Pandemic Poses Dual Cybersecurity Challenges Poses Dual Cybersecurity Challenges<p>​The shift to remote work was like an army retreating to safer ground, its personnel scattered in the face of the oncoming pandemic. IT functions raced to reconnect these employees to the organization and reestablish communication as their businesses began to understand what disruption really means.</p><p>Meeting the technology demands and solving the problems that arose during the early days of the COVID-19 crisis taxed beleaguered IT functions, but it also put many IT initiatives on hold. For 44% of organizations, cybersecurity was one of those initiatives, according to the <a href="" data-feathr-click-track="true" target="_blank">2020 Work-from-home IT Impact Study</a> from cybersecurity firm Sectigo and Wakefield Research.</p><p>Since then, IT functions have been catching up on safeguarding remote work. Now as organizations have settled into a more long-term — and even permanent — remote operating environment, their IT teams have turned their attention to what comes next.</p><p>Those organizations need a dual cybersecurity mindset, a recent McKinsey & Co. article advises. They must secure the technology needed for remote work, while anticipating how to design security for life after the pandemic.</p><p>In the current crisis, "cybersecurity teams are being perceived anew," according to <a href="" data-feathr-click-track="true" target="_blank">"A Dual Cybersecurity Mindset for the Next Normal."</a> Going forward, the authors note, "They must no longer be seen as a barrier to growth, but rather become recognized as strategic partners in technology and business decision-making." Internal audit functions may find McKinsey's recommendations helpful when assessing cybersecurity risk, and advising executives and IT management about future plans.</p><h2>Securing Remote Work</h2><p>Five months into remote operations, organizations must fortify their security work, while considering how to safeguard new technology and processes adopted during the pandemic, the McKinsey article advises. The authors recommend focusing on:</p><ul><li>Assessing hot spots by remedying operational, process, and technology gaps.</li><li>Fixing operations by evaluating new risks and implementing controls.</li><li>Fortifying security gains by standardizing remote work procedures and evaluating technologies to reduce long-term risk.</li></ul><h2> The Next Phase</h2><p>While they continue to address the pandemic, IT and cybersecurity leaders should look at how new business conditions may affect the organization, the article says. The authors point to four areas where leaders should act to protect the organization's ability to create value.</p><p><strong>Secure Workforce in New Ways of Working</strong> In response to fundamental changes in the way organizations work, the authors recommend undertaking cybersecurity initiatives, including:</p><ul><li>Dynamic security of users, assets, and resources.</li><li>Cloud-based tools and infrastructure.</li><li>"Contact-aware" workforce privacy that may involve employee consent.</li><li>People defense to reduce fraud and other vulnerabilities that may result from employees' anxiety.</li><li>A remote cybersecurity operating model and talent strategy.</li></ul><p> </p><p><strong>Secure Customers in Shift to Digital</strong> Customers expect a "secure and seamless" digital experience with greater choice and availability, the article notes. IT and cybersecurity functions should prioritize:</p><ul><li>A frictionless customer security experience across all web, mobile, and customer service channels.</li><li>Cybersecurity controls that function at scale.</li><li>Privacy by design that includes controls on the use of customer data.</li><li>Advanced analytics that integrate security into fraud controls.</li></ul><p> <br></p><p><strong>Rethink Supply Chain and Third-party Risk</strong> Organizations need to assess the resilience of their supply chain as they adopt new ways of operating. The article recommends:</p><ul><li>Expanding assessment coverage to review all vendors and potential third parties.</li><li>Updating security controls to account for third parties' remote operations.</li><li>Securing partner collaboration.</li><li>Planning for geopolitical challenges to critical vendors.</li></ul><p> </p><p><strong>Sustaining Increased Sector Collaboration</strong> Organizations need to strengthen partnerships with peers, their industry sectors, and regulators to support changing processes, the authors say.<br></p><h2>Align Security With Changing Business Strategies</h2><p>Flexibility will be key for IT and cybersecurity functions to adopt a dual cybersecurity mindset, the McKinsey authors say. Leaders of these functions should "plan their security strategies to best align with business strategies and priorities," which may have changed during the pandemic. The article recommends that leaders assess opportunities to "leapfrog" current security capabilities, set parameters that prioritize essential initiatives, and clearly communicate time frames for cybersecurity efforts.<br></p>Tim McCollum0
The Digitally Transformed Enterprise Digitally Transformed Enterprise<p>Nearly every organization — from multinational corporations to small, brick-and-mortar enterprises — is in some stage of digital transformation, but just where businesses are along the technology spectrum varies significantly. What is clear is that the challenges and complexities behind getting it right are daunting, especially for internal audit functions that must provide assurance over digital transformation while relying on traditional processes.</p><p>“At San Francisco Bay-area companies, you probably see a lot more chief audit executives being successful with data and data analytics,” says Tom Rudenko, head of audit at Yelp. “I think it’s just the nature of our companies — you have to adopt their methods, adopt their tools, because if you don’t, you’re going to become obsolete very, very fast. Whereas in the more traditional companies that are not in technology, it’s more of a struggle to get to that point.”</p><p> Whatever stage organizations find themselves, digital transformation is ultimately about data — how businesses present data to customers; how they use and manage customer data; and how they aggregate and analyze business data to increase efficiency, accuracy, profit, and speed. The technology used to parse or deliver this data encompasses cloud computing, data analytics and data mining, robotic process automation (RPA), and artificial intelligence.<br></p><p> Chief audit executives (CAEs) must be aware of the strategic risks associated with embracing or neglecting data and new technology, and they must understand its inherent ability to disrupt business plans and models. Indeed, CAEs rank data and new technology risk as likely to grow markedly in relevance over the next five years, according to The IIA’s OnRisk 2020 report.</p><div class="subhead-article"><h3>COVID-19 Accelerates Need <span style="letter-spacing:0px;">f</span><span style="letter-spacing:0px;">or Digitization</span></h3><p>The COVID-19 pandemic has had an economic impact on organizations worldwide. Businesses that were already technology- and data-driven have had an advantage, even in challenging sectors.</p><p>Organizations that were already comfortable with “virtualization” tools and working with digital data were able to more easily transition to setting up remote workforces and processes, connecting with customers, and delivering some services online.</p><p>For instance, while Uber has definitely lost revenue from the slowing of its ride-sharing services, the company’s Uber Eats division was ready to ramp up to meet the growing demand for food deliveries and groceries. Meanwhile, in April, the company launched Uber Direct and Uber Connects — pilot projects involving the delivery of other types of goods, such as over-the-counter medications and packages to loved ones. “We were already using the technology platforms, so it’s really adapting the technology platform to embrace the new activities,” Vincenti explains.</p><p>The pandemic has also pushed customers and businesses alike into developing new behaviors and habits. Telemedicine, previously slow to catch on as a viable alternative to office visits, is becoming more mainstream.</p><p>For example, telehealth provider Carenet Health reported an 80% spike in telehealth visits during the first weeks of the pandemic. Other examples include transportation and logistics companies switching to “contactless” paperwork and internal auditors using drones and security cameras to conduct inventory audits, according to an April 2020 <em>Wall Street Journal</em> article. And a recent study on U.S. attitudes and consumer behavior during the pandemic shows that for as many as 23% of respondents, the shift to more online working, shopping, and meal ordering may be a permanent one.</p><p>As a result of these societal shifts, digital transformation is now even more urgent than before, Vincenti says. “If people needed a reminder to accelerate the process, I think that reminder is loud and clear.”</p></div><p> Still, acknowledging the risk does not always translate into its successful management. Despite recognizing that this risk is likely to grow in relevance, CAEs give themselves and their organizations low marks in relation to their personal knowledge of data and new technology risk and their organizations’ ability to manage it, the report notes.</p><p> Many factors affect just how invested organizations are in technology, such as whether they developed before the computer age or were “born digital.” Either way, organizations that embrace the use of data and new technology have enjoyed a decided advantage in connecting with customers, coordinating with new digital platforms, or shifting to remote operations during the pandemic (see “COVID-19 Accelerates Need for Digitization,” at right). But it is not too late. Organizations that accelerate their digital transformation can still reap the benefits moving forward — and internal auditors can provide valuable assistance along the way. </p><h2> Digital Maturity</h2><p> Part of the reason some companies are further behind than others when it comes to adopting technology and data processes has to do with culture. Dominique Vincenti, who serves as global head of Internal Audit and CAE for Uber, likes to use the generational term <em>digital native</em> to describe organizations that were “born” using and manipulating technology and data — such as Uber and Yelp.</p><p> Vincenti explains that older industries and those that are not inherently digital are facing some of the same challenges Baby Boomers and Generation X have faced in comparison to digital-native Millennials and Generation Z. “Those who’ve been operating in industries where data and technology is not at the heart of the business model, [but are] ‘going there because we have to’ — they’ve found themselves in that non-digital-native situation, and it’s probably more uncomfortable,” Vincenti says. </p><p> For Rudenko, there are pros and cons to working with digitally savvy companies like Uber and Yelp, but one clear advantage is that they are naturally faster at adopting and using technology to solve problems. “The tech companies are not as mature, and they might not have those best practices, but they are very nimble and move fast, and you’re not weighed down by decades of legacy systems, people, and processes,” he says.