a Cybersecurity Framework<p>Several cybersecurity incidents have made front page news this year. The reality for businesses is that it is a perpetual source of risk. Eighty-seven percent of respondents to Deloitte's most recent Global Risk Management Survey say improving their ability to manage cybersecurity risk will be an extremely or very high priority over the next two years.</p><p>Cyber risk must be managed in a disciplined, systematic way, and cybersecurity frameworks are designed to enable that. Cyber risk management often is associated with the protocols and technology controls organizations have in place to detect and thwart threats, such as malware and phishing. However, internal auditors should understand that a cybersecurity framework consists of more than just tools companies use to guard data and IT. A robust framework lays the foundation for vital processes such as governance, risk identification and assessment, incident response, dissemination of information, and self-assessment and improvement.<br></p><p>Cybersecurity frameworks can be leveraged in various ways. For example, an organization may focus on strict adherence to a particular framework and its standards, and, thereby, be able to communicate to external parties that it is compliant, which promotes trust. It also may select elements of various frameworks that are most relevant to its business model and risk profile. Or it may hold up a framework, such as the U.S. National Institute of Standards and Technology's (NIST's) Cybersecurity Framework, as a model or an ideal state and then get as close as possible using available resources. In some cases, such as with the U.S. 
Health Insurance Portability and Accountability Act, strict adherence may be mandatory.<br></p><p>Regardless of the organizational approach, any viable cybersecurity framework will include several aspects: governance, risk identification and assessment, controls, response planning, communication, and continuous improvement.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Common Cybersecurity Frameworks</strong><br></p><p>There are several well-known cybersecurity frameworks, including:</p><ul><li>Center for Internet Security (CIS) Critical Security Controls — A prioritized set of actions and best practices designed to mitigate the most prevalent cyberattacks.</li><li>General Data Protection Regulation (GDPR) — Applies to all organizations that collect and store the private data of European Union citizens.</li><li>International Organization for Standardization (ISO) 27000 — Highlights best practices for information security management systems.</li><li>NIST Cybersecurity Framework — Commonly used by U.S. organizations, this framework calls for greater collaboration between the public and private sector in identifying, assessing, and managing cyber risk.</li><li>North American Electric Reliability Corp. Critical Infrastructure Protection (NERC-CIP) — Developed specifically to mitigate cyber risk in the utility/power sector.</li><li>Service Organization Control Type 2 (SOC 2) — Developed by the American Institute of Certified Public Accountants to verify vendors'/partners' data management.</li><li>U.S. Health Insurance Portability and Accountability Act (HIPAA) — Specific to health-care organizations securing the privacy of electronic health information.</li></ul></td></tr></tbody></table><p><strong>Governance</strong> The role of governance is to promote and ensure accountability, responsibility, effective management, and responsiveness within an organization. From a cybersecurity standpoint, this includes setting a tone of responsibility around data and IT, defining the organization's risk appetite, providing resources and support, and organizing roles and lines of reporting to promote accountability and effective leadership.<br></p><p>Internal auditors, in turn, provide independent, objective assessments of the design and operating effectiveness of the organization's governance processes. It is vital that internal audit assess these processes as part of any cybersecurity-related audit.<br></p><p><strong>Risk Identification and Assessment</strong> A dynamic inventory of assets and business processes, along with related threats, vulnerabilities, existing controls, and consequences, is a critical component of the cybersecurity risk management strategy. This risk identification and assessment process should consider cybersecurity risk not just in terms of vulnerabilities to IT, but all cybersecurity-related risks companywide. These may include legal, regulatory, and reputational risk.<br></p><p>Many organizations are implementing data analytics and data mining to monitor risk and controls. These technologies can help ensure the completeness of risk inventories and serve as an early warning system for possible threats. At the same time, it is critical that key stakeholders communicate regularly about emerging risk and the effectiveness of controls.<br></p><p><strong>Controls</strong> This is the most obvious aspect of the framework, consisting of the array of tools and processes used to protect data and IT. 
This includes the tools and techniques, such as firewalls, password protocols, software patching, logical and physical access controls, and intrusion detection, that are designed to achieve the desired level of security and control. Also included are the policies that define acceptable behaviors and requirements for employees and third parties.<br></p><p>Internal audit is a vital part of the control system. By identifying gaps and vulnerabilities, internal audit supports senior leadership in making informed decisions on what approach to take to mitigate threats.<br></p><p><strong>Response Planning</strong> It's extremely important for an organization to be able to recover as quickly as possible from a cyberattack, and robust incident response plans are a critical aspect of any cybersecurity framework. The scope of negative impacts to a company's finances and reputation is directly related to how quickly it's able to recover.<br></p><p>Internal audit should keep management informed about business continuity plan implementation and emphasize that cyber incident response should be a top priority because of the inevitability of a security breach. Working closely with the business continuity leader, internal audit also should check to ensure that business continuity plans are up to date and that all critical business functions are covered.<br></p><p>Dissemination of information is an essential aspect of cybersecurity preparedness and response. In addition to restoring operations, incident response plans should include when and how to notify key internal decision-makers, authorities, customers, or the public, as well as communication of important information to employees.<br></p><p><strong>Communication</strong> Employee awareness is one of the most effective defenses against cyberattacks, and a formal communication plan is a vital component of the cybersecurity framework. 
