The IT Governance Gap IT Governance Gap<p>​Executives see benefits from IT governance, but many aren't doing enough about it, according to ISACA's <a href="" target="_blank">Better Tech Governance Is Better for Business</a> report. Ninety-two percent of executives surveyed report IT governance has led to better outcomes, and 89 percent say it makes the business more agile. Yet, 69 percent say organizations need a stronger alignment of IT and business goals. ISACA surveyed 732 members, in 87 countries, who are board members, senior executives, managers, and professionals.</p><p>"The boardroom must become hyper-vigilant in ensuring a tight linkage between business goals and IT goals, fully leveraging business technology to improve business outcomes while diligently safeguarding the organization's digital assets," ISACA CEO Matt Loeb says.</p><p>The top IT governance challenges respondents foresee in the next 12 months are cybersecurity policies and defenses (44 percent), risk management priorities (36 percent), and alignment between IT objectives and overall business objectives (35 percent). It's not surprising that cybersecurity ranked so highly, the report notes. "Boardroom worries over increased internal and external threats are so great (61 percent) that almost half (48 percent) of leadership teams have prioritized investments in cyber defense improvements over other programs, including digital transformation and cloud," it states.</p><p>Despite their concern, only 55 percent of respondents say the board and senior executives are doing all they can to protect digital assets and data records. Just 29 percent report their organization continuously assesses IT risk.</p><p>The good news is leadership teams are increasing spending on cybersecurity through security consultants (27 percent), network perimeter defense upgrades (25 percent), and cyber insurance (17 percent). However, most organizations aren't planning to spend more on cybersecurity and privacy-related training for employees and board members in the next 12 months.</p><p>Although respondents say boards and executives are taking greater interest in IT governance, the content of their meetings doesn't reflect that interest. Twenty-one percent of respondents say their board and senior management discuss IT risk topics such as cybersecurity and disaster recovery at every meeting, while 39 percent say they discuss them at some meetings. About one-third only discuss IT risk topics as needed.</p><p>Going forward, respondents say senior leaders must demonstrate that their organization has effective IT governance by:</p><ul><li>Ensuring alignment between IT and stakeholder needs (58 percent).</li><li>Monitoring and measuring results toward goals (39 percent).</li><li>Providing strong chairman, CEO, or executive guidance (33 percent).</li><li>Having strong engagement by business units and employees (30 percent).</li></ul><p><br></p><p>"There is much work to do in information and technology governance," Loeb acknowledges. "Committing to a boardroom with technology savvy and experience strongly represented provides the needed foundation for organizations to effectively and securely innovate through technology." </p><p><br></p>Tim McCollum0
Tech Vs. Fraud Vs. Fraud<p>​Organizations are adding more technology capabilities to their fraud investigation teams, according to the <a href="" target="_blank">Association of Certified Fraud Examiners'</a> (ACFE's) In-house Fraud Investigation Teams: 2017 Benchmarking Report. Building forensics and cybersecurity expertise is a big focus among the nearly 1,500 anti-fraud professionals who responded to the global survey. Forty-three percent say their organization is seeking or expected to add expertise in digital forensics to its fraud investigation team. Conversely, 39 percent say their team currently has such skills.</p><p>Additionally, 36 percent of respondents say their fraud team has cybersecurity skills. A similar percentage (37 percent) is looking to add those skills. Most fraud investigation teams aren't investigating cyber fraud and hacking, possibly reflecting a lack of expertise. Only 16 percent investigate such incidents frequently, while 27 percent investigate them occasionally. </p><p>Frauds that teams investigate frequently are:</p><ul><li>Employee embezzlement (40 percent).</li><li>Frauds committed by customers (40 percent).</li><li>Frauds committed by vendors or contractors (32 percent).</li><li>Human resources issues (30 percent).</li></ul><p> <br> </p><p>Some fraud investigators have a lot on their plates, the survey notes. Although most (51 percent) work on fewer than five cases at a time, 30 percent work on 10 or more cases concurrently. </p><p>And fraud investigations are only part of their jobs. The average team spends 56 percent of its time on investigations. The rest of the time, investigators are working in areas such as internal audit, compliance, and information security.