Technology
<h1><a href="https://iaonline.theiia.org/2016/Pages/Whats-Your-Cyber-Risk-Appetite.aspx">What's Your Cyber Risk Appetite?</a></h1><p>In drafting the report for a client on a recent information security audit, there was nothing unexpected in the findings. The usual suspects lined up: access control, physical security, and network security. But something was missing, the elephant in the room: there was no defined or formalized statement of the client's information security risk appetite.</p><p>Typically, organizations do not formally consider and document their information security risk appetite. Although most organizations have an information security policy framework and supporting processes and procedures, many of those policies seem to have been written without an end goal in mind. Specifically, they do not state that the policy is based on an information security risk appetite position or statement. Organizations spend significant resources on information security, but if they do not know which systems and data are to be secured, and to what extent, how can they secure them effectively?</p><p>A first step toward drafting a risk appetite statement is an internal information security risk assessment to determine where the organization is and where it needs to be. This assessment will involve facing some truths that may not be palatable to senior management, but it will help identify the organization's unique risks and what it needs to do to address them.</p><h3 style="letter-spacing:normal;">Work up an Appetite</h3><p>The Committee of Sponsoring Organizations of the Treadway Commission's <em>Enterprise Risk Management–Integrated Framework</em> defines <em>risk appetite</em> as "The degree of risk on a broad-based level that a company or another entity is willing to accept in pursuit of its goals." 
A June 2009 study by insurance and risk company Marsh and the University of Nottingham, <em>Research Into the Definition and Application of the Concept of Risk Appetite</em>, breaks risk appetite into five categories:</p><ol><li>A limit or boundary set on the risk heat map (usually around the top right-hand corner).</li><li>Economic measures (including capital changes/impact, profit or loss, and tolerable levels).</li><li>Changes in credit ratings.</li><li>Changes in targets or thresholds of key indicators.</li><li>Qualitative statements (e.g., zero tolerance for license breaches or loss of life).</li></ol><p>The appetite for security risk should be based on the organization's overall risk appetite. The consequence and likelihood of each risk should determine whether it falls within the acceptable level. For example, the impact of not conducting periodic user access reviews on applications may be rated as "medium," which is within the organization's defined risk appetite. Consequently, management can prioritize resources for taking action based on the appetite it has set. In contrast, a denial of service risk may have the capacity to bring the organization's website down, so the rating of this risk may fall outside tolerable levels and require appropriate emergency action.</p><p>The organization needs to articulate its risk thresholds and then obtain sign-off from management. A risk-mature organization may have multiple levels of risk appetite statements across platforms and technologies. The key to success is aligning these area-specific risk statements with the overall information security risk appetite and the organization's risk appetite statement. 
</p><p>Some areas where risk appetite may be considered include:</p><ul><li>Asset management.</li><li>Access control.</li><li>Cryptography.</li><li>Physical and environmental security.</li><li>Operations security.</li><li>Communications security.</li><li>System acquisition, development, and maintenance.</li><li>Supplier relationships.</li><li>Information security incident management.</li><li>Business continuity management.</li></ul><h3 style="letter-spacing:normal;">Make a Statement</h3><p>The organization's information security risk appetite statement should be based on its overall risk appetite statement. For example, a financial institution's information security risk appetite statement may be pitched and agreed to at the high level of detail prescribed by regulatory authorities, while a start-up company may provide less detail. Factors influencing the level of detail could be the number of customers, financial impact, and the level of risk senior management and the board are willing to accept.</p><p>An example of an organization's overall risk appetite statement is:</p><p><span class="ms-rteStyle-BQ"><em>The organization has a tolerance for risk that will allow it to achieve its business objectives in a manner that is compliant with the laws and regulations in the jurisdiction in which it operates. We specifically will not tolerate any negative impact on employee and customer health and well-being.</em></span></p><p>Based on this overall risk appetite statement, the organization's information security risk appetite statement could be:</p><p><em class="ms-rteStyle-BQ">The organization has a low risk appetite for the loss of its business and customer data.</em></p><p>Moreover, information security risk appetite statements for specific areas could include:</p><ul><li>Asset Management: The organization has a medium risk appetite for physical information security assets and will track assets valued at more than US$2,000. 
Information assets will be protected per the organization's data classification framework.</li><li>Access Control: The organization has a low risk appetite for unauthorized access. All access to the organization's mission-critical systems will be controlled via biometric authentication.</li></ul><h3 style="letter-spacing:normal;">Defining Acceptable Risk</h3><p>Having an information security risk appetite statement ensures the organization has defined what it considers an acceptable level of risk. Without such a statement, the organization is implicitly saying either that all information is important and will be protected, or that no information is important and therefore will be freely available. Either scenario could be a survival risk for the organization in the long term.</p><p>Information security risk appetite is the next step in an organization's maturing understanding of risk management. By giving information security special attention, the organization is acknowledging that this area needs to be addressed specifically.</p><p><em>Shannon Buckley</em></p>
<h1><a href="https://iaonline.theiia.org/2016/Pages/Software-Assets,-Hidden-Risks.aspx">Software Assets, Hidden Risks</a></h1><p>By Huzaifa Hussain and Syed Salman</p><p>Most organizations today use a wide range of software to help serve their customers and manage their operations. Software includes operating systems, applications, network management programs, enterprise resource planning solutions, and time-sheet management systems.</p><p>Washington, D.C.-based software industry advocacy organization BSA's <a href="http://www.bsa.org/globalstudy" target="_blank">Global Software Survey</a> finds that 39 percent of software installed globally in 2015 was not licensed appropriately. A 2014 Gartner survey noted that 68 percent of respondents reported having one or more software license audits within the past year. Moreover, according to a 2013 Cherwell Software <a href="https://www.cherwell.com/-/media/cherwell/files/brochures/cherwell-express-software-manager-2013-software-audit-industry-report.pdf?la=en" target="_blank">report</a> (PDF), 57 percent of the 178 North America-based IT professionals surveyed said their organization owed money to the vendor at the conclusion of a software audit. Of those organizations that owed money, the largest subset owed between US$50,000 and US$250,000. Nearly 60 percent of respondents said license agreements are difficult to understand or interpret.</p><p>Software license compliance is a global problem, says Tariq Ajmal, IT risk advisory leader for a large professional services firm in the Middle East, who has been involved in software asset management (SAM) reviews for large organizations. "Many large organizations in the Middle East have vendor license exposures of over US$1 million," he says.</p><p>Given these statistics, IT auditors should include SAM reviews in their audit plans to ensure all of their organization's software complies with its license agreements. 
When organizations do not abide by their license agreements, or do not track what they have purchased and deployed, the result can be spending on unused software licenses, weak controls over software procurement, asset tracking, and retirement, financial exposure for noncompliance with software agreements, and significant unrecorded liabilities.</p><p>The objectives of a SAM review are to:</p><ul><li>Provide an integrated view of installed software to allow a one-to-one reconciliation between usage and purchased/licensed records.</li><li>Review the organization's process to enable an effective software management life cycle.</li></ul><p>IT auditors can perform two broad SAM engagements: auditing the SAM process itself, and assessing compliance with software licenses.</p><h2>The SAM Process</h2><p>The software license acquisition and inventory process can be hindered by a lack of communication between the organization's procurement department and the individuals who perform SAM activities. IT auditors should assess whether communication and coordination between these parties is adequate and allows for accurate tracking of the organization's software assets.</p><p>To prepare to perform this audit, auditors can refer to ISO/IEC 19770-1:2012, Information Technology — Software Asset Management. One key area to review is organizational management processes such as corporate governance processes, roles and responsibilities, and the adequacy of SAM policies and procedures.</p><p>Another area to review is core SAM processes. These include identification of software assets, baseline software inventory and license compliance, security of software assets, and operational management processes and interfaces for SAM. 
</p><p>In addition, the audit should assess process interfaces for SAM, including agreement and contract management, the software acquisition process, change management, the software development process, problem and incident management, and the software retirement process.</p><h2>Software License Assessment</h2><p>The key focus of software license audits is establishing a baseline for software. Specifically, auditors should compare the deployment of software throughout the organization with the number of licenses purchased as stated in the software licensing agreement. This comparison typically will identify cases of overdeployment or underdeployment of software, usage of unauthorized or pirated software, and software contract violations. Auditors will need a deep technical understanding of the software being reviewed because the structure and licensing metrics of agreements (per device, per named user, or per processor core, for example) can vary greatly, and the same inventory can be compliant under one metric and noncompliant under another.</p><p>Auditors should prioritize which software to select for such reviews using a risk-based approach. Prioritization could be based on factors such as the number of deployments and the value of the software licensing agreement.</p><h2>A Solid Foundation</h2><p>IT auditors should understand that software assets bring with them serious legal, reputational, and financial licensing risks that must be mitigated appropriately by management. Conducting SAM reviews can assure the organization that it complies with all of its legal obligations, uncover any hidden liabilities the organization might face, and ensure software vendor audits progress smoothly.</p><p>Such audits can be a cornerstone of a robust SAM program that helps organizations save costs by optimizing their deployments to better suit the licensing metrics that are most economical. Moreover, an effective SAM program can help the organization establish a solid foundation to become secure and resilient. 
</p><p><em>Huzaifa Hussain, CISA, CISM, PMP, MCP, is a senior manager and leader of the software asset management service line at a large professional services firm in the Middle East.</em></p><p><em>Syed Salman, CISA, has 11 years of experience in professional services ranging from IT audits to IT risk advisory at a diverse set of large entities in the Middle East and South Asia.</em></p>
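<p>The baseline comparison described under "Software License Assessment" above, as an added example that is not code from the article or its authors: it reconciles a scanned installation inventory against purchased entitlements and classifies each product as overdeployed, underdeployed, compliant, or unlicensed. The inventory records, entitlement records, product names, and the three metric names ("install", "user", "core") are all constructed for this example; real agreements use their own metric definitions, which is exactly why the same inventory (DesignTool below) can look compliant per device but not per user.</p>

```python
"""Reconcile a software inventory against license entitlements (added example)."""
from collections import defaultdict

# Constructed sample data: one record per installation found by an inventory
# scan (host, primary user, product, and the host's processor core count).
INVENTORY = [
    {"host": "ws-001", "user": "alice", "product": "OfficeSuite", "cores": 4},
    {"host": "ws-002", "user": "bob", "product": "OfficeSuite", "cores": 4},
    {"host": "ws-003", "user": "carol", "product": "OfficeSuite", "cores": 8},
    {"host": "ws-004", "user": "dave", "product": "OfficeSuite", "cores": 4},
    {"host": "db-01", "user": "svc-db", "product": "DBServer", "cores": 16},
    {"host": "db-02", "user": "svc-db", "product": "DBServer", "cores": 8},
    {"host": "ws-001", "user": "alice", "product": "DesignTool", "cores": 4},
    {"host": "lap-007", "user": "alice", "product": "DesignTool", "cores": 4},
    {"host": "ws-009", "user": "erin", "product": "PhotoEditor", "cores": 4},
]

# Constructed entitlements: the metric each agreement counts ("install" per
# device, "user" per named user, "core" per processor core) and the quantity
# purchased. The metric names are this example's own convention.
ENTITLEMENTS = {
    "OfficeSuite": {"metric": "install", "quantity": 3},
    "DBServer": {"metric": "core", "quantity": 32},
    "DesignTool": {"metric": "user", "quantity": 2},
    "ReportWriter": {"metric": "install", "quantity": 5},
}


def measure_usage(records, metric):
    """Count the license units consumed by one product's records under a metric."""
    if metric == "install":
        # One unit per device, however many times the scan reported it.
        return len({r["host"] for r in records})
    if metric == "user":
        # One unit per named user, regardless of how many devices they use.
        return len({r["user"] for r in records})
    if metric == "core":
        # Sum cores once per host so duplicate scan records do not double count.
        cores_by_host = {r["host"]: r["cores"] for r in records}
        return sum(cores_by_host.values())
    raise ValueError(f"unknown license metric: {metric!r}")


def reconcile(inventory, entitlements):
    """Return one finding per product seen in either the inventory or the
    entitlements: metric, licensed, used, delta (used - licensed) and a status
    of overdeployed, underdeployed, compliant, or unlicensed."""
    by_product = defaultdict(list)
    for record in inventory:
        by_product[record["product"]].append(record)

    findings = {}
    for product in sorted(set(by_product) | set(entitlements)):
        records = by_product.get(product, [])
        entitlement = entitlements.get(product)
        if entitlement is None:
            # Installed but nothing purchased: count devices so the exposure is visible.
            used = measure_usage(records, "install")
            findings[product] = {"metric": None, "licensed": 0, "used": used,
                                 "delta": used, "status": "unlicensed"}
            continue
        metric, licensed = entitlement["metric"], entitlement["quantity"]
        used = measure_usage(records, metric)
        if used > licensed:
            status = "overdeployed"
        elif used < licensed:
            status = "underdeployed"  # shelfware: paid for but unused units
        else:
            status = "compliant"
        findings[product] = {"metric": metric, "licensed": licensed, "used": used,
                             "delta": used - licensed, "status": status}
    return findings


def prioritize(findings):
    """Order findings for follow-up: unlicensed, then overdeployed, then
    shelfware, then compliant; within a status, the largest gap first."""
    rank = {"unlicensed": 0, "overdeployed": 1, "underdeployed": 2, "compliant": 3}
    return sorted(findings.items(),
                  key=lambda kv: (rank[kv[1]["status"]], -abs(kv[1]["delta"])))


if __name__ == "__main__":
    for product, f in prioritize(reconcile(INVENTORY, ENTITLEMENTS)):
        print(f"{product:<12} {f['metric'] or '-':<8} licensed={f['licensed']:<3} "
              f"used={f['used']:<3} delta={f['delta']:<4} {f['status']}")
```

<p>In practice the inventory would come from the organization's discovery tooling and the entitlements from procurement records; the point of keeping the metric out of the inventory and in the entitlement is that a device-based scan alone cannot tell an auditor whether a per-user or per-core agreement is being honored.</p>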
<h1><a href="https://iaonline.theiia.org/2016/Pages/Privacy-in-the-Workplace.aspx">Privacy in the Workplace</a></h1><p>Digital technology has changed workplace behavior — and expectations — for both employees and their employers. The ubiquitous use of smartphones and other devices, company-issued and personal, places communications and data management continually at users’ fingertips. Internet use alters the traditional dimensions of employees’ work flexibility requirements and need for expression, as well as employers’ need to monitor employees’ online activity.</p><p>Employee concerns have been amplified by the ever-evolving technologies and data collection methods that can seem personally intrusive. Any privacy expectations employees may have are being curtailed by privacy policies, privacy pop-up screens during computer log-ins, background checks, and other workplace measures. At the same time, governments worldwide have issued regulatory guidance to address privacy issues, but that guidance often falls short when it comes to balancing employers’ need to monitor against employees’ expectations of privacy. Both noncompliance with regulations and the balancing of privacy needs represent major concerns.</p><p>Among respondents to PricewaterhouseCoopers’s (PwC’s) Global State of Information Security Survey 2016, 32 percent say their board members review security and privacy risks, up from 25 percent in 2015. Employees remain one of the most-cited sources of compromise, with 34 percent of respondents citing current employees as sources of security incidents and 29 percent citing former employees. Organizations have legitimate reasons for wanting to keep tabs on employee data, but employees also want some measure of protection from prying eyes. Evolving expectations on both sides are changing where employees, and their employers, draw the line. 
Internal auditors tasked with examining privacy in the organization should know where the risks lie, and what requirements their clients may face.</p><h2>Drivers of Privacy Disruptions</h2><table width="100%" cellspacing="0" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Sound Privacy Program</strong></p><p>An effective privacy strategy comprises numerous practices. Organizations that manage privacy well typically feature several components in their approach:</p><ul><li>An organizational view of what privacy means.</li><li>An understanding of how privacy and data protection fit into the organization’s overall business strategy.</li><li>Complete knowledge of what data is held, where it is, and who has access to it.</li><li>A clear understanding of data ownership and of the circumstances under which data is protected and under which it is not.</li><li>Understanding and management of the risks introduced to the data by third parties.</li><li>Data governance that ensures data is being used for the purpose that the organization has committed to, and nothing more.</li><li>A privacy model designed with agility in mind, given the ever-changing privacy landscape.</li><li>Thorough familiarity with legal obligations in the U.S. and abroad, and tracking of developments in regulatory enforcement actions and case law.</li></ul></td></tr></tbody></table><p>Historically, employee monitoring has been limited to checking internet and email usage. Today, digital disruption trends powered by mobile devices, social media, analytics, big data, and the Internet of Things have opened up a host of additional channels for employee activity. In addition, increased competition has fueled mergers and acquisitions, as well as use of offshoring models and reliance on third parties, resulting in constantly changing privacy expectations in the workplace. 
Organizations are also starting to apply data analytics to better match people to jobs and to more efficiently and cost-effectively recruit, manage, and retain talent. Employees have a need to be heard and to contribute, and they use internal message boards and social media sites to do that. Most organizations do not even realize how much data is being collected and analyzed, which exposes them to legal and compliance risks.<br><br><strong>Employee Expectations</strong> With the rise of a constantly mobile and fluid workforce and the consumerization of technology, trust is essential in the digital world. More and more employees expect to use their own devices and applications at work, as well as cloud services they’re familiar with, because they believe those tools make them more productive.</p><p>As employees use these devices with greater frequency, and as they become increasingly responsible for the data they hold in their cloud accounts, trust becomes a more significant factor. For instance, who is responsible if cloud data gets stolen or a device gets hacked? If software that can disable or wipe the device is installed to protect the employer, what is the employer’s responsibility for any personal information that gets lost? If the company comes under investigation by the authorities, would personal devices and data have to be handed over?</p><p>Employees might be more inclined to use wearable technology such as a smart watch if the information collected were used to manage work hours or stress levels. They may trade personal data for flexible working hours, free health screening, and fitness incentives, and approach data sharing more openly if the information is anonymized and shared at an aggregate level. 
Wearable technology, GPS tracking devices, radio frequency devices, and video cameras deployed in mobile workforces have great potential to track employee movement and productivity, but at the same time, each individual will have a personal limit to what is considered shareable.<br><br><strong>Employer Expectations and Drivers</strong> Employers’ concerns generally center on the need to protect themselves from loss of confidential information, shield against cyber threats, and comply with laws and regulations. Those needs require that employers monitor employee communications on company-issued computers, cell phones, tablets, and social media sites. Employers also need to collect personal information, such as Social Security numbers and health-related information, to provide health and compensation benefits. Companies are expected to act reasonably regarding their possession of that personal information and to respect employees’ rights to privacy. E-discovery tools are now more commonly deployed to investigate suspicious behavior, as are data loss prevention tools to monitor network traffic and secure computers.<br><br><strong>Regulatory Landscape</strong> Regulatory developments in recent years have focused mainly on the types of data that should be protected, such as personally identifiable information (PII), health information, financial information, and certain demographic information such as income and union representation. Employees in the U.S. have minimal expectations of privacy compared with their counterparts in Europe and Japan, where privacy protections are far broader and often take precedence over other laws and regulations, although they vary from country to country.</p><p>In the U.S., employee rights are protected by laws such as the Electronic Communications Privacy Act and the Health Insurance Portability and Accountability Act (HIPAA) and, for public-sector employees, by the Constitution’s Fourth Amendment; in the European Union (EU), by the data protection laws of the member states. 
However, outside of specific data privacy laws such as HIPAA, interpretations of those laws and regulations are based on <em>reasonable expectations</em> of privacy and refer to both an employee’s expectation and an employer’s implementation of privacy policies in the workplace. Reasonable expectation can be interpreted differently by different societies, and regulation has not kept pace with technological change. Each country has its own multifaceted legal framework, and some of those frameworks reach employers based elsewhere (see “Global Privacy Laws and Regulations” at the end of this article for examples).</p><h2>Audit Considerations</h2><p>Organizations should consider taking a holistic approach to managing privacy in the workplace. Moreover, their privacy framework should be agile enough to accommodate changing regulations. Internal auditors should evaluate the framework and other areas of privacy management to gauge the effectiveness of organizational efforts and overall governance.<br><br><strong>Governance Framework</strong> Internal audit should evaluate the organization’s governance framework, if one exists, to verify whether roles and responsibilities for managing privacy have been identified. An adequate framework will incorporate not only a chief information security officer or chief risk officer but also cross-functional partnerships across departments and geographies. If no framework exists, auditors should make sure that management defines a strategic vision and framework that meets current and long-term business objectives.<br><br><strong>Privacy Risk and Compliance</strong> Executing a privacy risk and compliance assessment is an essential step in evaluating whether the organization has translated its strategic vision and framework into practical implementation. 
This step entails a gap assessment against applicable laws and regulations in all geographies, as well as discovery and data flow mapping of the data elements that are stored, transmitted, or transferred, whether on organizational networks or on hard copies. Internal audit should execute such assessments periodically and perform a risk assessment more frequently to evaluate the impact of organizational and regulatory changes.<br><br><strong>Policies, Processes, and Controls</strong> Auditors should be proactive in guiding management to develop new, or enhance existing, policies, processes, and controls by incorporating privacy by design (i.e., embedding privacy into the design specifications of technologies, business practices, and physical infrastructures). They should, for example, evaluate the privacy impacts of new products, third parties, mergers and acquisitions, systems, and technologies; and when the organization enters new markets, auditors should make sure controls are in place to manage privacy requirements. Controls around investigations of employee behavior on an organization’s networks and computer systems should be in place and evaluated by auditors periodically. These controls might include documented internal approval before e-discovery tools are used, clearly articulated purposes for monitoring that are proportionate to the investigation under way, and involvement of legal counsel when necessary.</p><p><strong>Training and Awareness</strong> Once policies set the tone for data protection management and guidance, employees and third parties should be trained in their roles and responsibilities. Training and awareness should be adapted to meet specific needs at every level: executives, management personnel, human resources personnel, supervisors, IT staff, and so on. 
Auditors can advise management on the development of such programs and then periodically assess employee participation to gauge training compliance.<br><br><strong>Monitoring and Response</strong> Monitoring the environment to ensure compliance with privacy regulations is not just about deploying e-discovery and other tools over the network. It requires ongoing communication and periodic reporting across departments and geographies to help identify and isolate privacy concerns in a timely manner. Even organizations with extensive monitoring could encounter incidents or privacy crises with no warning and react reflexively. In their haste, decision makers could fail to consider who should be in the room making decisions, how emerging issues should be prioritized, and how to think strategically beyond the next 24 hours. Internal auditors should ensure that the business has incident management and response capabilities that align with good practice and overall business objectives.</p><h2>A Matter of Trust</h2><p>Trust in the digital age can be difficult for employers to navigate because it is closely intertwined with risk, security, and privacy. Little stays hidden in the digital world; the views and opinions of former and current employees are available for everyone to see, and employees expect a clear explanation of what they are contributing and how they are to be rewarded for it. For these reasons, ongoing trust must be built between employers and employees through transparency in their day-to-day interactions and a mutual interest in balancing both parties’ priorities.</p><table width="100%" cellspacing="0" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><h3>Global Privacy Laws and Regulations</h3><br>Organizations need to carefully consider the privacy-related legal requirements that apply to the areas in which they do business. 
A subset of the main laws and regulations affecting privacy worldwide may be helpful for internal auditors looking to assess the potential risks.<br><br><strong>EU–U.S. Privacy Shield</strong> was approved in July 2016, in the form of a data transfer framework between the U.S. and EU member states, to replace the defunct Safe Harbor agreement after intense negotiations between the U.S. Department of Commerce and the European Commission. At first blush, the Privacy Shield seems to resemble Safe Harbor, but closer inspection reveals that it introduces increased compliance complexities for U.S. businesses. The framework includes stricter requirements for enrolling and monitoring, additional third-party risk management considerations, new avenues for data-subject complaint escalation, and further limitations on government access to personal data. Employers must decide whether to participate in the new data transfer framework or use an alternative method to establish adequacy. More importantly, the decision about a data transfer method must be viewed in light of the General Data Protection Regulation, a much larger compliance obligation for U.S. companies that profile or collect data from individuals in the EU.<br><br><strong>U.S. Securities and Exchange Commission’s Regulation Fair Disclosure</strong> requires issuers to disclose material information to the general public in a broad and nonexclusive manner. Registrants, therefore, must safeguard such information from inappropriate access and disclosure, in part through monitoring activities.<br><br><strong>Japanese Act on the Protection of Personal Information</strong> defines personally identifiable information (PII) as any information about a living individual that could identify the individual by name, date of birth, or other description contained in such information. 
The act imposes data protection requirements on PII, including securing prior consent from individuals before exchanging or disclosing PII to third parties. The act was amended in September 2015 to require organizations that employ Japanese citizens to comply with the cross-border exchange requirements for PII before September 2017.<br><br><strong>Australian Privacy Act and Australian Privacy Principles</strong> affect public and private entities in Australia as well as overseas businesses that manage the employee personal information of Australian citizens. The act and the principles specify requirements for active maintenance and notification of privacy policy and for extending liability, including the imposition of fines, to overseas businesses in cases of breaches that result in the loss of an Australian citizen’s PII.<br><br><strong>U.S. National Labor Relations Act</strong> protects the rights of employees to organize and bargain collectively with their employers and to engage in other protected concerted activity. Employers are prohibited from restricting employees from acting together, with or without a union, to address work conditions that affect their personal lives. The provisions extend to conversations carried out in personal email accounts and on social media sites.<br><br><strong>General Data Protection Regulation (GDPR)</strong> was adopted by the European Parliament and the Council in April 2016 and applies from May 2018 after a two-year transition period. The GDPR strengthens European data protection law, giving individuals in the EU greater say in how their personal data is collected and managed. This complete overhaul of EU privacy law applies to any business that offers products or services to individuals in the EU and to any business that monitors their behavior, and it gives supervisory authorities the power to fine violating companies up to 4 percent of annual global turnover or €20 million, whichever is higher. 
New compliance requirements include an appointed data protection officer (where required), privacy by design and by default in products and services, the right to erasure (the “right to be forgotten”), data protection impact assessments for high-risk processing, and complete inventories of personal data and third-party data processors.<br><br><strong>U.S. E-Government Act of 2002</strong> requires that a federal agency conduct a “privacy impact assessment” before developing or procuring an IT system or project that collects, maintains, or disseminates PII about members of the public. The act also sets forth uniform confidentiality protection requirements regarding such data.</td></tr></tbody></table><p><span class="ms-rteStyle-Quote">Parthiv Sheth is a director in PwC’s Risk Assurance practice in New York.</span><br><span class="ms-rteStyle-Quote">Khalid Wasti, CIA, CPA, CISA, CITP, is a partner in PwC’s Internal Technology Audit Solutions practice in New York.</span><br><span class="ms-rteStyle-Quote">A. Michael Smith, CPA, CISA, CISSP, is a national partner in PwC’s Internal Technology Audit Solutions practice in the U.S.</span></p>
<h1><a href="https://iaonline.theiia.org/blogs/marks/2016/Pages/Internal-Audit-and-the-Internet-of-Things.aspx">Internal Audit and the Internet of Things</a></h1><p>Last month, <em>Compliance Week</em> published "<a href="https://www.complianceweek.com/blogs/jose-tabuena/internet-of-things%e2%80%99-role-in-internal-audit-compliance#.V_an0-grKhc" target="_blank">Internet of Things' Role in Internal Audit &amp; Compliance</a>."</p><p>I heartily agree that this is a topic that merits internal audit's (and the compliance function's) serious attention.</p><p>To quote the article, "Forbes provides a nice simple description of the concept as one of 'connecting any device with an on and off switch to the Internet (and/or to each other).'"</p><p>The Internet of Things (IoT) is not futuristic. It is here today. It will only mushroom in the future, with just about everything interconnected.</p><p>For example, I armed my home security system using my phone while on the way to the airport (I was not driving). If anybody tries to break in, I will receive an alarm on my phone wherever I happen to be.</p><p>Some people have their hearts monitored over the internet — <a href="http://www.forbes.com/sites/ptc/2014/08/05/how-the-internet-of-things-may-help-save-heart-attack-and-stroke-victims/#3fa46ab93357" target="_blank">see this article from <em>Forbes</em></a>.</p><p>What should internal audit be doing about it?</p><p>Certainly, the level of work should be driven by the level of risk. But do we know what the level of risk is when it comes to IoT?</p><p>The article appears to expect internal audit to assess the risk by finding out how "IoT [is] deployed in our organization today."</p><p>I would take a different approach. I would find out whether management knows what is connected to what and why. 
If they don't know, that is a huge risk itself — how can IoT and its attendant risks be assessed and addressed if they are not known to management?</p><p>Assuming that they know the current state, I would ask for their risk assessment and how they are addressing the identified risks.</p><p>My next step would be to find out what changes are expected over the next 12 months and whether management is addressing them in its risk assessment.</p><p>These few questions would give me a "feel" for the level of risk and whether an audit engagement is merited.</p><p>I might go a step or two further and ask how they know what is connected to what, and how they have identified and addressed the risks.</p><p>That should give me sufficient confidence to know whether an audit engagement should be performed, what form of engagement it should be (assurance or advisory), and when.</p><p>Too many commentators want internal audit to identify and assess emerging risks, such as IoT.</p><p>I strongly disagree. That is management's role, not internal audit's.</p><p>Internal audit can assist by ensuring management has sound practices for identifying, assessing, and addressing risks — both emerging risks and existing risks where the level changes.</p><p>Do you agree?</p>Norman Marks
Do You Have Data Fever? (https://iaonline.theiia.org/2016/Pages/Do-You-Have-Data-Fever.aspx)<p>A new internal auditor receives his latest assignment. His manager asks, “How are you going to approach the review of this area?” The auditor responds, “I want to test this, and I want to test that, and I want to test the other thing.” The manager asks why the auditor wants to perform those tests. Excitedly, the auditor answers, “Because that’s where all the information is.”<br></p><p>This scenario illustrates a common mistake made by new auditors — seeking to jump in without considering the risks, the processes, the criteria, or even the audit objective. The auditor recognizes a testable area and says, “I am doing an audit of this department and I know they have expense reports, so I will test the expense reports.”<br></p><p>Of course, those of us with years of experience and knowledge would never fall into that trap, right? Not so fast.<br></p><p>We live in a world where systems hold more information than anyone can possibly fathom. We are awash in data — big, large, super-sized, venti. And data analytics has become a buzzword that draws auditors like fraudsters to inadequate controls. When auditors see that glorious richness of data, they fall back into that rookie mind-set: “I don’t know what I want or what I’m trying to prove or what I’m going to do with it, but I want everything you’ve got.”<br></p><p>At one time or another we’ve all caught it — data fever: The desire for more and more information without considering what that data is. We turn the fire hose on full force and what we intended to be a thirst-quenching sip of real information turns into a suffocating flood of meaningless facts, figures, and folderol. <br></p><p>More is not always better. The rules for gathering data are the same as for any audit test. First determine what you want to accomplish with the audit. 
Then articulate what you want to do with the data, coordinating that understanding with the already-identified risks. <br></p><p>It all begins by understanding what the data represents and what it might say. Before even thinking about asking for the data, auditors should talk with the data owners to understand what is available, how it is used, and how it relates to the processes under review. Then, and only then, should auditors begin to think about what data may be needed.<br></p><p>The promise of data analytics is to assist in performing audit work more efficiently. It also represents an opportunity for internal audit to provide real value by showing the organization how all that data can be helpful to everyone. But that cannot be accomplished by just gathering every scrap of data available. Just as you would stop a new auditor from barging forward with unfocused and potentially meaningless testing, stop yourself when asking for a data dump and determine what you are really trying to accomplish. <br></p>Mike Jacka
Reporting on Cyber Threats (https://iaonline.theiia.org/2016/Pages/Reporting-on-Cyber-Threats.aspx)<p>Cybersecurity is at the forefront of most organizations' risk discussions, especially at the audit committee and senior executive levels. However, internal audit reporting may not reflect current cyber threats. It is time for auditors to consider revising the evaluation criteria they use to determine whether an IT finding is reportable.</p><p style="text-align:left;">Raising IT risk concerns may clash with the audit committee's threshold for materiality. For example, data breaches often involve reputation risks more so than financial risks. This is the existential question with cybersecurity: what is costly versus what makes the organization look bad. Overall, internal audit should consider whether outdated reporting criteria have created an expectation gap between what the audit committee expects to be reported and what internal audit considers worth reporting.</p><h2>The Current State of Reporting</h2><p>CAEs use multiple criteria to determine whether a finding is reportable to the audit committee and senior executive levels. In a survey of 163 CAEs conducted in July by The IIA's Audit Executive Center, 81 percent say their reporting criteria do not differ among different types of audits, such as fraud, compliance, and IT. </p><p>The survey reveals minimal differences in criteria used to report to the audit committee and senior management. Forty percent of respondents use a combination of criteria or additional criteria, including all internal control weaknesses, judgment, and risks to the organization, to determine what to report to senior executives. That percentage rises to 45 percent who use those criteria as a basis for reporting to the audit committee. Thirty-nine percent use pervasive internal control weakness as their criterion for reporting to both levels. 
Overall, just 7 percent consider dollar threshold a reporting indicator for both senior executives and audit committees. </p><p style="text-align:justify;"> <img src="/2016/PublishingImages/gen-report-exec.jpg" alt="" style="margin:5px;width:425px;height:317px;" /> <em>Source: IIA Audit Executive Center</em><br> </p><p style="text-align:justify;"> <img src="/2016/PublishingImages/Gen-report-ac.jpg" alt="" style="margin:5px;width:425px;height:323px;" /> <em>Source: IIA Audit Executive Center</em><br></p><p>When asked about specific IT findings, CAEs overwhelmingly focus on whether the findings affect more than one business segment or department, or have an organizationwide impact (49 percent to senior executives and 51 percent to audit committees). Additionally, 42 percent use a combination of criteria that includes other factors such as business and reputational impact in determining which issues to report to senior executives and the audit committee. Only 5 percent of respondents consider dollar threshold a reporting criterion for either level.</p><p style="text-align:justify;"> <img src="/2016/PublishingImages/IT-report-exec.jpg" alt="" style="margin:5px;width:425px;height:329px;" /> <em>Source: IIA Audit Executive Center</em><br></p><p style="text-align:justify;"> <img src="/2016/PublishingImages/IT-report-ac.jpg" alt="" style="margin:5px;width:425px;height:339px;" /> <em>Source: IIA Audit Executive Center</em><br></p><h2>Are the Criteria Still Appropriate?</h2><table width="100%" cellspacing="0" class="ms-rteTable-0"><tbody><tr class="ms-rteTableEvenRow-0" style="text-align:center;"><td class="ms-rteTableEvenCol-0" colspan="2" style="width:50%;"><strong>Audit Committee and Senior Executive <br>Reportable IT Findings</strong></td></tr><tr class="ms-rteTableOddRow-0"><td class="ms-rteTableEvenCol-0"><strong>Reportable</strong> </td><td class="ms-rteTableOddCol-0"><strong>Not Reportable</strong> </td></tr><tr 
class="ms-rteTableEvenRow-0"><td class="ms-rteTableEvenCol-0">User account activation process findings that impact the organization's ability to appropriately assign user access.</td><td class="ms-rteTableOddCol-0">User access typically is assigned appropriately, but a current audit noted a couple of users whose access was assigned incorrectly. </td></tr><tr class="ms-rteTableOddRow-0"><td class="ms-rteTableEvenCol-0">User account deactivation process findings that impact the organization's ability to disable user access timely upon termination. </td><td class="ms-rteTableOddCol-0">User account deactivation process works correctly, but a current audit noted one or two contractors or employees whose access was not disabled timely. </td></tr><tr class="ms-rteTableEvenRow-0"><td class="ms-rteTableEvenCol-0">User transfer process findings where access is not removed when employees transfer to other departments.</td><td class="ms-rteTableOddCol-0">User access is typically adjusted upon transfer, but a current audit identified one or two users whose access was not adjusted. </td></tr><tr class="ms-rteTableOddRow-0"><td class="ms-rteTableEvenCol-0">Patching process findings where patching does not occur timely organizationwide. </td><td class="ms-rteTableOddCol-0">Most servers are patched timely except for a few. </td></tr><tr class="ms-rteTableEvenRow-0"><td class="ms-rteTableEvenCol-0">Two-factor authentication findings where the authentication system has organizationwide issues (i.e., does not work all the time). </td><td class="ms-rteTableOddCol-0">Most servers have two-factor authentication enabled for interactive login, but one or two do not. </td></tr></tbody></table><p>Although organizationwide impact is the criterion survey respondents consider most important in deciding whether to report IT findings, relying on it may lead internal audit not to report seemingly lesser findings that could be significant cyber threats. 
Findings such as having one or two untimely user account terminations or users who have been assigned incorrect access would most likely not be considered reportable under the criteria currently in general use (see "Audit Committee and Senior Executive Reportable IT Findings" at right). </p><p>Yet, these are similar to the causes of some of the largest data breaches reported to the <a href="http://www.idtheftcenter.org/" target="_blank">Identity Theft Resource Center</a> both this year and historically. These include:</p><ul><li>Stolen third-party or employee credentials.</li><li>Stolen mobile device.</li><li>Unsecure wireless network.</li><li>Two-factor authentication disabled on a few servers.</li></ul><p>These data breach trends suggest the current reportable criteria may not reflect cyber threat reality. Although only a few such items, or even one, may be found during an audit, a single one can open the door for a hacker, or even an ordinary user, to steal data. In the world of cybersecurity, the small details matter. Failing to perform an appropriate activity for a single user or server could have an organizationwide impact.</p><p>Questions to consider include:</p><ul><li>In today's world of cyber threats, are the criteria used to decide when to report an IT finding to the audit committee and senior executives still relevant?  
</li><li>Should the criteria be revised so that other IT findings currently deemed to be lesser risk would be considered reportable?</li><li>Are the board or senior executives sufficiently educated about cybersecurity to understand the impact of such findings?</li></ul><h2>Modifying Expectations</h2><p> <a href="https://bookstore.theiia.org/internal-audits-role-in-cyber-preparedness" target="_blank">Internal Audit's Role in Cyber Preparedness</a>, a 2015 white paper from The IIA's Internal Audit Foundation, discusses the importance of taking a holistic approach to an organization's cybersecurity practices and how internal audit can assist in this endeavor. The white paper cites a <a href="https://www.nacdonline.org/cyber">National Association of Corporate Directors (NACD) publication</a> in which 87 percent of respondents to the 2013-2014 NACD Public Company Governance Survey reported their board's understanding of IT risk needs improvement. The IIA white paper says boards could gain access to cybersecurity expertise by adding members with technology industry expertise. Other suggestions include:</p><ul><li>Scheduling "deep dive" briefings from third-party experts, including specialist cybersecurity firms, government agencies, and industry associations.</li><li>Leveraging the board's existing independent advisers, such as external auditors and outside counsel, who will have a multiclient and industrywide perspective on cyberrisk trends.</li><li>Participating in relevant director education programs, whether provided in-house or externally.</li></ul><p>As boards increase their cyber awareness, internal audit is complementing this awareness by becoming more technology-savvy and providing services to the organization such as helping the board understand IT risks and the impact of new technology initiatives. 
Becoming more adept at using technology is helping internal audit provide such services, according to a recent Protiviti Report, <a href="http://www.protiviti.com/iaworld" target="_blank">Internal Auditing Around the World</a>. </p><table width="100%" cellspacing="0" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​ <p> <strong>Summary and Analyses of Findings That Did Not Meet the Required Reporting Threshold</strong></p><p>Fifteen users with excess or incorrect access were noted among seven audits. Upon evaluating these overall, internal auditors noted an increased trend of failure by the business owners to ensure an adequate access review is performed periodically. Further follow-up revealed that five of the seven business owners were relatively new to the company and had not received the appropriate training. As management is aware, excess or incorrect access rights increase the organization's cyber threat level.</p><p>Untimely disabling of a user's application account occurred in eight out of 10 audits. While none of these incidents met the reporting criteria on its own, internal audit noted an upward trend in untimely removal of user access. It is interesting to note that five of the eight users were contractors for whom the business areas did not provide prompt notification of the need to disable their access. Management is now considering alternatives to manage contractor access. </p></td></tr></tbody></table><p>This growing cyber awareness creates an opportunity for internal audit to report on IT findings that were once considered lower risk and less impactful organizationwide. Similar to the common experience of external auditors reporting various material or immaterial individual financial adjustments, reporting on these IT events can further educate the board and senior executives on cyberrisks. 
</p><h2>Reporting Alternatives</h2><p>In a world where a single IT event can now cause an organizationwide threat, internal audit needs to engage audit committees and senior executives in discussions about single detailed events and their impacts. Yet, it takes time for perspectives to change and education to occur. In the meantime, there are alternatives auditors can use to retain the current reporting criteria and still emphasize these singular IT findings, including:</p><ul><li>Modifying the reporting narrative of each audit that is distributed to the audit committees and senior executives, including elaborating on the cyber threats encompassed by the audit. Alternatively, during the audit committee presentation, auditors can spend a few moments discussing the cyber threats detailed in the audit.</li><li>Educating senior executives and audit committees on the finer cyber threat details.</li><li>Maintaining the current reporting criteria and providing an annual summarized report noting the major themes from all unreported IT issues identified (for an example, see "Summary and Analyses of Findings That Did Not Meet the Required Reporting Threshold" at right).</li></ul><p>Although revising reporting criteria to better reflect the current cyberrisk environment should occur, suddenly changing long-established reporting practices may not be the best solution. Using the suggested reporting alternatives and easing into new criteria will allow time for the audit committee and senior executives to adjust their perspectives. Moreover, a gradual shift will allow for additional training and understanding that a single IT finding could do as much harm as a pervasive IT finding. </p>James Reinhard
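The third alternative above (keep the threshold, but roll the sub-threshold findings up into an annual theme summary) and the article's point that a single control gap can be reportable on its own can both be expressed as decision logic. The following is an added example, not code from the article or The IIA; the finding categories mirror the article's reportable/not-reportable table, and every audit record in it is constructed so that the totals match the "Summary and Analyses" box (15 users across seven audits, eight of 10 audits with an untimely deactivation, five of those eight contractors). The `reportable_cyber` rule, which treats any unaddressed deactivation or two-factor gap as reportable regardless of scope, is this example's own assumption about what a revised criterion might look like.

```python
"""Roll individually sub-threshold IT findings into the annual theme
summary the article proposes, and compare a legacy reporting criterion
with a cyber-aware one.  Added example; all data is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Finding categories taken from the article's "Reportable IT Findings" table.
CATEGORIES = {"account_activation", "account_deactivation", "user_transfer",
              "patching", "two_factor_auth"}


@dataclass(frozen=True)
class Finding:
    audit_id: str                # the audit engagement that raised it
    category: str                # one of CATEGORIES
    count: int                   # affected users or servers
    org_wide: bool               # more than one segment / all systems affected?
    is_contractor: bool = False  # meaningful for deactivation findings only


def reportable_legacy(f: Finding) -> bool:
    """Criterion most surveyed CAEs use: organizationwide impact only."""
    return f.org_wide


def reportable_cyber(f: Finding) -> bool:
    """Assumed revised criterion: an unaddressed authentication or
    termination gap is reportable even when it touches a single account
    or server, because one such gap is enough to enable a breach."""
    if f.org_wide:
        return True
    return f.category in {"two_factor_auth", "account_deactivation"} and f.count > 0


def split_findings(findings, reportable=reportable_legacy):
    """Partition findings into (reported individually, held for the summary)."""
    reported = [f for f in findings if reportable(f)]
    held = [f for f in findings if not reportable(f)]
    return reported, held


def summarize_unreported(findings, audit_ids, reportable=reportable_legacy):
    """Build the per-theme totals behind a 'Summary and Analyses of Findings
    That Did Not Meet the Required Reporting Threshold' report."""
    _, held = split_findings(findings, reportable)
    themes = defaultdict(lambda: {"audits": set(), "affected": 0, "contractors": 0})
    for f in held:
        t = themes[f.category]
        t["audits"].add(f.audit_id)
        t["affected"] += f.count
        if f.is_contractor:
            t["contractors"] += f.count
    return {
        cat: {
            "audits_with_issue": len(t["audits"]),
            "audits_total": len(audit_ids),
            "affected": t["affected"],
            "contractor_share": (t["contractors"] / t["affected"]) if t["affected"] else 0.0,
        }
        for cat, t in themes.items()
    }


# Constructed audit year: ten engagements, A01..A10.
AUDIT_IDS = [f"A{n:02d}" for n in range(1, 11)]
SAMPLE_FINDINGS = [
    # seven audits, 15 users with excess or incorrect access in total
    *[Finding(f"A{n:02d}", "account_activation", c, False)
      for n, c in zip(range(1, 8), [3, 2, 2, 2, 2, 2, 2])],
    # eight of ten audits: one account not disabled timely; five are contractors
    *[Finding(f"A{n:02d}", "account_deactivation", 1, False, is_contractor=(n <= 5))
      for n in range(1, 9)],
    # one organizationwide patching finding, reportable under either rule
    Finding("A09", "patching", 40, True),
    # A10 raised no IT findings
]


def main():
    for name, rule in (("legacy", reportable_legacy), ("cyber-aware", reportable_cyber)):
        reported, held = split_findings(SAMPLE_FINDINGS, rule)
        print(f"{name}: {len(reported)} reported individually, {len(held)} held for summary")
        for cat, row in summarize_unreported(SAMPLE_FINDINGS, AUDIT_IDS, rule).items():
            print(f"  {cat}: {row['affected']} affected across "
                  f"{row['audits_with_issue']} of {row['audits_total']} audits, "
                  f"contractor share {row['contractor_share']:.0%}")


if __name__ == "__main__":
    main()
```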
Analytics-driven Audits (https://iaonline.theiia.org/2016/Pages/Analytics-driven-Audits.aspx)<p>Data continues to be captured and processed at phenomenal rates. In fact, Computer Sciences Corp. predicts that by 2020, data production will be 44 times greater than it was in 2009. With so much data being generated, there is a need to connect the dots and get meaningful information from it. An audit that is intuition-based and relies on a selection of random samples may not be as effective in the changing business landscape. With so many automated processes, the way internal audit departments conduct audits also needs to be automated. <br></p><p>An analytics-based approach to audit makes it possible to review large data sets and get meaningful insights into internal control processes, including probable vulnerabilities in meeting the overall assurance objectives. The use of analytics can increase audit efficiency and lead to a deeper understanding of the business, risk assessment, and real-time monitoring. Data analysis can be applied to areas such as audit planning, sample selection, risk assessment, control testing, and identifying red flags.<br></p><h2>Data Types and Storage</h2><p>Before embracing data analytics, it is important to understand the types of data being generated. The analytics methods and tools used will depend on the type of data and the manner in which the data is generated and stored. <br></p><p>Qualitative data is a categorical measurement expressed with a natural language description. In statistics, it is often used interchangeably with categorical data (e.g., favorite color = “blue” or height = “tall”). Data are classified as nominal if there is no natural order between the categories (e.g., eye color), or ordinal if an ordering exists (e.g., exam results).<br></p><p>Quantitative or numerical data are counts or measurements. 
The data are said to be discrete if the measurements are integers (e.g., number of people in a household) and continuous if the measurements can take on any value, usually within some range (e.g., weight). Quantities whose values differ from one observation to another are called variables (e.g., the height and shoe size of every person are different).<br></p><p>Generated data is stored in data warehouses in different formats. Structured data is information, usually displayed in columns and rows, that can easily be ordered and processed. This could be visualized as a perfectly organized filing cabinet where everything is identified, labeled, and easy to access. Unstructured data has no identifiable internal structure. Types of unstructured data include word processing files, PDF files, digital images, video, audio, and social media posts.<br></p><h2>Data Analytics</h2><p><img src="/2016/PublishingImages/B2B_Aug%2716_chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Data analytics is an analytical process by which insights are generated from operational, financial, and other forms of electronic data internal or external to the organization, and which communicates exceptions and outliers. Exceptions are deviations from any defined criteria internal or external to the organization. Outliers are any data or records that are inconsistent with the population to which they belong. Analytics relies on the simultaneous application of statistics, computer programming, and operations research to quantify performance. <br></p><p>Data analytics tools and techniques assist in transforming and improving audit approaches in terms of providing insights, predicting outcomes, optimizing sampling decisions, extending audit coverage, and highlighting key deficiencies. Analytics embeds data visualization to effectively communicate insight.<br>Analytics is not just about technology. 
It refers to the use of certain technologies, skill sets, and processes for the exploration, evaluation, and investigation of data generated during business operations (see “The Process of Data Analytics” at right). </p><h2>Analytical Techniques</h2><p>Analytical techniques can be used for risk assessment and control testing in various areas. It is important to link the business understanding, processes, and regulations and correlate them with the data available to identify exceptions or outliers. There are four analytical stages. <br></p><p>Descriptive analytics identifies events that occurred in the past, while diagnostic analytics looks for reasons past events occurred. Predictive analytics predicts future outcomes based on past events, and prescriptive analytics provides a feasible line of action. Auditors need to gradually move from identifying what went wrong to forecasting what may go wrong. The shift from descriptive to predictive and then to prescriptive analytics requires the application of business insights with analytical techniques supported by technology advancements.<br></p><h2>Analytics Software</h2><p>Some of the numerous tools available for carrying out data analytics require coding or scripting and may not be as user-friendly as tools with an easy-to-use graphical user interface. Questions that can help determine which tool to invest in include: What problem needs to be solved? What are the net costs of learning a new tool? What other tools are available, and how do these relate to commonly used tools?<br></p><h2>Changed Business Environment</h2><p>Considering the ever-increasing nature of digitization, it is inevitable that internal auditors change their approach to executing audits. Traditional methods of vouching and verification may need to be reviewed to bring them in line with the changed business environment. 
Considering increased expectations from stakeholders and the need to look deeper into business transactions, embedding analytics in audit is unavoidable. The proliferation of new forms of data and evolving concepts of analytics-driven audits means internal auditors can gain deeper insights into the business. <br></p>Neha Pansari
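The article's distinction between exceptions (deviations from a defined criterion) and outliers (records inconsistent with their population) is the core of a control-testing script. The following is an added example, not code from the article: it applies a rule set to constructed expense claims to find exceptions, then applies Tukey's interquartile-range fences within each category to find outliers, so that a claim can be an outlier without breaking any rule and vice versa. The policy limit, the claim records and the self-approval rule are all assumptions made for this example.

```python
"""Exceptions versus outliers over a set of expense claims.
Added example; the records and the policy rules are constructed."""
from collections import defaultdict
from statistics import median

POLICY_LIMIT = 500.00  # assumed per-claim limit used by the rule-based check


def exceptions(records, limit=POLICY_LIMIT):
    """Exceptions: deviations from a defined criterion.  Each claim is checked
    against explicit rules and returned with the list of rules it broke."""
    found = []
    for r in records:
        reasons = []
        if r["amount"] > limit:
            reasons.append("over_limit")
        if not r.get("approver"):
            reasons.append("no_approver")
        elif r["approver"] == r["employee"]:
            reasons.append("self_approved")
        if reasons:
            found.append((r["id"], reasons))
    return found


def _quartiles(values):
    """Q1 and Q3 as medians of the lower and upper halves (median excluded
    when the count is odd)."""
    s = sorted(values)
    n = len(s)
    return median(s[: n // 2]), median(s[(n + 1) // 2:])


def outliers(records, key="category", k=1.5, min_population=4):
    """Outliers: records outside the Tukey fences Q1 - k*IQR and Q3 + k*IQR
    of their own population (here, claims in the same category).  Categories
    with too few claims have no meaningful population and are skipped."""
    groups = defaultdict(list)
    for r in records:
        groups[r[key]].append(r)
    found = []
    for cat, rows in groups.items():
        if len(rows) < min_population:
            continue
        q1, q3 = _quartiles([r["amount"] for r in rows])
        iqr = q3 - q1
        lo, hi = q1 - k * iqr, q3 + k * iqr
        for r in rows:
            if r["amount"] < lo or r["amount"] > hi:
                found.append((r["id"], cat, r["amount"]))
    return found


# Constructed claims.  E07 is within policy but far above its peers (outlier,
# not exception); E13 breaks two rules but its category is too small to
# judge statistically (exception, not outlier).
SAMPLE_CLAIMS = [
    {"id": "E01", "employee": "ana", "approver": "mgr1", "category": "meals", "amount": 18.00},
    {"id": "E02", "employee": "ben", "approver": "mgr1", "category": "meals", "amount": 22.00},
    {"id": "E03", "employee": "ana", "approver": "mgr1", "category": "meals", "amount": 25.00},
    {"id": "E04", "employee": "cy", "approver": None, "category": "meals", "amount": 27.00},
    {"id": "E05", "employee": "ben", "approver": "mgr2", "category": "meals", "amount": 30.00},
    {"id": "E06", "employee": "dee", "approver": "mgr2", "category": "meals", "amount": 31.00},
    {"id": "E07", "employee": "dee", "approver": "mgr2", "category": "meals", "amount": 240.00},
    {"id": "E08", "employee": "ana", "approver": "mgr1", "category": "taxi", "amount": 12.00},
    {"id": "E09", "employee": "ben", "approver": "mgr1", "category": "taxi", "amount": 13.00},
    {"id": "E10", "employee": "cy", "approver": "mgr2", "category": "taxi", "amount": 14.00},
    {"id": "E11", "employee": "dee", "approver": "mgr2", "category": "taxi", "amount": 15.00},
    {"id": "E12", "employee": "ana", "approver": "mgr1", "category": "taxi", "amount": 16.00},
    {"id": "E13", "employee": "cy", "approver": "cy", "category": "travel", "amount": 620.00},
]

if __name__ == "__main__":
    print("exceptions:", exceptions(SAMPLE_CLAIMS))
    print("outliers:", outliers(SAMPLE_CLAIMS))
```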
The Mind of a Credit Card Hacker (https://iaonline.theiia.org/2016/Pages/The-Mind-of-a-Credit-Card-Hacker.aspx)<p>One of the biggest credit card fraud rings was a collaboration between Miami hacker Albert Gonzalez and hackers in Russia. The ring used SQL injection to steal more than 90 million credit and debit card numbers from retailers such as Barnes & Noble, BJ’s Wholesale Club, Boston Market, OfficeMax, and TJX — the parent company of Marshalls and T.J. Maxx. Gonzalez and his crew were active for two years, and he was known to brag that he had to count hundreds of thousands of dollars by hand when his money-counting machine broke.<br></p><p>Gonzalez got greedy, and his flashy lifestyle caught the attention of law enforcement officials. In 2010, a U.S. federal District Court sentenced him to 20 years in a federal prison and fined him US$25,000.<br></p><p>Smart hackers keep a low profile and cover their tracks so they can continue the cycle. With the right campaign, they can obtain thousands of credit card numbers and sell them for millions of dollars. To help defend their organizations, internal auditors need to know why hackers target the business’ credit card information, how they can steal it, and what happens after the data is stolen. That means learning to think like a hacker. <br></p><h2>First, They Need a Vector</h2><p>A vector is a network, email, application, or host that delivers a viral payload to the user. To gain entry to an organization’s systems, hackers use tools, programming experience, and social engineering skills to target a user’s computer or convince that person to voluntarily give them information or access. The vector they choose determines the steps they need to steal an organization’s data. <br></p><p>Phishing is one of the more common methods. Hackers send emails to unsuspecting victims and convince them that they need to enter private information on a fraudulent website form. 
For example, the hacker uses PayPal’s logo and a similar domain name to trick users into typing their PayPal user name and password. Internet usage policies should instruct employees to always type the name of the official website in a browser instead of clicking random links embedded in an email.<br>A recent variation on phishing attacks is to send employees emails claiming to be from their organization’s CEO and directing them to complete a transaction. <br></p><h2>Collect the Stolen Data</h2><p>Attackers use zero-day viruses to gain access to a computer. Zero-day viruses have not been previously detected by antivirus software companies, so the software doesn’t recognize them. For this reason, a hacker can quickly collect data and transfer it to his or her private server.<br></p><p>Speed is also essential for hackers who use phishing emails. As soon as email recipients detect that the email and site are fraudulent, it’s only a matter of time before the emails are blocked and the host terminates the hacker’s account. The hacker needs to collect the data from the server and transfer it to a safe location.<br>During the data collection stage, hackers also need to cover their tracks. They can do this by using a different host for the next vector, changing malware signatures, and setting up new anonymous email accounts. <br></p><h2>Verify the Cards Are Valid</h2><p>This step is the most crucial and risky. The hacker needs to verify the cards are valid. The hacker can do this by creating accounts at websites that sell low-priced items and don’t have as much security regarding billing and shipping addresses. A list of these sites can be found through a criminal network or a search engine. The hacker makes small purchases from these online stores to verify the card is still valid and the original cardholder isn’t paying attention to purchases on it. 
<br></p><p>Consumers who check their debit and credit card activity frequently can detect these transactions quickly before the charges finalize. Moreover, many financial institutions have fraud detection that automatically flags a card for suspicious transactions. These card numbers won’t work, which reduces the hacker’s credibility and trustworthiness with buyers. <br></p><p>Because the hacker’s purchases are small amounts, they can more easily slip through detection. For example, the attacker might charge US$5 on a card and wait a few days. If the charges go through and the product is shipped, he or she can make larger charges or sell the card number on the black market.<br></p><h2>Create Fake Cards </h2><p>For US$100, hackers can create fake credit cards. The number printed on the front of the card is usually fake, but the card number on the magnetic strip is one of the stolen numbers. The attacker also can sell these physical cards, but it’s much more work to send the cards to a buyer.  <br></p><h2>How Auditors Can Respond</h2><p>By understanding the way hackers work, internal auditors can gain better insight into ways to protect the personal data their organization has stored. Here are recommendations auditors can provide to help their organizations shore up their defenses.<br><br><strong>System Requirements</strong> Auditors should advise the IT department or process owners to install and maintain a firewall configuration that is capable of protecting cardholder data. The organization should encrypt transmission of cardholder data across open, public networks, including wireless networks. Also, the organization should use up-to-date antivirus software and ensure that all antivirus mechanisms are current, actively running, and capable of generating audit logs. In addition, it should monitor all access to network resources and cardholder data, and test security systems and processes regularly. 
<br><br><strong>Access Control</strong> Internal auditors should advise the IT department to limit access to computing resources and cardholder information only to those individuals whose jobs require it. The organization should physically secure all paper and electronic media that contain cardholder data, including computers, networking and communications hardware, paper receipts, reports, and faxes. Moreover, it should use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.<br></p><h2>Becoming a Harder Target</h2><p>As their organization’s third line of defense, internal audit’s assurance and advisory services can be vital to protecting the business from today’s hackers. Auditors should review the organization’s security measures and related controls at least annually, and preferably more frequently, as risks evolve. They also can advise their organizations about ways to strengthen those measures and be better prepared to respond to an incident. With organized hackers targeting organizations from all sides, such actions can help make the difference between becoming a harder target for attackers and suffering a heavy loss from a data breach. <br></p>Sharif A. Nogod
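The "Verify the Cards Are Valid" step above is where a stolen number first becomes visible to defenders: on the merchant side as one customer account cycling several cards through tiny orders, and on the issuer side as a small probe charge followed days later by a much larger one elsewhere. The following is an added example, not code from the article, showing both detections over a constructed transaction log; card numbers are replaced by tokens, and the thresholds (US$10 "small" charge, three cards in 24 hours, a tenfold jump within seven days) are assumptions chosen for the example.

```python
"""Flag the card-validation pattern from the defender's side.
Added example; every transaction below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    ts: datetime
    card_token: str   # tokenized card reference, never the PAN itself
    account: str      # merchant-side customer account that placed the order
    amount: float     # USD
    merchant: str


SMALL = 10.00  # assumed ceiling for a "small purchase"


def merchant_card_testing(txns, window=timedelta(hours=24), min_cards=3):
    """Merchant view: one customer account presenting several different cards
    on small orders inside a short window.  Returns {account: [card tokens]}."""
    small_by_acct = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        if t.amount <= SMALL:
            small_by_acct[t.account].append(t)
    flagged = {}
    for acct, small in small_by_acct.items():
        start = 0
        for end in range(len(small)):           # sliding window over small orders
            while small[end].ts - small[start].ts > window:
                start += 1
            if len({x.card_token for x in small[start:end + 1]}) >= min_cards:
                flagged[acct] = sorted({x.card_token for x in small})
                break
    return flagged


def issuer_probe_then_spend(txns, max_gap=timedelta(days=7), ratio=10.0):
    """Issuer view: a small charge on a card followed within max_gap by a charge
    at least `ratio` times larger at a different merchant.
    Returns {card token: (probe amount, later amount)}."""
    by_card = defaultdict(list)
    for t in txns:
        by_card[t.card_token].append(t)
    flagged = {}
    for card, hist in by_card.items():
        hist.sort(key=lambda t: t.ts)
        for i, probe in enumerate(hist):
            if probe.amount > SMALL:
                continue
            for later in hist[i + 1:]:
                if later.ts - probe.ts > max_gap:
                    break
                if later.merchant != probe.merchant and later.amount >= ratio * probe.amount:
                    flagged[card] = (probe.amount, later.amount)
                    break
            if card in flagged:
                break
    return flagged


T0 = datetime(2016, 9, 1, 10, 0)
SAMPLE_TXNS = [
    # one account runs four different cards through $4.99 orders in two hours
    Txn(T0, "tok_A", "buyer-77", 4.99, "cheapgoods.example"),
    Txn(T0 + timedelta(minutes=20), "tok_B", "buyer-77", 4.99, "cheapgoods.example"),
    Txn(T0 + timedelta(minutes=45), "tok_C", "buyer-77", 4.99, "cheapgoods.example"),
    Txn(T0 + timedelta(hours=2), "tok_D", "buyer-77", 4.99, "cheapgoods.example"),
    # the first of those cards then carries a large charge elsewhere three days later
    Txn(T0 + timedelta(days=3), "tok_A", "buyer-12", 499.00, "electronics.example"),
    # an ordinary customer: one card, one small and two normal purchases at one shop
    Txn(T0 + timedelta(days=1), "tok_E", "buyer-05", 62.50, "grocer.example"),
    Txn(T0 + timedelta(days=2), "tok_E", "buyer-05", 7.25, "grocer.example"),
    Txn(T0 + timedelta(days=4), "tok_E", "buyer-05", 30.00, "grocer.example"),
]

if __name__ == "__main__":
    print("merchant-side card testing:", merchant_card_testing(SAMPLE_TXNS))
    print("issuer-side probe then spend:", issuer_probe_then_spend(SAMPLE_TXNS))
```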
IT and the Integrated Audit (https://iaonline.theiia.org/2016/Pages/IT-and-the-Integrated-Audit.aspx)<h2>How do you define integrated audit from an IT perspective?<br></h2> <p> <strong>KIM</strong> An integrated audit considers IT, financial, and operational controls holistically. While a traditional audit focuses on financial, operational, or IT aspects only, an integrated audit takes a more global approach. From an IT perspective, an integrated audit provides assurance that IT controls are effective and efficient to support the business process. This approach acknowledges that IT, financial, and operational controls are mutually dependent.<br><strong>JENKINS</strong> There are few strategic initiatives in organizations that don’t include an IT component. Our world has turned into an online world, with technology playing a role in everything we touch. The integrated audit is a more holistic approach, focused on the organization’s top risks. Internal audit won’t be able to present a complete picture of the organization’s risks without considering the technologies associated with them. <br></p><h2>What is your organization’s approach to integrated audits?</h2><p> <strong style="line-height:19.2px;"><img src="/2016/PublishingImages/pamela-jenkins.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />JENKINS</strong> Fossil is a global organization with retail, distribution, wholesale, and manufacturing facilities in many countries. Internal audit aligns its audit plan with the company’s top global risks. Our audit department has limited resources and IT auditors. We work efficiently and leverage our resources to ensure we address the top risks for the company. Our IT auditor is a part of every audit we perform. Over the last few months, we have begun socializing with the company a more integrated audit approach. We have the full support of the audit committee and top management. 
As we hire, we look for integrated auditors who can look at a business process, pick out where the risks are, and identify if there are any technology-related red flags. <br> <strong style="line-height:19.2px;">KIM</strong> Integrated audits are the rule rather than exception in my organization. Organizations rely heavily on IT to perform their work. To understand an audit client’s internal controls over a business process requires an understanding of the effectiveness and adequacy of IT controls. All of our staff auditors are trained to perform basic IT audits. However, for audits that are highly technical, we have a team of IT specialists with advanced IT skills. This provides us a cost-effective way to keep up with the rapid changes in technology, as well as deal with the difficulty of recruiting and retaining IT audit professionals, which can be a challenge in the current environment. <br></p><h2>What value does a successful integrated audit approach bring to the organization?</h2><p> <strong style="line-height:19.2px;"><img src="/2016/PublishingImages/Tina-Kim.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />KIM</strong>​ Integrated auditing promotes the principle of risk-based auditing. The business environment is increasingly complex, and businesses and governments are confronting a wide range of risks. Integrated auditing allows audit functions to consider and evaluate risk globally and focus audit efforts on the highest impact areas. More importantly, it increases the relevance of internal auditors’ work by providing better value to stakeholders. Study after study has shown that stakeholders are expecting more from internal audit functions, including those already receiving significant value. 
By helping to break down silos and increase transparency, integrated auditing provides management with increased insight on how various types of risks impact their business processes and gives auditors more exposure to different aspects of an organization’s operation, increasing their effectiveness. <br> <strong style="line-height:19.2px;">JENKINS</strong> Without an integrated audit approach, the audit results are not covering the full business process/potential risk. To ensure the largest risks of the company are addressed, the audit process needs to include IT. An integrated audit enables auditors to look at an issue holistically and identify the entire risk, not just a piece of it.​</p><h2>What IT skills and knowledge do internal auditors need to communicate with IT professionals?</h2><p> <strong style="line-height:19.2px;">JENKINS</strong> I think it goes both ways. Yes, audit professionals need to have comprehensive knowledge of IT to effectively identify risk and communicate with IT departments, but IT auditors also need to have more than just IT experience. They need to be able to see the forest for the trees, and communicate from a business perspective. It is important for the IT audit professional to have good business acumen to enable an understanding of the business process/risk and its relationship to the IT components. IT auditors need to bridge the gap between being highly technical and being able to speak in basic business terms. <br> <strong><strong style="line-height:19.2px;">KIM</strong>​</strong> Having an education background in computer science or a related field is a big plus. However, a genuine interest and desire to understand technology, coupled with the ability to quickly grasp new trends and understand new technologies, is just as critical. Moreover, as with all audit positions, not only are technical skills important, but communication and other soft skills are also vital. 
To be effective, internal auditors need to speak the language of their stakeholders. <br></p><h2>What types of IT-related audits should internal audit be able to perform without IT audit expertise?</h2><p> <strong><strong style="line-height:19.2px;">KIM</strong></strong> The IT audit universe represents a continuum of audit activities that run the gamut from basic to intermediate to highly technical and complex. Most internal auditors with training both in the classroom and on the job can generally progress to a level that enables them to perform a basic IT audit. In fact, one of the benefits of the integrated audit approach is that audit staff members work on a single team alongside auditors with more IT audit experience. This provides audit staff with increased exposure and experience in IT audit. That said, the continuum of IT audit activities progressively requires increasingly specialized IT skills. It is generally not cost-effective to train the entire audit team in these higher-order areas. In these instances, the use of specialists should be considered. <br> <strong style="line-height:19.2px;">JENKINS</strong> Internal audit should be able to perform any broad audit with IT components. Even if the auditor is not a certified IT auditor, he or she needs to have a good understanding of where the IT risks are and be able to identify the red flags. Most audit departments do not have the bandwidth to have several auditors with deep technical skills. This is where being a part of The IIA is very helpful, because the auditors can go to The Institute for thought leadership, resources, and benchmarking to help on certain projects. We take advantage of cosourcing. 
These cosourcing arrangements are ideal for larger and highly technical projects that require a deeper dive into IT.<br></p><h2>What types of IT-related audits should only be performed by IT audit specialists?</h2><p> <strong style="line-height:19.2px;">JENKINS</strong> Most audits will have an integrated approach. However, some projects may be just IT focused. It’s important to be able to connect the dots back to the business side. We had our IT auditor document the organization’s global IT footprint so we understand the systems in entirety and where and how they connect. We then identified where we need to drill deeper. Some of those projects may require cosourcing. <br> <strong style="line-height:19.2px;">KIM</strong> The internal audit standards require that auditors have the knowledge, skills, and other competencies to perform their individual responsibilities. In the context of IT audits, these standards are uniquely challenging in that technology is constantly evolving, and, due to the costs involved, not all audit staff receive the specialized training required to keep pace. Therefore, for highly technical and complex audits involving areas such as network infrastructure or emerging technology, it is better to rely on an IT audit specialist who possesses the knowledge level and skills to meet the audit needs. <br>That said, recruiting and retaining such specialists is perhaps one of the greatest challenges facing audit functions that want to adopt integrated auditing. When internal resources are not available, alternatives to be considered include guest auditors or cosourcing. While the difficulties can appear daunting, the benefits in increasing risk coverage and creating efficiencies within the audit team are well worth the effort. </p>
Cyber Resilience (https://iaonline.theiia.org/2016/Pages/Cyber-Resilience.aspx)<p>Despite banks spending billions of dollars to protect themselves against cyberattacks, financial regulators remain unimpressed. Mary Jo White, chairman of the U.S. Securities and Exchange Commission, told the press in May that cybersecurity was the biggest risk facing the financial system, but banks’ “policies and procedures are not tailored to their particular risks.” Regulators in Europe also want action. Chairman of the European Banking Authority Andrea Enria — again in May — urged national regulators to stress test European financial institutions to see how vulnerable they were to hackers. If they fail, he said, they should be forced to hold more capital. <br></p><p>And as if that were not enough, SWIFT, the financial payment system that handles more than US$6 trillion in transfers every day, has unveiled a customer security program that includes plans to audit its 11,000 member institutions to check that their security is fit for purpose. “We will look into if and how customers’ compliance to these baselines can be made transparent to, and enforced by, counterparties, regulators, and ourselves,” SWIFT said. Members will have to share more information and tighten the security of their systems.<br></p><p>The pressure to strengthen IT platforms and applications has come in the continuing wake of high-profile cyber failures. Three of SWIFT’s members, for example, have been hacked in the past seven months — including the Bangladesh central bank. Hackers got ahold of the SWIFT codes and transferred US$81 million from its accounts at the U.S. Federal Reserve.<br></p><p>It’s not just banks at risk, either. According to recent data released by the U.K. government, two-thirds of big U.K. businesses have been hit by a cyberattack in the past year. Most of the attacks involved viruses, spyware, or malware, the Cyber Security Breaches Survey said in May. 
It found that one in four large firms said they were breached once a month — sometimes more — and that attacks could cost millions of pounds to rectify. The volume, frequency, and sophistication of attacks are a game changer. <br></p><h2>Not If, But When   </h2><p>Many organizations are now working on the assumption that a cyber breach is inevitable and that they need to have rapid and effective response mechanisms in place to minimize damage. Internal audit departments are being called upon to help — providing everything from improved diagnostics to help locate where, when, and how a breach has occurred, to assistance with the very effectiveness of a business’ cyber breach response team.<br></p><p>“People now have to be in a posture that assumes you have been breached, rather than saying that you are never going to be breached,” Kelly Barrett, senior vice president of Home Services and former vice president of internal audit and corporate compliance at the Atlanta-based retailer The Home Depot, says. “That mindset changes the way you structure your security program.”<br></p><p>Barrett knows through painful experience what a data breach is like. She says no matter how much money a company spends on its defenses, hackers are likely to get ahead of the game through new techniques, or by attacking the most vulnerable part of the business or its supply chain. In addition to beefing up external defenses, Barrett advises organizations to think about what software can be used to pick up behavioral anomalies, such as employees logging into systems at unusual times or unexpected places, within the business, too. While such tools are sophisticated enough to run from day one, they improve over time as the IT team learns how the business works and eradicates any false positives the system may throw at them.<br></p><p>“The key point is that you are now assuming somebody may be looking at things, or using them, inappropriately,” she says. 
“And so the tools you use need to be much more proactive in looking for those unusual patterns.”<br></p><h2>Collaboration</h2><p>Home Depot’s audit team has been working with the chief information security officer (CISO) to think through the design of such programs, understand how the tools work, and ensure that they are actually controlling what the business intends them to control. Internal audit wants to know that the company is getting the full benefit from the technology it has invested in and that those people reviewing the outputs are accountable. That has also brought about a change in how audit operates in this area.<br></p><p>“Internal audit partners very closely with the CISO,” Barrett says. “They’re not sitting back and waiting to do an audit after the fact. They’re actually helping them look at the tools.” <br></p><p>Barrett realizes that some may question internal audit’s ability to remain independent, but she is clear that as long as internal audit is not implementing controls, that can be achieved. What is powerful about the partnership, she says, is its ability to bring together security experts with auditors who have an equally strong grasp on controls in a way that is proactive. In fact, Barrett is the chair of the company’s data security and policy governance committee, which helps her — and the organization — achieve a helicopter view of the security procedures across the business. “That helps us make sure all the different pieces are being considered, and we are thoughtful about what the response is,” she says. <br></p><p>In the U.S., at least, some of the impetus for smarter working and multidisciplinary cyber defense and reaction programs has come from the board as much as from those working within organizations. If there has not been a revolution that has catapulted cyberrisk to the top of the risk agenda exactly, there has been steady evolution, says Gary Pollack, senior vice president, Assurance Services Leader, American Express Co. 
in New York.<br></p><p>“Three to five years ago, IT risk professionals may not have been given as much time on the agenda as they are today,” he says. “We are clearly seeing an uptake in time allotment in audit and risk committees dedicated to information security and overall IT risk. It’s given us a seat at the table.”<br></p><p>Pollack says, eventually, regulators are likely to mandate specialist IT skills on boards and risk committees. He says he has seen an increase in IT skills in people occupying these positions and expects that to increase as organizations continue to enhance their risk management practices.<br></p><p>For now, what is important for Pollack, as with many CAEs, is that customer trust in data protection is given top priority in the way that businesses respond to cyberattacks. “We have been aware for quite some time of the need not only to have a preventive strategy, but also a detective strategy,” he says. “There is a real need to consider a well-balanced approach to prevention and detection, as well as response mechanisms.”<br></p><p>Pollack says his organization has a dedicated team and protocols in place to respond to breach incidents, ranging from how to communicate and escalate to how to react in a timely manner to threats and attacks. From an internal audit perspective, that means Pollack’s team puts equal weight on auditing the preventive and detective parts of breach management controls, protocols, and escalation mechanisms. Audit also participates as an observer during test scenarios aimed at finding weaknesses in those systems before a breach occurs.<br></p><p>“Audit generally acts as an observer during test scenarios and as a reviewer of the results and action items,” he says. Audit then follows up on any actions that have been agreed on to make sure management deals with them. It also flags any gaps in defenses or reaction procedures and makes sure management fixes them.
<br></p><h2>Breach Response</h2><p>Auditors agree that having an appropriate response plan in place for a breach is critical — one that has been tested and retested before the event arises. While it would be rare for internal audit to take charge of such a team, it has a critical role to play, says Nigel Lewis, an independent audit consultant and trainer.<br></p><p>“From an audit point of view, the main thing is that we get assurance that someone will take charge of the incident response team and that there is an incident response plan linked with the business’ recovery plans,” he says. The size of the team depends on the nature of the organization, he says, but even large businesses would typically appoint only 10-15 people to it, split roughly two to one between IT experts and business executives. In an incident, those team members would call on their own teams to implement any remedial action needed.<br></p><p>“Part of the incident response will be pages and pages of plans detailing who does what and what the key activities are,” he says. “Auditing that process is important.” But what should it comprise? Lewis says auditors can cut through the complexity by dividing the process into three parts: reaction time, decision-making, and action.<br></p><p>Although more than eight in 10 breaches are detected within 24 hours, according to the latest U.K. government statistics, it can take months to detect a breach. In 2013, for example, <em>The Wall Street Journal </em>said Chinese hackers had infiltrated its systems for four months without detection. That does not mean swift action isn’t important once a hack is detected. The business needs to do a quick impact analysis to see what type of breach the team is dealing with. Fraud, breaches of confidential data, denial of service, intellectual property, and ransoms — the business needs a plan for each with specified response times. 
A denial of service attack, for example, is likely to need a faster technical reply than, say, a ransom demand. “You must know how quickly you can respond to each area and be able to test it,” Lewis says.<br></p><p>Many of the decisions a business might need to make can be pre-planned, too. And it is vital to know what the impact of those decisions is likely to be on the organization’s operations, staff, customers, regulators, and the media. Then it is time to put those decisions into action. Deciding which systems to close down and for how long is never easy, but being prepared makes it less likely the breach will turn into an all-out disaster.<br></p><p>“For all of this to work well, you need a good team, convened quickly, and comprising the right experts,” he says. Bringing in external support can be important, and keeping people up-to-date with the latest attack methods and breaches is essential.<br></p><p>If that sounds straightforward, it might be puzzling to learn that 37 percent of firms have no cyber response plan, according to PricewaterhouseCoopers’ (PwC’s) 2016 Global Economic Crime Survey. That is because while businesses feel they have response systems in place, they tend to be structured to deal with classic threats such as flooding or power outages, says James Rashleigh, a cybersecurity director at PwC. “While they think they’re prepared, they suddenly find out when they suffer a cyber breach that they’re dealing with something very different.” Businesses that have not nominated a specific leader for the response team, or have someone from the IT team in charge, are not likely to be able to cope well, as the issues are too wide-ranging. For example, breaches affecting customers may be subject to litigation, and putting together what happened from a legal perspective is complex.<br></p><h2>Cyber Governance</h2><p>Organizations that do not yet have a sound response team in place could do worse than go back to basics. 
“Cyberrisk is about protecting the customer,” says Liz Sandwith, a former Chartered Institute of Internal Auditors (IIA–U.K. and Ireland) president, and now chief professional practice adviser at the institute. “So we do all sorts of really great audits in the business space, but this goes beyond that into the real world of our customer base.”<br></p><p>That makes cyberrisk a business issue rather than a technical IT issue, although she is not convinced that many auditors in the U.K. have actually grasped what this distinction means. Behind every IT risk is a business risk, and it is the significance of the latter that can be overlooked when focusing solely on technical fixes and controls. In Sandwith’s view, auditors should decline to engage solely with IT technicians and insist that people from the business also are involved so the significance of the issue to the business is understood and controlled. While those getting a better grip on the issue might do a thorough risk assessment of the threats their organizations face, she says they also need to consider the board’s risk appetite.<br></p><p>“Internal audit has to make the board and the audit committee aware that it’s not just one of those risks where we do our work and make sure it won’t happen,” she says. “Cyber is a risk that is always going to be a risk.”<br></p><p>She says there is an opportunity for risk management and internal audit to work better together by focusing on the business risks from a resilience perspective. That involves members of the audit team really understanding IT risk from a technical and controls perspective and working with risk management to provide intelligent assurance around its controls. She says working across all lines of defense — management, risk, and audit — is critical if a business is to detect and respond effectively to cyberattacks, as no one function has the skills and scope to do it alone. But audit must be a leader in the process. 
“There is a real risk that without the right skills and knowledge, internal audit could provide false assurance — naïve assurance — to the board and the audit committee,” she says.<br></p><p>In addition, Sandwith urges auditors to help establish an effective governance structure around cyberrisk, with defined risk appetite statements pertaining to each threat. Auditors can help ensure the business has information security, risk management, social media, and system access policies that are well-formulated and disseminated across the organization. Finally, she says, the CAE must keep the board engaged with cyberrisk as a living issue.<br></p><p>“Let’s not talk technical at board meetings,” she says. “This is about the impact on customers, reputation, profits, and share price — as well as potential sanctions for getting it wrong. That’s what gets the attention of the board.” And it gets the attention of regulators and the public alike. As society gets used to the idea that breaches are an inevitable part of online life, competitive advantage will fall to those who respond best. <br></p>Arthur Piper
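<p>The Cyber Resilience article above describes tooling that picks up behavioral anomalies such as employees logging in at unusual times or from unexpected places, and notes that such tools get better as the security team tunes out false positives. The following is an added illustration of that idea, not Home Depot's, American Express's, or any vendor's tooling: it builds a per-user baseline of login hours and source countries from a constructed history, scores new sign-ins against it, and provides two tuning hooks (an analyst-approved location list and a routine that folds a confirmed-benign login back into the baseline). All users, timestamps, and countries are constructed sample data.</p>

```python
"""Login-anomaly triage: flags sign-ins at unusual hours or from unexpected
countries relative to each user's own history, with hooks for analyst tuning.
Added illustration; not any organization's or vendor's tooling. All data is
constructed."""
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed login history: (user, local timestamp, source country).
HISTORY = [
    ("alice", "2016-05-02T08:55:00", "US"),
    ("alice", "2016-05-03T09:10:00", "US"),
    ("alice", "2016-05-04T08:40:00", "US"),
    ("alice", "2016-05-05T17:30:00", "US"),
    ("alice", "2016-05-06T09:05:00", "US"),
    ("bob", "2016-05-02T22:15:00", "US"),
    ("bob", "2016-05-03T23:05:00", "US"),
    ("bob", "2016-05-04T22:40:00", "GB"),
    ("bob", "2016-05-05T21:50:00", "US"),
]


def build_baseline(events):
    """Per-user profile: the hours of day and countries seen in history."""
    baseline = defaultdict(lambda: {"hours": set(), "countries": set()})
    for user, ts, country in events:
        hour = datetime.strptime(ts, TS_FMT).hour
        baseline[user]["hours"].add(hour)
        baseline[user]["countries"].add(country)
    return baseline


def score_event(baseline, user, ts, country, tolerance_hours=2, approved=None):
    """Return the reasons a login looks unusual; an empty list means normal.

    tolerance_hours widens the user's observed hour window so a slightly early
    or late sign-in is not flagged. approved maps user -> countries an analyst
    has confirmed as expected (e.g. a known travel destination); this is the
    tuning step that reduces false positives over time.
    Limitation: the hour window is linear, so a user whose habitual hours
    straddle midnight would need a circular comparison instead.
    """
    profile = baseline.get(user)  # .get() does not create a default entry
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    hour = datetime.strptime(ts, TS_FMT).hour
    lo, hi = min(profile["hours"]), max(profile["hours"])
    if hour < lo - tolerance_hours or hour > hi + tolerance_hours:
        reasons.append(f"hour {hour:02d} outside usual window {lo:02d}-{hi:02d}")
    expected = profile["countries"] | (approved or {}).get(user, set())
    if country not in expected:
        reasons.append(f"country {country} not previously seen")
    return reasons


def mark_benign(baseline, user, ts, country):
    """Fold an analyst-confirmed benign login into the user's profile so the
    same pattern is not flagged again (the 'improves over time' behaviour)."""
    hour = datetime.strptime(ts, TS_FMT).hour
    baseline[user]["hours"].add(hour)
    baseline[user]["countries"].add(country)


def triage(baseline, events, **kwargs):
    """Return only the events that produced at least one reason, for review."""
    flagged = []
    for user, ts, country in events:
        reasons = score_event(baseline, user, ts, country, **kwargs)
        if reasons:
            flagged.append((user, ts, country, reasons))
    return flagged


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Constructed new sign-ins to review.
    new_logins = [
        ("alice", "2016-05-09T09:00:00", "US"),  # routine
        ("alice", "2016-05-09T03:12:00", "RU"),  # odd hour and new country
        ("bob", "2016-05-09T22:30:00", "GB"),    # GB already in bob's history
        ("carol", "2016-05-09T10:00:00", "US"),  # unknown user, no profile
    ]
    for user, ts, country, reasons in triage(base, new_logins):
        print(f"{user} {ts} {country}: {'; '.join(reasons)}")
```

<p>The point of the two tuning hooks is the accountability the article stresses: a flagged login is reviewed by a person, and the reviewer's decision is recorded back into the baseline or the approved list rather than silently ignored, so the same benign pattern stops generating noise while a genuinely new pattern still surfaces.</p>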
<ul>
<li><a href="https://iaonline.theiia.org/six-steps-to-an-effective-continuous-audit-process">Six Steps to an Effective Continuous Audit Process</a> (2008-02-01)</li>
<li><a href="https://iaonline.theiia.org/understanding-the-risk-management-process">Understanding the Risk Management Process</a> (2007-05-01)</li>
<li><a href="https://iaonline.theiia.org/blogs/chambers/2015/lessons-from-toshiba-when-corporate-scandals-implicate-internal-audit">Lessons From Toshiba: When Corporate Scandals Implicate Internal Audit</a> (2015-07-27)</li>
<li><a href="https://iaonline.theiia.org/attribute-sampling-plans">Attribute Sampling Plans</a> (2010-01-01)</li>
</ul>