Moreover, with today's quickly evolving threats, it's more important than ever for organizations to share information. For example, NIST SP 800-150, Guide to Cyber Threat Information Sharing, lays out multiple ways to share information internally and externally to help combat current and future cyber threats. This allows organizations to leverage communal knowledge, experiences, and capabilities based on threats they have been exposed to, and make better decisions while using improved defense and detection techniques and mitigation strategies. <br></p><p><strong>Continuous Improvement</strong> As cybersecurity incidents occur, they offer opportunities for the organization to improve its controls and back processes — provided there is a method in place for capturing lessons learned. Reviewing real-world incidents, as well as system test and internal audit results, provides valuable lessons that can be used to achieve better cybersecurity. It's essential that any cybersecurity framework provide for incident review, self-assessment, and continual improvement to stay on top of cyber threats. Internal audit should be a key piece of this function. Many audit teams use a continuous audit approach to look at a company's practices and controls to ensure that outdated processes are identified and mitigation practices stay relevant.<br></p><p><strong>A Holistic Approach</strong></p><p>Cybersecurity experts insist that while technological expertise is essential, effective cybersecurity is an enterprisewide endeavor that requires purposeful leadership, dynamic risk assessment, detailed response planning, employee awareness, and stakeholder engagement. Indeed, an organization must always be improving its strategies and processes to be better prepared for the next possible attack. 
This type of holistic approach cannot be carried out without a sound framework, and internal audit should remain attuned to whether these crucial aspects are present and functioning at their organizations.<br></p>Lee Blackwell
Cyber Risk and the Board<p>Once an emerging risk discussed just annually by boards and audit committees, cybersecurity is now a board-level issue that must be top of mind for board members and management, alike. Yet, for many board members, cyber risks can be an adventure into unknown territory. These risks comprise a rapidly evolving technical puzzle where the magnitude, vulnerability, likelihood, accountability, and strategies for managing, detecting, monitoring, and responding to risks are a maze of alternatives, with no definitive "right answer." <br></p><p>Defensive strategies such as identity management, perimeter protections, patch management, and multifactor authentication are now minimum requirements for an organization. Companies also must be on the offensive and be vigilant in monitoring for external and internal threats. Moreover, companies must have a forward-looking strategy for responding, preparing, and being resilient when actions must be taken.<br></p><p>Internal audit can help promote transparency, awareness, accountability, and collaboration with management across the three lines and work with the board on cybersecurity. Auditors must help the board see cybersecurity as more than an IT risk — one that can impact the organization's brand, operations, financial, and strategic objectives.<br></p><h3>Understanding the Risks <br></h3><p>Internal audit can collaborate with the first and second lines, chief information officer (CIO), and chief information security officer (CISO) to help the board and audit committee understand and address cybersecurity risks. Together, they can present an enterprise perspective of the organization's key cybersecurity risks, as well as the strategies and plans to protect against, monitor, and respond to those threats.<br></p><p>Internal audit also can lead or participate in a cyber risk assessment that can help the board understand the organization's capability to manage the associated risks. 
Sharing a maturity model visualization with the board is a great way to communicate insights, the desired state of maturity versus the organization's current state, and a high-level enterprise view of cyber risks.<br></p><p>Selecting a framework — or multiple frameworks — as a foundation for risk and maturity assessments can help establish a basis, a definition of the domains used, and evaluation criteria for assessments. Some common frameworks include:<br></p><ul><li>The International Organization for Standardization's ISO/IEC 27000 standards for managing information security.</li><li>The U.S. National Institute of Standards and Technology Cybersecurity Framework to help improve critical infrastructure.</li><li>ISACA's COBIT control framework to govern IT infrastructure.<br></li></ul><h3>What to Talk About<br></h3><p>Many boards and organizations may have a false sense of comfort because internal audit and the IT function have completed assessments of IT general computer controls and an attack and penetration audit. Unfortunately, these assessments do not provide adequate assurance across the ever-changing cyber risk landscape. Internal audit and management must provide information about the full spectrum of cyber risks as well as management's plans for raising the organization's cybersecurity capabilities to its maturity target.<br></p><p>Some of the board topics to provide clear insights on include:<br></p><ul><li>How has the organization inventoried and mapped its IT and operational technology assets and their associated risks and vulnerabilities?</li><li>What are the critical assets and processes, and how vulnerable are they?</li><li>How does the organization monitor and respond to potential external and insider threats?</li><li>How prepared is the organization to respond to an event? Are there playbooks and business continuity and disaster recovery plans?</li><li>How decentralized is the organization? What complexities or challenges does that create? 