</p><p> Larger, older organizations may have more mature, formal processes, which can be a good thing, Rudenko says. On the other hand, they are also more likely to have bureaucratic processes or silo mentalities where people are reluctant or unable to share information or effectively collaborate across business units. “In my experience with more mature companies, navigating through the organization and just getting access to the data can be a time-consuming and difficult process,” he says. “By the time you were able to analyze it, it was already kind of old news.”</p><p> Regardless of their organization’s level of digital maturity, Vincenti says CAEs looking for a better grasp of data and new technology risk need to understand how their organization is approaching the risk strategically. As with any risk assessment, auditors must know what they’re dealing with. They need to consider how important data and new technology are to the organization’s evolving business model and where their organization is with respect to digital transformation. </p><p> Vincenti suggests CAEs ask themselves: “Is data and new technology becoming a core enabling function? Or is it just sitting on the side as technology has been for many, many years, and is just a way of making things a little bit more efficient — not necessarily an enabler of business but just a support of business?”</p><h2> A New Way of Thinking</h2><p> While every industry is different, Vincenti says it is important to consider competitors: “Are we at odds with how literally the world is evolving, and can we become the next Kodak or Blockbuster in our industry? If auditors determine that digital transformation is now embedded in their business model — fundamentally, how business is now done — then the audit function must change its approach, as well,” Vincenti says.</p><p> Although internal auditors may have had a strong grasp of previous business processes, she adds, they need to realize fundamentally that today’s business is done primarily with data and technology. They must understand the new business world as well as they grasped the former, less digitally based one. </p><p> Vincenti says CAEs also need to recognize that data, along with money and people, is a fundamental asset in this new way of doing business, whereas technology is just the means to use the data. “What I’ve told my team and what I’m trying to tell people is that before understanding technology, do you understand data like you understand dollars? Because this is the raw material.”</p><h2> Building Trust With Small Steps </h2><div class="subhead-article"><h3>Building Technology Into the Audit Process</h3><p> In a May 2020 IIA webinar titled “Utilizing Technology to Advance Internal Audit and Stay Relevant in a New Risk Environment,” presenters Scott Madenburg, director of Solutions Advisory Services, AuditBoard, and Eric Groen, managing director, Protiviti, provided examples of ways analytics technology can be used for reporting and planning: </p><ul><li>Root cause investigation.</li><li>Real-time exception management (continuous risk management).</li><li>Risk quantification.</li><li>Control simulation.</li><li>Predictive risk identification. </li><li>Risk profiling.</li><li>Test data simulation.</li><li>Statistical sampling.</li><li>Continuous controls monitoring.</li><li><p>Identification of fraud indicators.</p></li></ul><p>A key takeaway from the webinar is that internal audit functions looking to incorporate data processes into their own work may not have to reinvent the wheel. There may already be technology tools, data, and people (such as business analysts) that CAEs can leverage to start incorporating data analytics testing and processes into internal audit engagements. CAEs might also consider forming a specialized committee that includes participants from IT, management, and elsewhere to determine how data analytics could be incorporated into and benefit current business practices. </p></div><p> While understanding data and technology is important, it can take time for internal audit to become a trusted resource on data and technology risk if this is not already part of the organization’s culture. Rudenko recommends that internal audit build trust with easy wins using data analytics within the audit function. Although most organizations have all but eliminated travel in the current environment, one of the easiest places to piece together early wins is with travel and expense reporting. As an area at high risk for fraud and one that likely is already part of a reporting system, he says, it can be a good candidate for adaptation to an automated system.</p><p>“You can extract the data out of that system and run it through a series of data-driven tests,” Rudenko says. “Run those tests a couple of times, get the process stabilized, and hand that back to the business. They usually love it, and they’re very happy for something that helps them manage their expenses.” </p><p> Both Rudenko and Vincenti agree that relationships are crucial. “You need to have very robust relationships with the tech and data science communities of your company,” Vincenti says. “And one of the reasons is to leverage the systems and technologies that are already in place so that there are economies of scale.”</p><p> Vincenti asks, for example, why the audit function would consider buying RPA licenses if a privileged RPA vendor relationship and license agreement have already been established elsewhere in the organization. Understanding what technology is available and “piggybacking” wherever possible is key, she says. (See “Building Technology Into the Audit Process” at right.)</p><p> According to Rudenko, once internal audit can demonstrate the efficacy of using data analytics tools, the payoff in trust can be great. “You get a trophy, and you put it on the shelf,” he says. “And you start to build your brand inside the organization, and people start to see the value that you’re bringing back to the company.” </p><p> Management at Yelp sees internal audit as an important part of the company’s strategic planning, rather than as an interloper. Rudenko and his team are consulted for advice on website development, data pipelines, reporting dashboards, and more. “They want our insight,” he says. “They want our knowledge of risks and controls.”</p><h2> The Right Team</h2><p> Building competencies within the internal audit team is also important if the audit function intends to become more technically savvy, but that can take time. According to Rudenko, it is unrealistic to expect everyone on the team to be experts in data analytics, coding, and internal audit because such employees are considered “unicorns” — hard to find even in Silicon Valley.</p><p> At Yelp, Rudenko aims for at least half of the internal audit team to be technically savvy, but he also focuses on people who are a good cultural fit for the company. To do this, he invites people from around the organization to participate in interviews for internal audit positions. Getting buy-in from people who will be working with his auditors helps promote teamwork and trust, Rudenko explains. </p><p>“In the end, it’s about building relationships,” he says. “That’s really what this all comes down to, but that doesn’t happen overnight.” <br><br>At Uber, Vincenti says she has strong technology audit muscle on her team. “One of my directors is the technology specialist, and he is our point-of-contact with the [chief technology officer] of the company,” she says. “On a daily basis, we’re touching base with the engineering teams.” </p><p> Vincenti describes her team of auditors as “specialized generalists.” In other words, while everyone has broad, general knowledge, they each have deep knowledge of one or two specialized areas relevant to Uber’s business model. In addition, the audit activity has its own data science team. While the data scientists understand internal audit enough to work well with the auditors, they are the only true data specialists on the team.</p><h2> The Digital-first Imperative</h2><p> Vincenti points out that, ultimately, analyzing data is not a new concept for internal audit. The difference is that the tools and the focus have changed. And internal auditors, like the organizations they serve, need to adopt a digital-first mindset.</p><p>“The challenge today is to bring data and technology at the core of everything,” Vincenti says. “So today the core is the internal auditor, and the data analytics and technology are on the side — we need to turn the model upside down. We need to put technology in the middle and the internal auditors around to leverage it and add value.”<br></p>Christine Janesko1
Auditing in a Disruptive Environment in a Disruptive Environment<p style="text-align:left;">Emerging or disruptive technologies, such as artificial intelligence (AI), robotics, the Internet of Things, nanotechnology, and quantum computing, are permeating almost every industry. These technologies not only alter the way the business is done but ultimately hold the key to future organizational success. Without them, few businesses will be able to survive, much less remain competitive, in the long term.<br></p><p style="text-align:left;">Internal audit takes on greater importance in digitally transformed environments. Disruptive technologies, in addition to the value they provide, can multiply potential harm and magnify risks significantly. Stakeholders will expect internal audit to be more engaged as they look to manage these risks and seek assurance that controls are effective. To meet the organization's needs, internal audit must evolve, grow, and adapt to rapidly changing conditions.</p><h2 style="text-align:left;">Rising Expectations</h2><p style="text-align:left;">Significant levels of change in any business environment create uncertainties, increased complexity in operations, and greater risks. New technologies will compel businesses to identify the right strategies, determine the best business models, and recruit people with right skills through a multidisciplinary approach. These initiatives may introduce new strategic and operational risks, which will be a concern for management and auditors.