The Rise of Automation<p>The "big" in big data hardly seems adequate to describe the scope of today's digital information. Each day, the world produces 2.5 quintillion bytes of new data, according to a 2016 IBM Marketing Cloud report. In fact, 90 percent of data created over the history of the human race was generated in the past two years alone, the report says. </p><p>Increasingly, competitive advantage is driven by organizations' ability to access, collect, synthesize, analyze, and exploit insights from that data. But the scope of this undertaking swamps traditional practices and capabilities. Tackling it effectively requires mastering emerging technologies, such as artificial intelligence (AI) and robotic process automation (RPA).</p><p>For internal auditors, these technologies present a challenge and an opportunity. The challenge? How can they help their businesses understand, codify, and develop appropriate controls around the new risks presented by RPA, AI, and other technologies? The opportunity? Where, within the internal audit function itself, can these tools be leveraged to provide deeper insights with greater efficiency?</p><h2>Emerging Technology Risk</h2><p>AI and RPA have great potential to increase efficiency, but they also can help reduce organizational risk. Processes handled by these technologies are performed quickly and with absolute consistency; humans make mistakes or skip steps, robots do not. But that speed and consistency carries its own risk. If a faulty algorithm exists, if the tools access incorrect or incomplete data, if someone tampers with the process, or if RPA does not adjust to changing business or economic conditions, then the organization's automated processes can magnify human errors. 
Consequently, significant follow-up work may be required to unwind the errors.</p><p>Internal auditors should ask several questions when assessing risks associated with emerging technologies:</p><ul><li>Has the organization established programs to take advantage of these technologies? Are foundational programs in place, such as data management and governance, as well as user-access controls? </li><li>Who is responsible for determining whether and how such tools can access the organization's data? Has clear accountability been established? Are appropriate safeguards in place?</li><li>Has the organization implemented appropriate development and deployment controls, addressing issues such as how and when new processes are tested and updated? </li><li>Who is accountable for ensuring that use of the technologies complies with corporate policies, as well as applicable laws and regulations?</li><li>Are these processes being considered holistically to address change management, human resources, and other related concerns?</li></ul><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>AI and RPA Defined</strong></p><p>Definitions of AI vary. The <em>English Oxford Living Dictionary</em> defines it broadly as: “The theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages.” RPA, on the other hand, involves the use of software with AI and machine learning capabilities to handle high-volume, repeatable tasks that previously required humans to perform. These tasks can include queries, calculations, and maintenance of records and transactions. 
</p><p>Consider the challenge of wading through potentially thousands of contracts that may contain embedded leases, in an effort to comply with the Financial Accounting Standards Board’s new lease accounting rules. Organizations currently use AI technologies such as text recognition and natural language processing to scan contracts for language that indicates an embedded lease may exist, and to flag those contracts for review. RPA is often coupled with this process to route flagged contracts to appropriate parties, ensuring decisions on embedded leases are made timely. Subsequently, RPA is also often used to follow up on, and to confirm, a decision has been made on those contracts. Beyond this narrow example, a variety of studies indicate that as much as 45 percent of the work performed in businesses every day could eventually be replaced by RPA.</p></td></tr></tbody></table><p>Additionally, internal auditors should determine what the organization is doing to ensure effective governance of its technology (see also <a href="/2018/Pages/A-New-Age-of-IT-Governance-Risk.aspx">"A New Age of IT Governance Risk"</a>). Audit leaders need to work with organizational leadership to help develop an appropriate governance strategy for managing these technologies — and also to help unlock their potential. Internal auditing should be involved as part of the design or launch process so key risk indicators can be identified and appropriate controls embedded. This approach is far more effective than trying to append controls as an afterthought. Audit leadership can aid the chief technology officer and chief information officer in the development of a strong governance plan. Numerous available frameworks, such as COBIT and ITIL, can serve as guides. Also, guidance from the chief legal counsel and compliance department may provide additional support. The governance structure or plan over technology should be periodically reviewed for modifications that may be needed. 
</p><h2>Three Lines of Defense </h2><p>One of the challenges of today's rapidly changing business technology involves working effectively across the first and second lines of defense, while maintaining internal audit objectivity. The traditional audit approach incorporated relatively static, periodic risk assessments and statistical sampling of data from past transactions to identify control issues. Auditors often identified issues months or more after they arose, making remediation untimely and allowing losses or other issues to compound. With today's tools, internal audit functions can test most or even all transactional data and can do so in close to real time. </p><p>The acceleration toward real-time auditing and the associated need to help identify and manage risks around emerging technologies means that internal auditors find themselves working more closely and more often with those in the first and second lines of defense. One of the benefits of real-time auditing involves pushing risk management down to the first line of defense wherever possible. Internal audit can play a key role in investigating how AI and RPA can be used to augment, and in many cases replace, current manual transaction testing and other risk-testing processes. Automating control testing through the use of RPA can enable organizations to spot anomalies earlier.</p><p>An organization's risk posture can be greatly improved by helping management understand the best uses of these tools and by working to deploy them in real time. The technology can help identify control deficiencies much sooner, enable testing of entire populations, and correct deficiencies immediately upon identification. As the third line of defense, however, internal audit needs to maintain its independence. 
Internal auditors may assist the first and second lines in establishing the use of these technologies by providing advice, but they must also ensure audit independence remains adequate to provide the additional layer of review. </p><h2>Leveraging the Technology </h2><p>When examining RPA and AI, internal audit shouldn't limit its focus to the business's use of these technologies. The audit function itself offers ample opportunities to leverage RPA and AI to achieve efficiencies and improve results. Auditors should consider several potential applications:</p><p>Controls testing is a vital but time-consuming internal audit function, requiring consistent, repetitive application to be effective — just the sort of process that is ideally suited for RPA. In some cases, controls or testing processes will need to be modified to allow for RPA, but once it is in place, automation can produce accurate, consistent, and timely results. For example, ensuring the usefulness of data consumed from multiple sources historically would often require someone from the audit team to spend significant time stitching the data together. Today an RPA automation can quickly replicate all of those tasks with a higher level of accuracy.</p><p>Internal audit work requires a significant amount of routine, repetitive communication. For example, auditors often need to request information and then follow up on those requests, many of which are triggered by specific due dates. These processes offer key opportunities for automation. </p><p>Scorecard population, audit committee reporting, and other predictable documentation demands often can be fully or partially automated. Dashboards can be fully automated for management and the board of directors. Using RPA with a visualization tool can enable automated generation of dashboard information for these key stakeholder groups. 
</p><p>The specific opportunities to apply emerging technology to the internal audit function will, of course, be partly determined by the circumstances of each organization. By seizing those opportunities where they exist, audit leaders can free up their professionals to focus on the critical thinking necessary to provide real strategic insights for the business. </p><p>Delivering those insights and managing the risks of emerging technologies also requires expanded skills — internal audit leaders should keep those needs in mind as they hire and train staff. Although technology can fuel significant improvements and efficiencies, deploying the right people, skills, and approach ultimately enables the technology to work as intended. Of course, a solid accounting and audit background remains vital, but more and more skills around data science and IT must be part of the internal audit group. And the central mission of internal auditing — to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight — remains the same. But tools like AI and RPA require auditors to possess broader technological skills, strong data management capabilities, and familiarity with mathematics — such as linear algebra and statistics, which drive algorithm development. A background in coding also can be valuable. </p><p>Hiring professionals with these skills and training those already in the internal audit function is essential. Not only will it position the audit team to best understand and address emerging technology risk, but audit functions considered leaders in these areas may be seen as more attractive to top talent.</p><h2>Partners in Transformation</h2><p>The emergence of AI, RPA, and similar technologies is much like that of spreadsheet applications in the mid-1980s. Spreadsheets at that time were innovative and useful, but not yet widely adopted. 
Within 10 years, they became ubiquitous and revolutionized work, not only within internal audit but across the business world. </p><p>Likewise, AI and RPA are transforming businesses and their internal audit functions. And while the new technologies present new risks, these risks can be managed. The greater risk is failing to capitalize on the power and utility AI and RPA tools offer. Effectively managing emerging technology risks while also leveraging these tools are key challenges for today's internal audit leaders. By doing so, however, they can become true strategic partners in their organization's success. </p>Michael Rose
Editor's Note: The Smart, Small Internal Audit Function<p>At an IIA Audit Executive Center CAE roundtable discussion early this year, some participants shook their heads when asked what it would take to make their audit functions more innovative. Participants said they didn’t have the resources to even consider innovating. However, Jim Pelletier, IIA vice president of Professional Standards and Knowledge and <a href="/blogs/Jim-Pelletier">’s innovation blogger</a>, told them they should not consider lack of resources a roadblock to innovating, as it only takes one person to think differently and challenge the status quo.</p><p>Approximately one-fourth of North American IIA members are full-time employees of small (one- to five-person) audit functions, according to The IIA’s 2018 Member Needs Survey. In this month’s cover story, <a href="/2018/Pages/Small-but-Tech-Savvy.aspx">“Small but Tech Savvy,”</a> CAEs of small functions discuss how they are using technology creatively, efficiently, and cost effectively. “Through innovative techniques and keen attention to stakeholder needs, many small audit functions are making the most of the technology tools at their disposal,” author Arthur Piper writes. </p><p>Innovation and flexibility go hand in hand. “With limited resources comes limited time, but small audit functions must maintain flexibility when events occur that are outside the scope of the audit plan,” writes Justin Stroud, who was brought in as Western Reserve Group’s one-person audit department nearly four years ago (see <a href="/2018/Pages/Starting-Small.aspx">“Governance Perspectives”</a>). “Having laser focus and a detailed game plan can help squeeze in work that can add value to the organization.”</p><p>And small audit departments have been known to do great things! 
In this month’s <a href="/2018/Pages/A-Case-of-Misplaced-Trust.aspx">“Fraud Findings,”</a> read how a lone internal auditor worked with a forensic investigator to uncover a nearly $4 million embezzlement — no small feat. </p><p>So, here’s to the small but mighty audit function, the men and women who work tirelessly to enhance and protect organizational value. These small teams are succeeding through agility and innovation. </p>Anne Millage
Small But Tech Savvy<p>Technologies such as artificial intelligence (AI) and robotic process automation (RPA) seem a sure way of revolutionizing the value that internal auditors can add to their organizations. But for auditors working in small departments, the budgets to implement such programs are often out of reach. </p><p>Does that mean the days of the small audit function are numbered? Will businesses outsource their audit departments to more technologically enabled consultants to enhance returns on their audit investment? Anecdotally, that seems unlikely — the small audit approach is thriving. Its practitioners are vigorous innovators often working within tight budgets. Squeezing every dollar out of their IT programs is critical, so team members use each application to its maximum capacity. There has to be a rock-solid business case for investing both time and money into new audit technologies — and, if there is, audit committees are supportive. Through innovative techniques and keen attention to stakeholder needs, many small audit functions are making the most of the technology tools at their disposal. </p><h2>Tailored Innovation</h2><p>“Small audit shops generally innovate within tight constraints,” says Ross Wescott, principal at consultancy Wescott & Associates in Portland, Ore. “They do so by using what they have differently and, if necessary, bringing some new processes to the table. Every new audit innovation should add value to the business while enhancing the audit process itself.” </p><p>Wescott says innovation is a mindset that all auditors would do well to adopt — in both small and large teams. Giving themselves permission to innovate is often the biggest step internal auditors need to take — as well as accepting that some initiatives will fail. 
To be effective, innovation needs to be closely tied to both the needs of the business and to the technological environment the auditor is working in.</p><p>“You would perhaps be surprised, but most IT shops and companies are not very technologically advanced — that is, they are not on the leading edge of technological innovation,” Wescott says. “In the majority of companies, IT lags behind the business’ strategy. The success of an auditor’s IT processes depends on how well they fit their clients’ own infrastructure.”</p><h2>Best Fit</h2><p>That does not mean audit functions in all highly digitalized businesses need to adopt the latest technology trends. Wendy Cooper arrived at the U.K. FTSE 250-listed company Sanne Group plc, London, in January as its internal audit director. Sanne Group is investing in internal audit by developing best practices and growing the team from three members to six. But Cooper is not investing heavily in the latest audit technology.</p><p>Cooper says Microsoft Office products such as templates in Word and Excel are adequate tools for most small internal audit functions. The former she uses for planning and drafting reports; the latter for the audit team’s risk and control matrix work and for tracking management actions on the team’s recommendations. Having worked at the global Lloyds Banking Group, she has used custom audit tools and understands they can be useful in coordinating the work of dozens of audit teams in multiple locations. But she thinks it is overkill for a small team — not least because it requires hours of audit time to keep them up to date. </p><p>In addition to her chosen tools, Cooper uses the business’ IT systems to download data and select samples to be audited. Those systems may be off-the-shelf packages or custom in-house IT systems. Both depend on people within the business helping the audit team.</p><p>“You have to build up good relationships and remain independent at the same time,” she says. 
That can mean audit staff sitting with the IT expert when requesting data and being there when it is collated. The approach has worked well for Cooper, and she is establishing links with the best people in the business with such IT knowledge.</p><p>She expects all internal audit staff members to be able to test IT controls and to be tech savvy. But for specialist reviews, such as on cyber risk, and for auditing complex financial applications, Cooper has built a co-sourcing relationship with a consulting firm. She says that if the need for specific IT audit skills increases, she would consider adding a more specialized IT auditor to the team.</p><h2>Auditing With Purpose</h2><p>David Givans is the one-person audit function at Deschutes County Administration in Bend, Ore. The county’s data is spread across the organization, usually in discrete silos, and like Cooper, he has to work with business managers to access and analyze data from disparate programs. He says auditors in small functions need to have a “very strong charter” to ensure they have the authority to access the data they need. </p><p>As county internal auditor, he deals with a wide range of government departments. In 2018, internal audits have included, for example, a health report on the inmates of the county’s jails, a controls audit over $10 million of revenue from solid waste disposal franchises, and a follow-up report on its recommendations to the Fairs and Expo team at the county. </p><p>Givans uses a mix of data mining tools and Excel to perform his audits, but understanding what he wants the technology to do is paramount. “I don’t let the technology drive what I want to do,” he says. “I have a personal passion for data and analysis, and I’ve been pretty resourceful with the data mining tools I have. But it has to be used for a purpose. 
I want it to help me tell a compelling story in my audit reports.” </p><p>He has recently been adding infographics to help him synthesize the data and bolster the arguments that he needs to make. Using such tools is not only an effective way to communicate his findings, but it underlines to the audit committee and to management the benefit those audit technologies provide. In fact, some of the county’s departments are keen to use Givans’ analytics tools. “That’s the perfect outcome,” he says.</p><h2>Knowledge and Maturity</h2><p>Auditors need to know their tools inside and out to be able to focus on the questions they want to ask. “The challenge in applying a technology tool is to get to a point where you can do critical thinking with it,” Givans says. Training courses are effective for learning the nuts and bolts of specific systems, but often do not address how to use those programs in the auditor’s own environment. “A tool can help you ask questions you feel need addressing, but you must understand how it can be used to come up with an answer for your organization,” he says.</p><p>Using a limited number of audit applications can be a virtue. Taking a deeper dive into existing technologies can prove more effective than adding new software programs, which often have a steep learning curve associated with them, Givans says. “If you have a week’s training course on a software package, you need to use that knowledge — otherwise, you will lose it,” he adds. Givans aims to apply the tools he has on every audit so they provide maximum value to both the audit function and the administration.</p><p>But how do small functions know whether they are keeping pace with how they should be using technology? It is not easy, says Grant Houle, director of audit at the Mohegan Tribe, which owns Mohegan Gaming and Entertainment in Connecticut. Houle’s seven-person audit team serves the central office in the state. 
He describes the audit tools that it uses as being “well along the maturity scale” because of the continuous resources and commitment the team has dedicated to its model. “You have to put the time and resources into the tools you have chosen to make sure you get the objectives you defined when you decided to increase your IT capabilities,” he says. </p><p>The team is heavily involved in using data analytics and the automation of internal audit processes, such as workpapers, time keeping, and risk ranking. As is typical for a smaller function, it has not dipped its toe in the water with more experimental technologies, such as AI. Houle prefers not to. When he meets other audit executives who have invested in such technologies, he often discovers that they are underused if the company has made the financial investment but has underestimated the time commitment to see it through. Even electronic workpaper solutions, which have been around for decades, will be little more than repositories if the time is not invested in the core process and behavior changes to get value from the technology.</p><p>Keeping the team’s capability mature is a “work in progress,” he says, because the business is expanding rapidly. Mohegan Gaming and Entertainment has centers in Pennsylvania, Washington state, Louisiana, and New Jersey; a second flagship property under development in Seoul, South Korea; and a new development it is adding next year in Niagara, Ontario. Houle assesses the maturity and fitness of any audit capabilities and tools at each of the new properties that comes on board. That can mean either setting up audit from scratch, or enhancing existing tools, if needed. So far, there are three additional auditors based outside of Connecticut in the wider team — but that is likely to grow.</p><h2>Second-line Partnerships </h2><p>Houle has been innovating his audit capability by finding ways to work with the second line of defense. 
Although his team has done whole population testing with its analytics software, a key focus that has paid dividends recently is continuous monitoring with automated processes. Under the group’s loyalty scheme, players can earn points. On the gaming tables, the way patrons earn these points has a manual side to it — handling playing cards and tracking play for the purposes of earning points. But a lot of data is also collected from real-time play, such as from security cameras. The audit team extracts the tracking data files, and the scripts it has developed analyze them for what may be considered red flag incidents on the tables and pass the results of that analysis on to the second line of defense surveillance group. The surveillance team then corroborates the red flag incidents with visual evidence to assess whether there have been genuine gaming errors or potential fraud. </p><p>“Our job is to make sure we focus on the most valuable red flag incidents, because the surveillance team needs to physically watch the video material in real time for each one — and there may be 200 in a single day,” Houle says. He estimates the continuous monitoring software cost as only about 10 percent of the total project budget — the rest is allocated to the time his team has spent in making sure they get the appropriate value from the objectives they have set.</p><p>With such a success under his belt, Houle is seeking to take the model his team developed on the gaming tables and to innovate audit processes in other parts of the business. Moreover, like Cooper, he is continually keeping abreast of developments in the organization itself to understand if those systems can be better exploited by the audit team.</p><p>“I don’t just want to see what is happening on the shop floor,” he says. “I want to be plugged in earlier than that — where are we transitioning to the cloud, for instance, and what does that mean for us?” For example, so-called stadium gaming is becoming popular. 
A physical dealer remains present, but up to 70 people can play the game and place bets via live video links to the internet. Houle says the process is less risky for the casino because, for example, the risk of marking cards or stealing chips is minimal. On the other hand, IT security risks may increase. Houle makes sure he is at those early meetings to understand the new processes and how his team may be able to help. </p><h2>Business Culture</h2><p>Michael Levy is the director of internal audit for Student Transportation in Wall, N.J., a multinational school bus contractor. While keeping a close eye on changing processes at his company, his team of five uses a variety of tools including data analytics, visualization, project management tools, cloud document repositories, and collaboration tools. “It is great to have the ability to use data visualization and analytics, but we as a profession need to make sure we are speaking to our audience and using their language,” he says. “Depending on the project, it sometimes can be better to have those tools used in the background — otherwise you can alienate people.” In addition, he says audit teams need to consider organizational maturity levels to ensure that they do not too far exceed the cultural norms of their organizations. “If we get too far ahead, that could be perceived as a negative,” he says. “We want to be sure as auditors that we do not head down a path that the organization will not perceive value from.”</p><p>Although he expects all team members to be conversant with data analytics — someone should be the champion — Levy says that interpersonal skills are also critical for success. “To be successful, we have to be professionals who can facilitate change in the organization and not just manipulate data,” he explains. 
“That requires relationship building and social skills.” Daily interaction with management helps his team members keep their fingers on the pulse of the organization and be proactive in delivering meaningful change, which data analytics can often help do.</p><p>He says he values the efficiencies that the effective use of audit technologies can bring. Automating workpapers, for example, and the process for sending out audit requests has saved his team many hours. However, when he is attending conferences and networking events, he is on a constant lookout for how to use both new and existing tools more intelligently and strategically.</p><h2>Practical Tools</h2><p>As technologies such as AI and RPA become mainstream, small audit functions will most likely use them where the business case is strongest. Audit committees and management are likely to support those efforts because returns will be demonstrable. As Levy notes: “There is no point in over-engineering something that doesn’t need it. That being said, if we can make recommendations to automate business processes, or parts of the audit, that is an intelligent and efficient way of using our resources.” There are lessons for all on how small functions maximize the return on investment from audit technologies. </p>Arthur Piper
Mining for Process Gold<p>Internal auditors need to accurately understand the underlying business processes within their audit scope. Audit objectives often require auditors to identify deviations from the designed process, determine the potential for automation, and uncover internal control weaknesses.</p><p>Traditional methods of reviewing processes — screening narratives, process flowcharts, interviews and walkthroughs with process owners, and rule-based data analytics — have limitations. An effective supplement is to use process mining to reconstruct real processes based on digital traces from information systems to obtain a clear and objective picture of how the processes actually work.</p><h2>How Process Mining Works</h2><p>Process mining is based on uncovering digital traces of business process activities. Essential for process mining is an event log that comprises a case ID, activities, and a time stamp. The time stamp brings the activities into chronological order and helps auditors visualize how process instances actually occurred. It makes deviations from the designed process obvious.</p><p>The three types of process-mining methods are:</p><ul><li> <em>Process Discovery</em> — extracting a process model based on an event log.</li><li> <em>Conformance Checking</em> — comparing the actual process as recorded in a log with the designed process to identify deviations from the designed process and vice versa.</li><li> <em>Enhancement</em> — improving an existing process model using information extracted from an event log.</li></ul><p>Applying process mining can increase internal audit's objectivity and efficiency. It increases objectivity by using digital traces from information systems, while efficiency comes from extracting the corresponding event log from those systems. </p><p>When this happens, internal audit can gain a clear picture of the actual process at the beginning of the audit. 
That can enable auditors to address their risk-based questions more efficiently. Moreover, auditors can conduct fewer interviews with audit clients about the process design and the actual process, saving clients time.</p><p>Another advantage is the process visualization, itself, which provides a basis for discussion between internal audit and clients. Additionally, similar to using data analytics, process mining allows internal auditors to analyze the full population of transactions using available digital traces. This enables auditors to provide a higher level of assurance and recommend specific actions.</p><p>Despite its advantages, process mining is not suitable for every purpose. One significant limitation is cases, activities, and attributes that do not leave a digital trace. Moreover, internal auditors may encounter unbreachable data discontinuity characterized by unstructured data sets that cannot be linked. </p><p>In addition, auditors may have a false expectation that process mining can solve every problem. For example, process mining is not the right tool for detecting duplicate payments not yet returned. Using rule-based data analytics would be more effective.</p><h2>Different Applications</h2><p>Process mining can be applied everywhere in which digital traces can be transformed structurally while complying with legal requirements. One common use is examining the transactional flow of the purchase-to-pay and order-to-cash processes. </p><p>Beyond transactional flows, internal auditors can use process mining to review how master data quality can be improved. Reviews of customer, material, pricing, and vendor master data have resulted in reducing changes due to inaccurately entered master data, harmonization of responsibilities, and an increased automation rate.</p><p>Recurring processes with high transaction volumes serve as a basis for internal auditors to start using process mining. 
Process mining pays off especially when internal audit has a limited understanding of the actual process and the process's inherent risks are not yet covered by rule-based data analytics. In such cases, process mining can help auditors raise new questions about potential deviations from the designed process. </p><h2>Avoiding Mistakes</h2><p>Internal audit departments often make several mistakes when they begin to use process mining. Some of these involve their approach to process-mining technology.</p><p> <strong>Lack of a Systematic Concept</strong> A process-mining application does not help if the department does not first have a systematic concept in place. A systematic concept rests on several cornerstones, including establishing objectives for using process mining (one-off analysis vs. continuous monitoring), defining responsibilities, building competencies within the organization, and maintaining the application on the existing infrastructure. </p><p> <strong>Reliance on Plug and Play Solutions </strong>Caution is needed with plug and play solutions, which often are too generic. Such solutions, which are designed to run with no or very limited upfront implementation effort, may produce a high number of false positives. Internal audit should not underestimate the organization's specific requirements and special conditions with regard to activities and attributes. </p><p> <strong>Department-specific Business Cases </strong>Internal audit is not the only department that can benefit from process mining. Other departments can use it to improve their primary and secondary process activities. Creating an organizationwide business case for process mining is more effective than developing separate plans for each department. </p><p> <strong>Using Process Mining to Replace Rule-based Data Analytics</strong> Process mining can supplement rule-based data analytics, but it cannot replace it. 
Rule-based data analytics can detect relevant documents that usually are not linked to each other structurally, and that therefore never appear together in one case of an event log.</p><p> <strong>Overestimating the Conformance Feature </strong>To apply the conformance feature of a process-mining application, a detailed model of the designed process is needed. This model must extend to the granularity of individual activities and must differentiate legitimate process variants. Without this granularity, every legitimate variant shows up as a deviation, and organizations may face a high number of false positives.</p><p> <strong>Considering the Visualization to Be the Final Step</strong> With the visualization in hand, process mining is really about to start, not to end. The visualization by itself is of limited value. Internal audit must address a host of questions: Which false positives can be excluded? Are the identified deviations really disadvantageous to the organization? What are the root causes of the identified deviations? Which specific measures can be taken to address any shortcomings? </p><p>Internal audit should address these and other potential mistakes proactively. To raise the prospects for success, auditors should include all of these points from the outset in a systematic and structured roadmap.</p><h2>A Smarter Event Log</h2><p>Creating a smart event log provides the basis for value-added process analysis. Event logs differ significantly in quality. Quality attributes include the number of activities, the number of attributes, and the accuracy and selectivity of the activities. Without these attributes, and especially without company-specific attributes, the prospect of success decreases dramatically. </p><p>Moreover, activities such as "change purchase order" often are too generic. The audit objective may require the activity to be split so that only the selected types of change that are of interest are distinguished. </p><p>Over time, quality attribute requirements change. 
For example, the attribute "differentiation between human being and machine (manual vs. automated)" requires more than just distinguishing by the type of user account. Transactions recorded by mass uploads and by robotic process automation applications need to be separated from genuinely manual activities in order to draw valid conclusions and take the right actions.</p><h2>Making a Difference</h2><p>Process mining serves as a supplementary, data-based instrument in internal audit's toolkit; it does not add value by itself. Creating a smart event log and analyzing the visualization require creativity and logical reasoning. This is what makes process mining interesting and attractive: Internal auditors can personally make a difference.</p>Justin Pawlowski
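<p>The event-log structure, the discovery and conformance methods, and the manual-vs-automated attribute described in the process-mining article above, as an added worked example that is not part of the article. The purchase-to-pay event log, the activity names, the user names and the designed sequence are all constructed for illustration; the code groups events into cases by case ID and time stamp, counts the process variants it finds, replays each case against the designed process, and reports which deviating steps were performed by an automated actor.</p>

```python
from collections import Counter
from datetime import datetime

# Hypothetical designed purchase-to-pay process (an assumption, not from the article).
DESIGNED_PROCESS = [
    "create purchase order",
    "approve purchase order",
    "receive goods",
    "post invoice",
    "pay invoice",
]

# Constructed event log, not real data. Each row: case ID, activity, time stamp,
# user, and whether the step was manual or automated (payment run, RPA bot).
# Rows are deliberately not in time order; the case ID and time stamp fix that.
EVENT_LOG = [
    ("PO-1001", "create purchase order", "2018-03-01 09:00", "alice", "manual"),
    ("PO-1001", "approve purchase order", "2018-03-01 11:30", "bob", "manual"),
    ("PO-1001", "receive goods", "2018-03-05 14:00", "carol", "manual"),
    ("PO-1001", "pay invoice", "2018-03-20 08:00", "payrun", "automated"),
    ("PO-1001", "post invoice", "2018-03-06 10:00", "dave", "manual"),
    # PO-1002: goods received before the order was approved.
    ("PO-1002", "create purchase order", "2018-03-02 09:15", "alice", "manual"),
    ("PO-1002", "receive goods", "2018-03-03 16:00", "carol", "manual"),
    ("PO-1002", "approve purchase order", "2018-03-04 08:05", "bob", "manual"),
    ("PO-1002", "post invoice", "2018-03-04 10:00", "dave", "manual"),
    ("PO-1002", "pay invoice", "2018-03-18 08:00", "payrun", "automated"),
    # PO-1003: paid with no goods receipt at all, after a bot changed the order.
    ("PO-1003", "create purchase order", "2018-03-02 13:00", "erin", "manual"),
    ("PO-1003", "approve purchase order", "2018-03-02 15:00", "bob", "manual"),
    ("PO-1003", "change purchase order", "2018-03-03 02:00", "rpa-bot", "automated"),
    ("PO-1003", "post invoice", "2018-03-07 10:00", "dave", "manual"),
    ("PO-1003", "pay invoice", "2018-03-21 08:00", "payrun", "automated"),
]


def build_traces(log):
    """Group events by case and sort each case by time stamp; this is what turns
    raw digital traces into process instances."""
    cases = {}
    for case_id, activity, stamp, user, mode in log:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        cases.setdefault(case_id, []).append((when, activity, user, mode))
    return {case_id: sorted(events) for case_id, events in cases.items()}


def discover_variants(traces):
    """Process discovery: count the distinct activity sequences (variants).
    The most frequent variant is the de facto process, whatever the flowchart says."""
    return Counter(tuple(ev[1] for ev in events) for events in traces.values())


def check_conformance(activities, model=DESIGNED_PROCESS):
    """Conformance checking: replay one trace against the designed process.

    Returns (kind, activity) pairs where kind is 'missing' (never performed),
    'out of sequence' (performed later than the model allows), 'repeated'
    (performed again after it was already done) or 'unknown activity'."""
    expected = 0   # index of the next activity the model expects
    skipped = []   # model activities jumped over, in model order
    late = []      # model activities seen after their slot had passed
    unknown = []
    for act in activities:
        if act not in model:
            unknown.append(act)
        elif expected < len(model) and act == model[expected]:
            expected += 1
        else:
            idx = model.index(act)
            if idx > expected:
                skipped.extend(model[expected:idx])
                expected = idx + 1
            elif act not in late:
                late.append(act)
    skipped.extend(model[expected:])
    deviations = [("out of sequence" if act in late else "missing", act) for act in skipped]
    deviations += [("repeated", act) for act in late if act not in skipped]
    deviations += [("unknown activity", act) for act in unknown]
    return deviations


def audit_event_log(log, model=DESIGNED_PROCESS):
    """Run discovery and conformance over the whole population and, for every
    deviating case, list the steps an automated actor performed, because a bot
    skipping goods receipt calls for a different follow-up than a person doing it."""
    traces = build_traces(log)
    findings = {}
    for case_id, events in traces.items():
        deviations = check_conformance([ev[1] for ev in events], model)
        if deviations:
            findings[case_id] = {
                "deviations": deviations,
                "automated_steps": [ev[1] for ev in events if ev[3] == "automated"],
            }
    return discover_variants(traces), findings


if __name__ == "__main__":
    variants, findings = audit_event_log(EVENT_LOG)
    for variant, count in variants.most_common():
        print(count, " -> ".join(variant))
    for case_id, finding in findings.items():
        print(case_id, finding)
```

<p>The conformance routine deliberately reports a step that was done late as one "out of sequence" finding rather than as a skipped step plus an extra step, which is the kind of granularity the article asks for; without it, PO-1002 would look like two deviations instead of one. Note also that a payment run recorded as "automated" is expected, while the bot's "change purchase order" on PO-1003 is the event that warrants a root-cause question.</p>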
Data at Risk<p>In the age of social media, cloud storage, and the Internet of Things, protecting one’s data has become more and more difficult. Although these technologies create valuable conveniences in people’s everyday lives, they also leave a digital footprint of our identities. With each click or swipe, we voluntarily expose our personally identifiable information and increase the risk of sensitive information loss or, worse, identity theft.</p><p>These same risks, of course, exist for the organizations we serve in the form of data theft, unauthorized access to systems, network attacks or intrusions, and misuse of services, information, or assets. Unfortunately, many organizations overlook these risks when performing IT assessments and remain complacent rather than taking proactive steps to protect their sensitive information. As such, internal auditors must ensure an incident management program exists as part of the organization’s overall information security strategy. </p><p>Effective incident management assigns responsibility to named personnel; details and defines requirements for identifying, investigating, and documenting an incident; and establishes escalation triggers and notification procedures. An incomplete process could hinder timely investigation into a potentially damaging incident and diminish an organization’s resilience in the wake of a threat. Accordingly, internal auditors should verify that incident management policies clearly define who needs to be notified when an incident occurs, based on the incident classification and the affected business units and systems. </p><p>The methodology should also include procedures for the collection of data, prioritization of incidents by risk severity, and preservation of compromised systems. Insufficient or incomplete procedures in these areas could exclude critical forensic data and impair the organization’s ability to recover quickly from an incident. 
Therefore, an effective incident management infrastructure should also follow industry standards for the collection, preservation, analysis, and reporting of forensic evidence. Specifically, internal auditors should encourage organizations to use products and services that meet legal rules of evidence, such as those validated by the U.S. National Institute of Standards and Technology, or that follow the guidance of the CERT Coordination Center at Carnegie Mellon University’s Software Engineering Institute or the SANS Institute.</p><p>With more digital and technological vulnerabilities facing organizations than ever, internal auditors should ensure adequate security, privacy, and safeguards for customer and company data, while adapting to ever-changing advances in technology. As the world continues to become more interconnected in both our personal and professional lives, have we conditioned ourselves to accept that our data and personal information are no longer our own? Are internal auditors doing enough to adapt to this reality and protect ourselves and our organizations against the inherent vulnerabilities of the digital age? If not, now is the time to act. </p>Robin Brown
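<p>The preservation step the article above asks incident procedures to cover, as an added example that is not part of the article: a collection manifest that records the SHA-256 of every collected file at collection time, and a verification routine an auditor can re-run to show whether the evidence has been altered, removed, or padded since. The evidence files, the case reference and the collector name are constructed for the demonstration.</p>

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so a large disk image does not load into memory


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def create_manifest(evidence_dir, collector, case_ref):
    """Record every collected file with its size and SHA-256 at collection time.

    The manifest is the baseline: anything examined later must still hash to
    these values, or the evidence has changed since it was collected."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(full, evidence_dir).replace(os.sep, "/"),
                "size": os.path.getsize(full),
                "sha256": sha256_file(full),
            })
    manifest = {
        "case": case_ref,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    # The manifest's own hash belongs in the chain-of-custody record kept outside
    # the evidence store, so the manifest itself cannot be quietly rewritten.
    manifest["manifest_sha256"] = hashlib.sha256(
        json.dumps(manifest, sort_keys=True).encode()).hexdigest()
    return manifest


def verify_manifest(manifest, evidence_dir):
    """Re-hash the evidence and report anything modified, missing or added."""
    expected = {e["path"]: e["sha256"] for e in manifest["files"]}
    found = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, evidence_dir).replace(os.sep, "/")
            found[rel] = sha256_file(full)
    modified = sorted(p for p in expected if p in found and found[p] != expected[p])
    missing = sorted(p for p in expected if p not in found)
    added = sorted(p for p in found if p not in expected)
    return {"ok": not (modified or missing or added),
            "modified": modified, "missing": missing, "added": added}


def run_demo():
    """Constructed scenario: collect two files, verify, then alter one and verify again."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        with open(os.path.join(evidence_dir, "auth.log"), "w") as fh:
            fh.write("Mar 20 08:01:12 host sshd[4711]: Accepted password for svc from 10.0.0.5\n")
        with open(os.path.join(evidence_dir, "memory.dmp"), "wb") as fh:
            fh.write(os.urandom(4096))
        manifest = create_manifest(evidence_dir, "analyst-1", "IR-0001")  # hypothetical values
        before = verify_manifest(manifest, evidence_dir)
        # Someone "tidies up" the log after collection; the hash no longer matches.
        with open(os.path.join(evidence_dir, "auth.log"), "a") as fh:
            fh.write("Mar 20 08:05:00 host sshd[4711]: session closed\n")
        after = verify_manifest(manifest, evidence_dir)
    return before, after


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

<p>Hashing only proves that the copy in hand matches what was collected; it says nothing about the live system, which is why collection should be made from a forensic image or export and the manifest stored apart from the evidence. An auditor reviewing the incident program would look for exactly this pairing: a manifest produced at collection, and a verification run recorded before analysis and again before any reporting.</p>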
When the SEC Speaks About Cybersecurity, We'd All Better Listen<p><img src="/2018/PublishingImages/Cyber%20padlock.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />I often find myself talking with reporters about internal audit's role regarding risks, particularly cybersecurity. Recently, a reporter asked me about a new U.S. Securities and Exchange Commission (SEC) investigative report, <a href="">"Cyber-Related Frauds Perpetrated Against Public Companies."</a> The report describes investigations at nine publicly traded companies that were victims of cyber fraud.</p><p>In each case studied by the SEC, employees were tricked into sending large sums to bank accounts controlled by fraudsters. Some of the scams continued for months, and often they were detected only after intervention by law enforcement or other outside parties. The nine companies wired a total of nearly $100 million to the criminals, most of which was unrecoverable, according to the SEC.</p><p>As a result of its investigation, the SEC cautioned public companies to consider cyber threats when implementing internal accounting controls. It's good advice. But as internal auditors, we know that cybersecurity preparedness is not just an issue when implementing accounting controls. It is a vitally important facet of risk management every day, in every part of the organizations we serve.</p><p>Initiatives such as October's National Cybersecurity Awareness Month have made important inroads in improving awareness of cyber threats, but there is a big difference between cybersecurity awareness and cybersecurity preparedness. At many of our organizations, there are gaping holes in our preparedness. 
For example, more than 90 percent of participants in the <em><a href="">2018 North American Pulse of Internal Audit</a> </em>survey from The IIA's Audit Executive Center said their organization had a business continuity plan, but when it came to cyberattacks, many of those plans offered little more than a false sense of security. Only a quarter of survey participants said their plans provided clear, specific procedures for responding to a cyberattack, and 17 percent of respondents reported that their continuity plans did not include any procedures for a response.</p><p>As internal auditors, we recognize the importance of the preventive and detective controls that help protect our organizations from cyberattacks. But sooner or later, those controls will fail. Even the most carefully crafted controls break down occasionally, and there's a strong consensus among experts that it is a matter of when, not if, our organizations will undergo a successful attack. Prevention and detection are important, but we also need to help ensure that, after an attack, our organizations can recover efficiently, effectively, and rapidly. </p><p>Cyber resilience takes into account the organization's ability to operate during an attack, and to adapt and recover after the attack. It enables our companies to deliver intended outcomes despite adverse cyber events. But making the transition from cybersecurity to true cyber resilience won't be easy. Culture changes are never easy, and changes that bring together the areas of information security, business continuity, and resilience are especially daunting. That's why cyber resilience is an "all hands on deck" issue that deserves the attention of all three lines of defense. </p><p>At some companies, there is a view that cybersecurity issues should reside in the domain of IT and security experts, with internal audit providing little more than support. 
But part of internal audit's scope must be to assess the organization's cyber culture and help build one that is cyber-savvy. According to The IIA's <a href="">Global Technology Audit Guide (GTAG) "Assessing Cybersecurity Risk</a>," internal audit plays a crucial role in assessing an organization's cybersecurity risks by considering:</p><ul><li>Who has access to the organization's most valuable information?</li><li>Which assets are the likeliest targets for cyberattacks?</li><li>Which systems would cause the most significant disruption if compromised?</li><li>Which data, if obtained by unauthorized parties, would cause financial or competitive loss, legal ramifications, or reputational damage to the organization?</li><li>Is management prepared to react in a timely manner if a cybersecurity incident occurs?</li></ul><p>Cybersecurity risks are relentlessly increasing, and the potential consequences extend far beyond the realm of IT. According to a <a href="">report by the Council of Economic Advisers</a>, malicious cyber activity cost the U.S. economy $57 billion to $109 billion in 2016 alone. The reputational risks may be even higher than the financial risks. In the words of Societe Generale Global Chief Information Security Officer Stéphane Nappo, "It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it."</p><p>The IIA's <em>International Standards for the Professional Practice of Internal Auditing</em> require that <a href="">chief audit executives report periodically to senior management and the board regarding significant risk and control issues</a>. The frequency and content of those reports should depend on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management and/or the board. 
If you, like most internal auditors, work at an organization that does not have clear, specific procedures for responding to and recovering from cyberattacks, it may be time to increase the frequency and content of communications regarding cyber threats and their potential consequences. The risks are too high to ignore.</p><p>The recent SEC report should serve as yet another reminder of the importance of internal controls over cybersecurity. This ever-present risk should always be on our radar, but when the SEC speaks, we should double down on our cybersecurity coverage.</p><p>I look forward to your thoughts on this important subject.<br></p>Richard Chambers
Five Trends Shaping Digital Transformation<p>Digital transformation is driving change along two fronts. Organizations are using intelligent systems to solve business problems and reduce costs, yet operational complexity is increasing. Moreover, that complexity is a design problem of those systems: organizations need to focus on how people use technology. </p><p>In the face of these two factors, internal audit can help its organization retool internal controls and streamline business processes to focus on the strategic risks wrought by digital transformation. Many audit leaders are preparing for transformation with strategic hires in data management and analytics to leverage talent across an expanding portfolio of risk. Meanwhile, new regulatory technology tools enable internal audit to set up analytics programs quickly. As internal audit’s role continues to grow, these audit tools will need to evolve to keep pace. </p><p>Five technology trends are set to disrupt how internal audit confronts its risk mandates in an age of transformation: audit analytics, robotics, next-generation cloud computing, cybersecurity, and performance optimization. Internal audit will need to leverage these trends to provide leadership and assurance in the emerging digital economy. </p><h2>Audit Analytics</h2><p>Providing insights from data is internal audit’s new value proposition. Auditors are leveraging analytic platforms to provide insights into control performance trends in near-real time. Trends emerging in audit automation include analysis and replacement of rules-based engines with intelligent systems, audit process automation, continuous monitoring, and a focus on deep-data analytics and visualization for better decision-making.</p><p>Ideally, analytic platforms reduce the frequency of false positives in data for a more nuanced look at risks than is possible with point-in-time sampling. 
Analytics engines work well for routine data sets that are well-defined — such as system user-access controls, accounting functions, and process controls — but more advanced systems are needed for complex risks.</p><h2>Robotics</h2><p>Robotics, in this context, is another name for software systems built on machine learning and artificial intelligence. These smart systems are either completely autonomous or user-directed, with inputs from specific data sets that allow the machines to learn routine tasks. This technology already is used in many industries to achieve business efficiencies and provide expert guidance from zettabytes of data. </p><p>The obvious advantage of using these tools is that they can run behind the scenes to alert auditors to changes in the control environment. The opportunities to automate and refine internal controls may be endless, with advances in robotics and machine learning making organizations more responsive to change. A July 16 Forbes article notes, “Auditors can use cognitive technology to redesign their work so they can conduct analyses of structured and unstructured data in ways not possible just a few years ago.”</p><h2>Cloud Computing</h2><p>Although many businesses are reluctant to move data to third-party providers, cloud computing is accelerating. IT research firm IDC projects global public cloud spending will continue at a 19 percent compound annual growth rate through 2020.</p><p>Organizations facing competing mandates, such as data security and cost reductions, have leveraged a suite of cloud services to support these demands. Cloud computing will require internal audit to develop a portfolio of internal controls and distributed controls that function along parallel lines, as well as to define a distributed control environment. Distributed controls are virtual in nature and designed specifically for third-party vendors such as cloud and e-commerce providers. 
</p><p>Internal auditors must prepare for a future where data is decentralized among service providers on platforms independent of internal controls within the organization. This paradigm creates a new risk exposure called “robust yet fragile.” Outsourcing increases scale, making organizations more robust for growth yet more fragile to single points of failure. Reliance on a distributed network of third-party providers creates fragility from each relationship. Contractual and service-level agreements are insufficient backstops. Understanding these new points of fragility will require new assurance models.</p><h2>Information Security </h2><p>Managing risks in a distributed data environment becomes even more complex for asymmetric risks such as information security. Cybersecurity is no longer a compliance exercise to ensure that policies and procedures are followed. Internal auditors must become conversant in the greatest vulnerability in cyber risk — the human element. </p><p>Vulnerabilities in complex systems exceed simple solutions, and technology alone is not enough. People trust technology, but cybercriminals can easily exploit that trust. As the digital economy expands into trillions of connected networks and devices, internal audit must assess cyberattack vulnerabilities created by unauthorized cloud services and even employee accounts with third-party providers. </p><p>Internal auditors must anticipate how digital profiles created in cyberspace result in new vulnerabilities within the organization. This requires a boundaryless security program that educates employees about how their behavior on the internet leads to vulnerabilities inside the organization. For example, dormant personal internet account credentials can be used to socially engineer access to sensitive enterprise systems. 
Security programs that reward good behavior and reduce complexity serve as better incentives than blanket punitive responses.</p><p>The human-machine interaction is not a new risk. Researchers have identified this interaction as the main cause of the cyber paradox, in which cyber risks continue to rise faster than investments in cybersecurity. The human-machine interaction risk is a design problem that ignores human behavior. Basic cybersecurity training has raised awareness but isn’t a solution. The problem requires a broader awareness of digital habits that inadvertently lead to unexpected internal vulnerabilities. Internal audit must take a broader view of the control environment that extends to behavioral factors. </p><h2>Performance Optimization</h2><p>Performance optimization is a process that considers user behavior, technology interface, and situational awareness. Situational awareness is the product of sense-making, comprehension, and response. Examples of performance optimization include contract automation, audit analytics, risk assessments, financial reporting, and chatbots.</p><p>To optimize performance, organizations should: </p><ul><li>Clearly define the best achievable outcomes.</li><li>Measure progress in incremental steps.</li><li>Use controlled experiments to reduce risk.</li><li>Anticipate and learn from failure.</li></ul><p>Internal audit should partner with business owners to establish use cases for performance optimization that increase efficiency and productivity, reduce risk and uncertainty, and address complexity. </p><h2>A Path Toward Audit Leadership</h2><p>The era of digital transformation is an exciting time for internal audit to build on the three lines of defense and become a more proactive leader by advising on strategic business performance. Although some internal audit functions have already adopted some of these approaches, it is not too late to catch up with and surpass early adopters. 
Audit analytics is an obvious place to start for some organizations, while organizations that are further along may be adopting more advanced technologies. </p><p>The digital economy presents new opportunities for internal audit to create new assurance models. Audit priorities that align with organizational objectives and reduce risk are a powerful combination. Lastly, automation is a powerful tool, but auditors should never underestimate its impact on the people who have to use it.</p>James Bone
Will Artificial Intelligence Bring Smarter Security?<p>Can artificial intelligence (AI) close the IT security gap? Most respondents to a global Ponemon Institute study are hoping it can. </p><p>These IT and IT security professionals say AI, machine learning, and behavioral analytics are essential to detecting today's dynamic threats to computer applications and networks, according to <a href="" target="_blank">Closing the IT Security Gap With Automation and AI in the Era of IoT</a>. The report, based on a survey of 3,800 respondents, is sponsored by Santa Clara, Calif.-based networking company Aruba.</p><p>Simply put, businesses aren't able to stop advanced, targeted attacks, says Ponemon Chairman Larry Ponemon. "Against this backdrop, AI-based security tools, which can automate tasks and free IT personnel to manage other aspects of a security program, were viewed as critical for helping businesses keep up with increasing threat levels," he says.</p><h2>Minding the Gap</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Top Cyber Threats</strong></p><p>According to a <a href="" target="_blank">Tech Republic article</a>, North America-based IT and security managers polled by Osterman Research say the top security threats they face are:</p><ul><li>Ransomware attacks.</li><li>Breach of sensitive data.</li><li>Phishing attacks.</li><li>Malware infiltration.</li><li>Targeted attacks.</li><li>Shadow IT and employees using unauthorized cloud applications and services.</li><li>Endpoints compromised by botnets.</li><li>Cryptocurrency mining malware installed on PCs and servers.</li><li>Browser-based cryptocurrency mining that consumes users' processing power when they visit websites.</li><li>Employees who visit websites that violate company policies.</li></ul></td></tr></tbody></table><p>The security gap is about 
technology, processes, and people, the report notes. Two-thirds of respondents say their security team can't see and control all of the users and devices that are connected to their IT infrastructure. This includes mobile devices, the Internet of Things (IoT), and personal devices. </p><p>At the same time, 62 percent say attackers could break through gaps in their organization's IT security infrastructure. Only 38 percent are confident the organization could detect attacks against the IT infrastructure before they caused a breach. Nearly half say mobile, personal devices, cloud, and IoT are difficult to defend, and the organization lacks a security staff with skills comparable to those of today's attackers.</p><p>More than anything, inability to secure IoT devices and apps is a problem, making them a prime entry point for attacks. Just one-fourth say their IoT devices are well-secured. Most say their organization needs the ability to continuously monitor each IoT device to spot trouble early. </p><h2>Smarter Defenses</h2><p>What is needed to bridge the IT security gap are automated technologies that can discover and understand threats, respondents say. In particular, organizations need tools that can see all the endpoints and applications on their network. Respondents say such tools should be able to monitor privileged users, perform security information and event management, provide user and entity behavior analytics, and analyze network traffic.</p><p>One great hope is AI-based technologies. Most respondents say AI can find attacks before they do damage. 
Respondents say these tools can make security teams more effective, facilitate efficient investigations, and locate security threats that have gotten through the organization's defenses.</p><p>The most important capabilities of automated tools include reducing the time and effort needed to investigate an alert, reducing the number of false positives that must be investigated, finding attacks before they do damage, and automating key tasks during investigations and remediation. Respondents also want the tools to improve coordination among networking, operations, and security teams.</p><p>Despite that hope, only 29 percent currently are using machine learning in their IT infrastructure. That may change soon. One-fourth plan to implement machine learning within the next year, and one-fifth plan to do so in the following year. Processes most likely to be automated include containing and remedying attacks, investigating alerts, risk scoring and prioritizing risks, and aggregating forensic data.</p>Tim McCollum
Integrated Knowledge<h2>What are the advantages of having an integrated audit function?</h2><p><strong>Simmons</strong> Combining the knowledge, skills, and disciplines of financial, operational, and IT auditors on audit engagements allows for a holistic view of the business, risks, and controls, revealing the bigger picture of the control environment. It also enables two-fold efficiencies in auditing business functions and opining on the strength of the overall control environment — for the audit silo responsible for coverage, as well as for the customer who gains greater assurance from how IT is supporting its business controls and whether IT issues may be impacting its practices or regulatory conformance. It provides cross-skilling of resources with IT and business knowledge. Finally, it enables internal audit to meet board expectations and provide the C-suite with more comprehensive and connected audit universe coverage.</p><p><strong>Anunciacion</strong> Having an integrated audit function has benefits for both internal audit and the first line of defense, depending on the organization. In a more tangible sense, an integrated audit function helps minimize testing fatigue — passing tests back and forth — which minimizes redundancies. Also, internal audit builds credibility with internal clients.</p><h2>Why is it important for internal auditors to understand the impact of technology innovations on their organizations?</h2><p><strong><img src="/2018/PublishingImages/EOB-Ernest.Anunciacion.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Anunciacion</strong> Internal audit exists to provide assurance to the organization. Since technology plays an increasingly large, fundamental role for companies, auditors must fully grasp what’s involved and associated with it. Auditors must incorporate this into their risk-based audit plan, as changes in technology can easily threaten companies. 
Today, audit should not be conducted at the speed of risk, but rather at the speed of innovation. Internal audit must keep up with the technology changes that impact the organization to provide assurance to stakeholders.</p><p><strong>Simmons</strong> The pace of technology advancement is changing the way organizations invest in technologies to: gather and consolidate information; manage risk and regulatory pressures; and seek ways to be more efficient, agile, and insight driven. To maintain a competitive advantage, organizations must invest, yet more importantly they must understand the balance of opportunity vs. risk of doing so and how it could impact the risk landscape and ultimately change the control environment. Auditors can add value by not just flagging risks, but also by providing comfort that the risk is well-managed and worth taking. Therefore, auditors need to understand new and emerging technologies and discover innovative ways to engage the business to stay current and provide best-in-class assurance to the organization.</p><h2>What technologies do internal auditors need to have a working knowledge of?</h2><p><strong><img src="/2018/PublishingImages/EOB-CHARMIAN%20SIMMONS.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Simmons</strong> Several disruptive technologies are driving a new wave of processing and doing business, including artificial intelligence, machine learning, software robotics, blockchain, cryptocurrencies, semantic analysis, cloud computing, connected devices, and the Internet of Things. These technologies are being used to fight fraud, improve model and algorithmic trading, decipher unstructured data, and connect things previously unconnected. Internal auditors should be knowledgeable about these technologies to give assurance over them. 
In addition, auditors should understand how the underlying data is being created, consumed, and used; data is such an important element underpinning how business occurs, it cannot be overlooked. Audit functions should employ their own technology to support them with this, starting with basic to advanced data analytic tools to better analyze large data sets — for data-driven audits — and reperform system outputs and interpret predictive analytic techniques used by the business. Lastly, in keeping internal audit innovative, it should consider intelligent automation and workflow automation technologies.</p><p><strong>Anunciacion</strong> Internal auditors need to have a working knowledge of core transaction systems, as well as mission-critical systems, that impact what’s being audited. Business intelligence and office productivity tools are just the start — specific industries require specific tools, as well. Ultimately, internal auditors need to be aware of the organization’s technology roadmap — where they see themselves headed in terms of the technology used — and stay aware of the technologies that could be on the horizon.</p><h2>How important is it to have team members with advanced technology skills?</h2><p><strong>Anunciacion</strong> It’s increasingly important to have team members who not only know their way around technology, but also can push the organization forward. Chief audit executives (CAEs) must pursue a well-rounded team, with expertise in a full tech stack — infrastructure, security, building complex queries, analyzing large data sets, and more. Pursuing a team that is heavily invested in technology and accounting might be difficult, but it’s invaluable in terms of strategically addressing operational risk for the entire company.</p><p><strong>Simmons</strong> One of the top challenges facing CAEs is obtaining high-quality resources with the right skills to balance technology, business knowledge, and project management. 
It is imperative in most industries to have a balance of IT auditors — application, infrastructure, data analysts/scientists — and financial auditors who understand the front-to-back functions and operations of the organization. Financial auditors are now expected to have basic general computer control skills and carry out testing of these, leaving the complex tech-related areas to be addressed by advanced tech auditors.</p><h2>Why is it important to develop working relationships with IT professionals?</h2><p><strong>Simmons</strong> Technology is deeply ingrained in organizations’ fundamental operations today. Data and processes typically don’t exist without it. Having good and trusted working relationships with key technology professionals and the chief information officer (CIO) ensures auditors remain in touch with current, planned, and future work/projects and keeps them abreast of how the risk landscape is affected by run-the-business or change-the-business activities. This can be achieved through a strong continuous monitoring program, an effective audit work tool that derives meaningful data, and an audit methodology that is agile enough to anticipate or react to events/incidents/programs. </p><p><strong>Anunciacion</strong> IT professionals and the CIO can help auditors get where they want to be. Auditors looking to modernize their processes and organization should not overlook relationship building with IT. After all, IT is the gatekeeper for all technology, supporting the business, helping achieve strategic objectives, and often holding the purse strings when it comes to purchasing new technology. Additionally, building rapport with the chief information security officer (CISO) is of paramount importance. Just like audit, the CIO’s goal is constant vigilance and oversight of the organization’s practices. 
CAEs should consider monthly meetings with their CISO to make sure all risks are acknowledged.</p><h2>How can internal audit use technology to manage stakeholder relationships?</h2><p><strong>Anunciacion</strong> Simply put, technology allows for unparalleled collaboration among the organization and the three lines of defense. Internal audit also can use technology to provide foresight and hindsight — not only mitigating risk before it occurs, but also simplifying the audit reporting process across the board.</p><p><strong>Simmons</strong> Technology that brings together business data, metrics, indicators, financial numbers, risk profiles, emerging risks, market trends, and insight in a connected way for an audit function demonstrates to stakeholders how well auditors understand their business, the market, and the expectations of regulators. The right technology is an enabler for auditors to drive the right conversations and be that trusted advisor.</p>Staff
Attacks Test Cyber Resilience<p>The world's industrial control systems are prime targets for cyberattacks. Blame it on the Internet of Things (IoT).</p><p>Three-fourths of 320 industrial system decision-makers who responded to a Kaspersky Lab survey say their organization's operational technology/industrial control systems (OT/ICS) are a likely target. More than half say the IoT's connectivity is a major cybersecurity challenge, according to the <a href="" target="_blank">State of Industrial Cybersecurity 2018 report</a>. Nearly two-thirds say the IoT is more likely to cause OT/ICS risk events to occur.</p><p>Such concerns are why most respondents' organizations are prioritizing management of connected devices as they become more tightly integrated into their networks. "The good news is that we are seeing more and more businesses improving their cybersecurity policies to include dedicated measures toward safeguarding their industrial control networks," says Georgy Shebuldaev, brand manager at Kaspersky Industrial Cybersecurity.</p><h2>Perception vs. Reality</h2><p>Beyond IoT, most respondents are concerned about the impact of advanced persistent threats (APTs) and targeted attacks on industrial systems. Yet, those fears may not reflect the actual threats they face.</p><p>Specifically, only 16 percent of respondents say their organization experienced a targeted attack in the past 12 months. That's down from 36 percent in 2017.</p><p>Meanwhile, almost two-thirds of respondents' organizations suffered a conventional malware or virus attack against their industrial systems. Thirty percent had a ransomware attack.</p><h2>Anticipating Risks</h2><p>Conventional attacks may be more common, but the threats keep changing as attack methods become more sophisticated. Being able to anticipate risks through controls testing and monitoring can strengthen security and resilience. 
</p><p>Yet, only 12 percent of respondents to a recent Baker Tilly Virchow Krause LLP poll say their organization has a holistic cybersecurity testing program. Such integrated testing seeks to understand the organization's current risk profile and assess the design and effectiveness of its cybersecurity program, according to a <a href="" target="_blank">Baker Tilly webinar</a>.</p><p>Combining "cyber intelligence" techniques and traditional testing methods can give an organization "a better grasp on its potential risks," says Dan Argynov, a manager with the advisory firm's cybersecurity and IT risk practice.</p><h2>Testing Techniques</h2><p>The integrated testing approach described in the Baker Tilly webinar centers on an assessment of the organization's cybersecurity risk management. Speakers advocated documenting the organization's current state using a framework such as the International Organization for Standardization's ISO 27001, ISACA's COBIT, or the U.S. National Institute of Standards and Technology's Cybersecurity Framework. This approach covers four parts.</p><p><strong>Reconnaissance.</strong> At this stage, testers should build an organizationwide profile and identify targets. Testers should define the network footprint and identify worthy assets, whether they are data and network assets or people. Moreover, they should identify vulnerabilities and analyze potential motivations for attacks.</p><p><strong>Network assessment.</strong> Testers should analyze the network for internal and external risks and vulnerabilities. They should identify network components such as services, points of access, and access controls. Also, they should scan the network and look for vulnerabilities in the current infrastructure. To test the network's resilience, they should review the organization's disaster recovery capability to restore key functions.</p><p><strong>Threat modeling.</strong> This stage is about modeling how potential threats could occur. 
Specifically, testers should view threats from the attacker's perspective, looking for approaches that require less effort or could yield a greater reward. This gives the organization a profile of potential attackers and enables it to prioritize its efforts accordingly.</p><p><strong>Attack simulations.</strong> The objective here is to simulate high-threat scenarios identified at the modeling stage. For example, testers could simulate an attack through external system access by trying to gain remote access to an internet-connected application or system using vulnerabilities discovered during earlier stages of testing.</p>Tim McCollum