Are there silos?</li><li>Is there accountability and ownership of processes and controls?</li><li>Have tabletop and simulation exercises been planned or completed? What were their results and what action plans were recommended?</li><li>What efforts to educate the broader organization about phishing schemes and other tactics are underway or planned? For example, many organizations deliberately send phishing emails to test whether employees will click on these types of messages. Often, clicking on these test links will take users to a training page.</li><li>How is the organization using risk-sensing and analytics efforts to proactively identify threats and risks?</li><li>What are the third-party, supplier risk management strategies to address cybersecurity risks?</li><li>Is the budget adequate to support efforts devoted not just to prevention and detection but also business resiliency?</li></ul><p><br>Internal audit and management, such as the CIO and CISO, can address all of these topics by collaborating across the three lines to help the business align proactively against cybersecurity threats.<br></p><h3>Could It Happen Here? <br></h3><p>Discussing hypothetical risks can be a daunting task for internal audit. But facilitating a discussion about a risk that has happened in another organization can help make the conversation and dialogue less controversial.<br></p><p>A great way to foster a constructive dialogue about the organization's vulnerability to a risk is to take a headline, incident, or case study from another organization and pose the question, "Could it happen here?" To answer that question, internal audit should bring together a group of individuals from different levels, groups, and positions in the organization.<br></p><p>The answer to that question can reveal how prepared the organization is, if it has adequate processes and oversight, and how robust and mature its response plans are. 
It also can show the board how to recognize if a similar incident is happening or has happened at the business.<br></p><p>Auditors should foster constructive debate and dialogue about the issue, and welcome all opinions and perspectives. The goal is to understand what the vulnerabilities are, how prepared the organization might be, and what actions the organization needs to take next. Anonymous voting technologies or techniques that enable individuals to share thoughts freely can be important for this approach to work.<br></p><p>The objective of this approach is to understand not only what is supposed to happen, but also perceptions about what may happen in reality:<br></p><ul><li>Could this type of incident or risk happen at the organization? Why or why not?</li><li>What is the organization doing to prevent or detect this situation?</li><li>How would the organization know if this risk is happening?</li><li>How would the organization respond? Who would it communicate with internally and externally?</li><li>Who would be accountable for addressing the risk and resolving the issues?</li><li>Are there third parties involved? If so, what is their role?</li><li>What are the organization's weakest links?<br><br></li></ul><p>Conducting a "Could it happen here?" exercise is an engaging approach internal auditors can use to prepare to respond to board member questions about the organization's vulnerability to threats and readiness to respond to them.<br></p><h3>Influencing the Agenda<br></h3><p>Internal audit executives can help influence the board and committee agendas to ensure time is allocated at every meeting or periodically to a discussion of cybersecurity risks. 
The CAE can contact the management team and the chair of the committee responsible for oversight of cyber risk to review the committee's standing agenda topics and reporting responsibilities for cybersecurity.<br></p><p>Internal audit also should have a plan for specifically communicating its efforts to address cyber risks, as well as how the department is collaborating with the CIO, CISO, and first and second lines. Internal audit should detail the trends it sees and provide an overall perspective of the robustness and proactiveness of the cybersecurity effort. The department also can encourage board or committee members to participate in table-top exercises where a facilitated simulation helps the organization outline the steps and action plans during a cyberattack or crisis scenario. Moreover, auditors can work with the enterprise risk management team to discuss risk tolerances and techniques for managing cyber risks. <br></p><h3>Collaboration Across the Three Lines <br></h3><p>Cybersecurity presents a great opportunity for internal audit to collaborate across the enterprise with the first- and second-line functions — and with the CIO and CISO departments — to inform the board about the risks facing the organization. By working with these functions, internal audit can pull in resources who understand the changing dynamics of cybersecurity.<br></p><p>Work-from-anywhere dynamics, digital accelerations, cloud computing, increased threats, and the complexity of today's environments make keeping technical skills current to address cyber risks challenging for internal auditors and organizations. Internal auditors should work with management across the three lines and the board, engage outside resources as needed, and focus on providing timely, transparent, and proactive information to management and the board. 
Internal audit should help the organization build data governance, privacy, and cybersecurity controls; regulatory requirements; and capabilities into new enterprise platforms and cloud initiatives up front versus after the fact. Moreover, auditors should understand how the organization is tackling threat management and incident response activities.<br></p><h3>Assure, Advise, and Anticipate <br></h3><p>Internal audit cannot sit on the sidelines and only provide hindsight assurance on the effectiveness of controls or commentary on historical actions. While assurance is an important responsibility for internal audit, management and boards are demanding that internal audit provide forward-looking advice on risks and controls as well as anticipate future risks.<br></p><p>Cybersecurity is a prime area for the internal audit function to evolve efforts to add value and to provide foresight. Internal audit can still provide objective oversight and additional advisory services around issues such as cybersecurity. Communicating with the board about internal audit's work in these areas can help the organization establish a united cyber defense and assist the board in fulfilling its risk oversight responsibilities. <br></p>Sandy Pundmann
The IT Audit Circle<p>How much is an organization's information worth? That is, what would be the cost — either quantitatively or qualitatively — if its sensitive or valuable information was compromised? For example, it would be costly if customers' personally identifiable information was leaked to the dark web, critical systems suffered denial of service attacks, or the organization was the target of a ransomware incident such as the recent SolarWinds attack.</p><p>Preventing, detecting, and mitigating such threats is why auditing IT controls is necessary. An IT audit examines and evaluates an organization's IT infrastructure, policies, and operations. Such audits determine whether IT controls protect corporate assets, ensure data integrity, and are aligned with the business's overall goals. With businesses increasingly reliant on technology, IT audits are critical to ensure information-related controls and processes are working effectively.</p><h2>Audit Objectives</h2><p>Some IT audits are for regulatory compliance, while others provide assurance that the organization is protecting its valuable information from breaches in confidentiality, integrity, or availability. Regardless of the audit's purpose, its primary objectives include:</p><ul><li>Evaluating the systems and processes in place that secure the organization's data.</li><li>Determining risks to information assets and helping identify methods for minimizing those risks.</li><li>Ensuring that information management processes comply with IT-specific laws, policies, and standards.</li><li>Identifying inefficiencies in IT systems and associated management.</li></ul><p><br>IT audits do much more than deal with threats from outside the organization. Insider breaches are just as bad — and sometimes worse — because they are harder to detect. 