<br></p><p style="text-align:left;">Practitioners will play a key role in helping manage these risks by providing an independent and objective assessment of the new technology environment. But failing to participate upfront in discussions of system development, governance, and risk management could result in a missed opportunity to add value. Auditors need to be proactive and engaged early. To maximize their contributions, they will need to possess strong business acumen and expertise within the sectors in which their organizations operate, as well as the ability to see the secondary or tertiary effects of organizational risk. <br></p><h2 style="text-align:left;">Changing Risk Landscape</h2><p style="text-align:left;">The implications of new technologies and their convergences will introduce several uncertainties in the political landscape, turning economic networks into political weapons. This new reality will require country-specific laws involving legal challenges and at the same time increase concerns about corporate accountability. Many of these regulations will pose additional challenges to the internal audit profession. They will require auditors to have the ability to assess the sectors that are politically risky and determine whether their organization has developed new strategies and relationships that balance economic efficiency with security.</p><p style="text-align:left;">Risks related to cybersecurity will significantly influence the landscape of internal audit's work. The World Economic Forum Global Risks Perception Survey 2019-2020 identified "information infrastructure breakdown" as the sixth most impactful risk over the next 10 years. Some expected risks include the speed of technological development, integration of technologies and devices, cross-border legal issues, and unforeseen consequences. These challenges will require internal auditors to check whether existing procedures, programs, and mechanisms put in place by the audited entity are sufficient. Results of such analysis should point out to management any steps that should be taken to help ensure cybersecurity threats are mitigated. </p><p style="text-align:left;">Additionally, new markets, products,  cross-border trade, and business acquisitions will introduce risks stemming from new supply-chains, business disruptions, and opportunities for fraud. Different countries and regions have distinctly different cultures, as do different organizations that merge. Internal auditors should possess a sound understanding of the business environment, ethical framework, and fraud risk management processes. Practitioners can help companies assess the alignment of their ethics programs and evaluate the performance indicators in place to measure effectiveness and help promote ethical behavior.</p><p style="text-align:left;">Internal auditors also need to understand generational and cultural differences when communicating with employees in diverse organizations. The changes in business models and supply chains may require internal audit to adapt to a desired culture or a set of values through recruiting culturally informed staff. Practitioners will face increased challenges in providing assurance on whether organizations understand, monitor, and manage the tone, incentives, and actions that drive behavior. </p><p style="text-align:left;">Perhaps most importantly, internal auditors will be required to provide assurance on the value for the money their organization invests in the disruptive technologies and tools. Such an assessment is only possible with an integrated view of their implications for policies, governance, and the processes established to implement them.<br></p><h2 style="text-align:left;">The Way Forward </h2><p style="text-align:left;">In a worst-case scenario, disruptive technologies may pose a threat to internal audit and replace practitioner skills, depriving organizations of our most valuable assets: professional skepticism, critical thinking, and communication. While this is unlikely to happen, internal auditors should nonetheless prepare for upcoming challenges and opportunities through a two-pronged strategy.</p><p style="text-align:left;">First, the heads of internal audit functions should determine an audit universe of proposed and current change programs, factoring them into audit plans and engagements. This should provide a basis for identifying areas of audit engagement related to disruptive technologies.  </p><p style="text-align:left;">Second, audit leaders should identify alternative staffing models that provide the diversity of skills necessary to address new technology risks effectively. The coming years, for example, will witness a sharp increase in the number of "data auditors" with the ability to correlate disparate information to provide early identification of fraud and operational risks. Businesses are using automation tools or bot algorithms that mimic the actions of a person or a computer to avoid redundancies and save costs. Audit practitioners should have the ability to provide assurance on such system development processes as well as validate the security risks by quickly adopting new methods of working, including agile auditing, continuous/concurrent auditing, and automated assurance.  <br></p><h2 style="text-align:left;">Rising to the Challenge</h2><p style="text-align:left;">The whole world is struggling to keep pace with technological advancements — and internal auditing is no exception. But our core skills of critical thinking, collaboration, and communicating set auditors apart in the digital age, with technology only serving to augment them. </p><p style="text-align:left;">To remain relevant, internal auditors should recognize emerging technology-related challenges and opportunities, and prepare for future skill requirements. Practitioners need to deploy the same technologies driving the need for change to help them rise to the challenge. As IIA Standard 1230 says, "Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development." There are no better skills to develop than those that will equip practitioners to confidently face the dramatic changes on the horizon.  <br></p>Israel Sadu1
Transforming Corporate Card Audits Corporate Card Audits<p>​One of the most significant changes in auditing corporate card expenses over the past decade has been the conversion of supporting documentation from paper receipts to electronic form. Although an internal auditor's core duties of ensuring completeness and accuracy in record-keeping remain the same, the electronic form has altered the dynamics of those duties significantly.</p><p>Not so long ago, people mailed paper receipts to a central location for processing. Today, by contrast, a simple receipt photo, screenshot, or email confirmation uploaded via a website or mobile app often suffices. The convenience and efficiency of electronic files, as well as enabling technologies such as cloud storage, data visualization, and automation, have created both new opportunities and challenges in auditing corporate card transactions.</p><h2>Cloud Storage</h2><p>Cloud storage is an on-demand, self-service model where data or software as a service is stored remotely on virtual servers hosted by third parties. </p><p><strong>Opportunities</strong> Cloud storage removes the storage limitation challenge presented by retaining physical copies of paper receipts or using on-site servers, as it is easily scalable to accommodate any data storage needs. Additionally, it reduces pre-installation costs and maintenance charges associated with on-site servers.</p><p>Duplicate back-up copies of data can be stored in multiple locations worldwide, making data less vulnerable to natural disasters. Cloud storage also makes it easier to implement a document retention period for physical receipts. Corporate card data that requires long-term storage could be archived or automatically purged after a defined period.</p><p><strong>Limitations</strong> Digital documentation is susceptible to malicious software, such as ransomware, that encrypts data to an unusable form and holds it hostage unless payment is made. Focusing on data security may protect transaction information from hacking, which could result in negative publicity from a data breach or give competitors insight into prospective projects.</p><p>Use, transfer, and purge of stored personally identifiable information attached to employees' expenses is limited by regulations such as the European Union's General Data Protection Regulation and the California Consumer Privacy Act. If the data is backed-up or stored in international locations, there is the added complexity of the local regulations around the data's use. </p><p>Depending on how the information is housed and structured in a third-party's platform, organizations may have to pay extra to fully access their data the way they want. For instance, application programming interface (API) software, which allows two applications to talk to each other, often is an extra cost. API, for example, allows the expense repository system and audit software to talk to each other and is used to access features or data of a service application.</p><h2>Data Visualization</h2><p>Data visualization distills large datasets into visual graphics to allow for easy understanding of complex relationships within the data.</p><p><strong>Opportunities</strong> Combined with data analytics, data visualization allows the data to be dissected in more ways than before. For example, a dashboard template could track multiple key performance indicators linked to a database that would allow users to slice the data in real time and filter down to focus on any variable for specified business areas. </p><p>Beyond simply graph or pivot data in Excel, data visualization can simultaneously overlay multiple variables, such as transaction types, on a geographic map while highlighting the magnitude of the transactions in different sizes and colors. This could be used, for example, to target potential fraud indicators where there may be misalignment between travel plans and expense transaction locations. </p><p>Auditors can use data visualization to add value in addition to investigating noncompliance. It could highlight frequent exception trends and indicate broader implications, such as the need for additional employee training for specific parts of the corporate card policy or the need to amend the policy. For example, the corporate card policy may have a standard flat threshold for specific expense types, such as lodging or business meals. However, the policy does not consider that guideline amounts are not realistic for high-cost-of-living areas, such as New York or San Francisco, and may indicate that the policy needs to be amended to allow for fluctuations. Data visualization could help draw attention to these types of trends.</p><p>The data also could highlight opportunities to reduce costs and negotiate group rates if, for example, it finds that cross-departmental employees frequently attend the same conferences or events. On the other hand, it could flag individuals who did not use the prenegotiated group rate, and management could use it as an opportunity to educate those employees on ways to maximize their budget. </p><p><strong>Limitations</strong> Despite these benefits, there is a risk of overreliance on data visualization. The insights gleaned from it are limited by the accuracy and completeness of the data inputs, false positives, or misleading trends if used incorrectly.