Integrated Knowledge<h2>What are the advantages of having an integrated audit function?</h2><p><strong>Simmons</strong> Combining the knowledge, skills, and disciplines of financial, operational, and IT auditors on audit engagements allows for a holistic view of the business, risks, and controls, revealing the bigger picture of the control environment. It also enables two-fold efficiencies in auditing business functions and opining on the strength of the overall control environment — for the audit silo responsible for coverage, as well as for the customer who gains greater assurance from how IT is supporting its business controls and whether IT issues may be impacting its practices or regulatory conformance. It provides cross-skilling of resources with IT and business knowledge information. Finally, it enables internal audit to meet board expectations and provide the C-suite with more comprehensive and connected audit universe coverage.</p><p><strong>Anunciacion</strong> Having an integrated audit function has benefits for both internal audit and the first line of defense, depending on the organization. In a more tangible sense, an integrated audit function helps minimize testing fatigue — passing tests back and forth — which minimizes redundancies. Also, internal audit builds credibility with internal clients.</p><h2>Why is it important for internal auditors to understand the impact of technology innovations on their organizations?</h2><p><strong><img src="/2018/PublishingImages/EOB-Ernest.Anunciacion.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Anunciacion</strong> Internal audit exists to provide assurance to the organization. Since technology plays an increasingly large, fundamental role for companies, auditors must fully grasp what’s involved and associated with it. Auditors must incorporate this into their risk-based audit plan, as changes in technology can easily threaten companies. 
Today, audit should not be conducted at the speed of risk, but rather at the speed of innovation. Internal audit must keep up with the technology changes that impact the organization to provide assurance to stakeholders.</p><p><strong>Simmons</strong> The pace of technology advancement is changing the way organizations invest in technologies to: gather and consolidate information; manage risk and regulatory pressures; and seek ways to be more efficient, agile, and insight driven. To maintain a competitive advantage, organizations must invest, yet more importantly they must understand the balance of opportunity vs. risk of doing so and how it could impact the risk landscape and ultimately change the control environment. Auditors can add value by not just flagging risks, but also by providing comfort that the risk is well-managed and worth taking. Therefore, auditors need to understand new and emerging technologies and discover innovative ways to engage the business to stay current and provide best-in-class assurance to the organization.</p><h2>What technologies do internal auditors need to have a working knowledge of?</h2><p><strong><img src="/2018/PublishingImages/EOB-CHARMIAN%20SIMMONS.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Simmons</strong> Several disruptive technologies are driving a new wave of processing and doing business, including artificial intelligence, machine learning, software robotics, blockchain, cryptocurrencies, semantic analysis, cloud computing, connected devices, and the Internet of Things. These technologies are being used to fight fraud, improve model and algorithmic trading, decipher unstructured data, and connect things previously unconnected. Internal auditors should be knowledgeable about these technologies to give assurance over them. 
In addition, auditors should understand how the underlying data is being created, consumed, and used; data is such an important element underpinning how business occurs, it cannot be overlooked. Audit functions should employ their own technology to support them with this, starting with basic to advanced data analytic tools to better analyze large data sets — for data driven audits — and reperform system outputs and interpret predictive analytic techniques used by the business. Lastly, in keeping internal audit innovative, it should consider intelligent automation and workflow automation technologies.</p><p><strong>Anunciacion</strong> Internal auditors need to have a working knowledge of core transaction systems, as well as mission-critical systems, that impact what’s being audited. Business intelligence and office productivity tools are just the start — specific industries require specific tools, as well. Ultimately, internal auditors need to be aware of the organization’s technology roadmap — where they see themselves headed in terms of the technology used — and stay aware of the technologies that could be on the horizon.</p><h2>How important is it to have team members with advanced technology skills?</h2><p><strong>Anunciacion</strong> It’s increasingly important to have team members who not only know their way around technology, but also can push the organization forward. Chief audit executives (CAEs) must pursue a well-rounded team, with expertise in a full tech stack — infrastructure, security, building complex queries, analyzing large data sets, and more. Pursuing a team that is heavily invested in technology and accounting might be difficult, but it’s invaluable in terms of strategically addressing operational risk for the entire company.</p><p><strong>Simmons</strong> One of the top challenges facing CAEs is obtaining high-quality resources with the right skills to balance technology, business knowledge, and project management. 
It is imperative in most industries to have a balance of IT auditors — application, infrastructure, data analysts/scientists — and financial auditors who understand the front-to-back functions and operations of the organization. Financial auditors are now expected to have basic general computer control skills and carry out testing of these, leaving the complex tech-related areas to be addressed by advanced tech auditors.</p><h2>Why is it important to develop working relationships with IT professionals?</h2><p><strong>Simmons</strong> Technology is deeply ingrained in organizations’ fundamental operations today. Data and processes typically don’t exist without it. Having good and trusted working relationships with key technology professionals and the chief information officer (CIO) ensures auditors remain in touch with current, planned, and future work/projects and keeps them abreast of how the risk landscape is affected by run-the-business or change-the-business activities. This can be achieved through a strong continuous monitoring program, an effective audit work tool that derives meaningful data, and an audit methodology that is agile enough to anticipate or react to events/incidents/programs. </p><p><strong>Anunciacion</strong> IT professionals and the CIO can help auditors get where they want to be. Auditors looking to modernize their processes and organization should not overlook relationship building with IT. After all, IT is the gatekeeper for all technology, supporting the business, helping achieve strategic objectives, and often holding the purse strings when it comes to purchasing new technology. Additionally, building rapport with the chief information security officer (CISO) is of paramount importance. Just like audit, the CIO’s goal is constant vigilance and oversight of the organization’s practices. 
CAEs should consider monthly meetings with their CISO to make sure all risks are acknowledged.</p><h2>How can internal audit use technology to manage stakeholder relationships?</h2><p><strong>Anunciacion</strong> Simply put, technology allows for unparalleled collaboration among the organization and the three lines of defense. Internal audit also can use technology to provide foresight and hindsight — not only mitigating risk before it occurs, but also simplifying the audit reporting process across the board.</p><p><strong>Simmons</strong> Technology that brings together business data, metrics, indicators, financial numbers, risk profiles, emerging risks, market trends, and insight in a connected way for an audit function demonstrates to stakeholders how well auditors understand their business, the market, and the expectations of regulators. The right technology is an enabler for auditors to drive the right conversations and be that trusted advisor.</p>Staff
Attacks Test Cyber Resilience<p>The world's industrial control systems are prime targets for cyberattacks. Blame it on the Internet of Things (IoT).</p><p>Three-fourths of 320 industrial system decision-makers who responded to a Kaspersky Lab survey say their organization's operational technology/industrial control systems (OT/ICS) are a likely target. More than half say the IoT's connectivity is a major cybersecurity challenge, according to the <a href="" target="_blank">State of Industrial Cybersecurity 2018 report</a>. Nearly two-thirds say the IoT is more likely to cause OT/ICS risk events to occur.</p><p>Such concerns are why most respondents' organizations are prioritizing management of connected devices as they become more tightly integrated into their networks. "The good news is that we are seeing more and more businesses improving their cybersecurity policies to include dedicated measures toward safeguarding their industrial control networks," says Georgy Shebuldaev, brand manager at Kaspersky Industrial Cybersecurity.</p><h2>Perception vs. Reality</h2><p>Beyond IoT, most respondents are concerned about the impact of advanced persistent threats (APTs) and targeted attacks on industrial systems. Yet, those fears may not reflect the actual threats they face.</p><p>Specifically, only 16 percent of respondents say their organization experienced a targeted attack in the past 12 months. That's down from 36 percent in 2017.</p><p>Meanwhile, almost two-thirds of respondents' organizations suffered a conventional malware or virus attack against their industrial systems. Thirty percent had a ransomware attack.</p><h2>Anticipating Risks</h2><p>Conventional attacks may be more common, but the threats keep changing as attack methods become more sophisticated. Being able to anticipate risks through controls testing and monitoring can strengthen security and resilience. 
</p><p>Yet, only 12 percent of respondents to a recent Baker Tilly Virchow Krause LLP poll say their organization has a holistic cybersecurity testing program. Such integrated testing seeks to understand the organization's current risk profile and assess the design and effectiveness of its cybersecurity program, according to a <a href="" target="_blank">Baker Tilly webinar</a>. </p><p>Combining "cyber intelligence" techniques and traditional testing methods can give an organization "a better grasp on its potential risks," says Dan Argynov, a manager with the advisory firm's cybersecurity and IT risk practice.</p><h2>Testing Techniques</h2><p>The integrated testing approach described in the Baker Tilly webinar centers on an assessment of the organization's cybersecurity risk management. Speakers advocated documenting the organization's current state using a framework such as the International Organization for Standardization's ISO27001, ISACA's COBIT, or the U.S. National Institute of Standards and Technology's Cybersecurity Framework. This approach covers four parts.</p><p><strong>Reconnaissance.</strong> At this stage, testers should build an organizationwide profile and identify targets. Testers should define the network footprint and identify worthy assets, whether they are data and network assets or people. Moreover, they should identify vulnerabilities and analyze potential motivations for attacks.</p><p><strong>Network assessment.</strong> Testers should analyze the network for internal and external risks and vulnerabilities. They should identify network components such as services, points of access, and access controls. Also, they should scan the network and look for vulnerabilities in the current infrastructure. To test the network's resilience, they should review the organization's disaster recovery capability to restore key functions. </p><p><strong>Threat modeling.</strong> This stage is about modeling how potential threats could occur. 
Specifically, testers should view threats from the attacker's perspective, looking for approaches that require less effort or could yield a greater reward. This gives the organization a profile of potential attackers and enables it to prioritize its efforts accordingly.</p><p><strong>Attack simulations.</strong> The objective here is to simulate high-threat scenarios identified at the modeling stage. For example, testers could simulate an attack through external system access by trying to gain remote access to an internet-connected application or system using vulnerabilities discovered during earlier stages of testing.</p>Tim McCollum
Powering Productivity<p>Whether in a restaurant, coffee shop, or doctor's office, if you look around, you'll most likely see people with their faces glued to their phones, immersed in scrolling Facebook or Instagram, texting or emailing, or catching up on news headlines. In fact, the number of people who now own smartphones is astounding — 92 percent of Millennials, followed by 85 percent of Gen Xers and 67 percent of Baby Boomers, according to analysis of data from the Pew Research Center.</p><p>With smartphones come apps, which number in the millions for Android and iPhone users. Anyone could stay busy on their phone for hours, or until his or her battery dies, paying bills online, emailing family or co-workers, and checking various social media accounts. The average person opens approximately nine apps a day, according to a 2017 report from App Annie, Spotlight on Consumer App Usage. The types and categories of apps are wide-ranging, and we wanted to know which ones internal auditors are using. We asked <em>Internal Auditor</em>'s Emerging Leaders to tell us about the apps they're using for work and play and what their favorites are. Answers varied, but several floated to the top.</p><h2>Travel and Expenses</h2><p>Internal auditors who travel for work are often in and out of airports, catching connecting flights, dealing with rental cars, and using GPS or maps to find their way to hotels and audit sites. Jamie White (2016 Emerging Leader), an environment, health, and safety performance risk management consultant with Trinity Consultants in Raleigh, N.C., travels almost weekly for her job, so having a good travel app is critical. She uses FlightAware and American Airlines to help her figure out if her flight has been delayed or cancelled, or determine if she's going to miss a connection. 
White does a lot of international travel as well, so one of her favorite apps is because "it allows you to download maps of international locations to your phone and then use them without connecting to the internet because that can get expensive," she says. </p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> <strong>Emerging Leaders​​</strong><br><span style="color:#222222;background-color:#6eabba;"><br>Meet </span><span style="color:#222222;background-color:#6eabba;">the standout practitioners named</span><span style="color:#222222;background-color:#6eabba;"> </span><a href="/2018/Pages/Emerging-Leaders-2018.aspx"><font color="white">Emerging Leaders: 2018​</font></a><span style="color:#222222;background-color:#6eabba;">. They approach <span style="font-size:12px;"> their work with passion, exude talent, and are driven toward continuous improvement.</span></span><br><br>Learn more about <em>Internal Auditor</em>'s Emerging Leaders <a href="/misc/Pages/Emerging-Leaders.aspx"><font color="white">here</font>​</a>. <br></td></tr></tbody></table><p>Traveling on the job usually involves filling out expense reports and providing copies of receipts to be reimbursed for any out-of-pocket expenses. Many of our Emerging Leaders are using various apps that scan and PDF receipts for this very reason, such as iScan, TurboScan, and Genius Scan. Shakeya McDow (2014 Emerging Leader), executive director of compliance strategy at Kaiser Foundation Hospitals & Health Plan Inc. in Oakland, Calif., uses iSpent to upload receipts into her company's reporting system. The app can also track and split expenses among colleagues — and roommates or travel companions.</p><p>Another app mentioned multiple times, whether used during work travel or in daily life, is Waze. It's a favorite of Michael Levy's (2013 Emerging Leader), director of internal audit at Student Transportation Inc. in Wall Township, N.J. 
"This app has saved me countless hours of time by identifying traffic ahead and rerouting me, which no other service could do," he says. "Because it's community based, the app often is aware of traffic pattern changes instantly once it's reported by a user — something not many other navigation tools can do."</p><h2>Productivity and Organization</h2><p>Staying organized and managing an often-growing list of to-do items can be overwhelming, so apps that can help manage day-to-day life and work projects can come in handy. Note-taking apps, such as GoodNotes, help to simplify daily work for Justin Pawlowski (2015 Emerging Leader), head of internal audit at ALSO Holding AG in Emmen, Switzerland. "It enables me to use my tablet at work and to increase productivity by digitizing my notetaking and leveraging my notes to a much higher extent than when I took physical notes or none at all." The app can convert handwriting into text and even makes handwritten notes searchable.</p><p>Olivier Beauregard (2014 Emerging Leader), senior audit director at Investment Québec, is among many Emerging Leaders who use Wunderlist to manage personal and professional to-do lists. "I visit it at least three times a day to prioritize and add ideas," Beauregard says. "It's the modern version of the Post-It, shared with my team." The Wunderlist app lets you set reminders and create various to-do lists that can be shared with friends, family, or colleagues.</p><h2>Bridging the Communication Gap</h2><p>For Maja Milosavljevic (2015 Emerging Leader), senior group internal auditor at Sberbank Europe AG in Vienna, a language translation app facilitates auditing in any country without having to worry about the language barrier. "The Scan & Translate app enables me to get the translation of any text into a selected language by uploading a photo of the text into the application, in only a few seconds," 
Milosavljevic says.</p><p>"Microsoft Teams helps me still collaborate with my audit teams when I'm on the go," says Matt Beachnau (2015 Emerging Leader), senior manager at Protiviti in Indianapolis. "I can still have group chat discussions, review files, and provide timely contributions to the team's efforts if I'm away from my laptop." Also mentioned were Google Drive and Slack for file sharing and collaboration with teams.</p><h2>Networking</h2><p>Overall, LinkedIn was named more than any other app as a favorite of Emerging Leaders. "I use it for recruitment, to identify and research potential staff to join my team," says Louis Seabrooke (2014 Emerging Leader), acting director general, internal audit and evaluation directorate, at the Canada Revenue Agency.  </p><p>Pawlowski also uses LinkedIn to stay in touch with professionals and share views and opinions on hot topics. "These days, I especially appreciate the posts on applying modern technology in internal auditing and smart finance," he says.</p><p>Finding professionals and staying in touch with past colleagues is a reason Bill Stahl (2017 Emerging Leader), manager of advisory services at EY in Atlanta, also uses LinkedIn. But he finds it especially useful when preparing for audits. "I often use it before I meet with someone to see if we have similar connections, backgrounds, or interests so I can more easily build a relationship."</p><p>Alex Rusate (2017 Emerging Leader), senior associate, risk consulting, IT Audit and Assurance, at KPMG in Albany, N.Y., sees LinkedIn as a great tool for connecting with internal auditors around the world to share best practices and help mentor the next generation. "It is great to see how generous other internal auditors are with their time," he says. 
"For example, I had a question for Norman Marks after reading a blog post of his so I reached out to him via the LinkedIn app and he got back to me immediately that weekend."</p><h2>Apps as Life Hacks</h2><p>The apps mentioned for personal use run the gamut from health tracking, shopping, finances, entertainment and music to news gathering and social media.  </p><p>Seth Peterson (2013 Emerging Leader), internal audit manager at The First National Bank in Sioux Falls, S.D., uses the activity tracker Strava to track the distance, duration, and speed of his biking and running. "It links directly to MyFitnessPal app to calculate the calories burned," he says. "They have various segments created that allow you to compete against anyone else with the app for time or compete against yourself. There's also a social media component to see what your friends are doing and to post pictures of your activities."</p><p>Online banking apps and money transfer apps such as Zelle and Venmo were frequently mentioned, as well as the financial management app Mint. For Valentina Kostenyuk (2015 Emerging Leader), senior internal auditor at Avangrid Renewables in Portland, it provides an overview of her finance-related activities because it's linked to her debit card, credit cards, and 401(k) accounts. "I can review all of my transactions in real time to ensure there is no fraudulent or erroneous activity on my accounts," she says. "It's also linked to my budgeting activities and provides updates on budgets and bills due, as well as notifying me of updates on my credit score." </p><p>The Castbox app for listening to podcasts is one of Rusate's favorites. "It allows me to develop my knowledge and has the flexibility to use it on the go," he says. "My favorite podcast is called Risktory, which talks about history and how risk management strategies have shaped it. I also subscribe to other channels such as 'Planet Money' from National Public Radio and 'Advice Worth Keeping' from KPMG." 
Other entertainment apps mentioned include Pandora, Spotify, Google Music, iTunes, Audible, Podkicker Pro, RadioApp, and YouTube.</p><p>The photo-sharing app Instagram is also commonly used by many of our Emerging Leaders. Jade Lee (2013 Emerging Leader), director, internal audit and ERM at AltaLink in Calgary, Alberta, uses it to stay connected with friends and family. "It has become more interactive with stories and direct messaging," she says. "I sometimes use Instagram messaging in place of regular text messaging. It's a good mental break from other tasks and also a good source of instant news."</p><p>"I'm just in it for the pictures," says Anne Davis (2017 Emerging Leader), senior consultant at Deloitte in Charlotte, N.C. "I also follow a variety of news channels and like the daily update of current events."</p><p>Jessica Minshew (2017 Emerging Leader), compliance specialist at CCA and B in Atlanta, regularly uses the Disney World app. "Even when not visiting the parks, you can see what is going on, plan your next trip, shop the gift shops for home delivery, and they are rolling out an augmented reality expansion tool," she says. "It's fun to check out and get excited for your next vacation."</p><h2>App Loyalty</h2><p>Apps can certainly help users navigate their work and personal life more easily — that is, if it's an app that is used more than once. Many apps are downloaded and used just a handful of times before being forgotten and never used again. So, what turns a person into a regular user of a particular app?</p><p>Meghan Patronella (2014 Emerging Leader), senior internal auditor at San Antonio Water System in Texas, says she doesn't have a favorite app because they all fit specific needs. "Do not flood me with useless notifications or make things require more steps than necessary," she says. "For example, if you can remind me of something with the right amount of time before an action needs to be taken, you will have a forever user in me." 
</p>Shannon Steffee
Internal Audit and the Blockchain<p>While cryptocurrencies like bitcoin have received the attention of investors and regulators, it is their underlying technology — the blockchain — that has the greatest potential to disrupt and reshape traditional business and financial processes and infrastructure. The excitement centers on blockchain’s ability to create a distributed ledger of transactions that is secure and can be publicly available in real time.</p><p>With blockchains, transactions can be logged, viewed, monitored, verified, and analyzed. For example, instead of a financial institution acting as an intermediary for the transactions, the blockchain technology, itself, takes on the role of a financial middleman, reducing or possibly eliminating many of the transaction fees and processing delays. Blockchains can enable automakers to track a vehicle from pre-production to sale. Similarly, the food industry is investing in blockchains as a possible solution for traceability and food safety. With blockchains gaining ground in a host of industries, internal auditors need to understand the technology and its audit implications.</p><h2>Blockchain Basics</h2><p>Blockchain technology has been touted as a potential game-changer for businesses because of its ability to verify a transaction without a trusted third party. Blockchains and bitcoins are closely intertwined, because bitcoins represent an active, commercial application of a blockchain.</p><p>In the bitcoin infrastructure, the blockchain is a continuously growing log of currency transactions that is shared and stored on multiple nodes in a network. 
Blockchains take advantage of three technology concepts to create a robust, secure, and potentially anonymous distributed data structure: peer-to-peer networking, public key cryptography, and transaction verification methodologies.</p><p> <strong>Peer-to-Peer Networking</strong> A simple peer-to-peer (P2P) network consists of two or more computer systems connected together to share resources without the use of a separate server computer. P2P networking enables file-sharing services such as Napster, the pioneering music sharing service, and Skype, the internet telecommunications network. Based on P2P networking, a blockchain consists of a distributed network of computer nodes that maintain shared information. Each node in the P2P blockchain network participates in maintaining the security and accuracy of the information. Each node can store a complete copy of the blockchain — as in the case of the bitcoin blockchain — or use other types of decentralized storage technologies to manage the data associated with the blockchain.</p><p> <strong>Public Key Cryptography</strong> Blockchains verify digital identity using public key cryptography. For example, in the bitcoin blockchain, digital wallets use public key cryptography to send and receive bitcoins securely. This type of cryptographic system uses a pair of public and private keys, where the public key is freely available and the private key is known only to the key owner. The owner uses both keys to send and receive messages. Public key cryptography can authenticate a message: the owner signs it with the private key (conceptually, encrypting it with the private key), and anyone holding the matching public key can verify that signature. Because only the holder of the private key could have produced a signature that the public key verifies, the message is authenticated as created by the owner of the private key. 
Likewise, a person can use the owner’s public key to encrypt a private message, which can only be decrypted by the owner with his or her matching private key.</p><p> <strong>Transaction Verification Methodology</strong> A methodology must be in place to establish the legitimacy of a transaction within the recording node. The specific transaction verification methodology can vary across different implementations of blockchains. Because a blockchain exists on a distributed network of computers maintaining shared information, trust is enabled by the collective record keeping of all nodes in the network. New blocks are added through verified nodes that ensure the integrity of values within a blockchain and prevent tampering with values within a verified block.</p><p>For example, the bitcoin blockchain uses proof-of-work to verify transactions and to add a new block of transactions to the blockchain. This method is known as the bitcoin mining process and involves bitcoin miners competing to solve a computationally intensive problem. Solving this problem entails finding a hash value with special properties that depends on the contents of a specific block of bitcoin transactions in the blockchain. The hash value is used to validate the data of the current block and prevent tampering with data in previously validated blocks. The first miner to successfully identify a valid hash value for the block is rewarded, and the block is then added to the blockchain.</p><h2>New Ledgers and Contracts</h2><p>Blockchains are closely associated with two technical innovations: distributed ledgers and smart contracts. A blockchain is a type of distributed ledger, which is a record of transactions maintained across different locations without the need of a central authority to maintain transaction integrity. Unlike a centralized ledger, a distributed ledger does not rely on a single, authoritative version. 
Instead, copies of the ledger are stored on multiple nodes, and each copy is complete and valid. The responsibility for maintaining the data integrity of the ledger is shared among the nodes through the consensus-building, verification process. </p><p>While a blockchain consists of a sequence or chain of blocks of transaction records, a distributed ledger does not necessarily require a chain structure. Additionally, distributed ledgers do not necessarily require proof-of-work for transaction verification and may use a different verification methodology. </p><p>Whereas a distributed ledger is associated with recording transactions, a smart contract is a method of establishing contracts. A smart contract is used to digitally establish a business relationship, including identifying the terms of an agreement, executing the agreed-upon terms, and verifying fulfillment of the agreement. Because a smart contract is typically implemented with blockchains, the contract cannot be modified or tampered with after it has been accepted into the blockchain. Additionally, every node in the distributed network validates the transactions associated with the contract. Smart contracts have been used to track items within a supply chain and to improve loan processing and insurance claim processing.</p><h2>Five Recommendations for Auditors </h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>The Blockchain Audit</strong> <p>Internal auditors and the technology specialists they work with need to thoroughly understand how blockchains work and the risks involved with them. Auditors will be involved in auditing the technology associated with blockchains, as well as retrieving transactions from them. Moreover, because the software needed to maintain transactions in a blockchain is complex, auditors must provide assurance related to the system’s control environment. 
Their priority should be reviewing the robustness of computer nodes that are part of a blockchain network.</p><p>In addition, auditors should focus on testing controls directly related to blockchains. These controls include:</p><ul><li>Testing the availability of blockchain data from different nodes in the network.</li><li>Ensuring the accuracy, completeness, and consistency of the data elements that are stored within the blocks.</li><li>Verifying that data obtained from different nodes in the network is identical.</li><li>For private blockchains, testing access controls to ensure that only authorized personnel can view or update the blockchain.</li><li>Testing the process for adding new blocks to the blockchain.</li><li>Verifying the immutability of the blockchain to provide assurance that attempts to modify previously approved blocks are unsuccessful.</li></ul></td></tr></tbody></table><p>One of internal audit’s roles is verifying and reconciling transactions (see “The Blockchain Audit” at right). Because transaction processing is at the core of blockchains, auditors can do five things to better understand the technology:</p><p> <strong>1. Understand that blockchains are a form of transaction-based data storage.</strong> The blockchain is a continuously growing chain of blocks that are validated and secured through cryptographic hashing and public key cryptography. In addition to transaction data, each block contains a link to the previous block in the chain, as well as a time stamp of when the block was created. Just as internal auditors have adapted their skills to retrieve data from enterprise resource planning and cloud computing systems, they will need to learn data retrieval methods to assess the data and controls of blockchains. 
For example, if an organization is using a blockchain to manage its supply chain, the internal auditor should be able to retrieve individual transactions from the blockchain to verify the accuracy and completeness of the blockchain.</p><p> <strong>2. Explore the implications to audit.</strong> Blockchains can have implications for developing appropriate audit procedures. With blockchains, a complete copy of the data is accessible at every node, enabling auditors to test the entire population of transactions instead of relying on sampling. During completeness testing, auditors should be able to trace transactions from the blockchain to the financial statements. For occurrence testing, the auditor may perform vouching procedures to verify that values on the financial statement are directly associated with transactions in the blockchain. In addition, a combination of tools related to data analytics and artificial intelligence could assist with fraud detection through pattern recognition across the entire transaction population. This capability could shift the focus of auditor responsibility toward the planning and investigation of anomalies.</p><p> <strong>3. Explore the implications to financial services. </strong>The financial services sector is actively identifying areas beyond bitcoin with blockchain implications. For example, financial institutions are exploring the use of blockchains and distributed ledgers for payment, clearing, and settlement activities. Blockchains could also be used as a platform for stock trading, which could minimize the need for stock brokers and a centralized stock exchange. Additionally, blockchains can manage the process of issuing shares of a company or taking a company public. In late 2015, Nasdaq announced that its Linq blockchain ledger technology was used to issue shares of a company to a private investor. 
Finally, blockchain technology is being used as a platform for managing shareholder proxy services such as proxy voting.</p><p> <strong>4. Explore the implications to supply chains.</strong> Supply chain management is a promising area for blockchain usage because blockchains can provide insights into the visibility and traceability of an item. This is particularly useful in cases where an item passes through numerous parties before it reaches the final customer. For example, in December 2017, IBM and Walmart announced they were participating in a blockchain alliance in China to enhance food tracking, traceability, and safety. Another example is the automotive supply chain, where blockchains can be used to track the transactions associated with a specific vehicle, such as production, ownership, financing, registration, insurance, and maintenance. As most organizations are part of some type of supply chain, auditors should be aware of possible internal projects related to blockchains for tracking information or physical assets. Auditors should seek opportunities to participate in prototype efforts to develop their technology skills. Such skills will benefit them when it is time to audit blockchain projects.</p><p> <strong>5. Embrace the reality that new technology will continuously change the skills of auditors.</strong> Internal auditors may need additional training to understand the technology and its implications, and internal audit departments may need to add expertise with these skills. This is especially important for internal auditors in organizations that are already implementing blockchain projects, as auditors may be tasked with evaluating the data controls associated with blockchains. With the conceptual understanding that blockchains represent a new type of data structure for storing and accessing information, traditional application and data controls related to input, processing, and output will still apply, albeit with certain adaptations. 
For example, a standard application control is that output reports should be protected from unauthorized disclosure. With all transactions potentially accessible on the blockchain, internal auditors may need to recommend additional controls related specifically to authorization, privacy, and confidentiality. </p><h2>Controlling the Chain</h2><p>Blockchain’s potential to revolutionize transaction processing rests with its ability to create a secure, trusted, distributed ledger of transactions that can be accessed without the overhead of a middleman or a centralized authority. Internal auditors will be responsible for recommending controls associated with organizational processes that use blockchains, including the acquisition, protection, delivery, and enhancement of the information assets stored within them. Moreover, traditional IT controls related to security, availability, processing integrity, privacy, and confidentiality will continue to apply. Internal auditors must understand the technical details of blockchains to recommend adaptations of traditional IT controls as their organizations adopt new blockchain-based innovations.<br></p>Lorraine Lee
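The node-comparison, immutability and transaction-retrieval tests listed in “The Blockchain Audit” sidebar above, as an added Python example that is not part of the article: it builds a small constructed supply-chain ledger, keeps a copy on three hypothetical nodes, and runs the checks an auditor would want. The block layout, node names, sample transactions and the tampering scenario are assumptions, not anything described by the article.

```python
"""Added example, not from the article: the node-comparison, immutability
and transaction-retrieval tests from "The Blockchain Audit" sidebar, run
over a constructed supply-chain ledger. Block layout (index, prev_hash,
timestamp, transactions, hash) and the node names are assumptions."""
import hashlib
import json
from copy import deepcopy

GENESIS_PREV = "0" * 64  # the first block links to nothing


def block_hash(block):
    """Hash a block's contents, excluding its own stored hash field.
    Canonical JSON keeps the digest stable regardless of key order."""
    body = {k: v for k, v in block.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def build_chain(batches):
    """Build a chain from (timestamp, transactions) batches, each block
    carrying the hash of its predecessor as the article describes."""
    chain, prev = [], GENESIS_PREV
    for i, (ts, txs) in enumerate(batches):
        blk = {"index": i, "prev_hash": prev, "timestamp": ts,
               "transactions": txs}
        blk["hash"] = block_hash(blk)
        chain.append(blk)
        prev = blk["hash"]
    return chain


def verify_chain(chain):
    """Immutability test: each stored hash must match the block's contents,
    each block must link to its predecessor, and time stamps must not run
    backwards. Returns (ok, findings)."""
    findings = []
    for i, blk in enumerate(chain):
        if blk["hash"] != block_hash(blk):
            findings.append(f"block {i}: stored hash does not match contents")
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1]["hash"]
        if blk["prev_hash"] != expected_prev:
            findings.append(f"block {i}: broken link to previous block")
        if i > 0 and blk["timestamp"] < chain[i - 1]["timestamp"]:
            findings.append(f"block {i}: time stamp earlier than predecessor")
    return not findings, findings


def compare_nodes(copies):
    """Identicalness test across nodes. Compares recomputed content hashes,
    not the stored hash field: a copy edited in place without rehashing
    still carries the old label and would otherwise look identical."""
    names = list(copies)
    ref_name, reference = names[0], copies[names[0]]
    diffs = []
    for name in names[1:]:
        other = copies[name]
        if len(other) != len(reference):
            diffs.append(f"{name}: {len(other)} blocks vs "
                         f"{len(reference)} on {ref_name}")
            continue
        for i, (a, b) in enumerate(zip(reference, other)):
            if block_hash(a) != block_hash(b):
                diffs.append(f"{name}: block {i} differs from {ref_name}")
    return diffs


def find_transactions(chain, **criteria):
    """Retrieve transactions whose fields match, returned with the index of
    the block that holds them so each record can be vouched to its block."""
    return [(blk["index"], tx) for blk in chain for tx in blk["transactions"]
            if all(tx.get(k) == v for k, v in criteria.items())]


# Constructed sample ledger: one pallet moving farm -> packer -> store.
SAMPLE_CHAIN = build_chain([
    (1000, [{"item": "pallet-17", "from": "farm", "to": "packer", "qty": 40}]),
    (1060, [{"item": "pallet-17", "from": "packer", "to": "distributor",
             "qty": 40},
            {"item": "pallet-18", "from": "farm", "to": "packer", "qty": 12}]),
    (1120, [{"item": "pallet-17", "from": "distributor", "to": "store",
             "qty": 40}]),
])

# Three hypothetical nodes; node-c has a previously approved quantity edited
# in place without rehashing, which both tests should flag.
NODE_COPIES = {n: deepcopy(SAMPLE_CHAIN) for n in ("node-a", "node-b", "node-c")}
NODE_COPIES["node-c"][1]["transactions"][0]["qty"] = 400

if __name__ == "__main__":
    print("node differences:", compare_nodes(NODE_COPIES))
    for name, chain in NODE_COPIES.items():
        print(name, verify_chain(chain))
    print(find_transactions(SAMPLE_CHAIN, item="pallet-17"))
```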
Pulling Strings<p>Deception is fast and effective for a criminal trying to access a company's data and assets, because it's easier to trick people than to hack their hardware or break into their offices. Well-intentioned employees will offer account numbers, volunteer passwords, and even open locked security doors if the request seems reasonable or the threat seems real — or if the stranger seeking physical access is a decent actor with an adequate disguise.</p><p>Emails with interesting content, infuriating social media messages, bogus package deliveries, and phone calls with tantalizing offers — four basic forms of social engineering — seem innocuous, and a waste of company time. But they're among the biggest risks organizations now face. When businesses catch on to current tricks and mount new defenses, the perpetrators change the rules, so flexibility and virtually constant vigilance are necessary — and human resources executives, IT managers, and physical plant security personnel need to be involved. For internal auditors, the shape-shifting challenges of social engineering demand assessment and advice on evolving threats and a diverse, integrated, and coordinated response. </p><h2>Evolving Tactics</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>What Is Social Engineering?</strong> <p>Social engineering often starts with recon: Criminals get an idea of an organization’s internal operations and corporate lingo first, then target security guards or receptionists, who offer access rather than information. They then use various forms of deception to trick employees into volunteering sensitive information or responding to bogus email enticements, often exposing the organization’s entire IT infrastructure to attack. 
</p><p>Social engineering is an effective tactic that comes in many forms:</p><ul><li> <strong>Baiting.</strong> Placing a malware-infected physical device (such as a USB flash drive) somewhere it’s sure to be noticed; when it is connected to a computer, the malware is installed.</li><li> <strong>Phishing.</strong> Sending fake email, often claiming it’s from a trusted source. </li><li> <strong>Pretexting.</strong> Lying to gain access to privileged data, such as pretending to need personal data to confirm someone’s identity.</li><li> <strong>Quid pro quo.</strong> The social engineer pretends to provide something — claiming to be a return call from tech support, for example — in exchange for the target’s information. </li><li> <strong>Scareware.</strong> Tricks the victim into thinking a computer is infected and offers a solution to the problem that actually installs malware.</li><li> <strong>Spear phishing.</strong> Precision phishing, tailored to a specific individual or organization.</li><li> <strong>Tailgating or piggybacking.</strong> Following someone into a secure building, assuming that person is willing to hold the door open.</li><li> <strong>Vishing.</strong> Voice phishing; social engineering over the phone.</li><li> <strong>Water-holing.</strong> The attacker targets a specific person or people by infecting websites they’re known to frequent.</li></ul></td></tr></tbody></table><p>One of the things that's changed over time is that now "the individuals doing this are highly sophisticated," says Kimberly Hagara, vice president, audit services, at the University of Texas Medical Branch (UTMB) in Galveston, part of the University of Texas (UT) System. "In the early days, you received emails asking you to contact some foreign government," she says — usually to "help someone out" or to claim a cash windfall. "Now the tactics are much more trust-based," she adds. "Getting into an organization or a system relies more on human interaction."</p><p>The No. 
1 way to get into an organization's system is by spear phishing, mainly because it's global in reach and free. "Or with phone pretexting, you can simply talk to anyone on the phone and get instant compliance from the victims, often getting them to take the time to follow instructions," says Kevin Mitnick, CEO at Mitnick Security Consulting in Las Vegas. The hacker gains access when the recipient clicks on a link in an email, a button on a website, or opens an attachment, he adds. </p><p>Phishing succeeds when the culprit convinces the recipient there's something at stake if he or she doesn't comply — even if the fake invoice attachment comes from a vendor the organization doesn't do business with. Mitnick, who was once the U.S. Federal Bureau of Investigation's Most Wanted Hacker for hacking into 40 companies, explains that an employee who's just curious may not stop to "think critically about whether the email makes sense." And then it's too late. Organizations can install email filters to help identify questionable content but they may find that hackers can bypass them. "When you fix one thing," he says, "they'll attack another."</p><p>Social media can present effective social engineering targets, Mitnick says. "When organizations give employees permission to use social media on company equipment, those who haven't been trained could fall for LinkedIn attacks, for example," he explains, which can be messages encouraging them to click on a link for a business opportunity. "The link redirects the victim to a malicious website," he says. "If an attack like that is well-targeted, it will probably work. If it's sent to a lot of people, it's less likely to." That's because word gets around fast, and then the jig is up. </p><p>Simply picking up the phone works, as well. In fact, "phone pretexting has a high level of success depending on the hacker's skill set," Mitnick says. "People need to understand that social engineering isn't just a phishing problem. 
It's deception." Indeed. Social engineering isn't just duping someone online — it's also used to gain access to physical premises. An attack like that is a much higher risk for the social engineer, though, which is another reason perpetrators focus on email and phone scams. </p><h2>Physical Risk</h2><p>Physical access is sometimes breached, too. Many organizations maintain multiple buildings — in the UTMB's case, that includes offices, classrooms, health-care services, and research facilities — with varying types and levels of security. Says Hagara: "We look at physical security from a risk perspective, focusing on which buildings hold sensitive information or access to other information, and what the physical security requirements are." </p><p>One requirement, she says, is that "we have to remain an open campus. We have a lot of people coming and going, including patients who come to campus, colleagues from other institutions, and vendors." The UTMB conducts an awareness campaign around wearing ID badges, and stresses that someone who suspects something shouldn't be afraid to speak up.</p><p>Still, she adds, people want to help, and they don't want to be rude, asking people to justify what they're doing. But social engineering — which may start with someone looking over a shoulder to gather information and then develop into someone pretending to carry a heavy box while asking, "Could you hold that door for me?" — requires a tougher stance. "Even though we're a 24/7 operation," Hagara points out, "is a printer really going to be delivered at 10:30 p.m.?" In those cases, demanding identification is OK.</p><h2>Fool Me Once</h2><p>When Mitnick's firm starts a social engineering training engagement, his team members use phone calls, spear phishing, and phone pretexting pretending to be people they're not, and they can "always convince the client to do things" they want them to do. 
He adds that social engineering is a problem that needs to be addressed because there's too much at stake to ignore it. </p><p>"Most social engineering schemes I've seen are individuals giving up confidential system identification or passwords," says Kenneth Pyzik, vice president, audit professional practices, at Western Alliance Bancorp. in Las Vegas. That's often the entry point the hackers want, so they can implant a Trojan horse or other piece of malware for later data mining exploits. Initial entry may not be detected, he adds, and the longer the breach remains unnoticed, "the more brazen the attack becomes to get at any kind of valuable information." </p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Prevention and Detection Tips</strong><br>Experts offer advice on how to keep attacks from happening, or catching them early if they do.<br> <ul><li> <strong>Start with the basics.</strong> Passwords should not be shared among employees for any reason, says David Bryan, associate partner and global leader of technology for IBM’s X-Force Red security testing service. “If you make that a part of the corporate culture, employees will be less likely to freely give passwords to outside persons.” Kenneth Pyzik, vice president, audit professional practices, at Western Alliance Bancorp. in Las Vegas, emphasizes: Don’t forget automated spam filters on email and an easy-to-use phishing icon to quickly report suspicious correspondence.</li><li> <strong>Include everybody.</strong> All system users should be subject to the same email precautions and restrictions, Pyzik says. “There’s no executive privilege,” he adds. “Executives can sometimes be the weakest link.”</li><li> <strong>Practice beating perpetrators at their own game. </strong>“Attack your employees like the bad guys do,” Kevin Mitnick, CEO at Mitnick Security Consulting in Las Vegas, advises. 
There are email phishing platforms that “train and inoculate” staff members. </li><li> <strong>Don’t make matters worse.</strong> When testing employees’ vulnerability to social engineering scams, make sure they know in advance that they’re being tested, so employee morale isn’t ruined. Explain that added security helps them, too — when they buy movie tickets, say, and pay with a personal credit card on the company computer. “You want to be transparent,” Mitnick adds. “You can’t make testing completely transparent, but make it part of everybody’s job duties to be knowledgeable about how scams are carried out.”</li><li> <strong>Be fair.</strong> “You can’t punish employees for making human mistakes,” Mitnick says. He prefers the carrot to the stick, such as “an educational message saying that you made a mistake, and that you need to stop and think before you click.” </li><li> <strong>Keep sending the same message.</strong> Raising awareness of social engineering scams may not keep employees from falling for them. Measure how employees perform at a baseline level, then track testing results to see who needs special attention, such as more training videos for additional education. </li><li> <strong>Don’t stop short of true enforcement for repeat offenders.</strong> Some institutions conduct random testing and then let supervisors know when their employees have failed the tests. “Education is then required, and repeat offenders should be reprimanded,” Pyzik says.</li><li> <strong>Focus on esprit de corps.</strong> “Protecting the network and protecting the company’s confidential information needs to be part of every employee’s job,” Pyzik says. Mitnick adds, “Build a human firewall. Make sure everybody shares the common goal of increasing security for all.”</li><li> <strong>Use advanced technology.</strong> “You want a good endpoint security product that works well at detecting threats,” Mitnick says. 
Depending on the sophistication of the perpetrator, you might catch ransomware or other malware before it can do much harm.</li></ul></td></tr></tbody></table> <p>In his experience, the perpetrator's target is usually customers' credit card numbers, Social Security numbers, and driver's license numbers "that can be used for financial identity theft or some other illegal gain," Pyzik says. And they don't want just the data from the person who answers the phone or opens the email. "The real asset is customer lists and customer data," he says. "The mother lode is not duping a single person for a single credit card number, it's getting to the customer file for thousands of them."</p><p>Risks for Hagara include researchers' intellectual property, patients' clinical and financial information, UT's financial data, and sensitive details about students and employees. For example, payroll information includes tax identification and Social Security numbers, she explains. And simple email hacks and bogus pizza deliveries often aren't a school's biggest worry, Pyzik adds. "In addition to financial hacks to commercial enterprises," he says, "if the entity doesn't have valuable customer data, then another objective is to plant malware that can later lock system files and demand ransom" (see <a href="/2018/Pages/Held-Hostage.aspx">"Held Hostage"</a>).</p><p>Small and medium-sized enterprises (SMEs) don't escape social engineers' attention, either. "They're regularly targeted," Mitnick points out. SMEs often don't have the funds for IT staff and security, so they're low-hanging fruit — a perpetrator doesn't have to work as hard, and a phishing expedition is very likely to work. </p><p>"Generally, employees want to do good — they want to help others get their jobs done so they can go back to getting their work done," says David Bryan, associate partner and global leader of technology for IBM's X-Force Red security testing service in Minneapolis. 
"Email phishing can't be stopped, but a targeted attack can be prevented with training and testing to determine if the training was effective." Mitnick advocates combining user education and training videos. "When you know what the scams are, you're less likely to fall for them," he says.</p><h2>Where to Start</h2><p>When the C-suite asks for advice on addressing social engineering, "the thought processes internal audit needs to emphasize are education, simulated phishing, and a layered security approach," Mitnick advises. "And make sure to recommend that the enterprise maintain a process for mitigating risk when something is infected" — whether that's determining internally if the threat is "domestic or something in the wild" or outsourcing the investigation. </p><p>Also, Mitnick says, internal audit should recommend that organizations maintain a social engineering instant response program to mitigate an attack. Often, a third-party sets up a system that sends an alert when an employee clicks on a suspicious email icon, then advises the organization and helps it measure people's progress on compliance. He also suggests regular penetration testing to see if security controls are holding up. </p><p>The internal audit department can recommend those programs and policies, Pyzik says, and can periodically audit the information security department to make sure it's addressing social engineering risk as a priority. The UTMB regularly runs scenarios to help teach its employees about social engineering techniques and technology solutions. "We do a lot to try to protect our system before a perpetrator gets into the network," Hargara says. "That includes quarantining email that appears suspicious or malicious. And we monitor foreign access to our network, among a variety of other technical controls that supplement administrative, individual, and behavioral controls." 
</p><p>Technological controls can be assessed by internal audit, she notes, and her shop does so periodically. The information security officer at the UTMB "does annual third-party penetration testing scenarios and walk-throughs," she adds, to provide a level of assurance that controls are operating as intended.</p><h2>Trust and What's at Stake</h2><p>During a recent penetration test conducted at the UTMB, one employee who knew about the test in advance said, "You won't be able to get past me," Hagara says. But during the testing process, that employee clicked on the bait, and could have given up sensitive information. What worked? The email had a professional look, and the information it purported to contain was close to a real-life scenario, like a press release the employee would normally respond to. "It looked right and it felt right," she says.</p><p>"The incident exposed a vulnerability," Hagara adds, "and that helped us understand, from an employee standpoint, where the greater risk was and how we could further protect sensitive information. Humans are incredibly trustful." That's why, she emphasizes, defending against social engineering is really about education and awareness training of the risks for the organization, employees, and students. Make sure, Pyzik says, that employees understand what's at stake. "The whole company is at risk when employees are lax," he says. "One mistake can end up costing a company millions of dollars and many people's jobs." </p>Russell A. Jackson
Plugging More Value Into Internal Audits<p>A common response to corporate scandals caused by significant control lapses is to question the performance and value of audits performed by internal audit, particularly the department’s role in providing assurance on enterprise risk management activities. To better identify and assess these types of risks, internal audit needs to provide more valuable audits that evaluate risks and controls, identify gaps, determine root causes, and recommend improvements. </p><p>Taking data privacy as an example, internal audit is expected to evaluate the security of databases where information is stored and determine who has access, how that information is used, and with whom it is shared. Additionally, auditors must provide assurance that the information is not being shared with anyone who should not have access to it. Yet, due to staffing limitations and tight deadlines for providing deliverables, internal audit departments often don’t have time to provide in-depth reviews on emerging risks. </p><p>One way to provide this service is to use technology to automate routine reviews so that they can be performed faster. This can free internal auditors to examine areas they may not have previously audited. Reporting on controls for these once-unexamined areas can provide assurance that controls are operating as designed or identify gaps where improvements are needed. Internal audit can therefore report valuable information about risks and controls that has not been included in prior audit reports.</p><h2>A Large-scale Analysis</h2><p>Value-added auditing is a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. It requires internal auditors to analyze risks and controls to identify the root cause of the ineffectiveness, recommend corrective action, and focus on continuous improvement. 
</p><p>To perform more valuable audits, internal auditors need time to focus on the overall risks to the organization, while obtaining detailed information to determine the root cause of the finding, not just identify the resulting error. Only then can auditors recommend functional improvements and follow up to ensure they have been implemented. By taking time to probe and understand the business risks and collaborating to develop functional solutions to challenges faced, auditors can move from being a reviewer to a business partner working to resolve problems and simplify complex tasks. </p><p>But internal audit must overcome certain obstacles to perform value-added audits such as having a check-the-box mentality, managing concurrent projects with limited resources, and breaking down information silos. Auditors must communicate relevant information to clients timely, and the department must be flexible enough to respond to changes and emerging risks. By automating routine reviews, auditors can work within the same constraints yet still issue an opinion on controls that may not have been examined previously. Automated reviews also may help auditors identify gaps or risks where there is no mitigating control. Such gaps could expose the organization to potential threats. The time gained to focus on additional areas can enable auditors to provide a larger scale analysis that encompasses strategic organizational goals.</p><h2>Putting Data to Work</h2><p>Technology is key to performing more valuable audits. Automating routine reviews allows for the quick identification of outliers in regularly examined data, a focused review on those specific occurrences, and budgeted time to examine additional areas. 
In lieu of spending time examining an excessive number of transactions that fall within the expected tolerance, internal auditors can define the normal tolerance and use software to identify the outliers and a small, random sample of normal transactions, then focus the remaining time on examining new areas, such as information security and privacy. Moreover, by leveraging technology, internal audit can set an example for how innovation enhances performance.</p><p> <strong>Electronic Workpapers</strong> Easily shared workpapers may allow a subsequent audit to leverage information identified in a previous exam. By using templates to document audit results, auditors do not have to recreate templates for each review. Linking documents, such as workpapers, support documentation for findings, and policies, allows for a quicker review and access to standards used in the testing and evaluation portions of the audit.</p><p> <strong>Data Mining</strong> Internal auditors should automate reviews to allow for continuous monitoring of routine tasks and to easily identify trends and anomalies that may require additional attention. For example, creating dashboards or setting up alerts can enable internal auditors to quickly identify transactions occurring outside the normal range. When continuously monitored, those outliers can be identified, examined, and, if necessary, corrected sooner than discovering them through a scheduled audit. Detecting outliers faster could minimize the impact of transactions that should not be allowed to continue.</p><p> <strong>Analytics</strong> Analyzing data can enable internal auditors to determine the impact of control weaknesses and the frequency in which they occur. This allows auditors to put issues in perspective and provide clients with a view of risks when there is a failure to comply. By analyzing performance trends and patterns, internal auditors can demonstrate how risks change by time and region. 
The analysis also can help clients understand the effectiveness of controls as well as determine where corrective actions are needed. Additionally, data analysis can assist management with regulatory and policy compliance in a way that minimizes duplication of efforts.</p><p>To analyze data effectively, internal auditors should set parameters to identify the data that lies outside the normal parameters. This can quickly show where the outliers and risks lie, allowing auditors to devote time to examining these risks.</p><p> <strong>Dashboards</strong> Auditors can use dashboards as a visual method of identifying anomalies and comparing them to other data. Dashboards can demonstrate current versus future states. Moreover, visual demonstrations work well for reporting, explaining findings to decision-makers, and driving change.</p><h2>Finding More Value</h2><p>Technology has an additional way to make audits more valuable. By automating routine tasks, internal audit departments can be better structured to perform audits that are more useful for improving governance, risk management, and control processes. This automation can give auditors more time to question what is being done and why, compare current practices to best practices and industry standards, and evaluate whether there is a more innovative approach. Internal auditors should explore opportunities to use existing technology to automate routine reviews, add value to the organization by reporting on additional areas, and minimize the impacts of risks to their organization.</p>Bernadette Calhoun
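The outlier-plus-sample selection described under “Putting Data to Work” above, as an added Python example that is not part of the article: it defines the normal tolerance for a population of transactions, pulls every transaction outside it, and adds a small, reproducible random sample of in-tolerance items for the auditor to examine. The transaction fields, the median/MAD band, the threshold and the sample population are assumptions, not anything the article specifies.

```python
"""Added example, not from the article: define a normal tolerance, let the
software pull the outliers, and add a small random sample of in-tolerance
transactions. Field names, the median/MAD band and k are assumptions."""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    vendor: str
    amount: float


def normal_tolerance(amounts, k=3.5):
    """Normal band = median +/- k * scaled MAD.

    Median absolute deviation is used instead of mean/std because one very
    large transaction inflates the standard deviation and can mask smaller
    outliers. 1.4826 scales MAD to match std for normally distributed data.
    """
    med = statistics.median(amounts)
    mad = statistics.median(abs(a - med) for a in amounts)
    spread = k * 1.4826 * mad
    return med - spread, med + spread


def split_population(transactions, k=3.5):
    """Partition the entire population (not a sample) into outliers and
    in-tolerance transactions. Returns (outliers, normal, (low, high))."""
    low, high = normal_tolerance([t.amount for t in transactions], k)
    outliers, normal = [], []
    for t in transactions:
        (normal if low <= t.amount <= high else outliers).append(t)
    return outliers, normal, (low, high)


def select_for_review(transactions, sample_size=3, k=3.5, seed=0):
    """Every outlier goes to the auditor; only a small, reproducible random
    sample of normal transactions is added. Record the seed in the
    workpapers so a reviewer can re-draw exactly the same sample."""
    outliers, normal, bounds = split_population(transactions, k)
    rng = random.Random(seed)
    sample = rng.sample(normal, min(sample_size, len(normal)))
    return {
        "bounds": bounds,
        "outliers": outliers,
        "sample": sample,
        "population": len(transactions),
        "reviewed": len(outliers) + len(sample),
    }


# Constructed sample population: routine vendor payments plus two that fall
# outside any reasonable band (one very large, one near zero).
SAMPLE = [Transaction(f"T{i:02d}", "ACME Supplies", amt) for i, amt in enumerate(
    [120, 135, 150, 142, 128, 160, 155, 131, 147, 138, 125, 144], start=1)]
SAMPLE += [Transaction("T13", "ACME Supplies", 9800),
           Transaction("T14", "ACME Supplies", 4)]

if __name__ == "__main__":
    result = select_for_review(SAMPLE)
    lo, hi = result["bounds"]
    print(f"normal band: {lo:.1f} .. {hi:.1f}")
    for t in result["outliers"]:
        print("OUTLIER", t.tx_id, t.amount)
    for t in result["sample"]:
        print("SAMPLE ", t.tx_id, t.amount)
    print(f"reviewing {result['reviewed']} of {result['population']}")
```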
The Rising Cost of Insecurity<p>Data breaches may be more costly than business leaders think. Today's incidents come with hidden costs such as lost business and customers, as well as employee expenses to recover from breaches, according to the <a href="" target="_blank">2018 Cost of a Data Breach Study</a> from IBM Security and the Ponemon Institute. The global study is based on interviews with more than 2,200 individuals in 477 organizations.</p><p>Typically, damage estimates for data breaches focus on easily quantifiable costs, says Wendi Whitmore, global lead for IBM's X-Force Incident Response and Intelligent Services. But that doesn't account for reputational damage, customer loss, and operational costs. "Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake," she explains.</p><p>How costly? The global study estimates the average data breach costs $3.86 million, up 6 percent from the 2017 study. That works out to $148 per compromised record.</p><p>"Mega-breaches" involving more than 1 million lost records — think Equifax, Uber, and Yahoo — may cost organizations between $40 million and $350 million. The number of such breaches has nearly doubled from nine in 2013 to 16 in 2017, the study notes. </p><p>Most of those breaches were caused by malicious and criminal attacks. Worse yet, it takes one year on average to detect and contain a mega-breach, about 100 days longer than the small-scale breaches. </p><h2>Costly Attacks</h2><p>As with mega-breaches, malicious and criminal attacks are the biggest cause of data breaches, accounting for nearly half of incidents. The culprits are both hackers and criminal insiders. </p><p>Moreover, these attacks are more costly than other causes — $157 per record compared to $131 for a systems problem or $128 for human error. 
Malicious attacks were most common in the Middle East, France, and the U.S.</p><h2>Consumers Losing Trust</h2><p>The cost of a data breach is affected by many factors. For starters, the more records that are compromised, the greater the cost. Organizations that lost less than 10,000 records paid $2.1 million on average. The average total cost for organizations that lost more than 50,000 records was $5.7 million.</p><p>But the real cost may be lost customer trust. Three-fourths of U.S. consumers say they won't do business with companies if they don't trust them to safeguard their data, according to a recent IBM/Harris poll.</p><p>That sentiment is reflected in the survey data. An organization that lost more than 4 percent of its existing customers due to an incident lost $4.9 million on average compared to $2.7 million for organizations that lost less than 1 percent. </p><p>U.S. organizations suffer the most from customer losses due to breaches. For these organizations, the average cost of lost business ($4.2 million) exceeds the total average cost of a data breach. Moreover, U.S. organizations pay nearly twice as much for customer loss than organizations in any other part of the world.</p><p>Taking steps to address customer trust may mitigate the impact of a data breach. The study notes that organizations with a senior-level leader directing efforts to improve customer trust lose fewer customers. Similarly, offering breach victims identity protection services can stem customer loss. </p><h2>Incident Response Is Key</h2><p>The most crucial factor in minimizing the cost of a data breach is the ability to respond to an incident quickly. In the study, the mean time to identify a breach was 197 days, with an additional 69 days needed to contain it. However, organizations that contained a breach within 30 days saved more than $1 million per incident. The study attributes the high response time to "the increasing severity of criminal and malicious attacks." 
</p><p>Detection and escalation activities include forensics, investigations, assessment and audits, crisis management, and communications to senior management and the board. Response activities include help desk activities, addressing external inquiries, investigations, remediation, legal expenses, providing identity protection services to individuals, and communications with regulators.</p><p>Having an incident response team in place generates the greatest cost savings, reducing the cost of an incident by $14 per record. Other factors that can reduce per-incident costs are extensive use of encryption, business continuity management, and employee training.</p><p>Conversely, a breach caused by a third party adds the most to the cost of an incident. Other factors that raise costs are a breach that occurs during an extensive migration to a cloud service, compliance failures, and heavy use of mobile platforms.</p><h2>Are You Next?</h2><p>Knowing what's at stake, organizations may be curious about their likelihood of suffering a data breach. That all depends on how many records are involved. </p><p>The study notes that the likelihood of a breach declines as the number of compromised records increases. The probability of a data breach involving 10,000 records is 28 percent over the next 24 months. For breaches affecting 100,000 records, it is 1.5 percent.</p><p>Location matters, as well. Organizations in Brazil, France, and South Africa are most likely to have a data breach in the next 24 months, the study estimates based on past trends. German and Australian organizations are the least likely to have a breach.</p>Tim McCollum
Auditors and Analytics<h3>How can internal auditors identify opportunities for analytics use? </h3><p><strong>Petersen</strong> In today’s data-driven world, businesses face numerous challenges, from increased regulation and need for transparency to emerging risks from unexpected sources. Auditors should view analytics as an opportunity to reduce risk by aligning test plans with strategic audit goals and auditing larger populations. First, think about your audit objective. Can data help identify where risks exist and how to mitigate them? Second, consider the audit workflow. Look at controls, processes, and procedures for the areas you are auditing to surface ideas for analytics tests to perform. These are generally instituted to mitigate risks, so if they aren’t being followed or are being circumvented regularly, the business could be taking on additional risk.</p><p><strong>Zitting</strong> Opportunities to use analytics exist throughout the audit plan. A simple example: anytime you’re using the traditional method to pick samples for audit testing, analytics can replace that sample test. Think about data first — not as an afterthought. And when you think in broader terms about providing insight and assurance through data, there’s always a data point to be had. For example, if auditing employee talent retention risk, run IT application use metrics to trend employee engagement. If auditing emerging competition threats, use natural language data from Twitter to understand public sentiment. And, if auditing IT system profile vulnerabilities, use correlation analytics to compare IT assets to public vulnerability databases. 
</p><h3>How can improper use of analytics damage an internal audit?</h3><p><strong><img src="/2018/PublishingImages/Dan-Zitting.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Zitting</strong> Whether you work with advanced analytics or old-school spreadsheets, the danger is the same: drawing conclusions based on bad data. The good news is there’s a review and quality assurance process mandated by The IIA’s International Standards for the Professional Practice of Internal Auditing to prevent us from drawing those bad conclusions. In a digital business environment, those processes need to evolve — making sure we have adequate skills and technical knowledge throughout the team to ensure that effective analytical review and validation steps are taken. If you’re overly concerned about analytics damaging your audit, ask yourself if you are instead actually concerned about changing the way you’ve always done things. Or perhaps you’re not sure how to step into this new technology and approach.</p><p><strong>Petersen</strong> When auditors document their findings they should use very specific language to describe the analytics performed and the results vs. any conclusions being drawn from those results. Damage to an audit can occur if conclusions are drawn based on the results of an improper set of tests run against an unreliable set of data. Establishing the scope and determining the validity of the data to be analyzed is critical to the success of the effort. While most analytics tests do not provide proof of any fraud or wrongdoing, analytic results obtained during fieldwork can provide clues about areas that may need further analysis. Also, just because the analytical tests that were performed found nothing of concern, this doesn’t always indicate there are no concerns in that area of the business. 
</p><h3>How is analytics use changing with innovations such as artificial intelligence (AI)?</h3><p><strong><img src="/2018/PublishingImages/Ken-Petersen.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Petersen</strong> AI is in its infancy in the audit world, especially for internal auditors. AI and the various technologies it encompasses (machine learning, deep learning, robotic process automation, natural language processing, image recognition, pattern recognition) will become more ubiquitous over time. AI can become another tool auditors can leverage to enhance their process and improve the time it takes to share results and findings. Future versions of analytics tools will be able to recognize data patterns to identify risks that might not have otherwise been considered or to recognize data that suggests specific tests be performed. Introduction of AI should mean that repetitive work will be performed by machines, allowing auditors to spend more time performing critical analysis and raising the value of the output of audit organizations. </p><p><strong>Zitting</strong> AI isn’t magic — it’s another tool in our toolbox, just like traditional rule-based audit analytics is a tool. AI can be used in countless applications, but finding how it can help gain assurance in areas where we don’t always know what to look for is key. Machine learning helps natural language processing (NLP) improve over time. Historically, if I looked at millions of payments to spot which were fraudulent or bribes, I’d have to know what to look for and create a set of rules to run those payments through, flagging violations. I might look for all payments made in high-risk countries where the description includes “donation,” resulting in thousands of hits, most of which would not be an issue. 
But AI and NLP review the same payments and look at everything — the description, vendor, date and time, amount — and tell me which are more likely to be bribes based on criteria I never even considered. </p><h3>What are the risks of internal audit falling behind with analytics use?</h3><p><strong>Zitting</strong> The world is moving faster. Historically, you’d go out, do an audit, take six months, and report on it three months later. By the time your audit report is in front of management, it’s nine months later. While your findings at the time may have been totally legitimate, the risk landscape shifted, and the business moved on. The report is now irrelevant. To avoid falling behind, we need to fully embrace and use analytics to move faster and do more. Even if the business doesn’t shift its focus between the time you start and finish your audit, there’s a good chance you’ll report on things the business already knows. Because, while you were out doing your audit, someone ran the numbers and got the answers they needed through analytics. Machines do these jobs much faster than we do. </p><p><strong>Petersen</strong> Today’s business environment requires auditors to keep up with the rapid pace of change. In the current data-driven world, organizations are demanding and embracing easier ways to digest and dissect information. Management expects a focus on facts and data-based analysis in all aspects of the business. The traditional practice of simply pulling random samples to support audit testing will soon be considered archaic and of little value. Analytics offers opportunities to identify additional risks throughout the course of an audit, expand the scope of testing, and provide strategic insights. 
Failing to take advantage of these opportunities will make it challenging to meet increased demands and stay ahead of the changing risk landscape.</p><h3>How are auditors using analytics to demonstrate their value?</h3><p><strong>Petersen</strong> The ultimate objective of internal audit is not to find issues, but to help the business flourish. Traditionally, analytics are performed during fieldwork, and may include testing for duplicate transactions, performing a Benford’s test, or looking for other anomalies in the data. However, opportunities exist to consider how analytics can be beneficial in other stages of the audit process such as in scoping, planning, continuous auditing, reporting, or continuous risk assessment. Proactively using analytics to identify areas of focus can help streamline the audit process and apply limited resources to the most important issues. Analytics tools used by audit can be introduced to parts of the business to monitor data throughout the year and head off potential issues before the audit even starts. </p><p><strong>Zitting</strong> First, by making audit outcomes quantifiable. Issue ratings of high, medium, and low are almost a thing of the past — they’re too subjective. Whereas issues that come out of analytical use have a number or value attached, be it monetary or otherwise. There’s a quantifiable nature to our outcomes that makes them more valuable. Next, by getting to insights faster. An audit team that uses analytics is a team with an instantly fast audit robot. By creating automation along the way, auditors can do more work with the same — or fewer — resources. And finally, by providing more assurance over time. Analytics means more coverage.  </p>Staff
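<p>The fieldwork analytics the interview mentions (a Benford's first-digit test, duplicate-transaction testing, and Zitting's rule of flagging "donation" payments in high-risk countries) as an added, runnable example written for this page, not code from the interviewees or their products. The payment records, the country list, the 5,000 approval limit and the vendor names are all constructed placeholders.</p>

```python
"""Fieldwork analytics over a constructed payment ledger (example code added
here, not from the interview): Benford first-digit test, duplicate-payment
detection and a rule-based 'donation in a high-risk country' filter."""
from collections import Counter
from dataclasses import dataclass
from math import log10

CHI2_CRIT_8DF = 15.507            # chi-square critical value, 8 df, p = 0.05
HIGH_RISK_COUNTRIES = {"XX", "YY"}  # hypothetical codes; a real engagement
                                    # would take this list from the risk model


@dataclass(frozen=True)
class Payment:               # constructed record layout
    vendor: str
    amount: float
    date: str                # ISO date
    country: str             # payee country code
    description: str


def first_digit(amount: float) -> int:
    """Leading non-zero digit of an amount; 0 only for a zero amount."""
    return int(f"{abs(amount):e}"[0])     # '4.970500e+03' -> 4


def benford_test(amounts) -> dict:
    """Compare observed first-digit counts with Benford's expected shares
    log10(1 + 1/d) using a chi-square statistic over the nine digits."""
    digits = [first_digit(a) for a in amounts if a]
    n, observed, chi2 = len(digits), Counter(digits), 0.0
    for d in range(1, 10):
        expected = n * log10(1 + 1 / d)
        chi2 += (observed[d] - expected) ** 2 / expected
    return {"n": n, "chi2": round(chi2, 3), "conforms": chi2 < CHI2_CRIT_8DF}


def duplicate_payments(payments):
    """Vendor/amount/date keys that occur more than once in the ledger."""
    counts = Counter((p.vendor, round(p.amount, 2), p.date) for p in payments)
    return sorted(key for key, c in counts.items() if c > 1)


def donation_rule_hits(payments):
    """The traditional rule from the interview: high-risk country plus the
    word 'donation' in the description. Many hits will be benign."""
    return [p for p in payments
            if p.country in HIGH_RISK_COUNTRIES
            and "donation" in p.description.lower()]


def benford_shaped_amounts(n=1000):
    """Constructed amounts whose leading digits follow Benford's law by design."""
    return [d * 10_000 + 3 * k
            for d in range(1, 10)
            for k in range(round(n * log10(1 + 1 / d)))]


def threshold_dodging_amounts(n=60):
    """Constructed amounts all kept just under a hypothetical 5,000 approval
    limit: a classic red flag that Benford's test surfaces."""
    return [4_900 + k for k in range(n)]


LEDGER = [  # constructed sample ledger
    Payment("Acme Supply", 1250.00, "2018-03-04", "US", "Office fit-out"),
    Payment("Acme Supply", 1250.00, "2018-03-04", "US", "Office fit-out"),
    Payment("Harbor Trust", 980.00, "2018-03-11", "XX", "Charitable donation"),
    Payment("Harbor Trust", 980.00, "2018-04-11", "XX", "Charitable donation"),
    Payment("Green Fields", 2200.00, "2018-03-20", "DE", "Donation drive catering"),
]
```

<p>As the interview cautions, none of these results is proof of wrongdoing: a failed Benford test or a rule hit only marks a population for follow-up, and the data's scope and reliability have to be established before any conclusion is drawn from it.</p>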
Are Companies Capitulating on Cybersecurity Risks?<p><img src="/2018/PublishingImages/Heads%20in%20Sand.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />In the past dozen years or so, cybersecurity has gone from being a mysterious IT concern best left to chief security officers (CSOs) and chief information security officers (CISOs) to a top priority for boards and executive management. Yet, progress has been painfully slow for a problem everyone agrees is evolving at breakneck speed.</p><p>Reports of high-profile cyberattacks are now routine, and no sector or industry is immune to the threat. Indeed, the Privacy Rights Clearinghouse has documented more than 8,600 data breaches since 2005, including 831 in 2017. The group, located at the University of San Diego School of Law's Center for Public Interest Law, concedes it doesn't capture every successful cyberattack. Still, it estimates more than 11 billion records have been breached since it began keeping track.</p><p>Even so, I must admit I am troubled each time I read about cyberattacks that might have been avoided. Too often, successful hacks involve human failings, not technological ones. This is especially disturbing when one considers that cybersecurity ranks at or near the top of every management and board poll on risks.</p><p>I'm starting to wonder if the enormity of cybersecurity is feeding inaction within some organizations. I wonder if companies are simply throwing in the towel and accepting what they believe will be "inevitable." Despite knowing that data breaches can do incredible financial and reputational damage, organizations don't take all reasonable steps to protect themselves. Worse, a defeatist or fatalistic view about the eventuality of being hacked may be contributing to weak or ineffective controls.</p><p>Two recent surveys provide additional examples of our struggles with cybersecurity. 
A survey by Spencer Stuart of S&P 500 companies found that, although boards last year hired the largest number of new directors (397) since 2004, a scant 19 percent of them had a background in technology or telecommunications. This suggests that, while there is growing awareness of the importance of having directors who are knowledgeable about IT and cybersecurity, that awareness hasn't translated into greater action.</p><p>A new report from information security services firm IOActive identified cybersecurity vulnerabilities in nearly all of the 40 major online stock-trading platforms it investigated. The vulnerabilities varied in severity, from storage of unencrypted passwords to promoting features that are susceptible to malware.</p><p>This reflects the continuing challenge of cybersecurity not being integrated into all areas of the organization. I'm certain none of these stock-trading platforms sought to make themselves targets, but too often the drive for convenience or customer-friendly interactions comes at the price of higher cyber vulnerability.</p><p>If management is capitulating in the face of cybersecurity risks, internal auditors can't afford to join them. We must not only ensure we have the right talent on our staff to audit IT processes and controls, we also must be aware of how cybersecurity is viewed across the organization. In short, part of internal audit's scope must be to assess the organization's cyber culture and help build a culture that is cyber-savvy.</p><p>Talent was among four keys for transforming internal audit that I wrote about in a blog <a href="/blogs/chambers/2018/Pages/Four-Urgent-Keys-to-Transforming-Internal-Audit.aspx"><span style="text-decoration:underline;">post</span></a> earlier this year. In short, internal audit must redefine talent, especially with regard to auditing IT.</p><p>From the blog post:</p><p><em class="ms-rteStyle-BQ">The path forward on talent may be the most challenging. 
For example, CAEs report significant challenges in recruiting personnel with cybersecurity and privacy/data mining and analytical skills. Still, there are clear steps we can take to make sure we have the right people in place to meet stakeholder demands, innovate, and be agile.</em></p><p><em class="ms-rteStyle-BQ">[The North American Pulse of Internal Audit] identifies six keys that support getting the right people in place, including developing a talent strategy, seeking candidates with different backgrounds, and including future-focused training and development. But one of the most important is to make sure internal audit's scope drives staff competencies. Too often, the work internal audit functions take on is dictated by the skills they have on staff. This is a dangerous practice that works against innovation and agility.</em></p><p>Internal audit's role in building a cyber-savvy culture goes hand-in-hand with having the right talent on staff. Just as internal audit functions can build culture checks into each engagement they perform, so too can they assess how culture contributes to cybersecurity successes and failures.</p><p>Internal audit should work with CSOs and CISOs to identify weaknesses in the organization's cybersecurity controls and practices. It is especially important that the relationship between internal audit and IT leaders be a healthy and cooperative one. After all, they are working for the same goal of effective cybersecurity. </p><p>In all circumstances, internal audit must provide the board with a direct and objective assessment on how cybersecurity is carried out within the organization and whether the organization's culture supports or works against it. Just as important, we must provide assurance on the organization's preparedness to respond if/when the cybersecurity breaches occur.</p><p>I'd like to know what you are doing to assess your organization's cybersecurity culture. 
As always, I look forward to your comments.</p>Richard Chambers
Editor's Note: The Human Factor<p>I’m a big fan of the TV series <em>Westworld</em>. For those who haven’t seen it, HBO’s science fiction thriller takes place in a Western-themed, no-holds-barred amusement park where guests interact with lifelike robotic hosts. The show’s many plot twists keep viewers guessing, though eventually we learn there’s much more going on than just gun fights and pleasure seeking. The park’s creators have been quietly taking advantage of guests to carry out a hidden agenda. And while the plan relies in part on Westworld’s futuristic technology, one of its main tools is simple human deception.</p><p>Beyond the realm of fiction, of course, people’s susceptibility to deception and manipulation is a real-world concern for organizations — particularly when it comes to cybersecurity. With a phone call, email, social media exchange, or in-person conversation, skilled social engineers can gain the trust of their victims to commit fraud or other organizational crimes. And as Kimberly Hagara, vice president, Audit Services, at University of Texas Medical Branch, notes in “<a href="/2018/Pages/Pulling-Strings.aspx">Pulling Strings</a>,” the attackers are becoming increasingly sophisticated. “Now the tactics are much more trust-based,” she says. “Getting into an organization or a system relies more on human interaction.”</p><p>In some cases, the attackers leverage systems access to hold the organization’s data hostage. Their success depends not only on malicious software, known as ransomware, but often on the perpetrators’ ability to deceive. According to a recent survey by security firm SentinelOne, nearly 70 percent of successful ransomware attacks in 2017 resulted from hackers gaining access to enterprise networks by phishing via email or social media. 
</p><p>In our cover story, “<a href="/2018/Pages/Held-Hostage.aspx">Held Hostage,</a>” author Arthur Piper examines the risk of ransomware, how to respond to an attack, and considerations for prevention and detection. The article also stresses that employees often represent the greatest vulnerability to these types of attacks. With that in mind, risk management advice includes ensuring training is provided to all personnel and that policies on responding to ransomware incidents have been well-communicated.</p><p>Cyberattacks don’t have to be high-tech to present a real threat. Despite all the sophisticated tools available for carrying out an attack, crafty perpetrators can weasel their way through even the best defenses with simple techniques that exploit human psychology. Ironically, in the age of artificial intelligence and advanced digital security, preventing cybercrime often comes down to a deeper understanding of nontechnological, human factors. The weakest link in the security chain is often the employee who opens the door, physical or virtual, to an intruder. And when that happens, to borrow from <em>Westworld</em>’s season two tag line, “chaos takes control.”</p>David Salierno