If users have legitimate access to an organization's files, it is not easy to see if they may be using that access for illegitimate purposes.</p><h2>Inside the Circle</h2><p>The IT audit circle comprises several layers, similar to a layered security defense model (see "The Layers of IT Audits" below). These layers range from data assets at its center all the way up to the network along its outer edge.<br></p><p><strong><img src="/2021/PublishingImages/IT-Audit-the-layers-of-IT-audits.jpg" class="ms-rtePosition-2" alt="The Layers of IT Audits" style="margin:5px;width:400px;height:471px;" />Asset/Data</strong> This is the information that organizations want to protect. When such assets are breached, it may lead to theft, fraud, operational impacts, or loss of confidentiality. These risks can have financial, operational, reputational, strategic, compliance, and legal impacts.</p><p>Not all assets have the same value or importance to the organization. Organizations typically separate data and systems into three levels of risk: high, moderate, and low. Data may be classified for numerous reasons, including ease of access, maintaining regulatory compliance, and meeting other business objectives. For data security purposes, data classification can facilitate appropriate responses based on the type of data being retrieved, transmitted, or copied.<br></p><p><strong>Databases</strong> Depending on the database contents, confidentiality, integrity, and availability are all risk concerns. Because the data is in a central repository, unauthorized access could provide access to significant amounts of data. In addition, databases are complex, increasing the risk of data corruption, which will impact all the applications and end users that access it. If database performance is slow, it could impact response time for a significant number of users. 
Activities to audit include:</p><ul><li>User access and authentication.</li><li>Important tables, views, procedures, database links, and runtime logical flows that control certain functionality for business applications and data access permissions.</li><li>Tracking of user, time, and change to the data.</li></ul><p><br><strong>Applications</strong> Some of the controls around applications include IT governance, logical security, change management, business continuity and disaster recovery, system development methodology, input controls, process controls, and output controls. Application audit objectives include efficiency, effectiveness, compliance, and financial reporting implications.<br></p><p><strong>Operating System</strong> Examples of controls around operating systems include effective patch management, vulnerability assessments (health checks), and restricting and monitoring privileged administrative access. For example, the auditor should evaluate whether the latest patches are installed to close operating system vulnerabilities.<br></p><p><strong>Physical System</strong> The goal of IT audits of physical access controls is to prevent unauthorized physical access, damage, and interference to the organization's premises and information. Physical security controls protect the computer centers, server farms, telecommunication rooms, and support facilities. Risks include unauthorized use, modification, destruction, or theft of equipment and data media, as well as access to sensitive information and disruption of system and operational processing.</p><p>IT audits should verify that access to restricted computing areas is limited to authorized individuals on a need-to-know basis. These audits also should cover environmental controls such as heating, ventilation, and air conditioning systems; fire suppression systems; and power failures.<br></p><p><strong>Network</strong> Organizations rely on networks as an essential part of doing business. 
The network management staff is responsible for keeping the network available, secure, and performing well. Through various weaknesses — in the network, networked computers, applications, and user policies — the organization is susceptible to malware of all sorts. An IT audit of the network could include internal and external penetration testing to determine if there are any "backdoor" ways a hacker can enter the system.</p><h2>Being Vigilant</h2><p>IT audits need to be performed continuously. Four resources or variables affect the timing and depth of such audits: people, process, information, and technology. Any change to one of these variables warrants a reevaluation of the other three to determine whether new risks have been introduced and to make changes to IT controls.</p><p>Despite the controls that are in place, there will always be some risk. That requires internal auditors to be ever-vigilant to ensure the organization's assets are protected.<br></p>Mark Edmead
Staffing for Success<p>Organizations are moving gingerly into the post-pandemic world with a heightened focus on cybersecurity, with overall cybersecurity spending projected to grow as much as 10% this year, according to IT research firm Canalys. Regulators — already concerned about cybersecurity — have ratcheted up their oversight, vividly illustrated by the U.S. Office of the Comptroller of the Currency's $80 million fine against Capital One last year (see "Capital One Data Breach" below). In fact, cybersecurity was one of the top-ranked risks identified by board members, management, and chief audit executives (CAEs) in The IIA's OnRisk 2021 report.<br></p><p>In this environment, internal audit, as part of its oversight function, has a critical role of helping organizations manage cyber threats by evaluating risks and providing an independent assessment of controls. In turn, this role has spurred the need for cybersecurity skills in internal audit functions.</p><p>The heightened concern around cybersecurity has inevitably increased the demand for suitably experienced auditors, says Jamie Burbidge, founder of Bickham Montgomery, a London-based internal audit recruiting firm. "Due to cybersecurity being a relatively recent concern for business leaders, the number of internal auditors at the senior level with relevant experience is quite small," he noted. At present, potential internal audit hires who have the experience and a good grasp of cybersecurity likely are coming from the Big Four accounting firms at slightly more junior levels.</p><p>Regardless of the talent source, experts point to several skills and qualifications to look for when hiring. 