</p><h2>Automation</h2><p>Processes that can drive efficiency and cost savings in corporate card audits include robotic process automation (RPA), a software robot that mimics human actions; machine learning (ML), a subset of artificial intelligence (AI) that allows systems to learn new things from data; and AI, the simulation of human intelligence by machines. </p><p><strong>Opportunities</strong> The combination of RPA, ML, and AI creates a system that mimics human judgment in defined circumstances and could reduce time spent on repetitive and low-value tasks. With the advent of these technologies, the audit concept of reasonable assurance due to limited available audit hours and resources could move much closer to absolute assurance. In the past, internal auditors have focused on rigid criteria: a specific time period, an individual's or group's transactions, keywords, or transactions that exceed a defined threshold. Many potential noncompliant transactions that fall out of the hard-line criteria would be missed, and without software with AI capabilities, it would be impossible for auditors to review the entire volume of transactions.</p><p>Expense tracking software could incorporate a company corporate card policy so that RPA could continuously monitor and flag noncompliant transactions for additional approval or auditor review. This would ensure that auditors focus on transactions that are more likely to be exceptions and perform more meaningful work.</p><p>Optical character recognition (OCR) image-reading software could save not only the submitter's time, but also the approver's and auditor's time, by automatically pulling and matching the amounts from the uploaded receipt to the reported expense transaction. For international receipts in foreign languages, the software can translate the language, look up the local tax rates, and calculate currency exchange rates. More advanced expense-tracking software could cross-reference publicly available data, such as online menus or historical hotel rates, to determine the reasonable range for specific expenses. This would allow for variation due to seasonal or location-based fluctuations for the reasonable expense threshold range. </p><p>AI with OCR could detect split transactions where a larger receipt is paid through multiple transactions or using multiple corporate cards. Another instance of split transaction could occur if there were a deposit that was paid in advance and the remainder of the balance was paid at a later date. Image-reading software could easily detect this, while it is much harder for an auditor to find with paper receipts. The use of OCR software could reduce excessive payment for the same expenses submitted multiple times or circumvention of the policy expense guideline amount. </p><p>Another AI capability is systematic risk profiling. Low-risk recurring transactions could be auto-approved and bypass the need for manager review, saving hours of administrative time and increasing the time available for more productive tasks. This time could focus on high-risk individuals or departments more likely to be noncompliant, leading to increased policy education or behavior change. </p><p><strong>Limitations</strong> AI, ML, and RPA are relatively new and often expensive technologies. The software is only as good as the training data set inputs and what it is being programmed to do. AI involves a learning process, where users must "train" the software. Moreover, the AI tools may produce a high number of false positives, which could create more work than traditional methods. If these technologies do not detect pervasive noncompliance in the training data set, the model may never catch it — but a person could.   </p><p>ML and AI are susceptible to biases and skewed results because of bad data inputs. For instance, the technology might determine that a certain gender or race is a higher risk for noncompliance, leading auditors to focus on those individuals' transactions and possibly result in legal issues/consequences.</p><h2>Beyond Compliance</h2><p>Auditing purchase card expenses goes far beyond reviewing for policy compliance. By using the cloud, data visualization, and automation in corporate card audits, auditors can drive better stewardship of company resources. While these technologies provide tremendous benefits, it's important for internal auditors to be aware of their downsides to adjust accordingly. By building on this foundation, internal audit also can use these technologies to transform the audits of other business areas and processes. </p>Bonnie Tse1
Eight Areas of Analytics Advancements Areas of Analytics Advancements<p>Even internal auditors at a giant software firm like Microsoft have to get the basics right to make the most of data analytics. It takes a strategic plan, skilled resources, management support, and access to clients' data. "It took time and a sustained strategy to build up our data analytics muscle," says Pooja Sund, director of Technology and Analytics for internal audit at Microsoft.</p><p>Microsoft's experience is indicative of the significant progress many internal audit departments are making in implementing data analytics into their work, according to a new survey. The most advanced audit functions are applying suites of automated analytics across multiple business processes, performing sophisticated analytics, and using data from broad sources, notes The Audit Analytics Institute's (AAI's) 2020 Survey on the State of Data Analytics Usage in Internal Audit (see "Survey Highlights," below right). AAI polled audit executives, directors, managers, and analytics specialists from about 70 organizations for the report.</p><p>These departments have specialists to deal with the complex aspects of data analysis and formal procedures to ensure the quality and sustainability of analytics use.</p><h2>Moving Beyond the Basics</h2><p>Increasingly, internal audit functions are moving beyond basic uses of analytics, such as testing all general ledger transactions for suspicious journal entries or examining purchase and payment transactions for duplicates. One example of more advanced analytics is in a payroll audit in which auditors compare data from network logins and use of physical access swipe cards to payroll records to identify nonexistent employees or fraudulent overtime payments. </p><p>One survey finding calls out the strong correlation between teams that have deployed data analytics successfully and how they addressed implementation issues such as needing structures and processes. The survey findings yield takeaways across eight topic areas.</p><p> <strong>Strategy and Objectives</strong> Six out of 10 audit teams have a clearly communicated audit analytics strategy, the survey finds. Nearly half have defined goals for analytics usage, and 68% of audit leaders are highly supportive of analytics. The takeaway for internal audit is that developing a formal, well-communicated audit analytics strategy, with specific goals and audit leadership's proactive support, is critical. For example, the strategy could be that for every audit, the department will evaluate the potential use of analytics, with a goal of integrating it into 40% of audits.</p><p> <strong>Implementation Planning and Program Management</strong> The survey notes that 57% of teams have an effective approach to planning and managing the use of audit analytics. Successful teams implement a well-managed and communicated analytics program. A program addresses practical information for achieving the strategy and objectives such as acquiring skills, working with IT, getting data, and setting standards and processes. </p><p></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Survey Highlights</strong><p></p><p>In The IIA’s 2018 North American Pulse of Internal Audit, 38% of respondents were not using data analytics, with 27% of these planning to do so. Two years later, the 2020 AAI survey shows the progress internal audit functions are making, including: </p><ul><li>18% of audit teams have achieved a high level of maturity, using automated analytics across the organization, in cooperation with compliance and risk management functions.</li><li>26% rate their use of analytics as mature and well-managed. </li><li>26% are at an intermediate level.</li><li>18% occasionally use basic analytics.</li><li>12% do not use data analytics.</li></ul> </td></tr></tbody></table><p> <strong>Integrating Analytics Into the Audit Process</strong> Analytics can support virtually all aspects of internal audit's process. Surveyed functions use analytics most in control testing (65%), substantive procedures (59%), and audit planning (48%). Successful integration into the audit process requires planning and review at the beginning and end of an audit. Internal audit needs a systematic process for determining whether and how it will apply analytics in each audit stage. </p><p> <strong>Dealing With Data</strong> Obtaining timely and accurate data is a big challenge for 62% of internal audit functions. Nearly half of teams access a central audit data store. Having staff members who are skilled at identifying data requirements and extracting data without relying on the IT function is essential. Internal audit also needs efficient, independent, and secure processes for obtaining and storing data.</p><p> <strong>Analytics Usage and Technical Resources</strong> Hiring people with appropriate skills and knowledge, developing the analytics skills of existing staff members, and acquiring resources such as analytics libraries are crucial to the long-term success of analytics programs. More than 60% of audit functions have staff members who are capable of performing and developing analytics to meet most audit objectives. About one-third use a central library to encapsulate analytics knowledge, including suites of analytics and documentation to support specific audit objectives in specific areas.</p><p> <strong>Automation, Repeatability, and Sustainability</strong> Four out of 10 say they expect analytics usage to be sustainable and repeatable. At least 31% have had problems with sustainability, and 38% are aware of the risks of over-relying on specialists. Automation, documentation, and use of appropriate software are important in achieving sustainable and repeatable analytics.</p><p> <strong>Quality Assurance, Standards, and Reliability</strong> About half of internal audit functions have formal standards for ensuring the integrity of analytics and data, as well as for developing, testing, and documenting analytics. Without appropriate standards, analytics results may not be reliable for audit purposes. Organizations that lack those standards may be placing undue confidence in the accuracy of analytics results. </p><p> <strong>Organizational Structure and Skills Development</strong> Nearly half of internal audit functions surveyed rely on specialists to perform complex aspects of data analytics and to support nontechnical auditors in basic use. Another 31% rely on specialists for all analytics tasks. Additionally, 53% have analytics training programs and include development of analytics skills in auditors' performance objectives. </p><p>How audit functions organize specialists and integrate them into audit processes depends on the department's size and resources. Most audit functions implement a "blended" model combining specialists and nonspecialists, which continuously spreads knowledge and skills throughout the team.</p><h2>Strategy and Leadership Are Key</h2><p>Successfully using data analytics is vital to transforming audit processes. While some internal audit functions are making progress, many are still in the early stages of the process. These departments will need to address the eight issues mentioned above to achieve maximum benefits and sustain data analytics in their audits. Fully integrating analytics into core audit processes takes time to achieve. </p><p>Some important steps to establish a strong analytics program include a realistic strategy, goals, a practical implementation plan, and processes for integrating analytics into the audit. Although analytics involve many technical issues and skills, ultimately internal audit's success will depend on good leadership and management. </p>John Verver1
