Technology
<h1>Expanding the Foundation</h1><p><a href="https://iaonline.theiia.org/2016/Pages/Expanding-the-Foundation.aspx">https://iaonline.theiia.org/2016/Pages/Expanding-the-Foundation.aspx</a></p><p>The history of internal auditing, traced to its earliest roots, dates back to at least 4000 B.C., when businesses and governments in the Near East used the profession’s predecessors to ensure they were accounting for tax receipts and disbursements correctly. Technology and organizations advanced over the years, but one of internal auditing’s main functions remained largely the same — evaluating compliance.</p><p>That, of course, has changed over the past few decades, as new regulations, shifting priorities, and the need to improve efficiency have altered the focus of internal audit work. Particularly in the last quarter-century, there has been dramatic movement in the roles and responsibilities of practitioners. With a rise in prominence, a larger voice in enacting change, and a hand in many aspects of the business, internal audit has matured into a highly respected function. Whereas auditors once operated as reclusive, task-oriented individuals, they are now often called on to be forward-thinking drivers of change with strong leadership and people skills.</p><p>Internal audit has gone through “stages of maturation” over the years, each stage requiring its own changing skills, says Hans Spoel of AJS Consulting in Brussels. Spoel points to internal auditors’ progression from simply certifying the organization’s internal accounts to what he now calls the “effectiveness and efficiency” stage. “When internal audit was tucked away in the comptrollership, skills used to be basic and analytical,” he says. “Internal audit is now a serious partner at the table, and auditors need to be more communication-, presentation-, and consulting-oriented.”</p><h2>Technology’s Influence</h2><p>Many attribute the shift in audit to the changes in technology since the mid-1990s. 
Advanced computing and the Internet have increased the flow of information, allowing auditors to spend more time evaluating processes and understanding the business than dealing with tedious tasks like gathering data and taking inventories.</p><p>Günther Meggeneder, senior vice president of corporate internal audit and compliance at ista International GmbH in Essen, Germany, says technology has fundamentally changed the nature of the information at auditors’ disposal. While auditors used to test “hand-picked samples” in the 1970s and 1980s, they can now evaluate entire populations of data. Internal auditors of the past conducted “theoretical” interviews, whereas today’s interviews are grounded in comprehensive analytics. “[Changes] have had a big impact on soft skills, but process knowledge and analytical thinking remains very important,” he says.</p><p>Richard Anderson, clinical professor at the Kellstadt Graduate School of Business at DePaul University in Chicago and a retired partner from PricewaterhouseCoopers LLP, also points to the importance of technology-related advancements in the 1970s and 1980s. He says the rise of computers required auditors to have new skills in IT, prompting organizations to start developing IT audit groups that were “different from other internal auditors.” By the 1990s, computers had become easier to operate, which, to an extent, merged the two types of practitioners. Soon enough, auditors learned to leverage the Internet, applications, and devices to take some of the legwork out of obtaining data. Moving from manual auditing to a continuous auditing process has also increased the need for analytical skills, Anderson says.</p><p>Technology has also brought with it an entirely new set of risks that internal auditors must understand, says Rod Winters, retired general auditor for Microsoft Corp. 
Those risks require practitioners to understand not only organizational processes, but also the technology and systems that enable them. “Technology not only became an internal audit compliance tool but also came with its own set of risks,” Winters says.</p><h2>Soft Skills and Business Acumen</h2><p>Sridhar Ramamoorti, associate professor at the School of Accountancy and director of the Corporate Governance Center at Kennesaw State University in Kennesaw, Ga., says the psychology of audit also became more complex over the years, requiring more soft skills. Today’s internal auditors need to use a “chemistry approach” of adaptability, flexibility, and relationship-building acumen. “Internal auditors now need to have the people skills to demonstrate the competence and credibility of the internal audit function,” Ramamoorti says.</p><p>Betty McPhilimy, associate vice president for audit and advisory services at Northwestern University in Evanston, Ill., cites the early 2000s as a “big turning point” for the profession. The IIA’s revised definition of internal auditing, adopted in 1999 and reflected in the Standards that took effect in 2002, recast the responsibilities as “more than just the testing and sampling of transactions.” Internal auditors started to provide advisory services with recommendations to enhance efficiency, effectiveness, and controls. “What really evolved was the ability [and expectation] to add value,” McPhilimy says. “It completely changed how organizations view internal audit and the skill sets auditors were expected to have.”</p><p>Anderson explains that several events changed skill sets after the 1970s. One was that the focus on internal control “really started to develop as a knowledge set.” By the 1990s, he says, companies were upgrading and professionalizing their internal audit groups, looking for people who had experience with accounting and internal controls. 
Another change was that companies started looking for internal auditors who had been in the business for a while and knew about procedures and operations. “There was a lot of growth by acquisition, and companies needed internal auditors who knew about the business,” Anderson says.</p><p>As internal auditors became instruments of improvement and change, they needed more leadership skills than in the past, Winters says. That move away from mere financial compliance is leading organizations to seek internal auditors with strategic thinking capabilities, strong communication skills, and the ability to influence others.</p><p>In the earlier days of the profession, internal auditors were simply supposed to look for problems. Now they are expected not only to do that, but to look for improvements, identify solutions, and sell them to management and decision-makers. “It grew into a bigger role, and auditors were expected to have much broader skill sets and business acumen than they did in the past,” Winters says. “Relationship-building, networking, and demonstrating competency in multiple facets of the organization became more important.”</p><p>If Winters were hiring an auditor in 1985, it would have been an accountant or IT person who “sat in an area by themselves,” he says. Today, Winters would hire a person with knowledge of operations and strong people skills.</p><p>“There’s still a need for traditional skills,” he says. “But internal auditors now need long-term adaptability, continuous learning, critical thinking, and judgment.”</p><p>Craig Guillot</p>
<h1>Medical Device Cybersecurity</h1><p><a href="https://iaonline.theiia.org/2015/medical-device-cybersecurity">https://iaonline.theiia.org/2015/medical-device-cybersecurity</a></p><p>Securing computer systems is common practice, but the same cannot be said for off-the-shelf (OTS) medical devices containing embedded computer systems, which are vulnerable to threats that could expose patients to harm. For example, attackers could exploit flaws in wireless-enabled medical implants to trick an insulin pump into delivering a lethal dose or to make an implanted defibrillator deliver a fatal shock.</p><p>Concerns over such attacks prompted former U.S. Vice President Dick Cheney’s doctors to disable the wireless functionality of his implanted cardiac defibrillator in 2007, a precaution he disclosed publicly in 2013. The potential threat from criminal organizations, hostile nations, and others is so great that the U.S. Department of Homeland Security is working with the U.S. Food and Drug Administration (FDA), medical device manufacturers, and health-care professionals to address device vulnerabilities.</p><p>In addition to threatening patients’ health, compromised medical devices connected to health-care provider networks may enable attackers to steal patient data, resulting in the unauthorized disclosure of protected health information (PHI). According to Reuters, medical information is worth 10 times more than credit card numbers on the black market because it can be used to create fake IDs to buy medical equipment or drugs, as well as to file fraudulent insurance claims. Given these safety and data security concerns, internal auditors who work in the health-care industry or for benefit providers need to be aware of medical device risks and ensure their organizations have effective mitigation programs in place.
</p><h2>Governmental and Industry Concerns</h2><p>In 2012, the FDA released Strengthening Our National System for Medical Device Postmarket Surveillance, which advocated several key objectives:</p><ul><li>Establish a multistakeholder planning board to identify the governance structure, practices, policies, procedures, and business models necessary to facilitate the creation of an integrated medical device post-market surveillance system.</li><li>Establish a unique device identification (UDI) system and promote its incorporation into electronic health information.</li><li>Develop national and international device registries for selected products.</li><li>Modernize adverse event reporting and analysis.</li><li>Develop and use new methods for evidence generation, synthesis, and appraisal.</li></ul><p>The FDA’s October 2014 guidance for the medical device industry, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, encouraged manufacturers to consider cybersecurity risks throughout the development and manufacturing cycle. In addition to the FDA, the Institute of Electrical and Electronics Engineers (IEEE) released Building Code for Medical Device Software Security to help manufacturers mitigate cybersecurity weaknesses.</p><p>Collectively, these guidelines are not easily enforceable, can be difficult to implement, and may not be legally binding. As such, health-care providers that rely on these devices for patient care and services should exercise their own due diligence to ensure they are safe, reliable, and secure.
</p><h2>Risk Factors</h2><table width="100%" cellspacing="0" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;"><strong>OTS Medical Device Categories</strong><br><br>Modern medical devices represent the culmination of scientific research and technological breakthroughs that have enhanced the quality of patient care. Numerous manufacturers around the world build these OTS devices to varying software hardening standards, which often leaves them prone to cybersecurity vulnerabilities.<br><br>Device categories include:<br><ul><li>Implantable: Cardiac defibrillators/pacemakers, cochlear implants, neuro-stimulators, gastric stimulators, and insulin pumps.</li><li>Diagnostic: Blood gas analyzers, CT and MRI scanners, and ultrasound and X-ray machines.</li><li>Life support: Heart-lung, kidney dialysis, and respiratory ventilator machines.</li><li>Monitoring: Electrocardiogram and electroencephalogram monitoring systems.</li><li>Therapeutic: Continuous positive airway pressure machines, drug delivery systems, blood/plasma infusion pumps, medical lasers, and LASIK systems.</li><li>Procedural: Remote-controlled surgical robotics.</li></ul></td></tr></tbody></table><p>To understand what needs to be protected, internal auditors must first become familiar with the FDA and IEEE guidelines and other health-care industry sources. 
OTS medical device areas that should be scrutinized by internal audit include:</p><ul><li><em>Operating systems.</em> Many medical devices still run on old, unsupported operating systems with known, unpatched vulnerabilities, or on UNIX variants left in their insecure default configuration.</li><li><em>Security patching.</em> Unlike conventional network components, medical devices typically cannot accept security patches through the provider’s own patch management process; their embedded operating systems are closed, and updates must be validated and delivered by the manufacturer.</li><li><em>Application software.</em> IT teams usually cannot access the device’s internal software to verify that cybersecurity safeguards are in place and operating effectively.</li><li><em>Antivirus and antispyware.</em> The ability to install and update antivirus and antispyware capabilities within medical devices is typically restricted to the manufacturer.</li><li><em>Passwords.</em> Device passwords most often are not changed at installation and remain set to the manufacturer’s default value, which can easily be guessed or obtained from user manuals and other sources on the Internet.</li><li><em>Wi-Fi and Internet connectivity.</em> Home-use therapeutic and monitoring devices with Wi-Fi and Internet cloud connectivity allow the patient’s health-care team to monitor medical information in real time, as well as change settings remotely, if needed. Although convenient, this connectivity lets threat actors who compromise a device hijack connections, steal patient information, and alter device settings in ways that could threaten the patient’s well-being.</li></ul><p>Internal auditors should determine whether their organization has an OTS medical device risk mitigation program in place that includes:</p><ul><li>Documented policies and procedures to manage and secure medical devices.</li><li>Processes to maintain an up-to-date inventory of medical devices with UDI tracking capabilities.</li><li>Routine security risk assessments using defined metrics to identify which devices are at high risk and require remediation, replacement, or removal from service.</li><li>A vendor management program that coordinates with device manufacturers to address security updates for embedded applications, operating systems, software patches, and anti-malware.</li><li>Stakeholder partnership with the Medical Device Postmarket Surveillance System Planning Board.</li><li>Organizational collaboration with manufacturers and security experts to identify device security gaps, vulnerabilities, and remediation solutions.</li><li>Procedures to ensure that medical device default passwords are replaced with unique, strong passwords that are changed whenever compromise is suspected or staff who know them leave.</li><li>Disabling device Wi-Fi and Internet connectivity if it is not required.</li></ul><h2>Additional Considerations</h2><p>Aside from securing OTS medical devices themselves, health-care providers should invest in a robust, hardened IT infrastructure supported by multilayered security controls, including network segmentation that keeps medical devices off general-purpose networks, to detect and defend against attacks that pivot through compromised devices. Data loss prevention solutions also should be in place to mitigate risks associated with the theft of PHI.</p><p>Removing high-risk, network-connected devices and disabling patient-owned equipment may not be feasible for a health-care provider, because such measures might disrupt patient care and services and be too costly. Accordingly, providers may be forced to accept the risks associated with vulnerable devices until viable solutions can be implemented. Providers faced with this dilemma should reassess their risks and revisit their insurance coverage to ensure it addresses damages caused by compromised medical devices. Organizations also should ensure that their incident response teams and public relations departments have plans in place to respond effectively to incidents stemming from compromised medical devices.</p><p>Health-care providers that overlook or ignore the pervasive cybersecurity threats associated with OTS medical devices may face elevated legal, regulatory, and reputation risks. To ensure compliance with legal and regulatory requirements, internal audit at these organizations should advise management about these concerns in addition to including reviews of these devices in their audit plan.</p><p>Lance Semer</p>
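<p>The following Python script is an added example, not code from the article above or from any device manufacturer. It shows one way to implement two items from the mitigation checklist in “Medical Device Cybersecurity”: an inventory keyed on each device’s UDI (parsed from the GS1 human-readable label form, with the GTIN-14 check digit verified so that a mistyped identifier cannot silently break tracking) and a routine risk assessment that applies defined metrics, including the unsupported-OS, default-password, patchability, and connectivity factors listed under Risk Factors, to rank devices for remediation, replacement, or removal from service. The device records, factor weights, tier thresholds, and list of factory default passwords are all constructed for illustration; a real program would take them from the provider’s inventory system, manufacturer security documentation, and the organization’s own risk appetite.</p>

```python
"""Risk-scoring an OTS medical device inventory (added example; hypothetical data)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# GS1 application identifiers that appear in a UDI: (01) GTIN-14 is the device
# identifier (DI); (11)/(17) dates, (10) lot and (21) serial are production identifiers.
_AI_RE = re.compile(r"\((01|10|11|17|21)\)([^()]+)")


def parse_gs1_udi(udi: str) -> dict:
    """Split a human-readable GS1 UDI into DI and PI parts, verifying the GTIN-14 check digit."""
    parts = dict(_AI_RE.findall(udi))
    gtin = parts.get("01", "")
    if not re.fullmatch(r"\d{14}", gtin):
        raise ValueError(f"missing or malformed GTIN-14 in {udi!r}")
    digits = [int(c) for c in gtin]
    # Weights alternate 3,1,3,1,... starting from the rightmost payload digit.
    total = sum(d * (3 if i % 2 == 0 else 1) for i, d in enumerate(reversed(digits[:13])))
    if (10 - total % 10) % 10 != digits[13]:
        raise ValueError(f"GTIN-14 check digit mismatch in {udi!r}")
    return {"di": gtin, "expiry": parts.get("17"), "lot": parts.get("10"), "serial": parts.get("21")}


@dataclass
class Device:
    name: str
    category: str            # implantable, diagnostic, life_support, monitoring, therapeutic, procedural
    udi: str                 # as printed on the device label / recorded in the inventory
    os: str                  # embedded operating system reported by the manufacturer
    os_supported: bool       # OS vendor still issues security fixes for it
    network: str             # "none", "lan", "wifi" or "internet"
    patch_path: bool         # manufacturer has a validated process to deliver security updates
    password: Optional[str]  # current service/admin credential, None if nobody knows it


# Hypothetical metric weights and thresholds; constructed for this example.
WEIGHTS = {
    "unsupported_os": 3,
    "default_password": 4,
    "exposed": 2,          # reachable over Wi-Fi or the Internet
    "no_patch_path": 2,
    "patient_harm": 3,     # a compromise can directly injure the patient
    "untracked_udi": 1,    # inventory record cannot be tied to a valid UDI
}
PATIENT_HARM = {"implantable", "life_support", "therapeutic"}
# Factory defaults of the kind found in user manuals; constructed list.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "service"}
HIGH, MEDIUM = 8, 3


def risk_factors(dev: Device) -> list[str]:
    """Apply each defined metric to one device and return the factors that fire."""
    factors = []
    if not dev.os_supported:
        factors.append("unsupported_os")
    if dev.password is None or dev.password.lower() in DEFAULT_PASSWORDS:
        factors.append("default_password")
    if dev.network in ("wifi", "internet"):
        factors.append("exposed")
    if not dev.patch_path:
        factors.append("no_patch_path")
    if dev.category in PATIENT_HARM:
        factors.append("patient_harm")
    try:
        parse_gs1_udi(dev.udi)
    except ValueError:
        factors.append("untracked_udi")
    return factors


def risk_score(dev: Device) -> int:
    return sum(WEIGHTS[f] for f in risk_factors(dev))


def tier(score: int) -> str:
    return "high" if score >= HIGH else "medium" if score >= MEDIUM else "low"


def assess(inventory: list[Device]) -> list[dict]:
    """Rank the inventory, worst first, so the highest-risk devices get remediation attention."""
    rows = []
    for dev in inventory:
        factors = risk_factors(dev)
        score = sum(WEIGHTS[f] for f in factors)
        di = None if "untracked_udi" in factors else parse_gs1_udi(dev.udi)["di"]
        rows.append({"name": dev.name, "di": di, "score": score, "tier": tier(score), "factors": factors})
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))


# Constructed sample inventory (names, UDIs and settings are invented).
SAMPLE_INVENTORY = [
    Device("Insulin pump (home-use)", "implantable", "(01)00123456789012(17)271231(10)L4471(21)SN0001",
           "vendor RTOS 2.1", True, "wifi", True, "1234"),
    Device("CT scanner (radiology)", "diagnostic", "(01)01234567890128(21)CT-77",
           "Windows XP Embedded", False, "lan", False, "Zq8!vL2#mP"),
    Device("Ventilator (ICU bed 3)", "life_support", "(01)50000000000005(10)B2",
           "VxWorks 7", True, "none", True, "k7$Rw!p2Ln"),
    # Mistyped UDI: the GTIN-14 check digit should be 9, so the record is flagged as untracked.
    Device("Infusion pump (ward 4)", "therapeutic", "(01)00000000000108(21)IP-9",
           "Windows CE 6.0", False, "wifi", False, "admin"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_INVENTORY):
        print(f"{row['tier']:6} {row['score']:2}  {row['name']:24} DI={row['di']}  {', '.join(row['factors'])}")
```

<p>Running the script prints the ranked list; the infusion pump sorts to the top because every factor fires, and its invalid UDI is reported separately so the inventory record can be corrected rather than lost. The weights are additive on purpose so that an auditor can see which factor drives a device’s tier; they should be agreed with clinical engineering and revisited after each assessment cycle. A high-tier device with no manufacturer patch path is exactly the case the article says a provider may have to accept for a time, with insurance coverage and incident response plans adjusted accordingly.</p>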
<h1>Make the Company Better</h1><p><a href="https://iaonline.theiia.org/2015/make-the-company-better">https://iaonline.theiia.org/2015/make-the-company-better</a></p><h2>What is internal audit’s role at Xerox?</h2><p>Internal audit’s role is to make Xerox better. Using a collaborative approach focused on improvements has been well received by the business. Because we have a separate internal control function that handles Sarbanes-Oxley testing, internal audit can focus on other areas. We have a continuously expanding role to tackle different types of financial, control, operational, IT, governance, and compliance projects.</p><h2>What skills do you look for when staffing Xerox’s internal audit department?</h2><p>The key things I look for are a collaborative mentality, good critical thinking skills, strong interpersonal skills, solid writing skills, and subject matter expertise. A positive attitude and a desire to travel to different locations are always helpful. The department currently has a mix of diverse backgrounds with concentrations in auditing, internal control, and IT. Recently, our focus has been on bringing in people with more IT, analytics, and health-care experience. Professional credentials are also important.</p><h2>What does Xerox do to support professional development within internal audit?</h2><p>This is one of my top priorities. The department pays for membership in The IIA and has set a 60-hour continuing professional education requirement. I try to have the whole team attend either the International Conference or the All Star Conference and then add on a few extra days for department meetings and team building. That is supplemented by local IIA trainings, training from our cosource provider EY, and webcasts. The department also pays for additional certifications, including the Certified Internal Auditor, Certified Public Accountant, Certified Information Systems Auditor, and Certified Fraud Examiner. We have copies of study guides the team can use for the exams.</p><h2>How does your staff keep up with changing technology risks?</h2><p>Keeping up with the pace of change is always a challenge. To identify areas of risk, the team attends technical training and reads articles on recent trends. To get the latest perspective, we use EY subject matter experts on our projects. We also partner with Xerox’s chief information security officer to ensure our work is addressing emerging risk areas. Attending roundtables with other CAEs who are facing similar issues is another great way to get ideas on new risks and how to tackle them.</p><p>Staff</p>
<h1>Cyber and Corporate Governance</h1><p><a href="https://iaonline.theiia.org/blogs/marks/Pages/Cyber-and-Corporate-Governance.aspx">https://iaonline.theiia.org/blogs/marks/Pages/Cyber-and-Corporate-Governance.aspx</a></p><p>I have enormous respect for the people at the National Association of Corporate Directors. A US organization, the NACD not only counts among its members a great many members of corporate boards (large and small) and their advisors, but over time has contributed some excellent <a href="https://www.nacdonline.org/Store/index.cfm?navItemNumber=539">guidance on corporate governance</a>.</p><p>Recently, the NACD made available a paper written by one of its members. <a href="http://boardleadership.nacdonline.org/rs/815-YTL-682/images/The%20Director%27s%20Chair.pdf?mkt_tok=3RkMMJWWfF9wsRonsqnPZKXonjHpfsX56ugpWqe/lMI/0ER3fOvrPUfGjI4DScFlI%2BSLDwEYGJlv6SgFQrHAMbl01rgLUxM%3D">Cyber Threats Necessitate a New Governance Model</a> reflects what I believe to be the personal opinion of its author, Gerald Czarnecki. I don't see it noted, but I am assuming (and hoping) that these opinions may not reflect the opinions of the NACD.</p><p>He appears to be a member of multiple boards, as well as a management consultant. He has earned a place at the NACD pulpit, so his comments merit our consideration.</p><p>He certainly has some solid points to make.</p><p>The theme is that technology-related risks, including cyber, are:</p><ol><li>The most significant risks to organizations in general.</li><li>Not getting sufficient oversight by the board and its committees, both in terms of the time allotted and the technical proficiency of the board members and their advisors.</li></ol><p>I have some sympathy for this.</p><p>The author believes that, just as a separate and specialized committee is established to provide oversight of financial reporting, including the performance of the external and internal auditors, so should a separate committee be established to provide oversight of technology-related risks.</p><p>Does this make sense? At a superficial level, it does.</p><p>Financial reporting is an activity somewhat isolated from business operations. It can be viewed and managed as what I would call a siloed activity.</p><p>But technology-related risks are not. In fact, it is better to call them technology-related <strong><em>business</em></strong> risks. They are not critical for their own sake; they are critical because failures to manage them directly affect the achievement of organizational objectives. They impact the business and its success.</p><ol><li>All risks should be managed and reviewed within the context of the objectives and strategies they affect.</li><li>Discussions by the board on strategies and performance need to include risk.</li><li>Considering risk in a silo, whether technology-related or something else, is the path to poor performance.</li><li>Technology-related risks are not the only risks to any objective. As I have noted before, the board and top management need to know whether the totality of risk to any objective or strategy means that they should take action. The level of any single risk may not be cause for action, but when all related risks are considered it may be prudent to change strategy or take other steps.</li></ol><p>On the other hand, the board does need to find the time to obtain assurance that technology-related risks are being appropriately addressed by management.</p><p>For that reason, I can see a need – at some but not all organizations – to have separate discussions, perhaps with a specialized committee established for this purpose and with technical advisors, to give cyber and other technology risks appropriate attention. Each board will have to decide the best approach given its structure, the level of risks, and so on.</p><p>But, and this is a big BUT, having separate discussions or even a separate board committee should not distract the board from integrating the discussions of risk – all risks – with strategy and performance.</p><p>I welcome your views.</p><p>Norman Marks</p>
<h1>News Mixed on Cybersecurity Readiness</h1><p><a href="https://iaonline.theiia.org/2015/news-mixed-on-cybersecurity-readiness">https://iaonline.theiia.org/2015/news-mixed-on-cybersecurity-readiness</a></p><p>There are signs that organizations are making progress in addressing cybersecurity risks, but there's still much work to be done, according to a pair of recent surveys. The good news is that boards are paying more attention to cybersecurity, the surveys say.</p><p>Forty-five percent of respondents to a worldwide survey by PricewaterhouseCoopers (PwC) and <em>CIO</em> and <em>CSO</em> magazines report that their boards participate in cybersecurity strategy activities. Moreover, a Protiviti study shows that strong board engagement is a key differentiator in an organization's ability to address security risks.</p><p>"Many executives are declaring cyber as the risk that will define our generation," Dennis Chesley, global risk consulting leader at PwC, says in the <a href="http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html" target="_blank">Global State of Information Security Survey 2016</a>. "As a result, businesses are taking an enterprisewide, business-oriented view of this important risk area."</p><h2>Making Progress</h2><p>Now that it has risen on their agenda, boards and senior executives are taking a fresh look at how their organization addresses information security risks, according to the PwC-conducted survey, which polled more than 10,000 C-level business and IT executives, vice presidents, and directors of IT and information security from 127 countries. One example of this new thinking is that 91 percent of respondents' organizations have adopted a cybersecurity framework or a combination of frameworks. Security experts point out that a framework is a vital first step in addressing cybersecurity threats because it gives everyone in the organization a common frame of reference. The most commonly used frameworks are ISO 27001 from the International Organization for Standardization and the U.S. National Institute of Standards and Technology Cybersecurity Framework.</p><p>These frameworks are creating opportunities for more holistic defenses, the PwC report notes. Nearly half (49 percent) of respondents say a framework helps their organization better identify and prioritize cybersecurity risks, while 47 percent say their organization is more capable of detecting and mitigating security incidents quickly.</p><p>"We are seeing more of what we once saw as a risk being turned into possible solutions," says David Burg, cybersecurity leader with PwC's Global and U.S. Advisory unit. "For example, many organizations are embracing advanced authentication as a cloud service in place of solely password-based authentication."</p><p>Another positive sign is information security spending, which is up 24 percent on average at respondents' organizations compared to last year. And some of that spending is aimed at covering what they can't protect, with 59 percent of respondents saying their organization has purchased cybersecurity insurance.</p><h2>Tomorrow's Risks Today</h2><p>Two of the biggest concerns voiced by the PwC survey's respondents are big data and the Internet of Things (IoT). Recent cybersecurity incidents and warnings by security thought leaders have highlighted the vulnerability of big data and the privacy issues associated with it. Yet 59 percent of respondent organizations are turning that possible liability into a potential asset by leveraging big data analytics to monitor and analyze network activity. Benefits include better understanding of external and internal threats and user behavior, as well as better visibility into anomalous network activity and faster response to security incidents.</p><p>So far, the IoT remains more of a potential risk than a security solution. Only 36 percent of respondents report that their organization has an information security strategy for the IoT, which involves connecting a host of machines and devices to the Internet. Attacks on IoT systems are up, with respondents reporting attacks on mobile devices (36 percent this year compared to 24 percent in 2014), embedded systems (30 percent vs. 13 percent), consumer technologies (29 percent vs. 11 percent), and operational systems (26 percent vs. 10 percent).</p><h2>A Matter of Confidence</h2><p>Despite the progress many organizations are making, they continue to fall down in several areas, according to Protiviti's <a href="http://www.protiviti.com/en-US/Documents/Surveys/2015-IT-Security-Privacy-Survey-Protiviti.pdf" target="_blank">2015 IT Security and Privacy Survey</a> (PDF) of 708 chief information, information security, and technology officers, as well as IT vice presidents and directors. One glaring weakness: one-third of the organizations surveyed do not have policies for information security, data encryption, and data classification.</p><p>Moreover, only 28 percent of respondents say their boards have a high level of engagement with and understanding of information security issues, down from 30 percent in last year's survey. Thirty-two percent say their board has a medium level of engagement and understanding, while 15 percent say it has a low level. Perhaps more telling, 25 percent of respondents don't know their board's level of engagement and understanding, compared to 9 percent in last year's survey.</p><p>Respondents whose boards have a high level of engagement and understanding of cybersecurity report more confidence that their organization is able to monitor, detect, and mitigate potential security incidents and that senior management is more aware of the organization's information security exposures. They also are more confident that their organization could prevent a targeted external attack or a breach by a company insider.</p><p>Respondents whose organizations have core information security policies reported greater confidence about their organization's cybersecurity capabilities, as well. But the Protiviti report warns against overconfidence. In particular, the report advises IT leaders to ensure the organization has a crisis response plan in place, trains all personnel on cybersecurity-related policies, and implements controls that address social engineering attacks, such as two-factor authentication and proxy-based controls.</p><h2>Protecting Sensitive Data</h2><p>The Protiviti survey reports that one trend has continued downward over the past three years: the percentage of respondents' organizations that have effective data leakage policies in place. For example, 67 percent of respondents say their organization has a password policy, compared to 77 percent in 2014 and 87 percent in 2013. Fifty-four percent have an information security policy, down from 67 percent last year and 77 percent in 2013.</p><p>Another downward trend is the percentage of respondents whose organizations have a data classification policy for categorizing information as sensitive, confidential, or public. Sixty-five percent of respondents' organizations have such a policy, down from 71 percent last year. Half of organizations have developed a scheme for classifying data, compared to 58 percent last year and 63 percent in 2013. The Protiviti report observes that many organizations haven't developed an approach to protecting their vital data because they are striving for a perfect system rather than implementing a basic system and improving it over time.</p><h2>Room for Improvement</h2><p>Cal Slemp, Protiviti managing director for Security, Program & Policy Solutions, warns that organizations will need to continue to improve their cyber defenses. "Companies appear intent on addressing data security issues, but are these intentions translating into effective policies and actions to secure organizations' most valuable data?" he says. Faced with greater threats, organizations can't afford to be complacent, he advises.</p><p>Tim McCollum</p>
Budgeting for Analyticshttps://iaonline.theiia.org/2015/budgeting-for-analyticsBudgeting for Analytics<p>Data analytics tools are nearly ubiquitous in today’s high-performance audit functions, with most either developing their analytics capabilities or increasing their use. And while the technology offers significant capabilities for audit enhancement, its value hinges on the users’ ability to put analytics tools into practice and effectively plan analytics engagements. Accordingly, one of the most important steps in implementing a data analytics program is estimating the level of effort required. </p><p>Determining the right level of effort for data analytics at each engagement can be difficult, and its consequences immediate — including flawed analytics strategies and testing outlines. Some audit shops may systematically set aside a given percentage of the engagement budget for the use of data analytics. This approach is suitable for repeated audits or when the audit department has observed resource usage trends over several years. But because the objectives and scope of some engagements can be unique, requiring specific sets of testing hypotheses and data sources, developing a systematic and sustainable mechanism for determining level of effort can result in a reasonable and justifiable budget for data analytics.</p><p>At the author’s organization, tackling analytics budgeting involved three main steps: obtaining audit leadership support for analytics, crafting and following a methodology for determining analytics effort, and considering several critical success factors. Although the audit universe will vary from one setting to the next, and no methodology provides a one-size-fits-all approach, focusing on these three areas can provide a helpful foundation for those looking to enhance their analytics efforts. 
<br></p><h2>Leadership Support  </h2><p>Obtaining internal audit leadership support is critical, as it sets the tone at the top for the effort and helps ensure a strong commitment to the use of data analytics on engagements. The CAE ideally should indicate his or her support for analytics use before the start of the annual risk assessment and audit plan development process. When communicating to staff, the CAE needs to explain the data analytics strategy and stress the need to allocate sufficient staff time at the engagement level. The CAE’s open support will also reinforce budget accountability and trigger awareness and staff buy-in for the analytics budgeting process. <br></p><h2>Estimate Level of Effort </h2><p>To determine level of effort, the auditors and data analytics team can begin by using a flagging system to identify potential candidates for data analytics. The list of flagged engagements can then be used to prioritize analytics work for effort estimation. The analytics team should also adopt a methodology to assess the likelihood and intensity of data analytics activities, as well as develop a level-of-effort matrix.<br></p><p><strong>Identify Potential Candidates</strong> During audit plan development, internal audit managers should encourage their staff members to be mindful of analytics needs and to flag potential candidates for application of the technology. Because they know the organization’s business processes, auditors should be at the forefront of identifying engagements that may require the use of analytics and determining how it can be best deployed to support audit results. They should also consider challenges that may be encountered on each engagement. Basic questions that auditors can ask themselves include:<br></p><ul><li>Can the audit team use data to support potential findings?</li><li>Is the entity under consideration for review being monitored through the use of key performance indicators (KPIs)? What are those KPIs? 
What are the underlying data? </li><li>What are the quick data analytics wins if the audit/review were to be conducted? </li><li>Considering the objectives and scope of the engagements, what are the two or three broad testing hypotheses that can be formulated?</li><li>Are the data needed internal or external to the organization?</li><li>Does access to the data needed require additional effort and approval? </li></ul><p>For experienced, data-savvy auditors, brainstorming sessions can be a useful tool for high-level consideration of potential data needs and sources. The exercise can also facilitate development of detailed testing hypotheses and help define testing limitations. Early identification of data needed and the sources of that data can help shape data access negotiations with the IT team or the data owners.</p><p><strong>Assess Likelihood</strong> Once flagging is complete, the auditors and data analytics team can assess the likelihood of analytics activity for each engagement. A three-tiered assessment system can be applied: </p><ul><li>None. The engagement will not involve any data analytics activities, as its focus, objectives, and scope suggest that analytics will not be required. Reviews of process design or frameworks may fall into this category. </li><li>Likely. The engagement may involve some data analytics activities. The analytics and audit teams anticipate that analytics work will be carried out — they have identified broad preliminary objectives and scope but cannot confirm them before the start of the engagement.</li><li>Certain. The analytics and audit teams have determined the need for analytics, and the objectives and scope of the engagement provide strong indication that analytics work will be carried out. The auditors have identified a preliminary data analytics scope and comprehensive testing hypotheses. </li></ul><p>Some gray areas might appear, as likelihood assessments are not always clear-cut. 
For example, at the time of audit plan development, the audit staff might not have enough information to decide whether or not data analytics activities will be carried out for some engagements. Or, the team may determine that analytics objectives and scope will be defined during engagement planning. Engagements with these characteristics should be kept in mind, and a contingent budget should be set aside to cover them should the need for analytics work arise.</p><p>In other circumstances, the delineation between Likely and Certain might not be sharply defined. When this occurs, a hybrid assessment can be used — None/Certain, None/Likely, or simply Yes/No.</p><p><strong>Estimate Intensity</strong> Analytics intensity measures the degree to which analytics activities will be carried out in the selected engagements. The level of intensity can be measured using a low-medium-high scale: </p><ul><li>Low: Basic analysis is expected to be performed, and analytics resource usage is estimated to be low. The analysis may include profiling and pattern identification, as well as stratification, gap analysis, and calculation of statistical parameters to identify outliers. Factors to consider when assessing the intensity as Low may include whether there are few data sources and if data are readily available.</li><li>Medium: Data analytics activities include profiling and pattern identification, stratification, gap analysis, efficiency measurement, benchmarking, and calculation of statistical parameters to identify outliers. 
Factors to consider when assessing the intensity as Medium may include whether the data needed are external to the organization, whether the analytics team will make additional effort to gather the internal data needed, and whether the analytics team anticipates that it will join several data sources in different systems to identify inappropriate matching values.</li><li>High: The engagement is considered to be heavily data-driven, or analytics is the core of the review. Analytics activities include profiling and pattern identification, stratification, gap analysis, efficiency measurement, benchmarking, data sequencing, and calculation of statistical parameters to identify outliers. Additionally, the analytics and audit teams are expected to develop complex analysis and hypotheses. Factors to consider when assessing the intensity as High may include whether any data needed are external to the organization and if the analytics team will make additional effort to gather the internal data needed.</li></ul><p><strong>Develop a Matrix</strong> Using the likelihood and intensity data gathered, the analytics and internal audit team can create a level-of-effort matrix to help determine analytics budget estimates. The matrix should capture the thought process for assessing the level of data analytics activities.</p><p><img class="ms-rteiaPosition-2" src="/2015/PublishingImages/Pinga-level-of-effort-matrix.jpg" alt="Level-of-effort Matrix" style="margin:5px;width:576px;" />“Level-of-effort Matrix” at right depicts an example matrix, showing the extent of data analytics activities at the engagement level. The dark tan color indicates that heavy analytics activities will be carried out in the engagements that fall into that category. 
For example, Engagement E2, with a likelihood of Certain and High intensity, will receive the highest percentage of the engagement’s total budget — say, 50 percent. Engagement E1, in which likelihood and intensity are assessed as Likely and Low, respectively, will receive a percentage significantly lower than that of Engagement E2 — perhaps 10 percent. Engagements with likelihood assessed as None will receive no budget allocation for analytics activities. The analytics team should set percentages using professional judgment, taking into consideration trends observed in the past. </p><h2>Key Success Factors</h2><p>To ensure an adequate level-of-effort estimation, the analytics team should view the budgeting exercise as a dynamic, multidimensional activity that takes into account some additional elements. Specifically, success factors for the continuous improvement of the data analytics level of effort include validation of the analytics budget, adoption of a mechanism for funding the budget, and variance measurement.</p><p><strong>Validation Process</strong> Although analytics level-of-effort estimation is primarily the analytics team’s responsibility, team members should work closely with internal audit. During level-of-effort formulation, the analytics team should ensure critical inputs are considered, including minutes of relevant audit staff brainstorming sessions, audit clients’ feedback on the proposed audit plan, and, if available, analytics usage trends observed during prior years.</p><p>The analytics team should constantly seek feedback from internal audit staff and management to ensure the assumptions and measurement indicators are well-understood. 
After applying the matrix, the team should conduct validation meetings with stakeholders, which may result in changes to the level of effort for each engagement.</p><p>The analytics team should record both calculated and adjusted levels of effort and document significant changes. This documentation is critical, as it can help refine the criteria for assessing likelihood and intensity of data analytics activities for subsequent years.</p><p><strong>Funding Mechanism</strong> Because data analytics can increase engagement efficiency, support for a specific analytics budget should be clearly communicated across the entire audit department. Before sharing the finalized budget, however, the department must first decide whether to increase the original budget for the engagement by the analytics budget or to make the analytics budget part of the original engagement budget. “Data Analytics Budget Funding” below depicts each of these scenarios.</p><p><img src="/2015/PublishingImages/Pinga-data-analytics-budget-funding.jpg" alt="Data Analytics Budget Funding" style="margin:5px;" />In Scenario 2, the general budget of Engagement E2 is increased by 20 days, which corresponds to the data analytics level of effort. This scenario suggests that the analytics budget comes out of a central contingency envelope. By nature, this practice might defeat any efficiency gains achieved through the analytics work. </p><p>In Scenario 1, Engagement E1 has an unchanged general budget. This scenario reflects the notion of “doing more with less” on an individual engagement. Moreover, it generates a high perception of accountability among the data analytics and audit teams. </p><p><strong>Variance Measurement</strong> After each engagement or at year-end, the analytics team should compare the initial or adjusted budget with the actual days spent. Any variances observed can help gauge the quality of level-of-effort matrix estimates. 
Low variances may indicate that empirical assessment was effective, whereas high variances might be an indicator that the criteria for assessing effort need some refinement. When budget overruns occur, the analytics team should consider two important factors: </p><ul><li>Experience Level. If the data analytics team is too inexperienced, substantial deviations from the initial budget can be expected. But as the team gains more experience, deviations caused by this factor should decrease.</li><li>Analytics Process Maturity. In early years of data analytics use, level of effort can be significant. Factors that may contribute to budget overruns include absence of a strong partnership/relationship with data owners or the IT department, absence of a clear process for identifying data needed, poor quality assurance surrounding the data analytics activities, absence of a robust infrastructure that supports the analytics team’s work, and poor quality of interactions between the analytics and audit teams. </li></ul><h2>Benefits and Bottom Line</h2><p>Upfront identification of engagements that lend themselves to data analytics is critical, and it can yield several benefits. First, not only does it help determine the level of effort required, but it also provides a high-level indication of the types of data needed for those engagements. That way, the data analytics team can engage the IT function or the data owners early enough to avoid the bottlenecks of late requests. Additionally, it can have a direct impact on the CAE’s decision-making process by identifying the analytics skills needed as well as isolating areas where co-sourcing would be cost-effective.</p><p>Estimating data analytics level of effort for each engagement within the audit plan can be challenging — even daunting, especially if the assessment is performed during audit plan development. 
And while the matrix system yields a considerable amount of useful data for decision-making, professional judgment ultimately should be the cornerstone of the entire process. An auditor’s knowledge and experience should guide decision-making, using the level-of-effort methodology as a means of informing and supporting conclusions. </p>Rigobert Pinga Pinga
Big Data Risk and Opportunityhttps://iaonline.theiia.org/2015/big-data-risk-and-opportunityBig Data Risk and Opportunity<p>To an internal auditor, just the term big data can elicit a sinking feeling. The challenges associated with the volume, complexity, and variety of big data can be overwhelming. The good news is, with a solid action plan, internal auditors can do more than just mitigate the risks associated with big data. Internal audit also can help exploit big data to identify and mitigate existing risks.</p><p>Big data is the collection of data sets that are so large and complex that they are difficult to process using conventional database tools. Big data comes in two flavors: structured data (e.g., data in spreadsheets and databases) and unstructured data (e.g., social media posts, emails, audio, video, and GPS data). And, of course, big data can have multiple sources. Typically, working with big data requires new technologies to identify usable business insights, trends, and correlations — often in real time.</p><p>Businesses are using big data not only to boost performance, but also to reduce risks and prevent loss. From a risk management perspective, companies can identify risks and create value by using big data in three areas: business opportunities and risks, IT governance, and internal audit opportunities and risks.</p><p>First, business opportunities result from the fact that companies have valuable data but often don’t know how to use it to gain actionable insights. Rules creation and testing, personalization of product offerings, using social media to spot consumer trends, and the ability to make data-driven business decisions all represent significant big data opportunities.</p><p>But these opportunities come with risk. For example, how does a company store personally identifiable information, and who owns it? How does it address regulatory issues and privacy breaches? What about increased exposure to reputation risk? 
And how should data retention, such as timing of disposals, be managed?<br></p><p>Big data considerations in the area of IT governance tend to focus on data-center management, specifically capacity planning and monitoring because of the massive replication of data at the software level and the need to measure performance. Of course, IT security is a tremendous concern, as are access control, penetration testing, and the quality of systems testing and processes.<br></p><p>Finally, internal audit opportunities and risks are centered around the security and compliance related to big data implementation, with issues such as ownership of data, authority to access, and secure access as priorities. Also, auditors exploit big data in the areas of continuous controls monitoring, access to nontraditional data sets, and regulatory compliance.<br></p><p>An organization’s plan for addressing these three areas will vary according to its industry, goals, and challenges. However, there is a high-level, phased-action-plan approach any enterprise can customize:<br></p><ul><li>Phase 1: Identify where data resides in the organization and the roles and responsibilities related to it.</li><li>Phase 2: Define goals and priorities.</li><li>Phase 3: Assess critical data issues.</li><li>Phase 4: Identify key risk indicators (KRIs).</li><li>Phase 5: Identify opportunities to add value.</li></ul><p>By applying these phases to each of the three identified areas, internal auditors and risk management professionals can identify and mitigate big data risks and seize any opportunities.<br></p><p>An action plan for addressing IT governance, for example, should focus on the implementation team’s responsibilities in phase 1, including security, capacity planning, code writing, pinpointing the owner of specifications, and identifying internal audit’s role in the project. Phase 2 priorities should include improving system performance and test processes to reduce spurious output. 
Assessing available data and performing various types of testing of data sets are crucial in phase 3. In phase 4, the KRIs should be identified by addressing trending information on usage and service quality, completeness and accuracy of data, and disaster recovery capabilities. Finally, the focus in phase 5 should be on speed, indexing, and assessing storage and cloud options (private versus internal storage or public versus hybrid cloud) to create efficiencies.</p><p>The five phases often overlap and might not occur in sequence. In addition, both risk management professionals and senior management have specific tasks they must accomplish during each phase to make the plan work.</p><p>The bottom line: Auditors, risk managers, and compliance officers must work with senior management to understand and embrace big data to help identify and mitigate risks. Plus, they should take advantage of the opportunities big data offers to improve their own effectiveness. By covering risks and opportunities, they can help organizations analyze and understand big data’s potential from both a compliance perspective and a strategic and operational improvement stance. <br> <span class="ms-rteiaStyle-authorbio">Rob Blanchard, CISA, is a senior manager with Crowe Horwath LLP in Columbus, Ohio. <br> Kevin O’Sullivan, CISA, is a principal with Crowe Horwath LLP in New York.</span></p>Rob Blanchard
Shutting the Door on Social Engineeringhttps://iaonline.theiia.org/2015/shutting-the-door-on-social-engineeringShutting the Door on Social Engineering<p>A busy senior executive walks into her office on Monday morning and begins to review her email. About halfway through, she sees this message: <br><br><strong>To: All employees </strong><br><strong>From: HR and IT department</strong><br><em>The IT department has contracted with XYZ Consulting to test and enhance the performance of our network. In doing so, we ask that you sign into the link below and run a few tests. XYZ has asked us to get as many people as possible to perform the tests to get a true reading of our network speed. Your help is greatly appreciated. Link here: </em><br><em>http://xyznetworktesting.com</em><br><br>The executive finds it odd that she was not informed about this project and calls the IT department to find out more. She is stunned to learn that not only did IT not sanction any network testing, but that this is a phishing email and more than 100 employees had clicked the link and signed in with their network credentials before IT could stop it. </p><p>This scenario is a good example of social engineering in today’s highly connected business environment. Wikipedia describes it well: “Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.” </p><p>CAEs have an interest in knowing how the information security department addresses social engineering, primarily because it is used to perpetrate fraud. Additionally, internal audit should proactively assist in detecting how these techniques play out in their organization and help deter them.</p><h2>How It Works</h2><p>Social engineering usually targets communications systems. The most common method is to send a phishing email that asks the user to click on a link. 
This link is set up by the perpetrator to request a user’s network ID and password, thus obtaining the needed credentials to access the company’s systems and data. The scammer then uses those credentials to sign onto the system as though a legitimate user, access confidential information, and download the information to sell or perpetrate fraud. </p><p>Some social engineering approaches are elaborate. One variation is to have the link execute a piece of malware to invade the system. Another variation is to offer an incentive to entice the user to click on the link, such as money or scheduling a package delivery. Still another technique is for the sender to say he or she is acting under the direction of the IT department or a senior executive. Some scams play on a user’s personal situation or sympathetic side — a compassionate plea about a sick child or parent — to trick the user to click on a link or go to a fraudulent website. Some of the nastiest scams — particularly in the banking industry — send phishing emails purporting to be from the organization that tell its customers they need to refresh or verify their credentials or their accounts will be closed. </p><p>Although the email system is the main target, scammers can use the telephone system, as well. For example, a scammer can call claiming to be a customer who has lost his or her credentials to access his or her account. Or callers might say they need to access their financial account immediately and don’t have time to verify their personally identifiable information. Another technique is to call an employee claiming to be a consultant working on the system who needs the employee’s credentials to fix something on the system. </p><h2>What Internal Audit Can Do</h2><p>Addressing social engineering is not a task internal audit can tackle on its own. But there are things auditors can do to help the information security department protect the organization. 
</p><p><strong>Testing</strong> Performing a social engineering audit in conjunction with the information security department is one of the most effective and eye-opening things internal audit can do to discover whether the organization has a large-scale awareness issue. A good social engineering test consists of:</p><ul><li>Craft a phishing email similar to those used in common phishing scenarios.</li><li>Work with IT to set up a fake Web address where the link should be directed.</li><li>At the website, ask for sign-in credentials. </li><li>Send the email to employees and monitor who clicks on the link and enters their credentials.</li></ul><p><strong>Awareness</strong> Work with the human resources (HR) and information security departments to develop an effective information security awareness program. Employee awareness is the No. 1 way to deter email and phone phishing scams. Teach employees that while customer service is important, they should never bypass information security protocols to help customers unless they have verified through established procedures that they are truly communicating with a customer. </p><p><strong>Hotline</strong> Include suspicious emails in the organization’s fraud reporting hotlines and procedures. Detecting fake emails is just as important as uncovering an employee who is misappropriating funds. The only difference is they are using a different means to perpetrate the fraudulent activity. One way to encourage reporting is to place an icon on the email tool bar that allows users to easily report a suspicious message. </p><p><strong>Audit Procedures</strong> Include questions in audits that ask about any unusual activity related to emails or phone calls. Giving system credentials to strangers is even worse than sharing credentials with other employees. 
</p><p>In addition to these items, advise information security and HR to enact these procedures: </p><ul><li>Do not allow personal email to be sent to or from work addresses. This limits the number of suspicious emails and helps deter internal fraud by disgruntled employees emailing sensitive company data to their personal email.</li><li>Monitor all email sent to noncorporate email addresses.</li><li>Recommend tools that have aggressive and effective spam filters to weed out spam and emails sent out through automated email generators.</li><li>Enforce a formal email or computer use policy.</li><li>Do not allow executive privilege to dictate email policy, which can circumvent the measures the information security function has implemented to protect the organization. Executives and senior managers are just as likely as other employees to click on a phishing message. </li><li>Never pre-announce social engineering tests. The element of surprise is important. Testing the awareness level will only be successful if it’s performed under true conditions. </li></ul><h2>Minimizing the Threat</h2><p>Internal audit has a role to play in an organization’s social engineering defenses. While it is primarily an information security responsibility, awareness, monitoring, and setting up and recommending controls are all activities that internal audit can actively be involved with to minimize the chance that the organization’s systems are breached. In addition, auditors should help detect and minimize conditions that exist for social engineering fraud. Cybercrimes are now one of the new “misappropriation of assets” frauds within organizations. The asset being misappropriated is customer and company private information, and the repercussions to the organization can be devastating. </p>Kenneth Pyzik
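The "HR and IT department" phishing scenario from "Shutting the Door on Social Engineering" above, and the article's recommendation to monitor mail sent to noncorporate addresses, as an added defender-side triage example (not the article's or any vendor's tooling): the corporate domain example.com, the heuristics, and all three messages are constructed assumptions, with the phishing sample modelled on the article's own email.

```python
"""Added example (not from the article): heuristic triage for the
'HR and IT department' phishing scenario and for the 'monitor mail to
noncorporate addresses' control. All messages are constructed samples;
the corporate domain is an assumption."""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr

CORPORATE_DOMAIN = "example.com"      # assumption: the organization's own domain
URL_HOST_RE = re.compile(r"https?://([^/\s<>\"']+)", re.IGNORECASE)
# Display names that assert an internal, trusted role (word-bounded so that
# 'hr' does not match inside ordinary words such as 'three').
INTERNAL_ROLE_RE = re.compile(
    r"\b(hr|it department|help ?desk|information security)\b", re.IGNORECASE)
CREDENTIAL_PHRASES = ("sign in", "log in", "login", "password",
                      "credentials", "verify your account")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def is_corporate(host: str) -> bool:
    """True for the corporate domain and any of its subdomains."""
    host = host.lower().split(":")[0]          # drop an explicit port, if any
    return host == CORPORATE_DOMAIN or host.endswith("." + CORPORATE_DOMAIN)


def plain_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (single- or multipart)."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8",
                                    errors="replace"))
    return "\n".join(parts)


def analyze_inbound(raw_message: str) -> dict:
    """Apply three heuristics drawn from the article's scenario to one message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    body = plain_text(msg)
    # 1. Sender claims an internal role but writes from an outside domain.
    spoofed_role = bool(INTERNAL_ROLE_RE.search(display_name)) and \
        not is_corporate(domain_of(address))
    # 2. Links that leave the corporate domain.
    external_links = sorted({h.lower() for h in URL_HOST_RE.findall(body)
                             if not is_corporate(h)})
    # 3. Wording that asks the reader to enter credentials.
    asks_for_credentials = any(p in body.lower() for p in CREDENTIAL_PHRASES)
    return {"spoofed_internal_sender": spoofed_role,
            "external_links": external_links,
            "requests_credentials": asks_for_credentials}


def verdict(raw_message: str) -> str:
    """'suspicious' when at least two heuristics fire, otherwise 'ok'."""
    r = analyze_inbound(raw_message)
    score = (int(r["spoofed_internal_sender"]) + int(bool(r["external_links"]))
             + int(r["requests_credentials"]))
    return "suspicious" if score >= 2 else "ok"


def noncorporate_recipients(raw_message: str) -> list:
    """Recipients outside the corporate domain (the outbound monitoring control)."""
    msg = message_from_string(raw_message)
    addresses = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted(a for _, a in addresses if a and not is_corporate(domain_of(a)))


# Constructed sample: the article's scenario as it might arrive in a mailbox.
PHISHING_SAMPLE = """From: "HR and IT department" <it-support@xyznetworktesting.com>
To: all-employees@example.com
Subject: Network performance testing

The IT department has contracted with XYZ Consulting to test and enhance
the performance of our network. Please sign into the link below and run a
few tests: http://xyznetworktesting.com
"""

# Constructed sample: a genuine internal notice that should not be flagged.
LEGITIMATE_SAMPLE = """From: "IT Service Desk" <servicedesk@example.com>
To: all-employees@example.com
Subject: Scheduled maintenance

The mail gateway will be patched on Saturday. No action is required.
Details: https://intranet.example.com/maintenance
"""

# Constructed sample: outbound mail that also goes to a personal mailbox.
OUTBOUND_SAMPLE = """From: alice@example.com
To: bob@example.com, Alice Home <alice@personal-mail.example>
Subject: Q3 numbers

Draft attached.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, verdict(sample), analyze_inbound(sample))
    print("outbound to noncorporate:", noncorporate_recipients(OUTBOUND_SAMPLE))
```

The heuristics are deliberately simple; in a real gateway they would feed a report-phishing workflow or a mail filter rather than act as the sole decision.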
Auditing the Internet of Thingshttps://iaonline.theiia.org/2015/auditing-the-internet-of-thingsAuditing the Internet of Things<p>The Internet of Things (IoT) is poised to become an integral part of everyone's lives in the not-too-distant future. From coffee machines churning out the kind of coffee people want depending on their mood, to their automobile switching on by itself and adjusting the climate control as they approach it on a weekday morning, the IoT potentially could make people's lives easier as their devices generate data and communicate with each other over the Internet (see "A World of Smart Things," below right). </p><p>The definition of the IoT has evolved over time. <a href="http://www.whatis.techtarget.com/definition/Internet-of-Things" target="_blank">TechTarget</a> describes the IoT as "a scenario in which objects, animals, or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction." </p><p>The big question is, does the IoT have a similar outlook for organizations? The answer is the possibilities are limitless, which is why many organizations already have started to adopt the IoT. Internal auditors should evaluate the operational and financial risks that IoT can expose their organizations to and provide assurance that those risks are controlled appropriately. </p><h2>Auditors as IoT Advisers</h2><p>For organizations that are not yet fully awake to the IoT, an internal audit function can advise management on the importance, benefits, and competitive edge that the IoT can bring to the enterprise. Auditors can demonstrate to management how the IoT can be implemented in processes such as sales distribution and inventory control. Moreover, they can facilitate brainstorming sessions with management and perform research to understand how the IoT can be used within the organization's specific operating environment. 
That said, while performing such advisory services, internal auditors should maintain their objectivity and not assume management responsibility.</p><h2>Assurance on New Risks</h2><p>Management and internal auditors need to fully acknowledge that although the IoT can bring many rewards, it also gives birth to numerous risks. Inadequate understanding of the risk environment or applicable controls can lead to disaster for the organization. Furthermore, given the rapid development and advancement of the IoT, the associated risks and controls also are changing and evolving rapidly. Internal auditors need to stay abreast of IoT developments and advancements to be able to assess the risks and controls in their organization. </p><p>The first step for auditors is conducting a risk assessment of the IoT in use in their organization. Specific risks will depend on the nature of the IoT systems the organization has deployed and the overall business process they support. </p><table cellspacing="0" width="100%" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;"><p><strong>A World of Smart Things</strong></p><p>According to the Deloitte publication <a href="http://www2.deloitte.com/global/en/pages/technology-media-and-telecommunications/articles/tmt-pred-the-iot-is-things-not-people.html" target="_blank">TMT Predictions 2015 — The Internet of Things Really Is Things, not People</a>, 60 percent of all IoT devices will be paid for and used by enterprises and industries in 2015. 
Furthermore, enterprises and industries will generate 90 percent of IoT services revenue this year.</p><p>"The development of the Internet of Things is expected to surge in the coming years," says Stéphane Richard, CEO of Paris-based telecommunications company Orange S.A., in a <a href="http://www.machinetomachinemagazine.com/2015/09/22/orange-deploys-network-for-internet-of-things-iot/" target="_blank">September 2015 <em>M2M Magazine</em> article</a>. "By 2020, we believe that there will be more than 25 billion objects connected in the world." </p><p>The two studies listed below illustrate the depth and breadth of possible gains from adopting the IoT:</p><ul><li><a href="http://www.machinetomachinemagazine.com/2014/05/08/case-study-rac-using-m2m-to-cut-fuel-costs-by-17/" target="_blank">"Case Study: RAC Using M2M to Cut Fuel Costs by 17%,"</a> <em>M2M Magazine</em>, May 8, 2014. </li><li><a href="http://mobileworldcapital.com/250/" target="_blank">"The Spanish City of Santander to Become a Global Smart City,"</a> by Maria Gonzalez, <em>Mobile World Capital</em>, Nov. 11, 2013.</li></ul></td></tr></tbody></table><p>Internal auditors can start by looking at these areas:</p><ul><li><strong>Security.</strong> IoT systems are connected to the Internet, so they are prone to attacks from cyber criminals and hacktivists. Seventy-two percent of global IT and cybersecurity professionals surveyed by ISACA say there is a medium or high likelihood that an organization will be hacked through an IoT device. Among other information security audit procedures, IT auditors should perform a vulnerability assessment of such devices and consider conducting penetration tests on those systems periodically. 
Results of these procedures should be used to strengthen the security of IoT systems, where necessary. Auditors should carefully consider where third parties are involved to support IoT systems and assess whether third parties have adequate security controls in place to protect data residing in IoT systems. Furthermore, they should assess the adequacy of the encryption IoT systems use for communication. </li></ul><ul><li> <strong>Resilience.</strong> IoT systems may support a business process that is critical or time-bound, such as the delivery of perishable goods. IT auditors should assess whether controls are in place to recover IoT systems in the event of a failure. Auditors should determine whether management understands the potential business impact of an IoT system outage and whether appropriate and adequate policies, procedures, and processes are in place to recover affected business processes timely in the event of an outage or disaster.<br> </li><li> <strong>Health and Safety.</strong> Many of today's IoT systems can pose a serious threat to human life and safety. Examples include implantable biomedical devices, such as pacemakers and defibrillators, and assembly line robots at a manufacturing facility. An important area internal auditors should assess is whether such IoT systems have undergone sufficient testing using appropriate test cases before being deployed into production. Furthermore, controls should be in place to ensure adequate testing is performed before upgrades, patches, and changes are made to IoT systems where health and safety is a significant risk.<br> </li><li> <strong>Monitoring.</strong> Like any other system, controls should be in place to monitor whether IoT systems are functioning as intended. Internal auditors should assess whether adequate monitoring controls are in place and whether all such controls have been operating effectively over time. 
Furthermore, auditors should assess whether exceptions and failures that occur are logged appropriately and resolutions to incidents are recorded timely. Auditors also should assess whether management has a process that takes recurring incidents into account and analyzes their root causes. <br> </li><li> <strong>Scoping of IoT systems.</strong> Because many vendor-provided IoT systems can be simple to implement, some systems may be deployed by business units without the IT department's involvement. For example, fire detection systems in enterprise facilities may have IoT capability that the IT department does not know about and risk management professionals and internal auditors may not notice. Auditors should be vigilant to see where and when IoT systems are deployed by different departments at the organization and prioritize IoT systems audits according to their criticality and sensitivity. ​</li></ul><h2>Realizing the Benefits</h2><p>It's likely that the need to perform sound audits of IoT systems will grow at organizations in all industries worldwide. Internal audit departments should gear up for the challenge of ensuring that controls related to risks of IoT systems are operating effectively. Although there is a diverse range of IoT systems in service today, auditors can use the five areas above as a guide to planning and executing an IoT systems audit. However, they should keep an open mind to understand the overall context in which a particular IoT system operates and develop creative ways to perform their audits depending on that system's specific functionality. Such internal audits can help position organizations to realize the full benefits of the IoT.​​​</p>Syed Salman03080
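<p>As an added, constructed illustration of the Monitoring and Scoping checks in the article above (this is example code written for this page, not part of the original article or the author's work): a short Python script that turns three of those audit questions into tests over an invented incident log and an invented IT asset inventory. It flags incidents resolved later than the resolution target, recurring failures on the same device with no root cause recorded on any occurrence, and devices that raise incidents but are absent from IT's inventory. The incident fields, the four-hour resolution target, the recurrence threshold and every device name are assumptions.</p>

```python
"""Audit analytics over a constructed IoT incident log (example, not real data).

Three tests drawn from the Monitoring and Scoping areas of an IoT audit:
  1. incidents resolved later than the agreed target, or still open past it
  2. recurring (device, failure type) pairs with no root-cause analysis recorded
  3. devices present in the incident log but missing from IT's asset inventory
Field names, the SLA and all device names are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Incident:
    id: str
    device: str
    failure_type: str
    opened: datetime
    resolved: Optional[datetime]  # None means the incident is still open
    root_cause: str               # "" means no root-cause analysis was recorded


def ts(value: str) -> datetime:
    """Parse the constructed 'YYYY-MM-DDTHH:MM' timestamps used below."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")


# Constructed sample incident log (assumption: what an IoT monitoring tool exports).
INCIDENTS: List[Incident] = [
    Incident("INC-1", "fire-sensor-07", "heartbeat_lost", ts("2016-01-03T08:15"), ts("2016-01-03T09:05"), "power supply replaced"),
    Incident("INC-2", "fire-sensor-07", "heartbeat_lost", ts("2016-01-10T02:00"), ts("2016-01-10T07:30"), ""),
    Incident("INC-3", "cold-chain-truck-12", "telemetry_gap", ts("2016-01-12T10:00"), ts("2016-01-12T11:00"), ""),
    Incident("INC-4", "cold-chain-truck-12", "telemetry_gap", ts("2016-01-19T10:20"), ts("2016-01-19T12:00"), ""),
    Incident("INC-5", "cold-chain-truck-12", "telemetry_gap", ts("2016-01-26T09:00"), None, ""),
    Incident("INC-6", "hvac-ctrl-03", "firmware_crash", ts("2016-01-28T14:00"), ts("2016-01-28T14:30"), ""),
    Incident("INC-7", "badge-reader-02", "auth_error", ts("2016-01-30T09:00"), None, ""),
]

# Constructed: the devices the IT department's asset inventory actually lists.
IT_ASSET_INVENTORY = {"fire-sensor-07", "fire-sensor-08", "cold-chain-truck-12"}

RESOLUTION_SLA = timedelta(hours=4)  # assumed resolution target
RECURRENCE_THRESHOLD = 2             # assumed: this many occurrences counts as recurring


def sla_breaches(incidents: Iterable[Incident], sla: timedelta = RESOLUTION_SLA,
                 now: Optional[datetime] = None) -> List[str]:
    """Ids of incidents resolved later than `sla`, or still open longer than `sla` as of `now`."""
    now = now or datetime.now()
    return sorted(inc.id for inc in incidents if (inc.resolved or now) - inc.opened > sla)


def unexplained_recurrences(incidents: Iterable[Incident],
                            threshold: int = RECURRENCE_THRESHOLD) -> Dict[Tuple[str, str], int]:
    """(device, failure_type) pairs seen `threshold`+ times with no root cause on any occurrence."""
    groups: Dict[Tuple[str, str], List[Incident]] = defaultdict(list)
    for inc in incidents:
        groups[(inc.device, inc.failure_type)].append(inc)
    return {
        key: len(group)
        for key, group in groups.items()
        if len(group) >= threshold and not any(inc.root_cause.strip() for inc in group)
    }


def unknown_devices(incidents: Iterable[Incident],
                    inventory: Iterable[str] = IT_ASSET_INVENTORY) -> List[str]:
    """Devices that raised incidents but are not in IT's inventory: a scoping gap to follow up."""
    return sorted({inc.device for inc in incidents} - set(inventory))


def audit_report(incidents: List[Incident] = INCIDENTS,
                 now: Optional[datetime] = None) -> Dict[str, object]:
    """Bundle the three findings so an auditor can review them together."""
    return {
        "sla_breaches": sla_breaches(incidents, now=now),
        "unexplained_recurrences": unexplained_recurrences(incidents),
        "unknown_devices": unknown_devices(incidents),
    }


if __name__ == "__main__":
    # Fix 'now' so the constructed open incidents are evaluated deterministically.
    for finding, value in audit_report(now=ts("2016-02-01T00:00")).items():
        print(f"{finding}: {value}")
```

<p>Each finding maps back to an audit question in the list above: the SLA breaches test whether resolutions are recorded in a timely manner, the unexplained recurrences test whether management analyzes root causes of repeat incidents, and the unknown devices show where a business unit deployed IoT equipment the IT department never inventoried. On a real engagement the constructed lists would be replaced by an export from the monitoring tool and the configuration management database.</p>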
The Difference Between IT GRC and IT Securityhttps://iaonline.theiia.org/blogs/marks/2015/the-difference-between-it-grc-and-it-securityThe Difference Between IT GRC and IT Security
<p>My congratulations to Michael Rasmussen for <a href="http://grc2020.com/2015/10/06/it-grc-it-security/?utm_source=GRC+Pundit+Newsletter&utm_campaign=e13b216cde-2015_10_06_IT_GRC_%3e_IT_Security10_6_2015&utm_medium=email&utm_term=0_c406030978-e13b216cde-269804489" target="_blank">his new post</a> on this topic. While a more interesting discussion could be held on whether there is a difference between "IT security," "information security," and "cyber," he makes a number of very valid points.</p>
<p>I especially like that he has quoted ISACA on the definition of <em>IT governance</em>.</p>
<p>Michael makes the very important point that when it comes to technology, there is far more to manage — risks and all — than security.</p>
<p>I would add that executives and the board need to balance investment in cyber against investment in new technology and other business initiatives. This can only be done when there is an informed understanding of the value realized — which includes risk reduction — in each of the investment options.</p>
<p>Of course, managing IT or technology in a silo is a recipe for failure. That is why I am not a fan of the concept of IT GRC. Michael "gets it," knowing him as I do and noticing his reference to business objectives.</p>
<p>What do you think? Is Michael right? Is this a useful discussion?</p>
Norman Marks