They also cite the importance of soft competencies, the need to plan ahead for resource needs, and the advantages of developing skills internally.</p><h2>The Right Expertise</h2><p>Shawna Flanders, director, IT Curriculum Development, at The IIA, says two general skills are important for internal auditors who will be involved in cybersecurity audits: data analysis capabilities and critical thinking. "Deploying critical thinking skills gives auditors the ability to determine how a cyber threat in the wild could impact their organization," Flanders says. Plus, they need to be able to use data to discover unusual activity, inappropriate access, and fraud, and possess a broad understanding of IT general controls as well as application, network, and information security controls, she adds.</p><p>In addition, practitioners need to have a deep understanding of relevant threats, such as malware, ransomware or spyware, denials of service, phishing, and password attacks. Given the demands, internal audit functions should consider building dedicated expertise on their team, says Jim Enstrom, senior vice president and CAE at Cboe Global Markets of Chicago. The type of person who can fill this role probably has come up through a technology, cybersecurity, or consulting background, rather than internal audit, he adds.</p><p>Ongoing training and an emphasis on more technical cybersecurity-related certifications should also be a focus area, Enstrom says. Certifications demonstrate a basic level of aptitude and indicate that a person is motivated for self-improvement and self-learning. The IIA offers several seminars on IT topics, including cybersecurity, as well as more than a dozen IT courses on-demand. In mid-July, The Institute launched its IT General Controls Certificate, demonstrating the certificate holder's ability to assess IT risks and controls. 
</p><p>In addition, more universities are offering advanced degrees in cybersecurity, in which students also are learning the principles of assurance, as well as how to evaluate controls and risk. For example, the University of Central Florida in Orlando, which offers a certificate in cybersecurity, will begin offering a master's degree in cybersecurity and privacy this fall that will include a technical track covering topics such as hardware, software, and security, and an interdisciplinary track that addresses the human aspects of cyberattacks. These types of programs are an opportunity for recruiting, Enstrom says.</p><p>Robert Berry, former executive director of internal audit at the University of South Alabama and now president of consulting firm That Audit Guy, says hands-on experience in cybersecurity is important in considering a hire. Berry says he would look for someone experienced in technology, especially with experience in how networks operate and are secured. "You want to look for somebody who is actively engaged and involved in the craft," he adds — the kind of person who builds his or her own network and tinkers with it, and who is active in chat rooms and forums.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>Capital One Data Breach</strong><p>The U.S. federal government's enforcement actions against Capital One in August 2020, which included an $80 million fine from the Office of the Comptroller of the Currency (OCC), illustrate its increased oversight of cybersecurity issues. The actions stemmed from a 2019 cyberattack that stole the personal information of about 100 million individuals. The OCC fine was the first significant penalty against a bank in connection with a data breach or alleged failure to comply with OCC guidelines. 
The OCC specifically called out Capital One's internal audit function, saying it failed to identify numerous control weaknesses and gaps and did not effectively report them to the audit committee.<br></p> </td></tr></tbody></table> <h2>Training, Sourcing, and Collaboration<br></h2><p>Rather than hiring from outside, developing skills internally is sometimes a better option, especially in small- to moderate-size departments, Berry says. That way, the auditor is already familiar with the organization and with the procedures involved in conducting engagements, he explains. This approach also might be advantageous for a small department in an industry that does not pay well, which likely will have a hard time recruiting cybersecurity expertise, Berry adds.</p><p>In a midsize department or a midsize organization with a small audit department, audit staff might not have the necessary IT knowledge. Keeping in mind The IIA's <em>International Standards for the Professional Practice of Internal Auditing</em>, the organization might consider a co-source provider, Enstrom says, adding that training, skill building, and certifications also are important for these departments. In addition, where the <em>Standards</em> allow, internal audit should consider collaboration with the organization's information security department, he says. Standard 1210: Proficiency, and Standard 2050: Coordination and Reliance, provide guidance in these areas.</p><h2>Seek Out Soft Skills</h2><p>"Curiosity is the cornerstone of internal audit," Berry says. "If you can't be curious and ask really good questions, you will fail in your career in audit." Soft skills are probably the most important skills, he says, because a person who possesses them can be taught audit skills. 
Critical thinking and other soft skills give internal auditors, especially those dealing in a technical area such as cybersecurity, the ability to communicate outside their area and to understand how a cyber threat could affect the organization.</p><p>When he started Bickham Montgomery about 10 years ago, Burbidge found that technical proficiency was by far the most sought-after trait for companies when hiring internal auditors. Now, he sees more emphasis on communication skills as part of an internal auditor's role. "You need to be able to communicate, need to be able to persuade, need to be able to partner with the business," he says.</p><p>Jeannie Alday, director of Internal Audit for Chatham County, Ga., says in hiring someone with an IT background, she wants to determine whether the candidate will be able to communicate with IT staff, and IT management, but also with county management and others who may have limited background in IT. "Those soft skills are huge, and they're not always easy to spot in the limited interview process," Alday says.</p><h2>Looking Ahead on Hiring</h2><p>Given the rapidly changing environment, cyber awareness is fundamental to the execution of an organization's strategy. "In any organization today, cybersecurity is one of the top risks," Enstrom says. In the present environment, boards, management, and other stakeholders need to focus continually on cyber risk and whether their organization has the right skills and resource strategy, he says. Importantly, organizations need to make necessary investments in skills and resources.</p><p>Post-pandemic, hiring likely will become more challenging because of pent-up demand, Enstrom says, and demand already exceeds the number of candidates. As a result, audit hiring managers should think more creatively about compensation and other job benefits. 