Fast and Hyperconnected and Hyperconnected<p>​Imagine a global network so lightning fast and seamlessly interconnected that boundless innovation flourishes. Imagine what organizations could do with a wireless network as fast as any wire-line network — and maybe faster.</p><p>That is the promise of advanced wireless networks such as 5G and Wi-Fi 6. These new technologies are making wireless an alternative for must-have, high-bandwidth applications such as artificial intelligence (AI), cloud, and edge computing, according to a new Deloitte <a href="" target="_blank">report</a>.</p><p>"As the adoption of advanced wireless technologies progresses from pilots to full-scale adoption, networking executives who understand how to use them as a way to unlock the full potential of emerging technologies will ultimately prevail," says Jack Fritz, principal, technology, media, and telecommunications, at Deloitte Consulting LLP.</p><p>Indeed, 86% of respondents to a Deloitte survey say advanced wireless will transform their organizations in the next three years, and 79% say it will transform their industry. Deloitte surveyed 415 network decision-makers at U.S.-based organizations for the Enterprises Building Their Future With 5G and Wi-Fi 6 report.</p><p>Most respondents say their organization currently is adopting these technologies, and another 37% plan to do so in the next year. That's why internal auditors need to get up to speed on the technologies.</p><h2>5G</h2><p>Despite what auditors may have heard from their wireless carriers' advertising, 5G — the fifth generation of cellular technology — isn't just for mobile phones. It can support a wide range of applications at speeds that are as much as 100 times faster than 4G connections and even faster than a fiber-optic home connection.</p><p>Perhaps more importantly, 5G reduces the latency, or response time, between when a user makes a command or request and when an action occurs to as little as 1 millisecond, <a href="" target="_blank">Cnet explains</a>. That could enable time-sensitive applications, such as performing robotic surgery or enabling self-driving vehicles to communicate with one another. At the very least, Zoom calls might be less awkward.</p><h2>Wi-Fi 6</h2><p>While 5G brings speed to external wireless networks, Wi-Fi 6 lets organizations extend speed to internal networks. The technology, which debuted last year, is about 30% faster than the previous Wi-Fi 5 standard, <a href="" target="_blank">according to Cnet</a>.</p><p>But speed isn't the only advantage of Wi-Fi 6. The technology can link more devices than ever before and enable them to communicate faster, more efficiently, and at lower power simultaneously. Additionally, Wi-Fi 6 routers and access points can send more information in a single signal. With them, applications like the Internet of Things become supercharged.</p><h2>The Power to Innovate</h2><p>Speed and connectivity are advantages, but only if they deliver real benefits to organizations. Executives surveyed by Deloitte say they expect advanced wireless technologies to become a "force multiplier" for their organizations by enabling them to adopt other emerging technologies.</p><p>Although most of these executives have been satisfied with the wireless technologies their organizations currently use, they acknowledge that those technologies limit their ability to innovate. For example, eight in 10 respondents say advanced wireless is very important to their organization's ability to fully leverage AI, cloud and edge computing, and big data analytics. Innovation is among the top three benefits respondents expect from advanced wireless, behind greater efficiency and improved security.</p><p>The report provides examples of usage scenarios and lists considerations for organizations that are implementing 5G and Wi-Fi 6, including:</p><ul><li><em>Timing.</em> Investing in advanced wireless technologies now could give organizations a jump on competitors, but implementation may cost more when the technologies are new.</li><li><em>Strategy.</em> Organizations need guidelines, a strategy, and a road map for wireless initiatives, including plans for handling the greater volume of data they may generate.</li><li><em>Benefits.</em> Organizations should think beyond incremental improvements to see how advanced wireless can spur innovation, competitive advantage, and better connections with customers and employees.</li></ul><h2>Unleash the Power of Data</h2><p>Aside from implementation challenges, internal auditors should consider issues such as security and privacy in assessing the risks involved with 5G and Wi-Fi 6. Deloitte's respondents listed security as their No. 1 challenge to adopting these technologies. The report advises organizations to consider how they will manage, authenticate, and secure wireless networks.</p><p>Organizations also need to secure the colossal amount of data these technologies can produce. That includes privacy protections, as well. In a 2019 <a href="/blogs/chambers/2019/Pages/The-Challenges-to-Internal-Audit-in-a-Zettabyte-World.aspx">blog post</a>, IIA President and CEO Richard Chambers noted that the volume of data collected presents a "risk/opportunity conundrum" that requires organizations to "rethink how they gather, use, and protect data."</p><p>But 5G and Wi-Fi 6 provide opportunities for the internal audit profession, too. "Ironically, taming the 5G data tsunami will require internal audit to embrace technology unlike ever before," Chambers wrote. To cope, auditors will need to become familiar with new technologies and better connect with IT functions, he said.<br></p>Tim McCollum0
Data Protection in a GDPR World Protection in a GDPR World<p>​Over the past decade, data has become the most important asset for companies. Big-data analytic capabilities and advancements in artificial intelligence have shifted business models and transformed how companies use information. And with data growing exponentially every day, the task of protecting it has become more and more challenging.</p><p>The passage of new regulations such as the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the U.S. imposed new requirements for how companies use and collect personal information. Noncompliance or failure to adequately safeguard personal information can result in significant fines and impact the corporate brand and consumer trust. As a result, internal audit is increasingly being asked to help evaluate data protection risks and controls.</p><p>Although many companies have implemented protection capabilities to comply with the requirements, laws are still being interpreted — and what constitutes adequate security under CCPA and GDPR is still being analyzed. Organizations must maintain their focus and monitoring efforts to remain compliant. Internal audit teams can help companies identify risks, improve controls, and work as a strategic partner in evolving data protection capabilities.</p><h2>Define Data Protection</h2><p>Data protection refers to the practice of safeguarding information from compromise, loss, and disruption. In the context of GDPR and other privacy regulations, the concept focuses on protection of personal data. And it isn't limited to just preventing that data from being hacked or stolen. The scope of data protection ranges from classification and categorization to retention of all data in an organization.</p><p>Companies need to understand the sensitivity and type of data they collect, process, and store. Moreover, they need to ensure data is available and appropriately retained based on business need. Given the broad scope of what data protection can entail, internal auditors should ensure their organization has established a governance model with defined roles and responsibilities for each team as well as procedures that detail the steps necessary to protect data. At the same time, these procedures should align with compliance and security objectives.</p><p>To help achieve this alignment, internal auditors should define a baseline framework that allows roles, activities, and controls to be mapped to specific requirements or domains. Auditors can leverage industry frameworks, such as the U.S. National Institute of Standards and Technology (NIST) Privacy Framework or International Organization for Standardization's ISO 27701 framework, to support the development of privacy controls. Defining a framework and tailoring it to the company will help ensure that only the necessary requirements are considered and tested. The framework also will enable internal auditors to identify the accountable party for each requirement or domain.<br></p><h2>Determine Audit Scope </h2><p>In defining the scope for a data protection audit, it's important to take a risk-based approach. Internal auditors should conduct a risk assessment to determine the inherent risk for each business process and system and prioritize audits of higher risk areas. The results can help determine the audit frequency for each business process and its systems.</p><p>From a data protection standpoint, the risk assessment should consider exposure factors and threats to these processes and IT systems. Internal auditors can assess several factors:</p><ul><li>The type of information being processed.</li><li>The sensitivity of the data.</li><li>Whether the process or system is external facing.</li><li>The volume of data being</li><li> processed.<br></li><li>The number of users who have access to the data.</li><li>Whether an internal or external party hosts or manages the supporting IT systems.