Technology

<h1><a href="https://iaonline.theiia.org/2017/Pages/Application-Control-Testing.aspx">Application Control Testing</a></h1><p>Computers, servers, laptops, tablets, smartphones — these are all hardware devices that have connectivity. However, they do nothing without software. Applications are what enable people to work with technology devices and allow them to connect and communicate with other devices.</p><p>Internal auditors need to be aware of what applications are being used when they audit a process. In fact, with the reliance being placed on applications in every business area, auditors are not performing a complete audit if they don’t address the controls within those applications.</p><h2>Controlling Applications</h2><p>Application controls encompass every feature and function of the application and will depend on what the business area does, what the application is, and how much the area relies on the application. To identify them, internal auditors must ask process owners: What are the primary objectives for this area? What tools are used to help meet those goals? What types of reviews are performed? These questions can help auditors narrow their focus to the key aspects of the application.</p><p>Having identified the key application processes, auditors need to identify the controls that are in place. The IIA’s Global Technology Audit Guide (GTAG) 8: Auditing Application Controls breaks down application controls into input, processing, output, storage, and monitoring. The responsibility for these controls is shared between the business and IT, so auditing them should be based on an integrated audit approach. This can be a team with finance, operations, and IT auditors, or it can be an auditor who is familiar with both business and IT functions.</p><p>Auditors should identify all of the controls in the application so they can risk-rank them and prioritize their testing.
A framework such as the one described in GTAG 8 can help guide this effort.</p><h2>Input Controls</h2><p>Controls such as “edit checks” are usually built into the application, but some input controls can be configurable, such as duplication checks and access controls.</p><p><strong>Built-in Controls</strong> Auditors may not have to test controls such as field definitions (users can’t substitute an “o” for a “0” in a numeric field) if they are considered low risk. If they do need to be tested, auditors need only validate that the controls exist, because no configuration change a user makes will alter them.</p><p><strong>Configurable Controls</strong> When auditors look at configurable controls, they also need to look at the controls over the configuration. Who can make changes, and how are those changes tested? Look into the configuration settings for the higher-risk controls. Which roles permit data entry versus only data view? Are there role combinations that are prohibited? These parameters are often defined in configuration files that can be viewed and modified.</p><h2>Processing Controls</h2><p>Another major aspect of application control testing is looking at the processing controls. The internal processing is the reason the application exists, and it might seem justifiable to treat the controls over processing as low-risk areas. However, the processing controls may not be as accurate as auditors would like, and changes to the software as it is updated may have an impact on the processing controls. The best way to address these concerns is to look at some of the key processes.</p><p><strong>Critical Calculations</strong> Discuss any critical calculations with the business owner. Are they performing a manual check or reconciliation? If so, have they ever found an error?
If there is still a concern, determine whether there is an application user group where additional details on the internal processes might be available.</p><p><strong>Custom Calculations</strong> Identify any custom calculations that have been incorporated into the application. Because custom code introduces another potential source of errors, internal auditors should determine who can create it and assess how it is tested. Some custom calculations may be low risk. For others, especially where the skills to review code might be lacking, the risk may be high or unknown.</p><p><strong>Configuration Settings</strong> Some processes have mandatory checks, approvals, and thresholds, but some applications allow these controls to be overridden. If this is the case, internal auditors should look at the configuration settings to identify whether what is allowed is also compliant with the procedures. Also, check the local procedures to ensure that overrides, if allowed, have procedural limitations.</p><h2>Interface Controls</h2><p>If the application receives its data from another application, or if it sends results to another application, then auditors should review the interface controls. These are a special case of input and output controls.</p><p><strong>Error Detection</strong> The file transfer process should include the error detection from the data packets of the network protocols (Open Systems Interconnection (OSI) layer 3), so if the file was sent directly, auditors can be fairly confident that the data was sent or received. But if a less secure protocol is used for the transfer, inquire whether there are other controls, such as checksums and record totals, that can be used to confirm the data received is complete.</p><p><strong>API Limits</strong> For many applications, internal auditors also can look into the application programming interfaces (APIs) that are being used.
APIs define the interface between the application layer and the transport layer (two more OSI layers). Auditors can look them up online to determine whether there is a risk of data corruption or data leakage. Depending on the application, there also may be issues with bandwidth or timing that the API requires to ensure the application functions appropriately.</p><h2>Additional Controls</h2><p>Many other aspects of application control testing can be incorporated into an audit. Before auditors finalize their audit plan, they should consider these aspects of control to ensure they have identified all the highest risks:</p><ul><li>Output controls look at the destination of the application output.</li><li>Storage controls focus on the database structure on which the application relies.</li><li>Monitoring controls look at access logs, input and output file transfer logs, and super-user access.</li><li>Configuration management addresses the procedures surrounding updates to the configuration of the application and its supporting database and operating system.</li><li>Change control and patch management look at how changes to the application are tested and implemented.</li></ul><h2>Work With Business Owners</h2><p>Because applications are critical to businesses, application controls represent a risk that internal auditors should test. Auditors should discuss the process, the applications, and the controls with business owners to reach a consensus on the high-risk areas and focus internal audit’s efforts.</p><p>Richard B. Fowler</p>
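<p>The Error Detection paragraph under Interface Controls above says that when the transport itself cannot be relied on, checksums and record totals are the controls that confirm a received file is complete. The Python below is an added example written for this page, not code from the article or from The IIA. It assumes a constructed CSV interface file with an amount column and a sender-published manifest holding a record count, a hash total of the amounts and a SHA-256 digest of the bytes; the receiving side recomputes the same values and reports any mismatch, and a simulated transfer shows how a silently truncated copy is caught (a packet-level checksum covers individual packets in flight, not the file as it ends up on disk).</p>

```python
"""Added example (not from the article): application-level control totals
for a file interface, recomputed by the receiver to confirm completeness."""
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample interface file: a header row and three records.
# Assumption: the interface is a CSV with an 'amount' column.
SENT_FILE = (
    b"txn_id,account,amount\n"
    b"1001,ACC-01,150.25\n"
    b"1002,ACC-02,-40.00\n"
    b"1003,ACC-03,999.75\n"
)


def control_totals(data: bytes) -> dict:
    """Compute the controls the article names for a file transfer: a record
    count, a hash total of the amount column and a checksum over the raw
    bytes (SHA-256 here). The sender publishes these alongside the file."""
    rows = list(csv.DictReader(io.StringIO(data.decode("utf-8"))))
    amount_total = sum((Decimal(r["amount"]) for r in rows), Decimal("0"))
    return {
        "record_count": len(rows),
        "amount_total": str(amount_total),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_transfer(received: bytes, manifest: dict) -> list:
    """Recompute the controls on the received bytes and return the list of
    discrepancies; an empty list means the file arrived complete and unaltered."""
    actual = control_totals(received)
    return [
        f"{key}: expected {manifest[key]}, got {actual[key]}"
        for key in ("record_count", "amount_total", "sha256")
        if actual[key] != manifest[key]
    ]


def simulate_transfer(data: bytes, truncate: bool = False) -> bytes:
    """Stand-in for the transport. With truncate=True the last record is
    dropped, the kind of silent loss a packet-level checksum cannot catch
    once the data has been reassembled and written to disk."""
    if not truncate:
        return data
    return data.rsplit(b"\n", 2)[0] + b"\n"


if __name__ == "__main__":
    manifest = control_totals(SENT_FILE)  # produced on the sending side
    print("manifest:", manifest)
    print("clean copy:", verify_transfer(simulate_transfer(SENT_FILE), manifest))
    print("truncated copy:",
          verify_transfer(simulate_transfer(SENT_FILE, truncate=True), manifest))
```

<p>The three controls catch different failures: the record count catches truncation, the hash total catches altered or missing amounts even when the count is unchanged, and the digest catches any byte change at all. The audit test is not just that the sender produces the manifest but that the receiving system actually rejects or quarantines the file when any value mismatches.</p>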
<h1><a href="https://iaonline.theiia.org/2017/Pages/Bring-on-the-Blockchain.aspx">Bring on the Blockchain</a></h1><p>Blockchain is breaking out from Bitcoin's shadow to take on financial, health-care, industrial, and other applications. Think digital payments, smart contracts, medical records integrity, and intellectual property control.</p><p>Biggest thing since the internet? Who knows? But it's expected to be disruptive, even for auditors.</p><p>"Of all the emerging technologies we're currently seeing, blockchain has the potential to have the biggest impact on businesses and society at large," says Ron Hale, chief researcher at Cooraclare Institute and author of the ISACA research report, Blockchain Fundamentals. "Enterprises are increasingly looking at how they can adopt this technology and revolutionize how they deliver products and services."</p><p>Best known as the underlying technology for Bitcoin, blockchain keeps track of digital records on a peer-to-peer network. The chain consists of a series of blocks that record current transactions among users of that network. Each completed block attaches to the chain in chronological order so that the blockchain becomes a history of all transactions.</p><p>On the financial side, a blockchain is a distributed ledger. Traditional financial ledgers are centralized. Transactions are sent to a designated person or authority, who records them into its ledger.</p><p>Blockchain's distributed ledger turns that model on its head. As Bitcoin has demonstrated, the ledger is shared publicly across the network of users, who each enter transactions and sign them through encryption.</p><p>That's just one of its features, according to an ISACA Tech Brief, <a href="https://www.isaca.org/blockchain" target="_blank">Blockchain Basics</a>. Blockchain can cut the cost of journaling transactions for record keeping, and it can log and validate transactions much faster than with a centralized ledger, the paper notes.
For example, blockchain could save financial lenders up to $20 billion each year in settlement, regulatory, and cross-border payment costs, the Spain-based investment fund Santander InnoVentures estimates.</p><p>According to a 2016 survey of 500 financial and insurance industry professionals from around the world, 22 percent of respondents expect that within five years it will be common for consumers to use blockchain wallets to hold most of their financial assets. Fifty-five percent predict it will happen within 10 years and 71 percent say it will be common within 15 years, according to the survey report, <a href="https://www.pega.com/sites/pega.com/files/docs/2016/Jan/the-future-of-retail-financial-services-study.pdf" target="_blank">The Future of Retail Financial Services</a> (PDF). The survey was conducted by Marketforce Business Media on behalf of technology services provider Cognizant and sales and marketing technology vendor Pegasystems Inc.</p><p>This radically different approach to financial transactions could have a disruptive impact on financial reporting and auditing, U.S. Public Company Accounting Oversight Board (PCAOB) member Jeanette Franzel told attendees at Baruch College's Financial Reporting Conference held in May in New York. She said the PCAOB is studying how blockchain could affect audit standards, inspections, and oversight.</p><p>"Certain technologies, such as robotics, artificial intelligence, and distributed ledger technologies, also known as blockchain or distributed database technology, have the potential to disrupt markets and information-sharing, which could also cause disruption to financial reporting and auditing processes," she said.</p><p>Audit firms already are building their blockchain capabilities. 
Deloitte announced in February that it <a href="https://www2.deloitte.com/us/en/pages/about-deloitte/articles/press-releases/deloitte-blockchain-assessment-project.html" target="_blank">had completed a project</a> to demonstrate that audit standards and protocols could be applied to providing assurance on blockchain transaction data and infrastructure. "As this technology evolves, it's only a matter of time until our clients tell us they are moving portions of their business onto blockchain infrastructure," says Will Bible, a partner with Deloitte & Touche LLP in Parsippany, N.J.</p><p>Blockchain isn't only about financial transactions. Organizations can apply it to fight identity theft and fraud, for example. The ISACA paper notes that IBM is working with banks in Canada to use blockchain to validate a person's identity. Indeed, 42 percent of respondents to the Future of Retail Financial Services survey expect consumers will be keeping all of their personally identifiable information in a blockchain wallet within five years. Additionally, organizations can use blockchain to track and authenticate the ownership of physical assets.</p><p>Along the same lines, organizations can use blockchain to facilitate smart contracts. These contracts are computer code that functions to enforce contractual agreements. They work with blockchain much as a video or photo attachment works with email. For example, smart contracts could enable an insurance company to automate some claims, according to an article on the <a href="https://www.techinasia.com/blockchain-technologies" target="_blank"><em>Tech In Asia</em> website</a>.</p><p>Moreover, blockchain could improve security over records and transactions because it is a permanent record that can never be erased, the Future of Retail Banking report notes.
The ability to facilitate anonymous transactions, while ensuring identity, is among the features that could make blockchain a force for innovation, according to the Blockchain Fundamentals report. Another is the potential for eliminating third-party attestation requirements because blockchain transactions can be recorded in a trusted manner.</p><p>On the other hand, the Blockchain Basics paper points out that blockchain is a new technology with few large implementations, so the limitations of the technology aren't known yet. Despite promises of cost savings, the potential variability of transaction costs is another risk. Moreover, organizations must assess security risks, including access control, encryption strength, and the security of the nodes in the blockchain network. Helping their organization understand those risks may be a way internal audit can contribute to seizing the opportunities blockchain presents.</p><p>Tim McCollum</p>
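<p>The article describes the chain as blocks attached in chronological order that become a permanent history, and later notes that the security of the nodes must be assessed. To show concretely why such a record is tamper-evident, here is an added example written for this page: a toy hash-chained ledger in Python, not Bitcoin's protocol and not code from ISACA, Deloitte or the article. It assumes constructed timestamps and transactions and deliberately omits peer replication, consensus and transaction signatures, so it demonstrates only the detection side: an altered past block either no longer matches its stored hash, or, if the insider recomputes that hash, breaks the prev_hash link in the block that follows.</p>

```python
"""Added example (not from the article, ISACA or Bitcoin): a toy hash-chained
ledger that shows how tampering with a past block is detected."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

GENESIS_PREV_HASH = "0" * 64


@dataclass
class Block:
    index: int
    timestamp: str        # constructed, fixed strings keep the example reproducible
    transactions: list    # list of dicts; unsigned (an assumption, see lead-in)
    prev_hash: str        # hash of the preceding block: this link is the "chain"
    hash: str = ""

    def compute_hash(self) -> str:
        """Hash every field except the hash itself, in a canonical encoding so
        that identical content always yields the same digest."""
        payload = json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "transactions": self.transactions, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def new_chain() -> list:
    """Start a chain with a genesis block that links to a fixed all-zero hash."""
    genesis = Block(0, "2017-01-01T00:00:00Z", [], GENESIS_PREV_HASH)
    genesis.hash = genesis.compute_hash()
    return [genesis]


def append_block(chain: list, transactions: list, timestamp: str) -> Block:
    """Seal a new block over the previous block's hash and add it to the chain."""
    prev = chain[-1]
    block = Block(prev.index + 1, timestamp, transactions, prev.hash)
    block.hash = block.compute_hash()
    chain.append(block)
    return block


def verify_chain(chain: list) -> Optional[int]:
    """Return None if every block matches its stored hash and links to its
    predecessor; otherwise the index of the first block where the chain breaks."""
    for i, block in enumerate(chain):
        if block.hash != block.compute_hash():
            return i
        expected_prev = GENESIS_PREV_HASH if i == 0 else chain[i - 1].hash
        if block.prev_hash != expected_prev:
            return i
    return None


def build_sample_chain() -> list:
    """Constructed sample ledger: two transfers on top of the genesis block."""
    chain = new_chain()
    append_block(chain, [{"from": "alice", "to": "bob", "amount": 5}],
                 "2017-01-02T00:00:00Z")
    append_block(chain, [{"from": "bob", "to": "carol", "amount": 2}],
                 "2017-01-03T00:00:00Z")
    return chain


def tamper_and_rehash(chain: list, index: int, transactions: list) -> None:
    """Simulate an insider rewriting a past block and recomputing its own hash.
    The block now looks self-consistent, but the next block still carries the
    old hash in prev_hash, so verification fails at index + 1: rewriting
    history means rewriting every later block, on every copy of the chain."""
    chain[index].transactions = transactions
    chain[index].hash = chain[index].compute_hash()


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain:", verify_chain(chain))                      # None
    chain[1].transactions[0]["amount"] = 500                         # edit in place
    print("edited without rehash, breaks at:", verify_chain(chain))  # 1
    chain = build_sample_chain()
    tamper_and_rehash(chain, 1, [{"from": "alice", "to": "bob", "amount": 500}])
    print("edited and rehashed, breaks at:", verify_chain(chain))    # 2
```

<p>The caveat for an auditor sits in the last function: a hash chain on its own only detects tampering, and an actor who controls the only copy can rewrite every block after the one they changed. The "can never be erased" property the article quotes comes from many independently operated nodes each holding and checking a copy, which is why the closing paragraph's point about node security, access control and encryption strength is where the assessment effort belongs.</p>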
<h1><a href="https://iaonline.theiia.org/2017/Pages/Auditing-Cyber-Resiliency.aspx">Auditing Cyber Resiliency</a></h1><p>Organizations continue to implement cybersecurity defenses to prevent an attack from occurring. Cyber resiliency shifts the paradigm away from defense and toward withstanding a hack and returning to business operations. To achieve these goals, IT functions must identify the aspects of cybersecurity that focus on resiliency, and internal auditors must determine the areas in which they can provide assurance and consulting value.</p><p>U.S. Presidential Policy Directive 21 (Homeland Security) defines <em>cyber resiliency</em> as "the ability to prepare for and adapt to changing conditions, and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents." The assumption of cyber resiliency is that an organization will be attacked and a breach will occur, so organizations need to focus on how to detect and recover from incidents.</p><p>A 2013 publication from The MITRE Corp. notes that there are about 860 controls and enhancements in the U.S. National Institute of Standards and Technology's (NIST's) <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" target="_blank">Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations</a> (PDF). The MITRE publication, <a href="https://www.mitre.org/sites/default/files/publications/13-4047.pdf" target="_blank">Cyber Resiliency and NIST Special Publication 800-53 Rev.4 Controls</a> (PDF), points out that most of the controls are focused on achieving the security goals of confidentiality, integrity, and availability. Depending on how they are categorized, approximately 17 percent of the controls focus on cyber resiliency, according to the MITRE publication.
</p><p>Cyber resiliency controls can be grouped into several categories, such as governance, user permission strategy, segmentation, active response, data integrity assurance, monitoring, recovery solutions, and coordinated defense.</p><h2>Governance</h2><p>In cyber resilient organizations, resiliency should permeate the governance process through the enterprise risk management (ERM) process, the overall security strategy, organizational policies and procedures, communication and awareness strategies, and the use of standard frameworks and maturity level assessments. Indeed, cyber resiliency is one part of a far more global picture of cybersecurity within these categories. A cyber resiliency emphasis should include policies and procedures surrounding data and system classifications. The organization's security strategy should focus on critical data and systems to ensure they are the least affected by an intruder and become the most resilient areas. When a hack occurs, the organization should be decisive with its communications strategy and ensure that its employees are aware of the latest cyber threats. Additionally, the current cyber resiliency maturity level should be evaluated based on a cyber resiliency framework.</p><h2>User Access Permissions</h2><p>User access should follow the principle of least privilege to ensure access is granted based on the minimum access needed to perform one's job function. This principle is the primary focus of resiliency within the four tiers of information security: authentication, authorization, access, and monitoring. For higher privilege users, organizations should implement enhanced authentication mechanisms such as two-factor authentication. Authorization for these users may require more than one approval level. Monitoring should be directed primarily toward active review and evaluation of employees with higher privileges. The extent of access can be changed if the threat level changes.
</p><h2>Segmentation</h2><p>Cyber resiliency primarily focuses on a segmented architecture approach for the network, using a defense-in-depth strategy. This approach should include isolation of critical data and systems as denoted by the organization's data and system policies and procedures. A multilayered network approach should encompass both logical and physical networks and incorporate limited trust relationships. Key internal network segments and external network connections should include a set of boundary protections, such as firewalls, that use policies and procedures to restrict access to each segment. Other key assumptions include prohibiting direct connections to the internet and allowing incoming communications only from trusted sources.</p><h2>Active Response</h2><p>Resiliency through active response can ensure timely follow-up and resolution of detected alerts. Although this should include timely manual response, it is more focused on automated responses. Firewalls and other network appliances should adapt to deny access to certain portions of the network and limit access based on the current threat level. Intrusion detection and response processes should be in active mode, and potentially shut down portions of the network or internet access for the entire organization in the event of an incident. A downside of active automated responses is that unintended consequences can occur that may interrupt key business processes. Therefore, a combination of some network appliances placed in limited active mode and more timely manual response may be a better alternative than allowing responses to be entirely automated.</p><h2>Data Integrity Assurance</h2><p>Cyber resiliency can limit the impact of an incident on a system, including data corruption.
Organizations can use a combination of physical and logical restrictions to ensure data integrity is maintained, including:</p><ul><li>Limiting the flow of data between network boundaries or segments based on the threat level.</li><li>Manually disabling write access on devices, or allowing only read-only disks for operating system or other executables.</li><li>Implementing a secure system development life cycle.</li><li>Performing supplier and vendor due diligence to ensure hardware and software are acquired from reputable sources.</li><li>Establishing whitelists to ensure data is received only from trusted sources, or ensuring that malware cannot be injected into the organization's web pages.</li><li>Ensuring tainted data can be recovered in a timely manner.</li></ul><h2>Monitoring</h2><p>To be cyber resilient, monitoring should be engaged at a higher level of activity overall so that the standard response processes become the minimum acceptable level. Tracking, logging, and alerting should occur in a timely manner and promote an active response. Vulnerability and penetration tests should be performed on both a scheduled and an unscheduled basis. Incident response plans should be continuously updated, and user awareness training should be conducted based on current threats.</p><h2>Recovery Solutions</h2><p>Resiliency recovery is based on the standard recovery processes of backup, disaster recovery, and continuity planning. However, the level of overall engagement and response may be more active or diversified. Backup resiliency aspects include storing data on-site and off-site in secure locations that can facilitate faster recovery, as well as using redundant systems, locations, power, and environmental systems.
Disaster recovery and business continuity should include more diversified locations for planning, with additional testing and plans updated more frequently based on current cyber threats.</p><h2>Coordinated Defense</h2><p>Coordinated defense is the most important category for cyber resiliency. A coordinated defense should include aspects of all the previous categories combined into a comprehensive architecture and strategy. Additionally, this should include purchasing appropriate cyber insurance and hiring external specialists to ensure sufficient competent resources are available in the event of a breach. Cyber insurance can provide both financial coverage and additional specialists, if contained within the policy. Therefore, the overall coordination should ensure there is no duplication between the specialists the organization hires and those provided for under the insurance policy.</p><p>Overall, coordination is necessary to manage all the moving parts during a cyber crisis, including forensic investigation, public relations, and breach notifications. Integral to this coordinated defense is having a crisis management plan. Moreover, the organization will need to perform many activities that require both technical and nontechnical resources. Using external specialists to supplement existing resources within a coordinated, unified approach can greatly enhance the organization's overall cyber response.</p><h2>Go Forth and Audit Resiliency</h2><p>While it may take some level of IT competency, there are many assessing and consulting aspects of cyber resiliency that internal auditors with just a basic understanding of IT general controls can perform. For more IT-intensive resiliency aspects, the internal audit department could either have staffing that includes auditors with a higher level of IT competency or outsource certain reviews that require such skills.
The CAE could evaluate the current staff's skills and then create formal plans to enhance its IT competency. Several IIA training courses are available that provide basic IT and cybersecurity training. The focus should be to provide all staff members with a degree of IT skills to enable them to assess cyber resiliency in all audits.</p><p>Once internal audit understands what cyber resiliency is and has trained its staff in fundamental IT general controls, it should develop an assessment and consulting plan. This plan could include incorporating cyber resiliency assessments into areas that the internal audit team currently reviews (see "Cyber Resiliency Activities" below). Equipped with the IT competency skills and plan, internal audit can be at the forefront of assessing and consulting on its organization's cyber resiliency strategies.</p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>Cyber Resiliency Activities</strong></p><p>Internal auditors can perform assessment and consulting activities for each category of cyber resilience.</p><p><strong>Governance</strong></p><ul><li>Ensure that the chief audit executive and chief information officer jointly communicate the need for resiliency to executive management and the audit committee.</li><li>Review cyber resiliency using a recognized framework. This could include working with the organization's security function to evaluate resiliency controls.</li><li>Review user awareness and training programs, and the metrics management uses to measure whether current training levels are successful.</li><li>Review alignment of policies and procedures that denote which systems and data are critical to the current security architecture and strategies.
</li></ul><p><strong>Least Privilege</strong></p><ul><li>Review privileged access capability by confirming which users have domain admin capability and ensuring their activity is monitored.</li><li>Perform access management audits on various systems on a rotational basis.</li><li>Review user account activation and deactivation processes, ensuring correct access is assigned for new users and terminated users' accounts are disabled in a timely manner. Also determine whether appropriate authorization for access occurs and minimal access is assigned.</li><li>Work with the IT staff to evaluate each system's roles to validate that they meet the least privilege principle.</li><li>Assist in training application owners to ensure users' access is reviewed periodically.</li></ul><p><strong>Active Response</strong></p><ul><li>Assess the strategy used to place network appliances in active response mode and evaluate whether business impacts are incorporated into the strategy.</li><li>Review testing of incident response plans and ensure plans are updated as threat levels change.</li></ul><p><strong>Data Integrity Assurance</strong></p><ul><li>Participate in system and development projects to ensure security is discussed during the entire process.</li><li>Evaluate vendor and supplier management processes to ensure the organization is contracting with reputable vendors.</li><li>Review how data flows between physical and logical networks or network segments, and ensure confidential data is not moving into less secure areas.</li></ul><p><strong>Monitoring</strong></p><ul><li>Work with the security function to develop or assess metrics denoting that alert messages are communicated and resolved in a timely manner.</li><li>Employ a third-party expert to perform a penetration test — with only minimal IT participation — to validate the adequacy of IT detection and mitigation strategies.
</li><li>Ensure vulnerability scans are performed periodically and results are remedied in a timely manner.</li><li>Test the effectiveness of threat-awareness programs.</li></ul><p><strong>Recovery Solutions</strong></p><ul><li>Conduct a walk-through of the off-site storage facility to ensure adequate security procedures are in place.</li><li>Test whether regular backups of all systems occur.</li><li>Participate in the IT department's regular recovery testing procedures by randomly selecting backup tapes from off-site storage and observing recovery procedures.</li><li>Review redundancy of power and cabling.</li><li>Participate in disaster recovery and continuity exercises.</li></ul><p><strong>Segmentation/Coordinated Defense</strong></p><ul><li>Review the adequacy of the network segmentation strategy to protect critical data and systems. Additionally, review whether network boundaries that segment critical data and systems are protected with a network appliance (e.g., a firewall).</li><li>Review cybersecurity policies and procedures, and suggest enhancements.</li><li>Review cyber insurance coverage and requirements, and ensure there is no duplication of services between cyber insurance-provided expertise and contracted specialists.</li></ul></td></tr></tbody></table><p>James Reinhard</p>
<h1><a href="https://iaonline.theiia.org/2017/Pages/CAE-Action-Steps-in-Response-to-Recent-Cyberattacks.aspx">CAE Action Steps in Response to Recent Cyberattacks</a></h1><p>By now nearly every chief audit executive (CAE) has heard of the wave of cyberattacks that rolled out across the globe <a href="http://www.bbc.com/news/technology-39896393" target="_blank">over the last week</a>. While there is no certainty that we currently know all the details about what allowed this attack to be so successful — or the scope of its impact — there are some key concepts for CAEs to keep in mind and action steps they can take in the near future to help their organizations address this type of risk.</p><p><strong>Cyberthreats are constantly changing and never-ending. </strong>What was experienced last week was different from prior significant issues, and will probably be different from future issues. Organizations need to be up-to-date, flexible, and address cyber risk holistically. The next major attack on your organization could very well be something you were not expecting. In addition, the hard reality is that the "next" attack has possibly already happened; you just have not found it yet. Cyberthreats are a constant risk requiring you to be looking forward, not in the rearview mirror. It cannot be a checklist topic driven from past experiences.</p><p><strong>The primary focus of cyber risk must be its business impact. </strong>What is important is the impact of a cyberattack on business processes, reputation, ability to accomplish objectives, etc. Relegating a cyberattack to merely the result of bad operating practices for testing and installing patches misses the critical question — how does the attack impact the business? Any risk assessment and consideration of responses to cyber issues needs to start with an evaluation of how attacks could impact business operations. For those old enough to remember, this is analogous to Y2K.
The issue there wasn't computer systems shutting down, but the impact on the ability to conduct critical business activities.</p><p><strong>Risk assessment is hard, especially with the type of risks into which cyber falls. </strong>Cyber risk can be either high-likelihood low-impact or low-likelihood high-impact — or probably both. The low-impact issues are relatively easily handled by good IT practices. The high-impact but infrequent risks are much more complicated and need much more attention to assess. For example, any new cyberattack typically is high velocity (appears seemingly out of nowhere overnight), highly complex (is not isolated to only one aspect of the business), and can be highly persistent (impact sticks around for longer than anyone wishes). Simple X-Y grids of risk assessment cannot properly consider a risk like cyber. Cyber risk assessment requires IT knowledge but, as important, also requires a strong understanding of the business, its activities, and its objectives. In short — it requires business acumen.</p><p><strong>Cyber risks involve more than protecting the "crown jewels." </strong>Many who look at cyber risk primarily focus their efforts on making sure the organization's crown jewels are protected. These are the portion of electronic data that have the most value to the organization. While you may have protected the crown jewels, many critical, routine operations may be supported by systems that have very inadequate protection.</p><p><strong>Cyber risk is not an "IT thing."</strong> Cyber risk is primarily a business risk magnified, modified, and mystified by being supported by IT systems.
If the primary drivers on cyber risks and responses are only IT personnel, there is a high risk the approach will be unnecessarily limited and incomplete.</p><p><strong>Never forget the "human element."</strong> While this attack does not seem to have been primarily driven by an employee opening a phishing email, data suggests this is the source of a large number of successful cyberattacks. Training employees, communicating with them, testing them with "fake" phishing emails, training them some more, and communicating with them some more are all part of the never-ending process to help employees understand their critical role in preventing an external hack.</p><p>So what should a CAE do today? Management and boards are invariably buzzing about the recent wave of attacks and trying to understand their exposure to this risk. The IIA's Audit Executive Center suggests CAEs do the following:</p><ol><li>Carefully evaluate the critical operational activities of your organization and identify the supporting electronic infrastructure to ensure the scope of your organization’s cyber risk assessment is adequate. Do not start from a list of systems or the protections currently in place. Start from critical business activities and reach back into the supporting infrastructure.</li><li>Reevaluate the robustness of the risk assessment for cyber risks. Ensure this risk assessment considers all the inherent complexities and nuances of cyber risks and is not relegated to a simplistic form of risk assessment used for less difficult risks.</li><li>Review business continuity plans under all the various scenarios that can occur from cyberattacks — denial of service, ransomware, loss of proprietary data, etc.
Ensure the plans cover all these scenarios and address how the business will keep operating, not just whether the crown jewels are protected.<br></li><li>Consider initiating ethical hacking routines to seek out vulnerabilities that could be exploited by a cyberattack. With the pace of change in technology, this should be an ongoing effort, not one done only periodically when an issue arises.<br></li><li>Review basic IT operations around patch management. This should not be a new idea, but given current events, it would probably be a good idea to accelerate the timing of this on your audit plan.<br></li><li>Review programs and efforts to keep employees well-trained and informed of their critical role in preventing cyberattacks from being successful.<br></li></ol><p> <em>This article originally appeared on the <a href="https://aec.theiia.org/Pages/default.aspx" target="_blank">Audit Executive Center's website</a>.</em></p>Jim Pelletier
Elevating the Board’s Oversight of Cyber Risk (https://iaonline.theiia.org/blogs/marks/2017/Pages/Elevating-the-board’s-oversight-of-cyber-risk.aspx)<p>I have known Jim DeLoach of Protiviti for a very long time. He's a friend. </p><p>While we may disagree on details and the way of saying things, we tend to agree more than we disagree.</p><p>For example, I frequently quote Jim when it comes to the periodic review of a list of risks. As he says, this is "enterprise <em>list</em> management," not enterprise risk management — which is about taking the right level of the right risks (my expression).</p><p>When it comes to cyber risk and the board's role, I think we again agree on more than we disagree. He has written a couple of posts for the (U.S.) National Association of Corporate Directors (the second is a continuation of his thinking):</p><ul><li><a href="https://blog.nacdonline.org/2017/03/elevating-board-oversight-of-cyber-risk/" target="_blank">Elevating Board Oversight of Cyber Risk</a>, March 2017.</li><li><a href="https://blog.nacdonline.org/2017/04/cyber-risk-oversight-questions/" target="_blank">Ask These Key Questions to Assess Cyber-Risk Oversight</a>, April 2017.</li></ul><p>These are both good food for thought. But are they enough? Are his questions and insights consistent with what I would do as a board member?</p><p>Frankly, no.</p><p>I would take each of the organization's key objectives (such as the earnings target, customer satisfaction goal, and so on) and ask the executive team how a breach might affect their achievement. It's a simple question, but it's not simple for them to answer. They would have had to complete a careful assessment of the risk a breach poses to the enterprise and of its effect on the various business initiatives. </p><p>Most don't go far enough. 
They may consider the effect on a critical application and its availability, or the cost of disruption, but they haven't thought through how a breach could affect the organization's ability to provide quality products and services to its customers, its reputation and what that means to revenue, and so on.</p><p>So, I would start with a single simple question. The discussion may extend to consideration of his other points, such as the ability to detect a breach and then respond. I have decided that it is better for the board (and management, including the risk officer) to stop trying to manage or mitigate risk. Instead, they should focus on what it will take to achieve the objectives of the organization: How will potential events, situations, and decisions affect that achievement?</p><p>It is easy to go overboard with concern about cyber risk. Of course it is important. But is it the most significant threat to earnings per share?</p><p>The only way to know is to answer my question: "How would a breach affect our ability to attain our critical targets, our measures for success?"</p><p>I welcome your thoughts and comments.</p>Norman Marks
Does Your Organization’s Cyber Culture Make You #Wannaaudit? (https://iaonline.theiia.org/blogs/chambers/2017/Pages/Does-Your-Organization’s-Cyber-Culture-Make-You-Wannaaudit.aspx)<p>It didn't take long for social media to adopt #wannacry for last week's massive cyberattack, which hit computer networks in nearly 100 countries from the U.S. to the U.K. to China. The ransomware virus, called Wanna Decryptor, encrypted valuable data on compromised networks, then threatened to destroy it unless payments were made.</p><p>For those of us who have spent our careers promoting good internal controls and risk management, this latest cyberattack could indeed bring tears of frustration because the attack successfully exploited some of the most basic and easily mitigated cyber risks.</p><p>First, the perpetrators relied on simple phishing to introduce the virus through an email attachment, according to cybersecurity experts quoted by multiple news outlets.</p><p>The news media also reported that a patch to fix vulnerabilities to the specific malware was distributed by Microsoft Corp. at the end of March. Yet, many of the attack's targets, including the U.K.'s National Health Service, fell victim because they failed to apply the patch.</p><p>It is unfathomable to me that such attacks continue to succeed, yet the global reach of Friday's attack reflects how vulnerable we remain. It has become vogue to declare that it is no longer a matter of "if" but "when" an organization will be successfully hacked. But that message, designed to urge organizations to focus beyond prevention, may be enabling weak cybersecurity cultures.</p><p>The recently released <a href="http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/" target="_blank">2017 Data Breach Investigations Report</a> by Verizon offers telling information that confirms just how much work is left to be done. 
Here's a sampling of its findings, based on analysis of data breaches in 2016:</p><ul><li>80 percent of hacking-related breaches leveraged either stolen passwords and/or weak or guessable passwords.</li><li>1 in 14 users were tricked into following a link or opening an attachment.</li><li>66 percent of malware was installed via malicious email attachments.</li><li>95 percent of phishing attacks that led to breaches were followed by some sort of software installation.</li></ul><p>If those statistics don't send a chill down your spine, two other key data points should:</p><ul><li>61 percent of data breach victims were businesses with fewer than 1,000 employees.</li><li>Ransomware has gone from being the 22nd most-common form of malware in 2014 to fifth in 2017.</li></ul><p>These statistics raise the alarming specter that organizations don't appreciate the risks they face or the value of even the most basic prophylactic cybersecurity measures. As internal auditors, we must question whether our organizations' cybersecurity cultures could unwittingly allow these breaches to happen.</p><p>Providing assurance on cybersecurity involves more than just looking at whether the protocols and policies designed to block or discourage cyberattacks are in place and operating effectively. We must consider how the organization's culture influences how those protections are carried out. For example, organizations may be willing to accept higher-risk behavior in email practices in exchange for higher productivity. Efforts to protect data through encryption may be undone if rules prohibiting or limiting hard-copy versions of the data are not in place or are ignored. 
We also must be attuned to an organization's "IT mystique," which accepts that only IT understands certain aspects of cybersecurity and therefore can't be questioned.</p><p>Part of the solution is for internal auditors to build cooperative relationships with IT, chief risk officers, chief information security officers, human resources, and others who manage cyber risks. This is essential for internal audit to gain a clear understanding of what drives cyber risks and what influences the organization's cybersecurity culture. It must then share those insights with management and the board.</p><p>I'll leave you with a number of quick takeaways from the Verizon report that offer sound advice all organizations should take to heart:</p><ul><li> <strong>Be vigilant.</strong> Log files and change-management systems can give you early warning of a breach.</li><li> <strong>Make people your first line of defense.</strong> Train staff to spot the warning signs.</li><li> <strong>Only keep data on a "need-to-know" basis.</strong> Only staff members who need access to systems to do their jobs should have it.</li><li> <strong>Patch promptly.</strong> This could guard against many attacks.</li><li> <strong>Encrypt sensitive data.</strong> Make your data next to useless if it is stolen.</li><li> <strong>Use two-factor authentication.</strong> This can limit the damage that can be done with lost or stolen credentials.</li><li> <strong>Don't forget physical security.</strong> Not all data theft happens online.</li></ul><p>Internal auditors often deal with frustrating failures of risk management and internal controls in our organizations. Cybersecurity breaches are perfect examples of failures in multiple lines of defense. While the temptation in the face of calamitous failures is to #Wannacry, we must instead roll up our sleeves and embrace the challenges as internal audit professionals. 
We must #Wannaaudit.</p><p>As always, I look forward to your comments.</p>Richard Chambers
The Drive for Data Analytics (https://iaonline.theiia.org/2017/Pages/The-Drive-for-Data-Analytics.aspx)<p>Demand for internal audit to incorporate data analytics into its work is growing, especially among departments that already have more expertise in it, according to Protiviti Inc.'s <a href="https://www.protiviti.com/US-en/insights/internal-audit-capabilities-and-needs-survey" target="_blank">2017 Internal Audit Capabilities and Needs Survey</a> of 906 internal audit professionals. Internal audit functions that have made analytics part of their audit processes are seeing real value, the survey report notes. On a 10-point scale, those respondents rate the value of analytics at 6.9.</p><p>"As recognition of these benefits grows, we expect to see chief audit executives work with management and the board of directors to make further investments to increase their data analytics capabilities, in terms of both tools and skill sets, as the practice of internal auditing shifts increasingly to analytics and continuous auditing and monitoring," says Brian Christensen, executive vice president, global internal audit and advisory for Protiviti.</p><p>Most respondents' departments have set out on the road to that future — some are going nowhere fast. Two-thirds of respondents say their department has made data analytics part of its audit process. Among the internal audit functions that haven't done so, 21 percent plan to incorporate analytics into the audit process within the next year, while 43 percent plan to within the next two years. The remaining audit departments (36 percent) don't plan to add analytics to their processes.</p><p>In terms of maturity, 40 percent say their department is at the initial, ad-hoc stage of developing their analytics capabilities, while 34 percent say they have documented analytics processes sufficiently to make the steps repeatable. 
That leaves 26 percent of departments that have at least made analytics a defined business practice or have reached the managed and optimized stages.</p><p>Overall, 42 percent of respondents report that their department uses analytics on 25 percent or fewer of its audits. Another 26 percent say their department uses it on up to half of its audits. </p><p>"It can be overwhelming for organizations just getting started with using data analytics," Christensen says, citing issues such as budget constraints and the need to establish processes and train auditors. "Companies just need to pick a starting point and get the help they need so that, over time, they can truly optimize their internal audit functions."</p><p>Departments that have reached the managed and optimized stages of maturity have seen a greater payoff from analytics. Thirty-eight percent of those departments use analytics on more than 75 percent of audits. That pushes the value of analytics up to 8.1 on a 10-point scale.</p><p>Accessing data is one of the biggest challenges organizations face in developing their analytics capabilities. Common problems include identifying where data is stored, system constraints, and coordination with the IT function. Furthermore, less than one-fourth of respondents say the quality of data for analytics is very good or excellent.</p><p>One solution to data access and quality problems is for internal audit to maintain its own warehouse of organizational data, similar to one established by internal auditors at the Canada Revenue Agency (see <a href="/2017/Pages/The-Data-Museum.aspx">"The Data Museum"</a>). Twenty-eight percent of departments using analytics have a dedicated data repository, but 55 percent of the managed or optimized audit functions have one.</p><p>One bright spot for audit functions with more advanced analytics capabilities is that 62 percent are practicing continuous auditing, long touted as a principal benefit of analytics. 
Continuous auditing enables those departments to monitor areas with known risk issues, data related to controls in scope for compliance initiatives, fraud risk indicators, and key performance indicators in operational processes.</p><p>Progressing to such a stage will take a long-term strategy, the survey report advises. It outlines action items for internal audit functions, including:</p><ul><li>Looking for opportunities to expand the department's knowledge of data analytics capabilities.</li><li>Conducting modest demonstrations of analytics capabilities in the early stages of development.</li><li>Establishing a champion to lead analytics efforts.</li><li>Expanding internal audit's access to quality data and identifying internal and external data sources.</li></ul><p>Moreover, it recommends that internal audit functions devise ways to measure the progress of their data analytics efforts and report that to stakeholders.</p>Tim McCollum
The Data Museum (https://iaonline.theiia.org/2017/Pages/The-Data-Museum.aspx)<p>More packets of data pass through the internet than there are grains of sand on the earth. Some organizations have already recognized the great potential that lies hidden within their operational and administrative data stores. For that reason, data management and data quality are among the most important considerations for business intelligence practitioners. However, practitioners must spend most of their effort on curating, cleaning, and preparing data before they can glean any meaningful information through analytics.</p><p>Increasingly, internal audit functions also are expected to use data analytics to tap into their organization's data stores. To do so, auditors need a way to understand, structure, and catalog that data so it tells a story. In the words of the movie hero, Indiana Jones, "it belongs in a museum."</p><p>Internal auditors and data analysts within the Canada Revenue Agency's (CRA's) Audit, Evaluation, and Risk Branch (AERB) are adapting data warehousing principles to create a data museum to support internal audit engagements. This database environment contains useful data curated from various sources to describe historical and current performance levels of CRA operations and administrative activities. The data museum is intended to support a wide variety of engagements at any given time, and could increase internal audit intelligence. </p><p>Internal auditors, program evaluation analysts, and risk managers will be able to browse the data museum, helping them provide more insight, oversight, and foresight for the entire organization. The data will be easily accessible in a format that is ready for analysis, and auditors will be able to browse through the relevant exhibits to gain insight into the controls they are examining. 
</p><h2>Curating Data</h2><p>In setting up a data museum, internal audit departments need dedicated "archaeologists" to discover and curate new data sources. These individuals select data sets to add to the museum based on four criteria:</p><ul><li>Relevance – Would the data provide information about internal controls, identifying and mitigating risk? Would it help make data-driven business decisions?<br></li><li>Reliability – Is the data relatively free from integrity issues? Would it be easy to prepare the data for permanent display and use by auditors?<br></li><li>Reusability – Will the data be able to support a critical mass of engagements?<br></li><li>Rarity – Is the data currently unavailable in a format that is ready for immediate use?<br></li></ul><p>In addition to curation, the data museum relies on thoughtful arrangement of exhibits into themes, similar to how traditional museums are organized. Data are extracted from the CRA's data warehouse and source systems, assessed for value, and prepared and made into exhibits that are displayed by theme for internal audit use. Some data artifacts also can be reused in multiple exhibits and categorized in other themes. </p><p>If a particular engagement requires new data, which is not available, then a new exhibit can be created. If the new exhibit proves to be reusable for future engagements, then it can become part of the data museum's "permanent collection."</p><h2>The HR Exhibit</h2><p>One of the exhibits in the CRA's internal audit data museum contains information about all employees within the agency. The human resources (HR) exhibit is a curated set of data tables from the CRA's HR database, which was prepared and loaded into the museum. These tables include employee status, personal information, payroll, time reporting, and assignment. 
</p><p>In setting up the exhibit, the AERB studied the structure of each table and the relationships among them, allowing the department to automate some aspects of data preparation and maintenance. It used Microsoft SQL Server Integration Services (SSIS) to extract, transform, and load the data, which is refreshed regularly. The department also continues to search for and add new artifacts to the exhibit to keep it relevant, which enables internal auditors to retrieve recent information about any employee or groups of employees. </p><p> <strong>Using SQL</strong> The fastest way to start exploring the AERB's HR exhibit is to run query statements using Structured Query Language (SQL), which selects records from the exhibit and can be exported into reports. Basic SQL statements are not difficult to formulate, and some of the department's internal auditors are already using them to browse the exhibit to access, analyze, and review its data. </p><p>A simple SQL statement consists of these elements and expressions:</p> <img src="/2017/PublishingImages/Pages/the-Data-Museum/ITAudit_Simple-SQL-Statement.png" alt="ITAudit_Simple-SQL-Statement.png" style="margin:5px;width:255px;height:179px;" /> <p>Internal auditors can use the information in the HR exhibit as evidence in support of engagement observations and findings. 
There is also potential to uncover risks to achieving control objectives through trend analysis and data analytics.<br></p><p>The SQL statement below is an example of a simple query of the HR exhibit, which produces a list of managers and executives assigned to various cost centers within the CRA.<br></p><p> <strong><em>SQL Statement (Pseudo Code)</em></strong></p><p> <img src="/2017/PublishingImages/Pages/the-Data-Museum/ITAudit_SQL-Statement_Pseudo-Code.png" alt="ITAudit_SQL-Statement_Pseudo-Code.png" style="margin:5px;width:420px;height:163px;" /> <br> </p><p> <strong><em>Corresponding SQL Statement (From Pseudo Code)</em></strong></p><p> <img src="/2017/PublishingImages/Pages/the-Data-Museum/ITAudit_Corresponding-SQL-Statement.png" alt="ITAudit_Corresponding-SQL-Statement.png" style="margin:5px;width:550px;height:79px;" /><br></p><p> <strong><em>SQL Query Results (From SQL Statement)</em></strong></p><p> <img src="/2017/PublishingImages/Pages/the-Data-Museum/ITAudit_SQL-Query-Results.png" alt="ITAudit_SQL-Query-Results.png" style="margin:5px;width:470px;height:173px;" /><br></p><p>Internal audit also designed more complex queries to identify managers and employees who used a large amount of sick leave relative to their vacation leave. The information was used to test management oversight of leave usage and identify where high-risk governance issues may exist.<br></p><p> <strong>Tools</strong> In addition to using SQL statements, there are other means to browse and analyze the HR exhibit. Because the data museum resides on a platform that supports Open Database Connectivity (ODBC), auditors can connect to the data with more sophisticated analysis tools as well as import data into traditional audit tools.</p><p>For data visualization and advanced reporting, auditors can establish a direct connection to the data with Microsoft SQL Server Reporting Services. 
For simple reporting, auditors export the results of queries to Excel. The flexibility of the AERB's environment will also allow the department to consider using other data visualization tools.</p><p> <strong>A Horizontal View</strong> A horizontal view of an organization can be achieved by exploring the various exhibits within a data museum holistically. For example, the AERB's HR exhibit could be explored along with a financial transaction exhibit. If high-risk transactions are found within some organizational units, further analysis of HR data could determine whether there is a sufficient number of employees with various roles to achieve effective segregation of duties.</p><h2>Gaining Insight</h2><p>Establishing a data museum can give internal audit departments insight from the vast amounts of data within their organization. To get started, they should: </p><ul><li>Take stock of recent engagements and determine whether there are any frequently used domains of data, which can be formed into exhibits.<br></li><li>Decide on an environment to house the museum. Choose a relational database system that will meet internal audit's needs.<br></li><li>Start small. Design the first exhibit, and understand the business line and corresponding data repository. Decide which tables and data fields the department should keep.<br></li><li>Learn how to write basic SQL statements. This will allow auditors to "interview" the exhibits within the data museum.<br></li><li>Ensure audit trails and logs have been activated so browsing activities comply with internal security policies. Leverage this ability to validate whether management follow-up occurred.<br></li></ul><p>As an integral part of the internal audit strategy, a data museum can give auditors insight into the functioning of controls, the achievement of business objectives, and the identification of risk. Information extracted from queries also can help auditors scope audit programs appropriately. 
Auditors can perform more sophisticated analytics on the data during the audit testing phase as well as during audit follow-up to assess whether management action plans resulted in improvements. If the data museum is visited regularly — independent of any particular engagement — then the information could be used as input into risk-based audit planning activities, helping to increase overall internal audit intelligence.</p>Kevin Leung
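<p>The three kinds of query "The Data Museum" describes, as an added example that is not the article's or the CRA's code: the list of managers and executives by cost center, the sick-leave-to-vacation comparison used to test management oversight of leave, and the horizontal check that joins a financial exhibit to the HR exhibit to ask whether a cost center with high-value transactions has enough people in distinct roles to segregate duties. It runs against a constructed HR and financial data set loaded into SQLite so it can be executed offline; the table names, column names, position codes, the 'preparer'/'approver' roles and the thresholds are assumptions made for illustration, not the CRA's schema. The SQL itself is standard and would run against a SQL Server copy of such an exhibit with at most minor changes.</p>

```python
"""Added example, not the article's or the CRA's code: SQL over a small HR exhibit
and a financial exhibit. Table names, columns and position codes are assumptions;
SQLite keeps it self-contained, and the SQL is portable to SQL Server."""
import sqlite3

# Constructed sample data, not real records. position_group codes are assumed
# (EX executive, MG manager, SP staff); role is 'preparer' or 'approver' of payments.
HR_EMPLOYEE = [  # (emp_id, name, position_group, cost_center, role)
    (1, "A. Singh", "EX", "CC100", "approver"), (2, "B. Tremblay", "MG", "CC100", "preparer"),
    (3, "C. Wong", "SP", "CC100", "preparer"), (4, "D. Roy", "MG", "CC200", "approver"),
    (5, "E. Nguyen", "SP", "CC300", "preparer"), (6, "F. Ali", "SP", "CC300", "preparer"),
]
HR_LEAVE = [  # (emp_id, fiscal_year, leave_type, hours)
    (1, 2016, "sick", 40), (1, 2016, "vacation", 120), (2, 2016, "sick", 150),
    (2, 2016, "vacation", 30), (3, 2016, "sick", 20), (3, 2016, "vacation", 80),
    (4, 2016, "sick", 90), (4, 2016, "vacation", 90), (5, 2016, "sick", 60),  # 5: no vacation
    (6, 2016, "sick", 10), (6, 2016, "vacation", 100),
    (2, 2015, "sick", 300), (2, 2015, "vacation", 10),  # prior year, excluded by the filter
]
FIN_TRANSACTION = [  # (txn_id, cost_center, amount)
    (1, "CC100", 75000), (2, "CC200", 120000), (3, "CC200", 4000),
    (4, "CC300", 90000), (5, "CC300", 55000),
]


def build_exhibit():
    """Load the constructed data into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE hr_employee (emp_id INTEGER PRIMARY KEY, name TEXT,
                                  position_group TEXT, cost_center TEXT, role TEXT);
        CREATE TABLE hr_leave (emp_id INTEGER, fiscal_year INTEGER, leave_type TEXT, hours INTEGER);
        CREATE TABLE fin_transaction (txn_id INTEGER PRIMARY KEY, cost_center TEXT, amount INTEGER);
    """)
    conn.executemany("INSERT INTO hr_employee VALUES (?,?,?,?,?)", HR_EMPLOYEE)
    conn.executemany("INSERT INTO hr_leave VALUES (?,?,?,?)", HR_LEAVE)
    conn.executemany("INSERT INTO fin_transaction VALUES (?,?,?)", FIN_TRANSACTION)
    return conn


def managers_by_cost_center(conn):
    """The simple query the article shows: managers and executives per cost center."""
    return conn.execute("""
        SELECT cost_center, name, position_group
        FROM hr_employee
        WHERE position_group IN ('MG', 'EX')
        ORDER BY cost_center, position_group, name
    """).fetchall()


def leave_outliers(conn, fiscal_year, ratio):
    """Employees whose sick leave exceeds `ratio` times their vacation leave in a year.
    Sick leave with no vacation at all is flagged too, since anything > ratio * 0."""
    return conn.execute("""
        SELECT e.emp_id, e.name, e.position_group,
               SUM(CASE WHEN l.leave_type = 'sick' THEN l.hours ELSE 0 END) AS sick_hours,
               SUM(CASE WHEN l.leave_type = 'vacation' THEN l.hours ELSE 0 END) AS vacation_hours
        FROM hr_employee e
        JOIN hr_leave l ON l.emp_id = e.emp_id
        WHERE l.fiscal_year = :fy
        GROUP BY e.emp_id, e.name, e.position_group
        HAVING SUM(CASE WHEN l.leave_type = 'sick' THEN l.hours ELSE 0 END)
             > :ratio * SUM(CASE WHEN l.leave_type = 'vacation' THEN l.hours ELSE 0 END)
        ORDER BY sick_hours DESC
    """, {"fy": fiscal_year, "ratio": ratio}).fetchall()


def sod_gaps(conn, threshold):
    """Horizontal view: cost centers with high-value transactions where the HR exhibit
    shows nobody assigned to prepare, or nobody to approve, so duties cannot be segregated."""
    return conn.execute("""
        WITH risky AS (
            SELECT cost_center, COUNT(*) AS high_risk_txns
            FROM fin_transaction
            WHERE amount >= :threshold
            GROUP BY cost_center
        )
        SELECT r.cost_center, r.high_risk_txns,
               SUM(CASE WHEN e.role = 'preparer' THEN 1 ELSE 0 END) AS preparers,
               SUM(CASE WHEN e.role = 'approver' THEN 1 ELSE 0 END) AS approvers
        FROM risky r
        LEFT JOIN hr_employee e ON e.cost_center = r.cost_center
        GROUP BY r.cost_center, r.high_risk_txns
        HAVING SUM(CASE WHEN e.role = 'preparer' THEN 1 ELSE 0 END) = 0
            OR SUM(CASE WHEN e.role = 'approver' THEN 1 ELSE 0 END) = 0
        ORDER BY r.cost_center
    """, {"threshold": threshold}).fetchall()


if __name__ == "__main__":
    db = build_exhibit()
    print("managers/executives:", managers_by_cost_center(db))
    print("leave outliers FY2016, ratio 2:", leave_outliers(db, 2016, 2.0))
    print("segregation gaps, >= 50,000:", sod_gaps(db, 50000))
```

<p>The ratio and the dollar threshold are query parameters rather than literals so the same statement can be rerun with whatever cut-offs the engagement sets, and the aggregates are repeated in the HAVING clause rather than referenced by alias so the SQL stays valid outside SQLite. A cost center returned by the segregation-of-duties query is not a finding by itself; it is a place where the HR data says the control could not have operated as designed and where transaction-level testing should follow.</p>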
Infusing IT Auditing Into Engagements (https://iaonline.theiia.org/2017/Pages/Infusing-IT-Auditing-Into-Engagements.aspx)<p>Modern technology is growing rapidly, as is the level of disruption driven by it. In the 2016 Technology Industry Outlook, Deloitte describes the technology sector reaching a tipping point "where cognitive computing, big data analytics, cloud computing, and the rapidly growing Internet of Things are transforming businesses around the globe — including those outside the technology sector." </p><p>Internal audit is being transformed, as well. As advancements in technology drive changes in business operations, internal audit must perform IT audits to help organizations accomplish new and evolving business objectives. That requires the internal audit department and individual auditors to develop IT-related capabilities that are aligned with business risk. Skills that were once considered specialties of IT auditors are now required of all internal auditors. Those practitioners who cannot incorporate technology into their assurance and advisory work will not be able to keep up with the evolving risks, strategies, and needs of their organizations. </p><p>Like any new audit endeavor, internal audit needs to gather information and form a plan for incorporating IT audit techniques into their audit work. Although each organization will require a different mix of effort and materials to obtain this information, some common elements are needed to prepare a comprehensive plan over the short (2 to 3 years), middle (3 to 5 years), and long term (5 to 7 years). The timing in which internal audit implements these elements may vary based on the organization, internal audit department, and internal auditors' capabilities. 
At each stage, the elements should be completed concurrently, with the internal audit department thinking holistically about the future of integrated auditing at its organization.</p><h2>Short Term: Core IT Audit Capabilities</h2><p>A separate IT audit is not required to start infusing IT-related capabilities into the current internal audit function; already-scheduled audit engagements can incorporate elements of IT auditing, further enabling the internal audit department to identify resources and education needed in the long term. As the internal audit department becomes more knowledgeable about the organization's IT environment, auditors can educate organizational management about the benefits of IT auditing in relation to business objectives. In the short term, the department should focus on creating a solid foundation that allows for development of future efforts.</p><p> <strong>Incorporate IT Perspective Into Current Audit Engagements</strong> Internal audit management should encourage staff members to incorporate IT audit methods into their engagements. During the planning phase, auditors should recognize the role IT plays in the internal controls for the processes currently being audited. Document internal audit's understanding of the organization's IT environment. For example, when auditing the accounts payable process, auditors should not only interview the accounts payable clerk about internal controls, but also talk to the individuals responsible for maintaining and supporting accounts payable data and processing systems. Moreover, internal audit should document automated controls such as access controls to the vendor master file.</p><p>Locate and read IT policies, focusing on change management, segregation of duties, and information security. Consider obtaining training from IT experts on applications used within the organization such as enterprise resource planning (ERP) software. 
Areas in which internal audit should develop skills include cybersecurity, data mining, audit analytics, crisis management planning, vendor governance, corporate and data governance, continuous auditing, and software and system life cycle management.</p><p> <strong>Identify Resources</strong> Leveraging their knowledge of the organization's IT environment, internal auditors should inventory the IT resources used across the organization. Start with core functions, including resources driving financial, human resources, and customer data. IT resources include IT platforms (servers, routers, and workstations) and software (databases, and proprietary and off-the-shelf applications). In the accounts payable example, IT resources could include ERP software and other electronic records such as spreadsheets used to house important calculations. </p><p>Second, pinpoint data stored on these core IT resources that are vital to current operations and achieving key business objectives. Key data could include vendor bank account, address, and contact information, as well as invoice distribution coding. Analyze current risk assessments of the underlying risks of this data. Examples of accounts payable risks include phantom vendors, duplicate payments, and corrupt or incorrect data. Assessing the current landscape reveals the most critical IT systems and data that need to be audited. Map core IT resources and data to key business objectives. </p><p> <strong>Respond to IT Risks and Identify Audit Objectives That Can Add Value</strong> IT supports nearly all business functions and allows management to make accurate, timely, and appropriate decisions that drive business operations. Integrated audits can support management's risk assessment to help align business objectives and IT. 
Research by Peter Weill and Jeanne Ross, published in the MIT Sloan Management Review, shows that appropriate alignment of organizational objectives and IT can deliver as much as a 20 percent higher return on investment. </p><p>Internal audit should identify top areas for review, with estimated resource requirements, based on the risk assessment and the risk tolerance of the organization. For example, the business may have an objective to take advantage of potential vendor discounts by making timely payments. Related IT risks include inappropriate access to vendor data, delayed access to invoice information that hinders decision-making, and incorrect calculation of the cost/benefit of taking discounts. An integrated audit of accounts payable could then test whether the information needed to meet that business objective is identified, accurate, and accessible to the right people at the right time. </p><h2>Middle Term: Advanced IT Audit Capabilities</h2><p>While using the current audit engagement schedule in the short term, chief audit executives (CAEs) should evaluate the department's preparedness to grow into a more mature model in which individual IT audit engagements are expected and the CAE has worked with organizational management to link business risks with IT audit techniques. In the middle term, internal audit must get the right people on board and work with the IT department and the organization at large to use a common IT framework. Moreover, it should partner with management and the IT department to facilitate long-term planning. </p><p> <strong>Build a Team</strong> Audit leaders should recruit qualified personnel with IT skills within the internal audit department. Look for people within the department who have current IT audit skills or an aptitude for technology that would enable them to gain those skills. Create a training plan that will address the core IT systems used within the organization and IT audit areas that will need to be covered in future audits. 
Consider hiring an IT expert into the internal audit department to help the department establish a solid relationship with the IT department.</p><p> <strong>Understand the IT Framework</strong> Organizations perform optimally when they use a consistent IT framework, which requires assessing the current state of the IT environment, defining a target state, implementing improvements, operating and measuring, and monitoring and evaluating. Examples of frameworks and standards include the International Organization for Standardization's ISO/IEC IT standards, ISACA's COBIT, and the U.S. National Institute of Standards and Technology Cybersecurity Framework. If the organization has not implemented an IT framework, internal audit should highlight the need for one that will allow for communication across business functions. Use of an IT framework helps determine whether the organization's IT business objectives comply fully with business rules and are structured, maintainable, and upgradable.</p><p> <strong>Perform IT Audits</strong> Identify the scope of IT audits that can be handled internally based on the IT experience of internal auditors and outsource coverage of any remaining risks. Consider the organization's adoption of the IT framework and the amount of resources management has devoted to the endeavor. Specific areas audits should address include: 1) segregation of duties to ensure the integrity of automated controls; 2) security, including physical and logical access, to safeguard the core systems as well as critical and sensitive information; and 3) change management to ensure integrity of system changes. A benefit to implementing an IT framework is access to audit programs that are available for these three areas as well as additional auditable areas for future engagements. 
Internal auditors should devote time to understanding the audit programs and the areas they cover so they can apply them efficiently.</p><p> <strong>Foster Relationships With IT and Management</strong> Internal audit's relationship with the IT department is the foundation of a successful IT audit engagement. Internal audit should understand the metrics and goals the IT department uses in the monitoring and evaluation process of the IT framework. Through this process, internal audit can determine whether the IT metrics and objectives align with organizational goals. Moreover, it can allow internal audit to help discover and articulate to organizational management which IT initiatives can produce cost savings. Additionally, understanding the IT department's goals and metrics can help internal audit facilitate communication between the IT department and management. The value these efforts provide can position internal audit to recommend enhancements to achieve operational goals. </p><h2>Long Term: Advanced and Emerging IT Audit Capabilities</h2><p> As the department's IT audit capabilities solidify and mature, it is a good time to start thinking about the long-term direction in which they will be applied to audit engagements. Performing IT audit engagements should give the department the foundational knowledge needed to support its consulting efforts. In the long term, internal audit should continue to develop and mature integrated engagements, grow consulting engagements, and improve IT audit skills with a focus on how organizational IT objectives will shape internal audit. </p><p> <strong>Leverage Data Analysis</strong> Data analytics allow internal audit to search for patterns, plausible interrelationships, and anomalies, helping improve operational efficiency and effectiveness, as well as fraud detection and prevention. Moreover, analytics can enable reliable financial reporting and adequate compliance with laws and regulations. 
</p><p>The best time for internal audit to perform data analysis is early in the IT life cycle, when it can enable auditors to use time and resources more effectively. In this way, using data analytics can better inform IT audit planning and foster a more dynamic internal audit environment that moves from a traditional and post-mortem planning strategy to one that is more innovative and consultative.</p><p> <strong>Obtain Professional Certifications</strong> IT audit techniques cannot reach their maximum potential without adequate training. One of the best ways to achieve this level of aptitude is by obtaining professional certifications that attest to the practitioner's knowledge of technology and internal audit. Working toward certification enables individuals to gain IT audit knowledge. Maintaining certifications also requires auditors to complete continuing education to meet changes in technology and their associated risks. The specific mix of professional certifications should relate to the organization's objectives and core IT systems and data. Good qualifications to start with include The IIA's Certified Internal Auditor designation and ISACA's Certified Information Systems Auditor and Certified in Risk and Information Systems Control certifications. </p><h2>Rise to the Occasion</h2><p>Internal audit's need to establish its IT audit capabilities and apply them to all of its audit engagements is increasingly important, now that technology is tightly integrated into business processes. Technology is influencing both what is audited and the way audits are being performed. Internal audit departments need to develop the essential skills to audit IT-based controls and processes and to identify operational improvements throughout their organization. Internal audit can take a measured approach to cultivate IT-related capabilities over time in conjunction with organizational management. </p>Andrew Bowman
The Dark Side of the Internet of Thingshttps://iaonline.theiia.org/2017/Pages/The-Dark-Side-of-IoT.aspxThe Dark Side of the Internet of Things<p>They targeted children and stuffed animals. Hackers gained access to account information and voice recordings of more than 800,000 consumers who had purchased Spiral Toys' CloudPets toys, cybersecurity researcher Troy Hunt revealed last month. CloudPets are stuffed animals that enable parents and their children to exchange messages through the internet.</p><p>This anecdote reveals both the pervasiveness of the Internet of Things (IoT) and the serious threats associated with it. Personal assistants, wearables, home management systems, smart refrigerators, and other devices are becoming popular with consumers. But the IoT has become particularly entrenched in businesses — everything from security systems to security cameras to heating, ventilation, and air conditioning systems. </p><p>Research firm Gartner Inc. predicts that 8.4 billion connected devices will be in use worldwide this year, a 31 percent increase over 2016. That number will surpass 20 billion by 2020, Gartner forecasts. Currently, consumer devices comprise 63 percent of IoT devices, but businesses make up 57 percent of IoT spending.</p><p>"IoT services are central to the rise in IoT devices," says Denise Rueb, a research director at Gartner. Although businesses currently dominate the US$273 billion spent worldwide on IoT services, Rueb says consumer and connectivity services will grow faster. "Consumer IoT services are newer and growing off a small base," she explains. "Similarly, connectivity services are growing robustly as costs drop and new applications emerge."</p><p>Security is the dark cloud hanging over the IoT, information security experts caution. Before last year, many of those concerns were theoretical. Those theories became very real in October when a botnet of compromised IoT devices running the Mirai malware launched distributed denial-of-service attacks that disrupted internet service in several U.S. cities. 
At its height, the malware infected hundreds of thousands of devices.</p><p>According to an HP study, <a href="http://go.saas.hpe.com/fod/internet-of-things" target="_blank">Internet of Things Security: State of the Union</a>, 70 percent of IoT devices are vulnerable to attack. A separate <a href="https://www.pwnieexpress.com/hubfs/2017InternetOfEvilThings.pdf?utm_campaign=IoET%202017&utm_source=hs_automation&utm_medium=email&utm_content=42452447" target="_blank">survey​</a> (PDF) by Boston-based IT security company Pwnie Express identifies common attacks against devices, including malware (32 percent), ransomware (20 percent), and man-in-the-middle attacks that intercept communications (16 percent).​</p><p>Threats to IoT systems were front-and-center this month at the CyberUK conference in London, hosted by the U.K.'s recently established National Cyber Security Centre (NCSC). An NCSC report released in conjunction with the conference warns that IoT devices are vulnerable to threats such as remote code execution or takeover. "Many connected devices have been shipped with less secure software and default passwords," The Cyber Threat to U.K. Businesses 2016/2017 report notes. "There is often no obvious way for consumers to update them, change passwords, or otherwise fix security problems."</p><p>Most of the information security professionals (63 percent) who responded to Pwnie Express' The Internet of Evil Things survey say their organization is prepared to detect threats to connected devices. But when the survey dug deeper, it found that less than half (49 percent) of those respondents knew how many connected devices employees were bringing into the organization, while one-third did not know how many and 17 percent were not sure. </p><p>Industrial systems are a likely target. 
Ninety-six percent of IT security professionals <a href="http://info.tripwire.com/rs/314-IAH-785/images/SurveyResults%20IIOT%202017.jpg" target="_blank">surveyed by Tripwire</a> (JPG) expect attacks on industrial IoT systems to increase this year, and 51 percent say their organization isn't prepared to protect them. "There are only two ways this scenario plays out," says David Meltzer, chief technology officer for the Portland, Ore.-based information security company. "Either we change our level of preparation or we experience the realization of these risks."</p><p>Health care is another area where the IoT shows great promise but carries great threats. Recent ransomware attacks have successfully targeted health-care IT systems. Gartner predicts more than one-fourth of attacks in the health-care sector will target the IoT. For health-care businesses, the IoT raises the stakes because "traditional cybersecurity doesn't always 'walk the talk' when it comes to the IoT," Damon Hopley, senior manager, product management with Verizon's IoT Security group, writes in <a href="http://www.healthcareitnews.com/sponsored-content/why-iot-security-so-critical-healthcare" target="_blank"> <em>Healthcare IT News</em></a>. Hopley points out that devices deployed by providers and insurers often are located in remote locations, and some of those devices may lack the security features that would reduce the risk of remote hijacking.</p><p>What can be done? A recent <a href="http://otalliance.actonsoftware.com/acton/attachment/6361/f-00a1/1/-/-/-/-/IoT%20Shared%20Roles%203-2017.pdf" target="_blank">white paper</a> (PDF) from the Bellevue, Wash.-based Online Trust Alliance encourages businesses, consumers, and government to work together to secure the IoT. The paper outlines roles for retailers and ecommerce sites; developers, manufacturers, and automakers; brokers, builders, realtors, and car dealers; and internet service providers. 
It calls on the private sector to establish minimum security and privacy standards for IoT products, disclose security support, and enhance security offerings. In addition, it advises regulators and policy makers to allow self-regulation and provide safe harbor to device manufacturers that have adopted reasonable security and privacy practices. Finally, it recommends consumers patch and replace insecure devices, and only purchase devices that are backed by a security and privacy commitment from the manufacturer.</p>Tim McCollum