He also notes that many cybersecurity professionals have had limited exposure to internal auditing and assurance, may see auditing as having limited opportunity for advancement, and might not consider going into the field.</p><p>This perception underscores the necessity of selling the opportunities and value proposition of the profession to prospective job candidates. Compared with going directly into information security, internal audit offers the potential for greater diversity of experience and breadth of opportunity — working with senior executives and board members — and exposure to different projects, Enstrom says. Moreover, because of the importance of good communication skills, time spent in internal audit can be a great learning opportunity for someone who is less comfortable in this area.</p><p>"Early in a person's career, working in internal audit really represents a great learning opportunity because you have so many different projects you can work on," Enstrom says. "I think we don't sell that enough as a profession."</p><p>As another area of focus for hiring, Enstrom emphasizes the importance of partnering with outside firms or organizations that can help with the candidate sourcing process. He highlights one example — the Greenwood Project. "The Greenwood Project is a nonprofit organization dedicated to introducing Black and Latinx students to careers within the financial industry," he says. "We've had success working with Greenwood Project and we continue to look for ways to strengthen our relationship and promote the profession of internal auditing to Greenwood students and diversity candidates. 
In addition to accounting and business students interested in financial services, we have been working with Greenwood to promote an interest in IT audit, data analytics, and cybersecurity roles in the internal audit profession."</p><p>Meanwhile, when recruiting through universities, internal audit functions need to look beyond the accounting and finance departments and build relationships with computer science and cybersecurity programs. "In my experience, many students in computer science or other IT disciplines are unaware of job opportunities in the internal audit profession," Enstrom says. "Given this, it's really important for the company and recruiter to understand and have relationships with faculty and staff in these colleges, not just the business schools."</p><p>The bottom line? "You have to offer competitive salaries, and you have to be very clear and crisp in your value proposition — how internal audit will benefit them in their career," Enstrom says. Moreover, companies recruiting in the post-COVID-19 marketplace will need to think more broadly and consider hiring candidates from outside their geographic area. <br></p>Geoffrey Nordhoff
Collaboration as a Control<p>One of the features of The IIA's <em>Three Lines Model</em> (PDF) is its clear description of accountability among key players within an organization. The governing body is responsible for organizational oversight, management is tasked with achieving organizational objectives, and internal audit's role is to provide assurance and advice. The model also points out that this <em>delineation</em> does not imply <em>isolation</em>. Among all roles, "the basis for successful coherence is regular and effective coordination, collaboration, and communication," the model states.<br></p><p>This idea of teamwork boosting organizational objectives is backed by empirical evidence. A 2018 study by Arizona State University, the University of Nevada, the University of Massachusetts Amherst, and Iowa State University shows that a positive relationship between internal audit and information security can improve an organization's cybersecurity efforts. For instance, the findings indicate that stronger relationships between the two functions result in better detection of security incidents, internal control weaknesses, and incidents of noncompliance. <br></p><p>At Cboe Global Markets Inc., Umesh Yerram, chief information security officer (CISO), and Heidi Zenger, senior director of internal audit, demonstrate how a successful relationship between information security and internal audit works in practice. As a global exchange operator with 21 markets offering options, futures, equities, and foreign exchange products that trade billions in contracts daily, Cboe is naturally focused on cybersecurity as a critical risk. 
Yerram, based in Philadelphia, and Zenger, who works in the Kansas City, Kan., metro area and heads up IT audit, discussed how a strong collaboration between information security and internal audit helps them amplify their findings and better mitigate cyber risk. <br></p><h3>How did the working relationship between your functions evolve?</h3><p><strong>Zenger</strong> One pivot point was hiring an auditor with specialized security skills. As auditors, we say that a process is a process; we can understand all of the risks if you have the time to dedicate and teach us. But there really is a place for specialized skills; so I think that helped [enhance] our relationship quite a bit. After Umesh joined the company as CISO, I think the next real pivot point was the security team stepping into more of a second-line monitoring role. There are still some first-line activities, but by increasing that second-line monitoring role, it just brought us a little bit closer to speaking the same language from a risk management perspective.<br></p><p><strong>Yerram</strong> I joined Cboe in January, and the relationship between Heidi's team and my team has definitely expanded over the course of seven months. We have clear role responsibilities; I am part of the second line, and internal audit is the third line. But at the end of the day, we are both trying to make sure that cyber risk or any other risk is properly identified, addressed, or brought to leadership's attention. That's been our goal and what we've been doing from day one. We want the board to hear the same message, whether it's coming from me or it's coming from internal audit. 