</li></ul><p><br>From a threat perspective, internal auditors can refer to industry frameworks such as Microsoft's STRIDE — primarily focused on security threats — and the LINDDUN privacy threat modeling framework developed by the DistriNet and COSIC research group at Katholieke Universiteit Leuven in Belgium. Alternatively, auditors can build their own threat and vulnerability register. They can then map the threats to each business process and system to support the inherent risk calculation. Prioritizing the business processes and systems will help internal auditors maximize their effort and investment while providing company leadership with clear visibility into critical business operations and data protection risk areas.<br></p><h2>Understand the Data Life Cycle</h2><p>To identify data protection gaps and test control effectiveness end-to-end, internal auditors should tailor their approach to the data life cycle. Auditors should develop a standard approach based on each life-cycle stage — such as data collection, transfer, use, storage, and destruction/retention — and then customize the approach for each business process and its systems. This effort will help streamline the planning and design phase, allowing auditors to focus on the execution and control testing phase of the audit.</p><p>Understanding the life cycle provides internal auditors with insight on why data is being collected, where it's being transferred, how it's used, where it's stored, and when it's destroyed. Without this context, controls are implemented and tested in silos, making the efforts ineffective or redundant. Auditors should use this information to evaluate the risk of each business process and its systems in relation to the corresponding data protection controls. </p><p>Through the life-cycle approach, internal auditors also can evaluate the data subject right-request process. Under GDPR and other new privacy regulations, individuals — referred to as <em>data subjects</em> in GDPR — have the right to request access to their information or have it deleted. Many companies struggle to fulfill these requests due to a lack of understanding about where personal data is stored or if it can be deleted. Through a data life-cycle lens, internal auditors can provide assurance on whether IT systems are appropriately scoped to support data access or deletion requests. </p><p>Although there are tools available that can help companies discover and scan IT systems to consolidate and analyze data, gaps in knowledge of each system may still exist. Understanding the full data life cycle can help uncover data that may be stored in the cloud or with other third-party providers. Internal auditors should identify these gaps and work with the privacy and compliance teams to develop a plan for incorporating those data repositories into the company's data subject right-request processes. <br></p><h2>Data Protection by Design</h2><p>As a best practice, data protection needs to be incorporated into the design process at the onset — a concept known as <em>data protection by design</em>. While data protection traditionally was most often delegated to information security and involved managing point technology solutions — products that solve or address one specific need — such as data loss prevention tools, this narrow scope limited companies' ability to put in place effective controls. The concept of data protection has evolved as a result of GDPR and other privacy regulations, expanding the scope of protection measures.</p><p>Data protection by design focuses on identifying issues and risks throughout the entire data life cycle and implementing controls as the business processes are being developed, rather than at the end. By evaluating the entire life cycle, internal auditors can identify gaps in data protection controls and help pinpoint the life-cycle stage where these controls should be implemented. </p><p>Data protection by design does not mean that companies need to develop new processes and questionnaires that ultimately inundate the business with additional work. Instead, data protection requirements and controls should be woven into the process itself. They should be integrated into existing processes when a company evaluates a vendor, when a new solution is being designed, or when a business process changes. Internal auditors can use their broad knowledge of the organization to help companies design a process that promotes a culture of compliance while limiting business disruption.</p><p>Training and oversight efforts represent a good starting point to begin incorporating data protection by design concepts into the organization. Internal auditors can work with human resources (HR) and privacy teams to develop meaningful training programs and awareness campaigns. The training content should be relevant to each group of employees and focus on how they can apply data protection into their daily activities. Audit results can be leveraged to pinpoint areas that pose a higher risk to tailor the training content. By providing training content that is applicable to employee roles and daily responsibilities, companies can shift the way employees think. Privacy, data protection, and other compliance requirements become a part of their job instead of an extra component. </p><p>Consider, for example, an IT developer whose role is to build a customer web application. Through training that is targeted to her role and responsibilities, the developer can be made aware of privacy and data protection requirements for collecting and storing personal data. When the developer subsequently creates a mechanism for data collection, she will know that a method to collect consent should be in place, along with notice to inform data subjects of how the data will be processed and the need to adequately protect data being stored. Understanding these requirements at the beginning can provide privacy and compliance teams with ample time to evaluate and provide accurate requirements and content to business and IT teams, such as: Should the system be designed to provide opt-in or just opt-out consent? What encryption controls need to be in place? How long should data be retained? </p><p>In terms of oversight, having the right privacy and other subject matter resources — e.g., security, legal, and HR — accounted for early on in the process can help identify requirements and controls that may be missing from the design. The internal audit team can work with the various departments to form a review body tasked with evaluating new initiatives and IT systems. Inserting this body into the software development life cycle and tying funding or resources to the approval process can help ensure all new initiatives and IT systems are being reviewed. Additionally, having internal audit participate in these review sessions can be beneficial when performing control testing.<br></p><h2>Data Protection During the Pandemic</h2><p>As part of efforts to combat COVID-19 and protect human lives, many governments and companies have implemented emergency procedures. This has created some confusion and concern around privacy and data protection requirements, given the use of personal data such as health information and geolocation. In response, the European Data Protection Board released its Statement on the Processing of Personal Data in the Context of the COVID-19 Outbreak to provide guidance to governments and companies regarding the processing of personal data. The statement can be helpful to internal auditors as they navigate their organization's compliance with GDPR.</p><p>In a period where decisions and response time are critical, internal auditors can also provide the necessary support and guidance to company leadership so that privacy and data protection requirements do not act as a hindrance to implementing emergency procedures. For example, auditors can develop control decision trees — charts or data flow diagrams that consist of logic decisions and possible outcomes (controls or activities) — to help inform business and IT teams of requirements and considerations when collecting, processing, or storing personal data. Decision trees can provide a systematic way of identifying options that are least intrusive to individuals. </p><p>GDPR and other privacy regulations should not impede the organization's ability to carry out and implement emergency functions. Instead, companies and internal auditors should use the privacy requirements as guidelines for ensuring adequate controls are considered and implemented to protect the privacy rights of individuals during these unprecedented times. <br></p><h2>Preparing for the Future</h2><p>Privacy and data protection regulations will continue to mature globally. GDPR has created a strong foundation in Europe, while the U.S. landscape is still developing with other states and the federal government following California's lead. Other regions in the world have started to introduce or pass their own privacy regulations, such as the Brazilian General Data Protection Law and India's Personal Data Protection Bill. Internal auditors can help companies rationalize the different requirements to streamline assessments and control testing, which will improve efficiencies for many businesses.</p><p>Furthermore, as more data and IT systems move into the cloud and company technology boundaries continue to expand, it is harder to define responsibility and accountability for data protection. Taking a purely reactive approach toward new regulations and requirements puts companies at risk for noncompliance. The internal audit function can work with company leadership to help the entire organization embrace the concept of data protection by design, which can ensure appropriate controls are evaluated up front, protecting the organization, its employees, its customers, and their data. <br></p>Victor Chavalit1
