Technology


<h2><a href="https://iaonline.theiia.org/2015/editors-note-the-continuous-audit">Editor's Note: The Continuous Audit</a></h2><p>In today’s ever-evolving business environment, it is clear that internal auditors need to constantly align — and realign — their audit coverage to address emerging risks and avoid damaging surprises. But are audit functions up to the task?<br></p><p>The latest North American Pulse of Internal Audit report from The IIA’s Audit Executive Center indicates they are — to an extent. More than half of the 311 CAE and audit management level respondents to the Pulse survey say internal audit’s biggest challenge in continuously assessing risks is its ability to identify emerging risks and incorporate them into the audit plan. However, nearly 90 percent of respondents say their audit planning is designed to be responsive to changes in the organization’s risk profile.<br></p><p>To be sure, 61 percent of respondents say their audit functions have the resources and expertise to assess risks continuously and analyze their potential impact on the business model. However, audit functions are waging a battle for talent, with 40 percent of those surveyed saying attracting and retaining talent is a high or critical priority.<br></p><p>The need for both a broader and deeper understanding of critical business issues comes across loud and clear in recent research by the ERM Initiative at North Carolina State University. According to the study, 59 percent of senior finance executives say the volume and complexity of risks facing their companies have changed “extensively” or “mostly” in the last five years. And 65 percent say their organization was caught off guard by at least one operational surprise “somewhat” or “extensively” during that time.<br></p><p>Continuous assessment of emerging risks can be more of a challenge for small internal audit departments than for larger, better-resourced functions.
In our cover story, <a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=3da8278f-5ca0-4c59-810a-c3113aec7149&TermSetId=bb519a46-9cdb-4e10-8446-505034f60087&TermId=e571ba74-69a2-42dd-934c-f3885dfb10bc">“Small Audit Functions, Big Ideas,”</a> author Arthur Piper looks at the practices some small audit departments implement to ensure they provide comprehensive, continual assessments of the risks facing the organization.<br></p><p>According to the Pulse report, geopolitical, macroeconomic, and cyber-related risks will put enormous pressure on many internal audit functions to raise their game. Given the significance of these emerging risks, it is imperative that internal audit functions be able to assess risk on a continuous basis. As the authors of the report state, “In today’s fast-paced operating environments, internal auditors need to audit at the speed of risk.”</p><p>Anne Millage</p>
<h2><a href="https://iaonline.theiia.org/2015/cyberrisk-on-the-agenda">Cyberrisk on the Agenda</a></h2><p>With cybersecurity becoming a greater priority for both corporate leaders and their internal auditors, the organizations that are the best at managing information security risks are the ones whose boards are most engaged in addressing them, a recent Protiviti report observes. The report, <a href="http://www.protiviti.com/en-US/Documents/Surveys/2015-Internal-Audit-Capabilities-and-Needs-Survey-Protiviti.pdf" target="_blank">From Cybersecurity to Collaboration</a> (PDF), surveyed 800 internal auditors worldwide.</p><p>Thirty percent of respondents say their organization's board is highly engaged with information security risks facing the business, while 41 percent say the board has a medium engagement and 14 percent have low engagement. Respondents say high board engagement translates into greater confidence in the organization's ability to identify (47 percent), assess (43 percent), and mitigate (39 percent) cyberrisks to an acceptable level. </p><p>Moreover, organizations with high board engagement (69 percent) are more likely than other organizations (46 percent) to include cybersecurity in their internal audit plan. Overall, 53 percent of respondents say evaluating and auditing cyberrisks is part of their audit plan, while another 27 percent expect to add it to next year's plan. Top cyberrisks they are addressing include data security, brand and reputational damage, regulatory and compliance violations, leakage of employee personal information, and viruses and malware. </p><p>"Across the globe, businesses are continuing to experience cybersecurity issues, challenges, and breakdowns," says Brian Christensen, executive vice president of Protiviti's global internal audit and financial advisory group.
"Those professionals who continue to engage board members and define cybersecurity measures within their annual audit plans will be poised to effectively mitigate future threats."</p><h2>Cyberrisk Assessment</h2><p>Protiviti's findings are comparable to responses to The IIA's latest <a href="http://theiia.mkt5790.com/Pulse_of_Internal_Audit/" target="_blank">North American Pulse of Internal Audit</a> survey, in which 69 percent of the 311 internal audit respondents view cyber threats as a critical or high priority. Organizations that include cybersecurity in their audit plan are more likely to have a cybersecurity risk strategy and policy, Protiviti reports. Seventy percent of organizations that have included information security in their audit plan also have a cyberrisk strategy, and 65 percent have a cybersecurity policy in place. Among organizations that didn't include it in their audit plan, the percentages were 42 percent and 39 percent, respectively. </p><p>Most responding organizations address cyberrisks in their overall risk assessment or through a separate assessment. In organizations that perform such assessments, human resources (69 percent), internal audit (48 percent), and executive management (44 percent) have the most significant involvement. Seventeen percent say the audit committee is significantly involved, but another 43 percent say it is moderately involved.</p><h2>Cyber Skills in Demand</h2><p>Moves by internal audit departments to focus more on cyberrisks are complicated by their continued struggle to fill information security skill gaps. Protiviti's respondents say auditing IT security is the audit process area they most need to improve. They rate learning the U.S. National Institute of Standards and Technology's (NIST's) Cybersecurity Framework, released last year, second among general technical knowledge areas needing improvement. In general, 12 of the 13 top "needs improvement" areas cited in the report pertain to IT risks and directives. 
</p><p>Respondents to The IIA's Pulse survey ranked cybersecurity and privacy third in terms of skills their departments are lacking. These skills are the second-most difficult to hire, behind general IT skills, respondents say. To fill the void, 37 percent of respondents' organizations are outsourcing for these skills, while 23 percent are recruiting them.</p><h2>Taking Action</h2><p>Faced with growing cyberrisks, greater board interest, and a skills gap, the Protiviti report advises internal audit to take several actions. Chief among these are working with the board and management to develop a cybersecurity strategy and policy and seeking to increase the organization's ability to identify, assess, and mitigate information security risks "very effectively." Other recommended actions include:</p><ul><li>Recognizing the potential for breaches due to employee or business partners' actions.</li><li>Heightening the board's awareness of cyberrisks and its engagement in cybersecurity matters.</li><li>Integrating cyberrisk into the audit plan.</li><li>Evaluating the cybersecurity program against the NIST Cybersecurity Framework and other frameworks.</li><li>Making cybersecurity monitoring and incident response a top management priority.</li><li>Addressing audit staffing and resource shortages.</li></ul><p>In its introduction, the Protiviti report asks, "Will 2015 be a repeat of 2014 and become the year of the data breach?" Every week, there seem to be new security incidents in the headlines and new reminders that organizations aren't as prepared as they should be — or believe themselves to be. As the Protiviti report suggests, internal audit can contribute to making cybersecurity a priority with corporate leaders and an integral consideration in business processes. But many internal audit departments have much to do before they are capable of making a difference in security initiatives.</p><p>Tim McCollum</p>
<h2><a href="https://iaonline.theiia.org/2015/tech-fraud-and-the-small-business">Tech Fraud and the Small Business</a></h2><p>Like large companies, small companies may become victims of computer hardware thefts that can expose company information and records. Small businesses are easy prey for hackers, too. <em>The New York Times</em> recently reported that hackers have broken into the phone networks of small companies, rerouting thousands of unauthorized calls to premium-rate overseas numbers, resulting in more than US$100,000 in charges for the impacted businesses.<br></p><p>When small businesses and startup companies experience a fraudulent event, they may be hit disproportionally harder than larger organizations and have more difficulty absorbing the losses. For those companies, a significant fraud incident can harm their reputation, cost innocent employees their jobs, cause personal investments to be lost, and make creditors wary of helping the victimized business in the future. Despite such threats, many small-business executives underestimate their company’s fraud risk.<br></p><p>Small firms are particularly unprepared for today’s sophisticated high-tech frauds. Internal auditors can help educate small-business owners and executives about such threats and conduct reviews to identify potential vulnerabilities.<br></p><h2>Small and Vulnerable</h2><p>Small companies are more likely to experience fraud than large firms. In the past two years, 29 percent of reported occupational fraud cases occurred at companies with fewer than 100 employees, according to the Association of Certified Fraud Examiners’ (ACFE’s) <em>2014 Report to the Nations</em>. The median loss per fraud scheme for a small business is US$154,000, the ACFE reports.
Small companies tend to be more susceptible to employee misconduct, lapses in technology oversight, unauthorized technology changes, a lack of internal controls, and inadequate segregation of duties.<br></p><p>Asset misappropriation is the most common fraud among all businesses, occurring in 85 percent of cases, although it typically is the least costly fraud. Corruption schemes make up one-third of small-business fraud cases, while financial statement fraud happens in 12 percent of such cases.<br></p><p>Many technology-related frauds spawn from information security incidents such as data breaches. The Ponemon Institute, an independent privacy and security research organization, reports that 55 percent of responding small businesses have had a breach, and 53 percent have had multiple breaches. But technology-related fraud can come from within, too. IT personnel were perpetrators of fraud in 3 percent of cases, the ACFE notes.<br></p><h2>Reducing Risk</h2><p>Internal auditors at small companies can help their organization reduce the risk of technology-related fraud. They should start with fraud basics like educating management about the signs of fraud and likely perpetrators, such as employees who are living beyond their means or experiencing financial difficulties.<br></p><p>From there, auditors should advise management about the many tangible and inexpensive actions even small businesses can take to address fraud, including implementing a code of conduct and anti-fraud policy. To detect wrongdoing sooner, executives should implement a whistleblower hotline that employees, customers, and vendors can access by phone and through the company’s intranet and extranet. According to the ACFE report, only 18 percent of small companies have fraud hotlines, compared with 68 percent of other businesses, yet hotlines reduce the median duration of fraud from 24 months to 12 months. 
Building fraud training into the internal audit plan can help educate employees about fraud red flags and empower them to speak up about possible incidents.<br></p><p>Beyond these basics, internal auditors at small firms need to address the likely technology enablers of fraud and review the effectiveness of their organization’s safeguards.<br><br><strong>Watch out for the top causes of technology-related fraud.</strong> Many types of network attacks can put small companies at risk of fraud. For example, phishing emails are a significant threat for small businesses and startups because they may not have any rules or policies about accepting such emails, monitor for potential phishing messages, or know how to resolve incidents that may result from someone responding to their content or clicking on a link contained in a message.<br></p><p>Small businesses are particularly vulnerable to data breaches and hacking attacks, which typically target electronic records. Auditors should look for leading causes of breaches such as employee or contractor errors, procedural mistakes, and lost or stolen laptops, smartphones, and storage media.<br></p><p>Small companies also need to guard against identity theft. Identity thieves seek their business account information, employer identification numbers, bank account numbers, or even key employee Social Security numbers. 
Making matters worse, small businesses do not receive the same protections as consumers in identity-theft cases.<br><br><strong>Plan regular and surprise audits in areas that may pose greater risk.</strong> Based on the company’s risk assessment, internal audit should conduct an occasional deeper-dive review of areas with potential risk from technology-related fraud.<br></p><ul><li>An intellectual property audit can assess the types of sensitive information the company retains — such as credit card and personally identifiable information — what it is used for, and where it resides on the organization’s computers and servers. Auditors can confirm whether the sensitive data is isolated or segregated, and determine whether encryption methods are used for protection.<br></li><li>Internal audit should test information security controls for the company as well as for outsourced vendors. Such tests should confirm the use of strong passwords, regular password changes, and regular updates of antivirus and anti-spy software on computers and servers. Auditors should verify that the company uses a secure, encrypted connection such as Secure Sockets Layer to protect sensitive data while in transit across the Internet and that it uses secure wireless connections throughout the business. Also, they should check that the company has implemented privacy and security policies — including what can be downloaded and appropriate use of social media — and that the company has processes in place to monitor what is being said online. 
Moreover, internal audit should review Service Organization Controls reports regarding outside vendor services and confirm that the controls are appropriate for the organization.<br></li><li>Other areas internal audit should review are financial operations, cash-handling processes, inventory, and related-party transactions.<br></li></ul><h2>A Matter of Survival</h2><p>While the ACFE reports that companies frequently lose 5 percent of their revenues to fraud, that can be a high price to pay for a young company trying to generate income and get off the ground. Internal auditors at small companies need to help the business prevent and monitor for technology-related fraud or run the risk that it will become a victim.<br></p><p>Alisanne Gilmore-Allen</p>
<h2><a href="https://iaonline.theiia.org/blogs/chambers/2015/internal-audit-enjoys-home-field-advantage-in-the-fight-for-cybersecurity">Internal Audit Enjoys Home-field Advantage in the Fight for Cybersecurity</a></h2><p>Cybersecurity continues to be a major concern for businesses, with seven in 10 chief audit executives surveyed identifying it as a high or critical priority, according to the just-released 2015 North American Pulse of Internal Audit report. This is not unexpected, but what I do find troubling is something that I'm hearing more and more in my discussions with CAEs around the world.</p><p>There appears to be a growing view that cybersecurity issues should reside in the domain of IT and security experts, with internal audit providing little more than support. The question I'm hearing too often is, "What can internal audit contribute?"</p><p>The answer is, plenty.</p><p>The fundamental truth about cybersecurity is that it is as much a business risk as it is a security risk, and it is imperative that our stakeholders understand this so that internal audit is sought out to provide the necessary assurance and governance guidance in this critical area.</p><p>Perhaps there is reticence in leading the fight against cybercrime because of the high stakes involved or the potential for negative publicity around high-profile failures. But our profession has never been one to shrink from complex risks or hard tasks.</p><p>Here's something that should provide some reassurance. There is a dirty little secret about cybersecurity risks that cybercriminals would rather we not know — we have home field advantage.</p><p>Cybercriminals have to come into our house, so to speak, so we have a natural advantage.
In the large majority of cyber assaults, the cybercriminal does not know what we have of value, where to find it in the system, or what protections we have around that most valuable data. We do and, with proper planning, can force the attackers to play the game according to our rules. This knowledge should color our approach to creating the protocols that secure and protect our data.</p><p>Experts in data protection recommend a basic process to identify the most important information, what many refer to as the <em>crown jewels </em>of data. It is that data that must be protected at all costs, and it is up to internal audit to provide assurance to stakeholders that the processes in place to protect it are effective and efficient.</p><p>Organizations should begin by segmenting their data into three piles based on its value to the organization:</p><ul><li>Don't care — This is information that would have no appreciable impact on the organization or its clients if it is accessed by hackers, e.g. information readily accessible on the organization's website.</li><li>Reputational risk — This is information that could lead to negative publicity or embarrassment to the organization if it fell into the wrong hands, but it would not kill the company, e.g. employee disciplinary reports.</li><li>Real harm — This is information that could create major problems for a company or its clients if it is hacked, e.g. financial data, PCI, strategic business plans.</li></ul><p>Information in that final <em>crown jewels</em> pile must be separated from the first two piles, isolated and protected. This allows for resources to be concentrated where they are most useful rather than generically spread across the environment. 
Once protected, it is up to internal audit to do what it does best — test for effectiveness and efficiency of controls and protocols, and provide management and the board with assurance about those protections.</p><p>Daimon Geopfert, national leader for security and privacy consulting at McGladrey, has been a strong advocate of encouraging internal audit to step up on cybersecurity matters. A popular speaker, including at a number of IIA conferences, Geopfert offers straightforward insights that help put the cybersecurity issues squarely in the internal audit camp.</p><p>According to Geopfert:</p><ul><li>Internal audit can and should conduct data mapping and classification exercises to test protections. It is important to "follow the lifecycle" of the data — that is, know where it comes from, where it resides, who uses it and how, and how long it is kept in the system.</li><li>Such exercises will likely turn up instances where protected data is exported from its protected environment for local use, significantly raising the vulnerability to being successfully hacked.</li><li>Through such exercises, internal audit can drive the discussion on what data is most vulnerable and appropriate controls throughout its lifecycle no matter where it travels.</li><li>Internal auditors must learn to ask the right questions regarding data protection, focusing on what actually is happening in the field, not just what is written in various policy statements.</li><li>Internal audit must be prepared to sacrifice some sacred cows (business practices), especially regarding behaviors that may make operations easier but increase vulnerability and, therefore, the likelihood of data breaches.</li><li>Internal audit must set expectations with stakeholders on data protection. High-level commitments to protecting certain data will make it easier to curtail risky behavior that simply makes work more convenient.
</li></ul><p>The other bit of good news from Geopfert is a figure rarely seen in media coverage of cybersecurity issues. Basic data protections through sound practices and policies will likely discourage 60 percent to 70 percent of hackers, many of whom are not overly skilled, significantly reducing cybersecurity risks. These practices, e.g. limiting access to sensitive information, appropriate patching and monitoring, encryption on mobile devices and media, third-party-vendor security reviews, etc., already should be on internal audit's radar. </p><p>I'd like to hear your thoughts about what role internal audit should play in cybersecurity.</p><p>Richard Chambers</p>
<h2><a href="https://iaonline.theiia.org/blogs/marks/2015/the-risk-of-missing-the-next-new-technology">The Risk of Missing the Next New Technology</a></h2><p>Is your organization sufficiently intelligent and agile to be able to deploy new technologies and obtain competitive advantage?</p><p>Are you so risk averse that you wait for others to lead before you think about following?</p><p>Do you have to wait because you don't have the capacity to address risks that may be created by new technologies?</p><p>In other words, are you running an unacceptable level of risk of being left behind?</p><p>McKinsey has shared some useful insights on one of the latest new technologies, 3-D printing (sometimes called additive manufacturing). <a href="http://www.mckinsey.com/insights/manufacturing/are_you_ready_for_3-d_printing?cid=other-eml-alt-mkq-mck-oth-1502" target="_blank">Are You Ready for 3-D Printing?</a> includes a useful list of known uses of the technology.</p><p>But the most important piece of information, for me, is this:</p><p><span class="ms-rteiaStyle-BQ">"Two-thirds said that their companies lacked a formal, systematic way to catalog and prioritize emerging technologies in general."</span></p><p>Leaving the specifics of 3-D printing aside, how can this be acceptable?</p><p>We have all seen the enormous potential of new technology.
It has revolutionized so many industries, from banking to retail to travel to manufacturing.</p><p>How can any organization fail to pay attention to the potential of new technologies?</p><p>Is this a risk your organization has identified?</p><table cellspacing="0" width="100%" style="height:296px;"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;"><h2>More on 3-D Printing</h2><p>Here are a few interesting links.</p><ul><li><a href="http://www.theverge.com/2015/2/27/8119443/amazon-3d-printing-trucks-patent" target="_blank">http://www.theverge.com/2015/2/27/8119443/amazon-3d-printing-trucks-patent</a></li><li><a href="http://www.newyorker.com/magazine/2014/11/24/print-thyself" target="_blank">http://www.newyorker.com/magazine/2014/11/24/print-thyself</a></li><li><a href="http://www.economist.com/node/18114221" target="_blank">http://www.economist.com/node/18114221</a></li><li><a href="http://arstechnica.com/gadgets/2013/08/home-3d-printers-take-us-on-a-maddening-journey-into-another-dimension/" target="_blank">http://arstechnica.com/gadgets/2013/08/home-3d-printers-take-us-on-a-maddening-journey-into-another-dimension/</a></li><li><a href="http://www.economist.com/news/technology-quarterly/21598322-bioprinting-building-living-tissue-3d-printer-becoming-new-business" target="_blank">http://www.economist.com/news/technology-quarterly/21598322-bioprinting-building-living-tissue-3d-printer-becoming-new-business</a></li><li><a href="http://www.wired.com/2014/09/military-grade-drone-can-printed-anywhere/" target="_blank">http://www.wired.com/2014/09/military-grade-drone-can-printed-anywhere/</a></li></ul></td></tr></tbody></table><p>In my opinion, you can't leave
this to the chief information officer and his team. While they are experts in technology, they may not have the insight and ability to dream about new uses by the organization. Business executives have to get involved, as well. </p><p>McKinsey correctly pointed out, "Many also admitted that their companies were ill prepared to undertake a cross-organizational effort to identify the opportunities." That cross-functional effort will very often be required because more than one business area, in addition to IT, should be involved in assessing opportunities, costs, and risk.</p><p>Coming back to 3-D printing, the cost of printers has dropped significantly over the last year or two, to the extent that retail shops are opening! McKinsey points out some of the potential uses for 3-D printing, and my belief is that it will, as is the case with so many new technologies, have a major impact on both our personal and work lives — from rapid design and prototyping to better and cheaper prosthetics to custom tooling on demand to the manufacture of drones, and so much more (see box at right).</p><p>Are you sufficiently agile and intelligent to understand the potential and then deploy new technology to advantage? If not, is this recognized as a strategic risk that needs to be addressed?<br></p><p>Norman Marks</p>
<h2><a href="https://iaonline.theiia.org/2015/thinking-holistically-about-security">Thinking Holistically About Security</a></h2><p>Today's organizations focus great attention on protecting network perimeters from sophisticated external attacks. A December 2014 survey report from the independent research firm Ponemon Institute reminds internal auditors that organizations also must focus attention on internal security while balancing employee productivity (see "Summarized Survey Results" below). </p><p>The Ponemon research, sponsored by data protection company Varonis Systems, indicates that organizations are not taking a holistic approach to information security. Given the current publicized data breaches, organizations — including the board and senior executives — are focusing on ensuring their external borders are secure from outside threats. However, the survey points out that internal threats still need attention.</p><p>Internal auditors can help their organizations ensure current security initiatives are balanced between external and internal threats. To do this, the internal audit function should be engaged with the IT department and assign the appropriate personnel to add value to information security discussions. One way auditors can add value is by thinking outside the box regarding security approaches and providing a holistic view of security risks and considerations. </p><h2>Assessing Security Readiness</h2><p>Auditors should be engaged early in the conversation regarding risks and potential information security solutions. In addition to its standard assurance service, internal audit should expand its advisory services role with the organization's IT activity to suggest ways to protect the organization from internal and external threats. Examples include working more closely with the security administration function and participating on the organization's security advisory committee.
</p><p>To be a credible contributor in today's changing IT risk landscape, internal audit needs personnel who are qualified to advise and work with IT and information security specialists. The internal auditor should have a basic understanding of the security technologies used and how they have been integrated with the organization's systems, processes, and procedures. The auditor could obtain this understanding by performing a detailed walkthrough or specific audit of each of these technologies. Additionally, previous experience in a security administration role also would benefit the internal auditor. </p><table width="100%" cellspacing="0" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;"><p><strong>Summarized Survey Results</strong></p><p>A recent Ponemon Institute study, <a target="_blank" href="http://www.varonis.com/research/why-are-data-breaches-happening">Corporate Data: A Protected Asset or a Ticking Time Bomb?</a>, surveyed more than 2,200 employees of organizations in France, Germany, the U.K., and the United States, with perspectives from both end users and IT and information security personnel. The findings highlight several internal threats that organizations may be overlooking:</p><ul><li>Users have access to confidential data they should not have or no longer require.</li><li>The growth of data in organizations has impacted users' ability to locate and access the data they need to perform their jobs.</li><li>Users encounter long wait times to gain access to data.</li><li>Loss or theft of organizational data has occurred over the past two years.</li></ul></td></tr></tbody></table><p>Regardless of the organization's overall approach to evaluating security risks, internal audit should perform its own risk assessment of the organization's security posture.
By leveraging its broad view of the organization, internal audit's assessment can be sufficiently detailed to ensure appropriate coverage of both major and more basic security aspects such as how access is approved and how user security is handled for transferred employees. The Ponemon report points out that it's imperative that organizations cover these basic security activities and processes, because when they aren't working they often are the root causes of external data breaches and internal data losses. The evaluation results could be used as a baseline for annual security reviews.</p><p>If the organization contracts with external security providers to assess its security posture, internal audit should be involved from the beginning to ensure the appropriate coverage occurs and includes both external and internal threats. The provider's report should suggest ways to enhance the overall security posture. Based on its organizational experience, internal audit should review those suggestions with an open mind and consider enhancing the suggestions or providing alternatives to the consultant's solutions to best align the suggestions with the organization's philosophy and what's needed to address the risks. Where the consultant's review falls short of suggesting alternatives or may not have assessed certain areas, internal audit should provide additional suggestions and consider assessing areas that were not covered.</p><h2>Additional Opportunities</h2><p>Following the risk assessment, the internal audit function should be involved in the organization's discussions to address the risks that were uncovered, including recommending alternatives to standard remediation activities. For example, auditors could suggest supplementing the organization's security administration function with evolving security-as-a-service providers. 
Such providers could assume certain activities of the current security administration function, freeing in-house resources to work on larger, higher-risk imperatives or on core IT competencies such as providing virus definition updates, log management, simple provisioning, or expertise on current security events. </p><p>The security risk assessment may provide additional advisory or assurance opportunities for internal audit. Examples include suggesting best practices, such as performing more proactive assurance activities on high-risk areas, or recommending places where new security technologies, such as a data-loss prevention solution, could be implemented. As with the risk assessment, internal audit needs to strike a balance between its advisory and assurance roles. The key points for auditors to remember are to engage early, have the right staffing model, think holistically, and keep an open mind.</p>James Reinhard
What CIOs Have To Say About Cyber, Information Security, and Morehttps://iaonline.theiia.org/blogs/marks/2015/what-cios-have-to-say-about-cyber-information-security-and-moreWhat CIOs Have To Say About Cyber, Information Security, and More<p>The <a href="http://cionetwork.wsj.com/wp-content/uploads/2015/02/CIONetwork_SpecialReport.pdf" target="_blank">Feb. 10 issue of the <em>Wall Street Journal</em> included a "CIO Network" section</a> (PDF) that makes interesting reading. Congratulations to the <em>WSJ</em>, by the way, for making this special report available on the Web.</p><p>Here are some excerpts of note (with my highlights):</p><p> <span class="ms-rteiaStyle-BQ">"The global chief information officers (CIOs) who gathered at the third annual CIO Network in San Diego last week are a chastened crew. <strong>When asked who hasn't been hacked, just one hand went up in the audience, and that CIO got a lot of skeptical looks.</strong> And when asked if business and the government were making progress against hacking or were <strong>losing the battle</strong>, the group overwhelmingly said the latter. But the conversation quickly got pragmatic. 'Don't go overboard on security,' one CIO said. 'I still have to address other matters.' Company networks need to grow and be flexible, interact with vendors and customers, and accommodate internal innovation. <strong>Cybersecurity has become just one more item on the corporate risk-management list — albeit high on the list</strong>, several CIOs said."</span></p><p><span class="ms-rteiaStyle-BQ">"Finding on-ramps to the <strong>cloud</strong> is the No. 
1 priority on my agenda."</span></p><p><span class="ms-rteiaStyle-BQ">"Some 44 percent of the CIOs said their companies now tackle <strong>big data projects</strong> 'all the time.'"</span></p><p><span class="ms-rteiaStyle-BQ">"Use current challenges such as market conditions, cybersecurity, innovation, and data analytics as a <strong>catalyst for engagement in the boardroom</strong>. Use the opportunity to drive the components of your business agenda."</span></p><p><span class="ms-rteiaStyle-BQ">"<strong>Take risks</strong> and refrain from simply checking a box. Be open to raw talent who have the smarts, the ambition, the enthusiasm, and the <strong>curiosity</strong>. Also look for people who understand how 'Year Zero' works with technology, and who are <strong>commercially minded</strong>. This strategy requires the CIO to take ownership and develop and install a path for their success."</span></p><p><span class="ms-rteiaStyle-BQ">"Change is constant; look for people who come at problems from a different perspective. Are we talking about a risk taker? Yes. But not someone who just takes risks. Recruit people who are incredibly adaptive to and can drive rapid change, both personally and professionally."</span></p><p><span class="ms-rteiaStyle-BQ">"Categorize what data in your company is the most critical. <strong>Make it clear to everyone how a breach would translate to business impact</strong>."</span></p><p><span class="ms-rteiaStyle-BQ">"<strong>Cybersecurity needs to be elevated to an international level</strong>; firms across industries and governments across regions must organize for this battle. They should view it as securing a common cyberborder."</span></p><p><span class="ms-rteiaStyle-BQ">"CIOs should think about how <strong>digital disruptors</strong> would approach their industry. Understand how to <strong>partner with the business</strong>. Find radically new revenue models and zero-cost supply models. 
CIOs should partner with early-stage external entities to find new business models."</span></p><p>Does any of this surprise me? No. I am encouraged by the CIOs' generally pragmatic approach. They recognize the importance of cybersecurity and that they can't keep the best hackers out, but need to keep that risk in perspective. They need to enable the business as a whole to succeed, not just avoid harm. They are also very much aware of the threat and opportunity posed by new, disruptive technology — and the essential need to partner with business for strategic advantage.</p><p>What do you think?</p>Norman Marks
Viewing Cyberrisk Through a COSO Lenshttps://iaonline.theiia.org/2015/viewing-cyberrisk-through-a-coso-lensViewing Cyberrisk Through a COSO Lens<p>The victims keep piling up: Network security breaches at Chick-fil-A Inc., Home Depot, Sony Corp., and Staples Inc. in just the past few months have made 2013's Target Corp. break-in seem like ancient history. But these attacks have gotten the attention of corporate boards, with directors in a recent <a target="_blank" href="http://www.nacdonline.org/AboutUs/PressRelease.cfm?ItemNumber=12530">National Association of Corporate Directors survey</a> voicing complaints about being left in the dark about their organization's information security.</p><p>With cyberrisks front-and-center, senior executives, risk managers, and internal auditors need guidance on how to assess and control those risks before their organization becomes the next headline. Into this void comes new guidance from The Committee of Sponsoring Organizations of the Treadway Commission (COSO). </p><p>"There is a growing concern at all levels of industry about the challenges posed by cybercrime," COSO Chairman Robert Hirth Jr. says in a press release. "This new guidance helps put organizations on the right path toward confronting and managing the frightening number of cyberattacks."</p><p> <a target="_blank" href="http://www.coso.org/documents/COSO%20in%20the%20Cyber%20Age_FULL_r11.pdf">COSO in the Cyber Age</a> (PDF) provides guidance on how organizations can apply internal control components and principles from the updated 2013 COSO <em>Internal Control–Integrated Framework</em> and the <em>Enterprise Risk Management–Integrated Framework</em> to manage their constantly changing IT risks. 
The research report is written by Mary Galligan, director of Cyber Risk Services at Deloitte & Touche LLP, and Kelly Rau, a senior manager with the firm.</p><h2>Cyberrisk Assessment</h2><p>The report stresses that management needs to drive the cyberrisk assessment process. Executives should begin by working with business and IT stakeholders to place a value on the organization's information systems and determine which are most important to protect, given its limited resources. The authors cite Principle 6 of the 2013 framework as providing perspective on evaluating an organization's most critical systems in light of operations, external financial and nonfinancial reporting, internal reporting, and compliance objectives. </p><p>From there, senior management can follow Principles 7 and 8 to assess the likelihood that cyberrisks could impact the achievement of objectives and the severity of those impacts. The report says individuals conducting the assessment must understand the organization's cyberrisk profile, including which information systems are valuable to potential attackers and how those attacks might occur. Organizations also need to consider threats and potential attack sources that are more likely within their own industry. </p><p>The impact of technology change on internal controls is another risk consideration, as noted by Principle 9. New technologies and the use of outsourcing and other third parties can expose the organization to new risks, the report says.</p><h2>Control Activities</h2><p>After assessing their risks, the COSO report advises organizations to implement preventive and detective controls to address attacks from multiple entry points, using Principles 10, 11, and 12 of the 2013 framework for guidance. Deploying such controls in the IT environment can create obstacles for intruders and enable organizations to detect breaches and take corrective action in a timely manner. 
The report recommends that organizations compare the design and implementation of cyber control activities with information security and IT standards and frameworks such as the International Organization for Standardization's <a target="_blank" href="http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=63411">ISO 27000</a>, ISACA's <a target="_blank" href="http://www.isaca.org/cobit/pages/default.aspx?cid=1003566&appeal=pr">COBIT</a>, and the U.S. National Institute of Standards and Technology's <a target="_blank" href="http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf">Framework for Improving Critical Infrastructure Cybersecurity</a> (PDF).</p><h2>Information and Communication</h2><p>COSO internal control Principles 13, 14, and 15 direct efforts to identify relevant information, define how it is communicated internally, and determine how it should be communicated externally. The report identifies several points of focus for addressing cyberrisks: </p><ul><li> <strong>Identify information requirements.</strong> These requirements provide a basis for understanding the information systems that are at risk and communicating with the organization to ensure controls are designed to address those risks. </li><li> <strong>Process relevant data into information.</strong> Because today's information systems can generate massive amounts of log data and security alerts, organizations must distill that data into meaningful information that can be used to take appropriate action. </li><li> <strong>Capture internal and external data sources.</strong> Potential sources of external data include commercial and industry-focused data, government data, and outsourced service provider data. 
</li><li> <strong>Maintain quality through processing.</strong> Organizations should establish clear responsibility and accountability for the quality of information, which should be protected from being accessed or changed without authorization.</li><li> <strong>Communicate internal control information.</strong> Organizations need a plan for communicating with personnel about cyberrisks and controls, as well as channels to communicate control information to personnel who are responsible for managing and monitoring them. Moreover, the organization must communicate with external parties to obtain cybersecurity information and to inform business partners, customers, regulators, and shareholders about cyber incidents or activities.</li></ul><h2>Control Environment and Monitoring</h2><p>The report calls the COSO framework's control environment and monitoring activities component "foundational" for managing cyberrisks. Although the board and senior management have ultimate authority for cybersecurity, they will need internal and outside experts to explain technical IT information, advise them on which resources are a priority to deploy, and help them monitor the design and effectiveness of cyber controls.</p><h2>Becoming Vigilant</h2><p>In assessing their organization's cyberrisks and controls, the COSO report suggests asking questions such as whether it is focused on the right things and whether it is proactive or reactive in establishing security processes and controls. Organizations also should consider whether they have personnel who are qualified to deal with cyberrisks and whether there is collaboration among IT specialists, business units, and external stakeholders. Finally, senior management must be capable of explaining its approach to cyberrisk and its response to incidents, something that may be scrutinized if the organization suffers a security breach.</p>Tim McCollum
Encryption Essentialshttps://iaonline.theiia.org/encryption-essentialsEncryption Essentials<p>Encryption is essential to establishing strong security and internal controls in an increasingly wired and privacy-conscious world. The principles, dynamics, functionality, and the art and science of encryption may cause auditors who aren’t familiar with it to dread and avoid examining their organization’s implementation and application of encryption, as one element of an overall defense-in-depth strategy.<br></p><p>Internal audits of an organization’s encryption policies, practices, and procedures are an important step in assessing its procedures and internal controls for protecting data. If implemented and used appropriately and proactively as part of its data management and security structure, encryption can enable greater defense in depth and strengthen internal controls over critical enterprise data.<br></p><p>When examining encryption policies, practices, and procedures, internal auditors should review both encryption’s technical and nontechnical aspects. To do this, auditors must have a complete understanding and working knowledge of the basics of encryption — the theory, concepts, and terminology of the various components — and how the encryption process works. Such an understanding will enable auditors to recommend to management the most appropriate, logical, and technically correct solution to this important aspect of enterprisewide security.<br></p><h2>Behind the Jargon</h2><p>The discussion of encryption involves terms that are important to understanding how it works. <em>Cryptology</em> is the scientific study of cryptography. <em>Cryptography</em> is the process of converting plain text into a cipher or encrypted text using an algorithm, making the resulting text unreadable without a decoding key. 
A <em>cipher</em> is a way to make a word or message secret by changing or rearranging the letters in the message.<br></p><p>The process of converting a plain text message to its cipher text form is called <em>enciphering</em> (see “Enciphering Plain Text Into Cipher Text” below). Reversing the process, converting enciphered text into plain text, is called <em>deciphering</em>. The intended recipient must use a decoding key to decrypt the text and convert it back into plain, comprehensible text. There is a low probability that anyone without the decoding key would be able to recover the original plain text.<br></p> <table width="100%" cellspacing="0" class=" ms-rteiaTable-4"><tbody><tr class="ms-rteiaTableEvenRow-4"><td class="ms-rteiaTableEvenCol-4" colspan="2" style="width:50%;"><p> <strong>Enciphering Plain Text Into Cipher Text</strong></p></td></tr><tr class="ms-rteiaTableOddRow-4"><td class="ms-rteiaTableEvenCol-4" style="width:80px;"><p>Plain Text<br></p></td><td class="ms-rteiaTableOddCol-4"><p>This is a secret message that I only want to share with authenticated recipients<br><br></p></td></tr><tr class="ms-rteiaTableEvenRow-4"><td class="ms-rteiaTableEvenCol-4" style="width:80px;"><p>Cipher Text<br></p></td><td class="ms-rteiaTableOddCol-4"><p>ATRCiekINIUcGF6S3bzPf6JTiavQCf05+z+p+cHrdMI4TCQe<br>PWtdaxHPXAIEdBz4A+e00WF/IWuXHzNmqb3M0wSDEshg<br>YYtwjSqO1X+aiH1yeeRQajB1nqYRlWhNXSobse9FPT+KB7<br>Zzwm66aAafkQYbMp/AeyTtbMfrvOeWoRg=</p></td></tr></tbody></table><p> <em>Public Key Infrastructure</em> (PKI) is a framework that enables various services related to cryptography to be integrated. PKI enables organizations and users to manage keys and certificates, which are used for identification, entitlements, verification, and privacy. By managing keys and certificates through a PKI, an organization establishes and maintains a secure and trustworthy networking environment that allows information and money to be exchanged safely and securely. 
The aim of PKI is to provide confidentiality, integrity, access control, authentication, and nonrepudiation over transactions, email, and communications enacted by, between, and through discrete users.<br></p><h2>Elements of Encryption</h2><table width="100%" cellspacing="0" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;"><p><strong>The Encryption Challenge</strong><br>A corporate requirement in the form of securing email transmissions illustrates the essential components and process of encryption. A user wants to send an email from point A to an intended recipient at point B. The user requires that the email’s contents remain confidential and viewed only by the recipient, while the recipient expects to be able to authenticate the sender and ensure that the sender cannot deny having sent the email.<br></p><p>The internal auditor’s challenge is to recommend a solution that identifies all necessary elements in their appropriate order, sequence, and relationship. This solution must allow the sender and recipient to achieve confidentiality, integrity, authentication, and nonrepudiation of any email exchanged between them.<br></p><p>See “Solving the Encryption Challenge” at the end of this article for an answer to the challenge.<br></p></td></tr></tbody></table><p>The quickest, easiest, and most straightforward way to gain an understanding of encryption is to examine each component of the encryption process. These components and the definitions represent the essential elements that an auditor will typically encounter when working with encryption and encryption systems. Moreover, a review of these elements will better enable auditors to correctly answer the encryption challenge (see “The Encryption Challenge” at right).<br><br><strong>Authentication.</strong> Assurance that a message has not been modified in transit or while stored on a computer. 
NetAction’s Guide to Using Encryption Software refers to this as message authentication code or the message’s data integrity.<br></p><p><strong>Certificate.</strong> Proves the identity of a user or device seeking to access the network. It ensures that the entity has provided correct information and is the owner of the public key, according to the Oracle 9i Security Overview. A certificate is created when an entity’s public key is signed by a trusted identity, such as a certificate authority. It contains information such as:<br></p><ul><li>The certificate user’s name.</li><li>An expiration date.</li><li>A unique serial number assigned by the certificate authority.</li><li>The user’s public key.</li><li>Information about the rights and uses associated with the certificate.</li><li>The name of the certificate authority that issued the certificate.</li><li>The certificate authority’s signature. </li><li>An algorithm identifier that identifies which algorithm was used to sign the certificate.</li></ul><p> <br> <strong>Certificate Authority.</strong> An authority in a network that issues and manages security credentials and public keys for message encryption, according to SearchSecurity.com. A certificate authority consults with a registration authority to verify information provided by the requestor of a digital certificate. Once the information is verified, the certificate authority can issue a certificate. The certificate includes the owner’s public key, the expiration date of the certificate, the owner’s name, and other information about the public key owner.<br><br><strong>Confidentiality.</strong> Provides assurance that only owners of a shared secret key can decrypt a computer file that has been encrypted with the shared secret key. Confidentiality is ensured because only individuals who know the key will be able to read the encrypted message.<br><br><strong>Cryptographic Keys. </strong>U.S. 
National Institute of Standards and Technology Special Publication 800-57 (July 2012), Recommendation for Key Management–Part 1, General (Revision 3), identifies 19 different cryptographic keys, each used for a different purpose. In asymmetric key systems, there are a pair of keys that work in tandem: a private key and a public key. The most commonly used key types are:<br></p><ul><li>Private signature key — used by public-key algorithms to generate digital signatures with possible long-term implications. Private signature keys are used to authenticate the source of a key, protect its integrity, and ensure nonrepudiation of messages, documents, or stored data.</li><li>Public signature-verification key — verifies digital signatures.</li><li>Private authentication key — provides assurance of the originating entity’s identity when executing an authentication mechanism as part of an authentication protocol run or when establishing an authenticated communication session.</li><li>Public authentication key — provides assurance of the originating entity’s identity when executing an authentication mechanism as part of an authentication protocol run or when establishing an authenticated communication session.</li></ul><p> <br> <strong>Digital Certificate.</strong> A document signed by a trusted third party that is the preferred way to securely deliver public keys. The top part of a digital certificate contains plain text identifying the issuer (signer), subject (whose public key is attached), the subject’s public key, and the expiration date of the certificate. The bottom part contains the issuer’s signed hash of the top part.<br><br><strong>Digital Signature.</strong> A small piece of code created by encryption software that is used to authenticate the data sender. 
A private key creates a digital signature, and a corresponding public key verifies that the signature was really generated by the holder of the private key.<br><br><strong>Hashing.</strong> Used to encrypt and decrypt digital signatures. The hash function transforms the digital signature into a hashed value called the message digest; both the message digest and the signature are sent in separate transmissions to the receiver. Using the same hash function as the sender, the receiver derives a message digest from the signature and compares it with the message digest it also received to ensure their contents are the same.<br><br><strong>Integrity</strong> (or message authentication). Assurance that a file was not changed during transit.<br><br><strong>Key. </strong>A piece of data used for encryption and decryption. Keys typically look like alphanumeric gibberish and are not human-readable.<br><br><strong>Nonrepudiation. </strong>Assurance that the data sender has received proof of delivery and the recipient has proof of the sender’s identity, so neither can later deny having processed the data. For example, if a person has a digital signature that verifies with public key “K,” then he or she knows that the associated private key was used to make that signature. Cryptographic nonrepudiation is provably achieved by all practical public-key cryptosystems.<br><br><strong>Registration Authority.</strong> An authority in a PKI that verifies user requests for a digital certificate and instructs the certificate authority to issue it.<br><br><strong>Secure Sockets Layer Authentication (SSL).</strong> Provides authentication, data encryption, and data integrity in a PKI through the exchange of certificates, which are verified by trusted certificate authorities. Authentication is performed using digital certificates and a public/private key pair. 
SSL typically is used to establish digital identities and to protect data and messages from eavesdropping, tampering, or forging.<br></p><h2>Protecting Critical Assets</h2><p>A working knowledge of encryption definitions, concepts, and methodologies alone is not sufficient to assess internal controls for securing an organization’s critical data assets. As part of a comprehensive internal controls review of enterprisewide data management and security procedures, auditors should examine encryption implementation procedures, policies, enforcement measures, general access controls, and access rights management procedures.<br></p><p>In today’s always-on, globally connected society, it is imperative that organizations develop resilient information management strategies to protect their critical data assets. A robust, proactive cryptographic strategy and platform is an essential piece of a well-controlled and secure enterprise. </p><table width="100%" cellspacing="0" class="ms-rteiaTable-6"><tbody><tr class="ms-rteiaTableEvenRow-6"><td class="ms-rteiaTableEvenCol-6" style="width:100%;"><p> <strong>Solving the Encryption Challenge</strong><br>To answer the encryption challenge correctly, internal auditors must consider several essential elements of encryption, specifically digital signatures, hashing, and private and public keys.<br></p><p>The specific steps the sender should take are:<br></p><ol><li>Create an initial message.</li><li>Calculate a hash value for the message.</li><li>Encrypt the hash with his or her private key.</li><li>Attach the hash to the message.</li><li>Sign the message with his or her digital signature.</li><li>Encrypt the message with the recipient’s public key.</li><li>Send the message to the recipient.</li></ol><p>The recipient of the email should:<br></p><ol><li>Open the message by decrypting it using the recipient’s private key.</li><li>Calculate a new hash value.</li><li>Decrypt the sender’s hash using the sender’s public key.</li><li>Compare the hashes. This provides assurance that the sender sent the message, as the sender’s digital signature is attached to the message, which “binds” the sender as its originator. If there are any discrepancies in the hash values, the recipient cannot rely on the message’s integrity.</li></ol><p>This provides the recipient assurance that the message came from the sender, as the sender’s signature is on the file, thus establishing nonrepudiation.<br></p></td></tr></tbody></table>Albert J. Marcella Jr.
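The sender and recipient steps in “Solving the Encryption Challenge,” carried through as an added Go example; this is not code from the article. It assumes both parties already hold RSA key pairs and that each has obtained the other's public key through a trusted certificate, uses SHA-256 for the hash and RSA-PSS for the signature, and adds a hybrid layer (a one-time AES-GCM key wrapped with RSA-OAEP) for the confidentiality step, because RSA alone cannot encrypt a message with its attached signature.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Envelope is what actually travels from point A to point B.
type Envelope struct {
	WrappedKey []byte // one-time AES-256 key, encrypted with the recipient's public key (RSA-OAEP)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM encryption of: len(message) || message || signature
}

// newGCM builds an AES-GCM AEAD from a raw key; used by both sides.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal performs the sender's steps: hash the message, sign the hash with the
// sender's private key, attach the signature, and encrypt the result so that
// only the recipient's private key can open it.
func Seal(msg []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	// The digital signature is the SHA-256 hash of the message signed (RSA-PSS) with the sender's private key.
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// Attach the signature to the message, length-prefixed so the recipient can split them again.
	prefix := make([]byte, 4)
	binary.BigEndian.PutUint32(prefix, uint32(len(msg)))
	plain := append(append(prefix, msg...), sig...)
	// Encrypt for the recipient. RSA-OAEP can only encrypt a few hundred bytes, so a fresh
	// AES-256-GCM key encrypts the payload and the recipient's RSA public key encrypts that key.
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// Open performs the recipient's steps: decrypt with the recipient's private key, split off
// the signature, recompute the hash and verify the signature with the sender's public key.
// On any failure nothing is returned, because origin or integrity could not be established.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap key: %w", err)
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // fails on tampered ciphertext
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	if len(plain) < 4 || uint64(binary.BigEndian.Uint32(plain[:4])) > uint64(len(plain)-4) {
		return nil, fmt.Errorf("malformed payload")
	}
	n := binary.BigEndian.Uint32(plain[:4])
	msg, sig := plain[4:4+n], plain[4+n:]
	// Recompute the hash and compare it with the signed hash; a changed message or a
	// signature made with a different private key both fail here.
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return msg, nil
}
```

Seal(msg, senderKey, &recipientKey.PublicKey) followed by Open(env, recipientKey, &senderKey.PublicKey) returns the original message; Open refuses a tampered envelope, a different recipient key, or a signature made with any key other than the sender's.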
The IT Auditorhttps://iaonline.theiia.org/the-it-auditorThe IT Auditor<h3>What IT skill sets will internal auditors require to remain relevant going forward?<br></h3><p> <strong>Simpson</strong> The two most relevant IT skills are data analytics and an understanding of application systems controls. If internal auditors have a strong grasp of both, they should be able to assess most internal controls within an organization. The importance of understanding application controls often is overlooked, but without it the data analyst/scientist is quite ineffective.<br></p><p> <strong>Gowell</strong> The lines between auditor and IT auditor are becoming increasingly blurred. Every auditor now needs to have a good working knowledge of financial reporting systems, software, networks, and cloud computing. Additionally, now that most financial reporting systems can output data into easily digestible formats such as Excel, audit departments are less dependent on IT auditors to obtain data extracts for testing.<br></p><h3>Are IT auditors becoming more specialized in specific areas, such as security, analytics, and system development projects?<br></h3><p> <strong>Gowell</strong> With the emergence of the new breed of data analytics tools that allow any auditor to perform data analytics, I see the classic IT auditor position evolving into a highly specialized role. With the right skill set, IT audit can play an important role in system development. For example, an auditor credentialed in the systems development life cycle approach and development methodologies such as Agile — and all its flavors — can significantly minimize the risk of project failure.<br></p><p> <strong>Simpson</strong> IT auditors are becoming more specialized, and that trend will continue because of the growing complexity and constant changes in IT. 
Some of the audits traditionally performed by IT auditors, such as data analytics, should be shifted to other auditors.<br></p><h3>How can technology be used to assist the internal audit staff in preparing their audit plan?<br></h3><p> <strong>Simpson</strong> All audit plans today should be risk-based, and there are several tools available to assist the department in conducting risk workshops, assessments, scoring, allocation of resources, etc. Some companies have started using data analytics to supplement risk insights via continuous monitoring systems or governance, risk, and compliance platforms; or for new business processes, they may examine a subset of key business controls.<br></p><p> <strong>Gowell</strong> I am a firm proponent of risk-based audit planning. The days of the “annual” audit plan are numbered, as risks do not change on an annual schedule. Performing a continuous risk assessment simply cannot be done without the benefit of technology. <br></p><p>The key approach leveraged by leading internal audit departments in this area is continuous self-assessment. The process owner uses technology to update risk and control changes directly into an audit management system that directly feeds the risk-based audit planning process.<br></p><h3>How can internal auditors harness the power of big data to better do their jobs?<br></h3><p> <strong>Gowell</strong> With the ability to now simultaneously harness huge volumes of unstructured and structured data, internal auditors can more easily and accurately focus their efforts on true anomalous activity. One of the challenges in limiting analytics to structured data is typically the high level of false positives, which take time to investigate. 
Leveraging big data analytics can not only make internal auditors more efficient, it also can reduce audit’s footprint on the business.</p>
<p><strong>Simpson</strong> If the internal audit function is going to add value and improve an organization’s operations, it must be able to efficiently mine/interrogate big data repositories at appropriate frequencies. This is to ensure that the insights are fed to the business in a timely manner to inform value-added risk management decisions. Key factors are the ability to:</p>
<ul><li>Understand the business environment.</li><li>Map data and data flows to business processes/procedures.</li><li>Create useful information from data repositories.</li><li>Automate into an efficient and repeatable process.</li></ul>
<h3>For those college programs that have internal audit courses, what additional subjects should they include in their curriculums to better prepare the next generation of auditors?</h3>
<p><strong>Simpson</strong> While it is important to have strong audit skills, internal auditors also should develop a solid understanding of business processes and the use of IT. More specifically, internal auditors should be well-versed in critical thinking, internal control frameworks such as COSO, and data analytics.<br>The graduate must know how to apply the data analysis tools in an internal audit context — that is, knowing what data to analyze and how to interpret the results. For any auditor to be successful using these tools he or she must be able to answer the question, “How are the internal controls represented in the business systems’ data?”</p>
<p><strong>Gowell</strong> The feedback I am hearing from audit directors is that a strong background in business is critical for today’s successful internal auditors. Additionally, in this era of text messages, email, Facebook, and Twitter, effective face-to-face communication and strong writing skills are in short supply.<br>I would build a curriculum that incorporates a strong business foundation and also addresses interpersonal communication skills to help prepare students for a successful career in internal audit.</p>
<h3>Should internal audit get into predictive analytics to provide more future insight into risks and control issues? Could predictive analytics and the different technology tools today change the way auditors work and think?</h3>
<p><strong>Gowell</strong> I am an absolute believer that audit should lead the charge in using historical data to predict trends and help reduce risk. Predictive analytics not only can prevent irregularities, it also helps maximize scarce resources by allowing departments to refine their risk assessments and prioritize audits.</p>
<p><strong>Simpson</strong> There is the traditional approach of looking at the past to determine what has happened. Then there is looking at what is happening now, implemented primarily using continuous monitoring systems. However, as predictive analytics mature, organizations will use them more often to determine what will happen. For example, a customer’s credit card transaction history can be used to determine that current transactions are anomalous based on usual behavior. Secondly, you can predict potential fraudulent transactions on a specific account by comparing the account activity to patterns of other frauds committed.</p>
<h3>Should internal auditors do on-site audits or scans of the data managed by their organization’s cloud providers?</h3>
<p><strong>Simpson</strong> Internal audit performing independent assessments of cloud computing vendors is not practical on a consistent basis, largely due to:</p>
<ul><li>An organization’s ability to maintain adequate skill sets to perform a review of the vendor’s infrastructure and operating procedures.</li><li>Competing/conflicting interests with other entities that may be supported by the vendor.</li></ul>
<p><strong>Gowell</strong> With the proliferation of cloud-based solutions comes a corresponding increase in cloud providers. The decision of whether to go on-site to audit depends on the provider and the data being managed. The internal control requirements on cloud providers are increasing, and I believe they will quickly evolve to a point where site visits, at least to the leading providers, are not necessary.</p>
<table width="100%" cellspacing="5" cellpadding="5" class="ms-rteiaTable-7"><tbody><tr class="ms-rteiaTableEvenRow-7"><td class="ms-rteiaTableEvenCol-7"><img src="/2014/PublishingImages/Michael-Gowell.jpg" alt="Brian Schwartz" /></td><td class="ms-rteiaTableOddCol-7"><span style="line-height:19.2px;">Michael Gowell is general manager and vice president of TeamMate.</span></td></tr><tr class="ms-rteiaTableOddRow-7"><td class="ms-rteiaTableEvenCol-7"><img src="/2014/PublishingImages/Andrew-Simspon.jpg" alt="Warren Stippich" /></td><td class="ms-rteiaTableOddCol-7"><span style="line-height:19.2px;">Andrew Simpson is chief operating officer of Caseware RCM Inc.</span></td></tr></tbody></table>
Staff
Related articles:

  • Small Audit Functions, Big Ideas — https://iaonline.theiia.org/2015/small-audit-functions-big-ideas (2015-03-31)
  • Explaining Risk and Internal Control While Standing on One Foot — https://iaonline.theiia.org/blogs/marks/2015/explaining-risk-and-internal-control-while-standing-on-one-foot (2015-04-07)
  • Cyberrisk on the Agenda — https://iaonline.theiia.org/2015/cyberrisk-on-the-agenda (2015-03-26)
  • The Empty Boxes Scheme — https://iaonline.theiia.org/2015/the-empty-boxes-scheme (2015-03-30)