Heidi and team present to the audit committee, and I present to the risk committee — and, of course, to the full board — so we want to make sure that we convey the strong collaboration between our two functions.<br></p><p>Another thing that helps us build that strong relationship is to Heidi's point: Heidi has a resource who is a cyber specialist, so we can actually speak the same language. [The specialist] does work behind the scenes to make sure Heidi and team are aware of some of the technical nuances that need to happen in remediating. Now it's a lot more streamlined to have those conversations — without any barriers. So that definitely helps. <br></p><h3>To what extent is that relationship formalized?</h3><p><strong>Zenger</strong> Umesh has a security governance team within his group. The security governance team and our IT audit team meet on a monthly basis to talk through risks, monitor any issues or vulnerabilities, and discuss any upcoming audits. Umesh and I meet one-on-one on a monthly basis, as well, to talk about the same things on a slightly higher level, and Umesh also meets with our chief audit executive once a month to make sure that we're communicating with each level of the organization. <br></p><p>In addition, the company has a formal weekly project management meeting where we discuss the status of larger projects within the organization, as well as approve any new ones coming on board. This gives audit and security an opportunity to say, "Hey, we need to be involved in this, and we want to review the risks before this is approved and moves forward." Or if we've identified anything with the ongoing projects, we have an opportunity to voice those concerns upfront.<br></p><p><strong>Yerram</strong> I also have a security council meeting that Heidi participates in, so that's another touch point where she and I have conversations about cyber risk. 
We use some of the open findings from internal audit that Heidi's team presents, so that our chief operating officer and chief risk officer understand the audit items that are coming to them, along with any delays or risks that we need to highlight at that point. We want to make sure that leadership is aware of the progress on a monthly basis before we present to the board on a quarterly schedule.<br></p><h3>How do your teams collaborate?</h3><p><strong>Yerram</strong> If two teams have two different messages, that creates confusion, and then, how do you prioritize the risk? But with the relationship we have, the expertise internal audit has, and the communication we have established, it helps us to really get on the same page. So we have those conversations regularly and say, "OK, we've identified 10 risks, but what are the top three, four, or five that we can actually bring to senior leadership's attention?" Then when we are aligned and we go and make that case together, it definitely gets heard and reacted upon. I think one of the biggest benefits of our collaboration is that now we actually prioritize the highest risks for the company from a cyber perspective. <br></p><p><strong>Zenger</strong> The security team conducts its own security risk assessment based on all of the input and data they're receiving from their tools and an awareness of external threats. The security risk assessment serves as one of the inputs we can use in the internal audit risk assessment, which is our own independent perspective of risks throughout the company. And then, similarly, as we have audit issues and findings that we're aware of and that we include in our reports, that's one of the things the security team can pick up and use to inform its security risk assessment. So it's a two-way street from that capacity. 
I also see a lot more of the information sharing occurring across the teams now where we say, "OK, we identified these vulnerabilities or risks and we're seeing this on our side. What are you seeing through all the monitoring activity that you're doing and how does that inform each one of our programs?"<br></p><h3>What has been the impact of the relationship on your organization's cybersecurity efforts?</h3><p><strong>Yerram</strong> A good measure for us is patch management. I talk to my peers constantly and it's not a very exciting piece of work to do. Nowadays, given the onslaught of zero day [attacks] and the vulnerabilities that threat actors are exploiting, it's not on the top of everybody's priorities to go patch the system. By working together on this risk, we significantly improved our ability to patch, to align with our changing risk profile. We now have more resources and awareness from the senior leadership that this work has to be done, based on the risk that we articulated.<br></p><p><strong>Zenger</strong> Cboe recently invested in a leadership training program, and I believe that has helped us foster and maintain a healthy relationship. We don't always see eye to eye. I see things through an audit perspective; I view the world based on the evidence of the body of work and conclusions we're reaching. And Umesh sees the risk to the organization from the outside and from a cyber perspective. We do have a lot of challenging conversations, and I think that's to our benefit. In our training, we call these kinds of conversations "crucial conversations." We have these crucial conversations on a regular basis — and that's good, because if we weren't having them, that means we're afraid to bring up those differences in opinions, and the organization suffers as a result of the lack of conversation and challenge. 
Umesh called me one day after having a conversation the previous day, and just as he started it out, I paused and said, "Umesh, are we having a crucial conversation right now?" and he said, "Yes, exactly!" And so, by knowing that we were going into an important conversation, we could both relax. We could both appreciate the idea that, "We've got to do some hard work today and we can tackle it together."<br></p>Christine Janesko
Challenges to Adopting Data Analytics<h3>What are the biggest limitations internal auditors are facing in implementing data analytics?</h3><p><strong>Thomasson</strong> There are four common blockers to implementation. First, getting access to complete data populations is difficult for many teams. It’s imperative that IT management understand why it’s necessary. IT’s main issues with granting data access include concerns around system performance impact, cyber and data security, and a lack of knowledge or comfort with what will be done with the data. The second block is getting management buy-in. Investing resources — both time and money — in a project or activity requires buy-in and approval. Many auditors have trouble getting IT and even their own management team to invest the necessary resources in their analytics projects. Next, starting a data analytics program requires specialized knowledge and skills that are often hard to come by — especially in the audit world. If a team doesn’t have the required skills, it needs to either invest in training or hire external help — both of which cost money and involve further internal approvals. The final blocker is budget. Internal audit has always been seen as a cost center, which constrains the amount of money the team can access. There’s also difficulty in providing specific ROI and value calculations when creating a business case. As a result, it can be almost impossible to get budget approval to build an analytics program. </p><p><strong>Anunciacion</strong> We’ve been hearing about big data, data analytics, and “Moneyball” for 15 years. The biggest limitation for internal audit departments is embracing a change mindset. We get so caught up in our traditional methodologies that many internal audit functions don’t know where to start. 