The Virtual Audit Virtual Audit<p>As people around the world continue working from home during the COVID-19 pandemic, internal auditors are adjusting to the challenges of virtual engagements. And while remote auditing is certainly not a new concept, the current vast number of practitioners — and their clients — all working this way at the same time has forced audit functions to consider how to work best when the parties involved are not physically present. </p><p>Successful remote auditing requires acknowledging and addressing the ways in which remote engagements differ from traditional on-site approaches. In other words, it is impossible for auditors to change only their physical location while trying to keep everything else the same and expect to successfully manage without in-person access. Instead, auditors must embrace and accept the unique benefits and challenges of working virtually. Whether auditing from home or an office, managing remote engagements requires specific logistical considerations and balancing the needs of multiple stakeholders. </p><h2>Assess Suitability of the Engagement</h2><p>Under ordinary circumstances, one of the keys to a successful remote audit is determining in advance whether a given engagement is an appropriate candidate for remote auditing. Not all audits are equally well-suited to a remote approach. For example, a financial statement audit is a better candidate than a review of a facility's physical security controls — the former consists primarily of documentation review and data analysis, whereas the latter requires not only testing of controls on site but the presence of the auditor to get a sense of the larger security environment. Regardless, auditors should evaluate the suitability of the engagement with an open mind, on a case-by-case basis. Some important considerations for weighing remote versus on-site auditing include:</p><ul><li>Cost savings.</li><li>Audit resources (location, remote audit experience, number of auditors required, availability, etc.).</li><li>Types of procedures to be performed.</li><li>Types of evidence that can be obtained remotely based on technology capabilities.</li><li>Security of communications and data transfers.</li><li><p>Timing.</p></li></ul><p>In the extraordinary circumstances surrounding the COVID-19 pandemic, auditors are faced with what to do when in-person or on-site procedures are not an option. When considering individual procedures, auditors have four basic choices:</p><ol><li>Execute the procedure as designed from a remote location (e.g., document review).</li><li>Substitute a modified, remote version of the procedure (e.g., virtual interviews).</li><li>Postpone the procedure (with impact to audit timeline/delivery).</li><li>Remove the procedure (with impact to audit scope/objectives).</li></ol><p>Before delving into the procedures, internal audit should first review the engagement objectives. In alignment with The IIA's Implementation Guide 2210: Engagement Objectives, internal auditors should "attain a complete understanding of why the engagement is being conducted and what the organization aims to achieve." Looking at the individual procedures through the lens of the audit's purpose and objectives helps to ensure that choosing between the four options listed above is done effectively and responsibly. Plus, in a crisis situation, such as a global pandemic, it is quite possible that management's perception of key risks around a particular business area have changed, so the objectives themselves should be reviewed to ensure they are appropriate based on current risk and the needs of the business. </p><p>Along with assessing the engagement' suitability for a virtual approach, the auditors themselves should be considered as well. During the COVID-19 pandemic, many auditors have had no choice but to remain off-site and do the best they can under the circumstances. But normally, auditor skills and preferences may also be a contributing factor when considering a remote approach. Remote procedures benefit auditors in terms of schedule flexibility, reducing travel, and allowing them to work where they are comfortable and have access to familiar surroundings and technology. But there may be some cases where the auditor feels more comfortable performing the audit on site, and practitioner comfort can potentially impact the quality of the procedures performed. Also, the adoption of remote procedures may impact internal audit resource decisions as it relates to specialization versus generalization, as virtual audits may enable the audit function to leverage a particular auditor's skills across a larger number of different engagements.</p><h2>Adjust the Engagement Plan</h2><p>When auditors choose a remote approach for an engagement that has historically included an on-site or in-person component, they must review the engagement's audit plan and revise accordingly. In particular, practitioners should pay close attention to the audit timeline and schedule, as certain activities may take more time or less time than with an on-site engagement. For example, it may take longer for a person to reply to a question via email than to respond face-to-face. Internal audit management also must think about how the engagement fits into the larger audit plan. Will the auditors be working on more than one audit simultaneously? If so, which ones make the most sense to fit together? Does the team composition still make sense for a virtual audit, or is there a gap or overlap?</p><p>The order of procedures and deliverables also should be considered. If the remote approach is new, particularly if it is replacing an on-site audit, stakeholders may want to see incremental results earlier or more frequently. Or, clients may have heightened interest from a risk perspective around key performance indicators as compared to process documentation or other controls reviews, potentially affecting the order in which auditors choose to perform procedures. In a crisis situation such as a pandemic, auditors should also be aware that usual business processes may have changed for the business area, so the audit plan should reflect those changes as well. </p><h2>Communication and Stakeholder Acceptance</h2><p>Aside from the audit process itself, stakeholder acceptance is also an important aspect of managing remote/virtual audits. The subject of the audit, other internal stakeholders, and third parties may have various reasons for being more or less open to the idea of remote audit. For example, for the subject of the audit, virtual work may alleviate some of the burden of accommodating on-site auditors but increase the burden of managing e-communications. For senior management, remote auditing may increase efficiency but still raise concern about sacrificing the direct visibility that comes from having auditors on site. Moreover, some third parties — such as regulators — may not accept remote audits under normal circumstances.</p><p>As with any change management effort, proactive communication is critical to increasing comfort level and earning support. With the COVID-19 pandemic, auditors are having to think outside the box to obtain audit evidence. It may be helpful to explain new procedures and map them to old ones (if applicable). Auditors may go further to provide a proof of concept demonstrating how virtual procedures can accomplish the audit objectives. Communicating proactively with key stakeholders in this way will help to ensure that everyone's expectations are aligned.</p><p>In terms of interpersonal communication, limiting or eliminating face-to-face contact changes the dynamics of an engagement. When the nonverbal cues present during in-person conversation are removed from the equation, so too is valuable information about the progress and overall success of the audit and potential areas of concern. Auditors should be mindful of this when considering the engagement's communication plan. For example, when working remotely, auditors may want to provide more explicit instructions about what they want from the audit subject than when they are working side-by-side with them. This helps to reduce unnecessary follow-up questions and rework. Meanwhile, auditors may need to provide more lead time in communicating when certain resources from the business area will be needed and should be made available. From a logistical standpoint, auditors should work with those in the business area to determine what modes of communication (i.e., video, voice, email, etc.) make the most sense for the various aspects of the audit in terms of comfort, efficiency, and security.   </p><h2>Adapting to a Virtual World</h2><p>During this time when so many auditors are being asked to work from home, there are many steps they can take to enhance the success of remote engagements. Communicating regularly with colleagues and clients, and being open to flexibility in working approaches, can help address the challenges of what has been, for many, an unexpected change of circumstance.<br></p>Wade Cassels1
The Analytics Journey: Analytics Development Analytics Journey: Analytics Development<p>​Here is the biggest secret in internal audit analytics: The success of new analytics has less to do with what happens in the computer, and more to do with good project definition and management. The internal audit function's analytics expert cannot know everything about all of the organization's data and everything about all of the organization's business processes. However, that individual can know how to convince the people who understand a specific process and the people who understand the data produced by that process to work with internal audit for the greater good of developing the new analytic test or process.</p><p>If developing an analytic is a project, it helps for internal auditors to keep the development in sequential stages: scoping, planning, piloting, deployment, and establishment. There will be some fluidity between stages, but in general, each has its own objectives (see "The Analytics Development Process," below).</p><p><img src="/2020/PublishingImages/Analytics-development-process.jpg" class="ms-rtePosition-4" alt="" style="margin:5px;width:635px;height:321px;" /><br></p><h2>Step 1: Scoping </h2><p><strong>Target: Go or no-go.</strong></p><p>So internal audit has an idea for a new analytic test or process. Now what?<strong>        </strong></p><p>The objective of this stage is to understand where this idea came from (background), define its general scope and objective, and decide whether to go forward with the new project based on how it will fit with internal audit's overall analytics program (see <a href="/2020/Pages/The-Analytics-Journey-Finding-the-Right-Direction.aspx">"The Analytics Journey: Finding the Right Direction")</a>. </p><h2>Step 2: Planning </h2><p><strong>Target: Team and tests.</strong> </p><p>At this stage, the analytics expert leading the project will build a team for the project and agree on what<strong><em> </em></strong>aspects, features, or objectives to pursue and how to do it. The team should comprise:</p><ul><li>The process owner, who understands what to test for and why it is important. </li><li>Someone from the process team, who knows how the test elements are captured in the process, their normal ranges, and the meaning of their deviations. </li><li>The IT person who supports that system and knows — or can find out — what tables and fields capture the information identified by the process team. </li></ul><p><br></p><p>Because each of these team members sees the process from a different angle, each will have different, and valuable, ideas about what to look for and how to test for them. Also, they all may appreciate the exposure of working in an interdepartmental effort to address the process owner's concern. The project leader should introduce the members to each other and engage them in brainstorming.</p><p>At the end of planning, the team should have a collection of simple tests, which may not mean much on their own but could indicate what the internal auditor is looking for when considered together. For each of the tests, the project leader will have a good idea of what the auditor will test for, how to perform the test, and where the data will come from. It is helpful to use a template to log that information for each of the simple test elements, as shown below. </p><p><img src="/2020/PublishingImages/Test-Plan-Template.jpg" alt="" style="margin:5px;width:785px;height:441px;" /><br></p><p>Using the logs, different team members can understand the test objective and process whenever the test is performed. Also, auditors can use these logs of the test logic to recreate the test in new systems as the program continues to evolve.</p><h2>Step 3: Piloting</h2><p><strong>Target: Sample data, draft data model, and draft visualization/reporting. </strong></p><p>The extra planning time pays off during the pilot stage. Because the auditor knows what to look for (test) and where it is (data), he or she can quickly move to the math (data model), reporting, and follow-up to validate that the test is providing the expected value. The team members will give the auditor the data and help figure out whether the test is working.</p><p>A common question at this stage is whether or not the internal auditor needs direct access to the data during the pilot. The truth is that having direct access may save time later, but it is a "nice to have" at the pilot stage. After all, the auditor doesn't know if the test will work, so as much as possible he or she should work with existing data in the form that can be provided easily to yield results and refine the approach. </p><p>That said, data must be trustworthy and useful for the test, <a href="" target="_blank">notes</a> web analytics expert Brent Dykes. It helps for auditors to keep a log of the related data sets, along with comments on their usefulness and trustworthiness, as shown below. </p><p><img src="/2020/PublishingImages/Data-Quality-Comments-resize.jpg" class="ms-rtePosition-4" alt="" style="margin:5px;" />The log can help the auditor decide what data needs to be refined, how it should be improved, and why this is important. Being able to articulate this information is invaluable when negotiating direct access with data owners in the future. </p><h2>Step 4: Deployment</h2><p><strong>Target: Established data access, integrated data modeling, and visualizations/reporting.</strong></p><p>Once the pilot has proved its value, the auditor should formalize the testing process and make it repeatable for periodic reporting. Ideally, this process should be automatic, such as using robotic process automation.</p><h2>Step 5: Establishment </h2><p><strong>Target: Documentation, distribution, and schedule.</strong></p><p>As the development work is completed, the real work of acting on the new information starts. To declare this project closed and move on to the next one, the auditor needs to: </p><ol><li>Document the testing, including why the auditor is performing the tests, where the data comes from, and what will be done to the data.</li><li>Determine who will receive the results and establish a follow-up process and expectations. </li><li>Set the re-run schedule for these new tests. Does the user need this information daily? Monthly? Must the user be contacted immediately when this happens?</li></ol><h2>Knowing When Development Is Working</h2><p>A consistent approach to analytics can show internal audit's stakeholders that they are not wasting their time giving auditors their support. It sets realistic expectations for what will be needed from stakeholders at each stage of the development process and helps keep projects on track. Along with standard templates, it improves the chances that projects are transferable and repeatable.</p><p>The development process, or "the way we do things here," is key to consistency and scalability. It can provide a shared language between team members and stakeholders, as well as allow auditors to pursue and track projects running in parallel. It also will enable other auditors to take over part, or all, of a project if help is needed. Although the process is simple, its importance should not be underestimated. </p>Francisco Aristiguieta0
Benford's Law in a Big Data World's Law in a Big Data World<p>​The power of Benford's Law has never been as critical given the rise of big data and computing power. The digital analysis tool has been used in numerous high-profile forensic investigations, including investigations of voter fraud in the 2009 Iranian election and Greece's efforts to hide its debt in 2015.<br></p><p>A Benford's Law review of 5,400 contracts at a Canadian nonprofit organization found the numeral "4" as the first digit 16% of the time, compared to the expected 9.7%. That finding enabled the internal auditor to uncover questionable contracts in amounts between $40,000 and $49,999 that totaled $15 million. Those contracts were approved by an employee who directed them to vendors who were his associates. </p><p>In addition to detecting fraud, internal auditors can use Benford's Law to identify inefficient processes and computer bugs. It does this by determining the expected frequency for any digit in a set of discrete numbers such as journal entries, disbursements, and revenues. This means that a digit in a number in a given data set is mathematically predictable. Because the expected frequency for each digit is known, every item in excess of that frequency is deemed unusual. </p><p>With large amounts of data to analyze, Benford's Law can detect anomalies better than traditional audit techniques. For example, research shows that companies whose financial statements are significantly out of compliance with Benford's Law are likely to get caught for accounting irregularities. A before-and-after comparison of restated earnings showed that the new, real numbers aligned with Benford analysis. </p><p>Internal auditors can leverage audit software with Benford's Law functionality. Additionally, some audit departments can work with the organization's IT function to adopt a step-by-step Benford analysis using established formulas to analyze company data for unusual patterns. </p><h2>Revealing Fraud</h2><table cellspacing="0" class="ms-rteTable-default" style="width:100%;"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Benford's Basics</strong><br> <p><br>Benford's Law made its debut in the audit profession in the 1990s through the efforts of Mark Nigrini, an expert on the theory. First discovered in 1881 by mathematician Simon Newcomb, the theory lay dormant for almost half a century until the 1930s when it was again discovered by physicist Frank Benford. </p><p>Benford determined that leading digits are distributed in a specific, nonuniform way. This discovery led to the mathematical theory that in large sets of data, the initial digits of amounts will tend to follow a predictable pattern. The initial digit "1" is most common as the first digit in data sets, appearing 30% of the time, followed by "2" (17.6%), "3" (12.5%), "4" (9.6%), "5" (7.9%), "6" (6.6%), "7" (5.8%), and "8" (5.1%). The initial digit "9" appears the least often (less than 5%). </p><p>Benford's Law works because the distance from "1" to "2" is far greater than the distance from "9" to "10." For example, if a data set begins with the digit "1," it has to increase by 100% before it begins with the digit "2." To get from "2" to "3" requires a 50% increase; from "3" to "4," 33%; "4" to "5," 25%; "5" to "6," 20%; "6" to "7," 16%; "7" to "8," 14%; "8" to "9," 12%; and "9" to "10," 11%.<br></p> </td></tr></tbody></table><p>Because few fraudsters know about Benford's Law, the numbers they cook up stand out. As a result, the position of each digit in their transactions will not follow Benford's analysis, revealing their crime (see "Benford's Basics" at right). </p><p>For example, during a purchasing audit at a retail company, internal auditors discovered there were 550 purchase orders issued with the first two digits "96," compared with the expected count of 289 purchase orders. Benford's Law analysis showed 145 purchase orders of between $9,600 and $9,690 were approved by a director whose approval authority was limited to $10,000. Further investigation revealed that over a two-year period, the director made $3.5 million in purchases for personal items such as electronics, jewelry, and appliances.</p><h2>Five Types of Analysis<br></h2><p>Basic tests in Benford's Law cover first-digit analysis, second-digit analysis, first two-digit analysis, first three-digit analysis, and last two-digit analysis.</p><ul><li> <strong>First-digit Analysis</strong> Auditors can chart the expected and actual occurrence for each digit from "1" to "9." They can drill down further on unusual differences for analysis and action.</li><li> <strong>Second-digit Analysis</strong><strong> </strong>Like the first-digit analysis, the second-digit analysis is a test of reasonableness. At a health-care company, an analysis of the second digits in more than 21,000 payroll records revealed that the numeral "0" turned up as the second digit twice as often as it should have. The numeral "5" showed up 60% more often than expected. Based on those findings, the records were deemed fraudulent. </li><li> <strong>First Two-digit Analysis (F2D)</strong><strong> </strong>There are 90 possible combinations (10 through 99) for the first two digits in a number. For example, the first two digits of 110,364 are "11." In an F2D test, Benford's Law would note there is a 3.8% likelihood that "11" would be the first two digits. This is a much more focused test as the purchase order example showed.</li><li> <strong>First Three-digit Analysis (F3D)</strong><strong> </strong>In F3D tests, there are 900 possible combinations (100 through 999), allowing for an in-depth analysis of large data sets. It provides greater precision for picking up abnormal duplications in sets with 10,000 or more transactions.</li><li> <strong>L</strong><strong>ast Two-digit Analysis </strong>There are 100 possible combinations (00 through 99) in the last two digits of a number. The expected proportion for each of these combinations is 1%. Any excess is rounded off or are invented numbers. </li></ul><h2>When to Use It<br></h2><p>Benford's analysis is best used on data sets with 1,000 or more records that include numbers with at least four digits. As the data set increases in size, closer conformity to the expected frequencies increases. </p><p>However, not all financial data lend themselves to such tests. Benford's analysis cannot be used in scenarios such as: </p><ul><li>A data set made up of assigned numbers such as Social Security, contract, invoice, phone, customer, and check numbers. </li><li>Psychological thresholds such as $199.99. </li><li>Minimum and maximum numbers such as a petty-cash fund disbursing between a $10 minimum and a $40 maximum. </li><li>Where no transaction is recorded such as thefts, kickbacks, and contract rigging. </li><li><p>Limiting a sample of transactions to only between a narrow range, such as between $100 and $999.<br></p></li></ul><h2>Extract Needles From Digital Haystacks</h2><p>Benford's Law can be a powerful way to combat the costly scourge of fraud. It is like placing a magnet over a haystack and extracting the needles, enabling internal auditors to analyze an entire population of data. All it takes is an interest and a willingness to learn new approaches.  <br></p>Lal Balkaran1

  • Auditboard-August-2020-Premium-1
  • GRC-2020-August-2020-Premium-2
  • Online-Testing-August-2020-Premium-3