It doesn’t have to be a massive, full-blown analytics program from day one. You can start small and smart in specific areas. Then it comes down to three things: people, process, and technology. Internal audit teams might not feel like they have the right skills, that they need a background in programming or data science — that’s not true. Auditors can do basic population testing using scripts already created for them. From a process perspective, it’s understanding where within internal audit’s methodology data analytics is ripe for implementation. Typically, we see it within the testing phase. I’d argue there are other parts of the process, like reporting, planning, or risk assessments, where analytics can be integrated. Finally, I’m a huge advocate of ensuring internal audit’s process is well-defined before investing in any sort of technology. <br></p><h3>How does poor organizational data governance limit internal audit’s success with analytics?</h3><p><strong>Anunciacion</strong> Success begins with the strategy for data governance. What’s the structure around it? The most mature organizations have sound governance structures in place, such as policies and procedures around data availability and privacy. I’ve seen data governance committees where folks that represent a function — marketing, sales, IT, etc. — are in charge of maintaining the integrity of their own data. The last thing we need are more committees, but it’s imperative to have stewards throughout the organization to say, “Hey, who is the point of contact if I need to get my hands on payroll data or usage data?” It’s equally important to establish a framework for what can and cannot be done with data. Data is the most underused asset an organization has. We need to start treating data the same way we treat our people, our systems, our products and services, and institutional knowledge. 
</p><p><strong>Thomasson</strong> Poor data governance limits the success of a data analytics program in many ways, but here are two examples. First, insufficient processes can lead to ambiguity and frustration. Internal auditors face major barriers without dedicated owners and rules around data. There can be system owners and business owners — or sometimes, no owners at all — and the steps needed to review and approve access to data will often vary. As a result, internal auditors spend time trying to untangle these factors and tailor their approach, which creates frustration and sometimes even leads to abandoning data access attempts. Second, without structure and standards, inconsistencies, inefficiencies, and bad data hygiene flourish, creating muddy data of questionable value. Auditors are then often tasked with data clean-up, which ultimately slows down analysis. If the data cleansing is done wrong or can’t be done at all, it also can mean poor, misguided, or unattainable insights.<br></p><h3>What impacts can poor data have on audit findings?</h3><p><strong>Thomasson</strong> Poor data only leads to greater barriers and limitations for internal auditors. When auditors have to jockey for access and clean data, it’s time not spent providing valuable insights to the business. It does nothing to elevate internal audit’s value — it may even harm their reputation within the organization — and it wastes resources, making it even harder to advocate for additional budget. At the end of the day, poor data means poor insights and recommendations, which leads to poor decision-making that can negatively impact an organization’s overall strategy. This results in even more wasted resources as people, budget, and technology are pointed in the wrong direction. 
</p><p><strong>Anunciacion</strong> There are significant ramifications that could ripple throughout the organization if there is poor data. For auditors, it could lead to bad decision-making, or simply recommendations that don’t add value. Making sure internal audit has the right data at the right time is critical for testing because the results of an internal audit engagement are typically independent opinions. With poor data, an audit finding may not necessarily be an audit finding, and management may not agree with internal audit’s observations. It’s one thing to have data, but to transform data into information, that’s a big challenge. Internal audit can potentially lose visibility into new opportunities, or the root causes of organizational pain points. Lastly, the organization can’t manage what it can’t measure. <br></p><h3>What should auditors look for in assessing the readiness of data for analytics testing?</h3><p><strong>Anunciacion</strong> Internal auditors have to look at the organization’s appetite for data analytics. Many companies are protective of data for obvious reasons. Most often, internal auditors aren’t going to get direct access to a mission-critical system — typically, an organization will have a data lake or data warehouse where auditors can access data without any implications to the source. Aligning with the right people and establishing rapport, trust, and credibility with the data owners to get that access is going to be key to the readiness of analytics. </p><p><strong>Thomasson</strong> Before trying to build an analysis program, auditors should look at the IT team: Who is their contact? How does IT feel about providing data access? What are IT’s biggest concerns, and how can internal audit work most effectively with IT? Are there existing processes in place that internal auditors can review and learn from? What documentation or approvals will internal audit need? 
Internal audit also should consider whether the organization values data insights. If internal audit hits a roadblock, does it know who can help? Has someone else done this before? <br></p><h3>What steps can internal audit take to cleanse data to ensure it is reliable?</h3><p><strong>Thomasson</strong> Besides having a good overall data governance program, auditors should always keep in mind the end result: What are they trying to achieve? And then auditors should work backward. Identify what will answer their questions, where the data lives, who owns it, and how to get their hands on it. This also will help internal audit focus on the data that matters and cut what doesn’t.</p><p><strong>Anunciacion</strong> There are a number of data services and tools that help normalize data, but internal audit should start with an understanding of what it has in place. Identify potential issues, such as incomplete or redundant data sets, that will take time away from performing actual testing. Work with data owners to ensure they have clean data to begin with. That really should be done on the front lines versus on the internal audit side. It’s not going to happen overnight, but internal audit can take the first steps around championing the need for cleansing and normalizing data. <br></p>Staff