</p><p>The high case load and demands on investigators' time would seem to call for some automated assistance, but most respondents say their organization isn't using such technologies. Just 38 percent use case management software. Forty-seven percent use data analytics software, including spreadsheet software, in their work. That's not because they don't know how to use it — most respondents (62 percent) say they have analytics and data mining skills on their team.</p><p>And what about the results of these investigations? Most respondents say their team substantiates the majority of cases, with 34 percent reporting that they substantiate more than three-fourths of alleged frauds. Forty-six percent of respondents say most fraud investigations result in disciplinary action, but just 17 percent say their team refers most investigations for prosecution. Indeed, 70 percent of respondents report that they refer one-fourth of cases or fewer for prosecution.</p><p>Organizations are even less likely to recover fraud losses, the report finds. Just 24 percent say they recover more than half of fraud losses, while 59 percent recover one-fourth or fewer. </p><p> <br> </p>Tim McCollum0
Stop Clicking, Start Coding,-Start-Coding.aspxStop Clicking, Start Coding<p>​As data grows in volume and complexity, the effective use of it is critical for making better, faster, and more informed decisions. Organizations increasingly are seeking internal auditors who can analyze data and generate insights that bring new value to the business. <br></p><p>While internal auditors typically perform data analysis using specialized audit software packages or a general spreadsheet application, there is a growing need for auditors to develop technical skills beyond those tools. For example, Fortune 500 firms such as Google and Verizon have made proficiency in structured query language (SQL) part of their job requirements for hiring internal auditors. <br></p><p>SQL is a special-purpose programming language designed for managing data held in database management systems that support widely used enterprise resource planning systems. Designing SQL procedures for transforming data into useful information requires a good understanding of data structure and the logic of how a system works. Such understanding is particularly important for internal auditors when they work with large volumes of data in today’s complex business environment. From the learning perspective, logical thinking and reasoning inherent in the SQL coding process helps internal auditors develop the critical thinking and problem-solving skills desired by the profession. <br></p><p>Moreover, SQL-based analysis has gained increasing importance with the advent of big data. SQL tools enable fast access to relational databases that store vast amounts of data, offer flexibility in developing ad hoc queries on an as-needed basis, and can be tailored to the specific needs of auditing. Furthermore, because SQL is an international standard, internal auditors are not constrained to using a specific software tool.<br></p><h2>Asking Questions of Data</h2><p>Internal auditors can write and refine SQL codes in a relational database to arrive at incrementally better solutions until the desired outcome is achieved. Consider the example of an Employees table that contains data such as employee ID, first name, last name, birth date, and hire date. Auditors can ask many interesting questions about this data, such as whether the company has complied with all employment regulations. In the context of The Committee of Sponsoring Organizations of the Treadway Commission’s <em>Enterprise Risk Management–Integrated Framework</em>, this inquiry addresses the company’s conformance with its compliance objectives.<br>To check compliance with child labor laws, internal auditors can query the data to determine whether any employees were underage at the time of their hiring. For example, the minimum age for employment in the U.S. is 14; and there are specific requirements for the age group between 14 and 18. Auditors can begin answering this question using this code:<br><br><em>SELECT EmployeeID, FirstName, LastName, </em><br><em>(HireDate-BirthDate)/365</em><br><em>FROM Employees;</em><br><br>The SELECT statement in the code retrieves all of the values in the EmployeeID, FirstName, and LastName columns, and calculates the age of the employee at the time of hiring as the difference between the HireDate and BirthDate divided by 365 days. The FROM clause specifies the tables from which the data are selected. <br>The query returns a total of 11 employees. Of these employees, the results identify four questionable employees: two are under 18 and the other two have no age information. At first glance, the design of the query seems to answer the question, but this solution only works well for small organizations. Imagine a large company that has thousands of employees. In such a situation, auditors would have to sift through a long list of employees to identify those with age problems. An additional issue is that the system-generated title of the column for the age data, “Expr1003,” is not descriptive, and the data, itself, has 10 decimal places. To address these drawbacks, internal auditors can improve the SQL statement: <br><br><em>SELECT</em><br><em>EmployeeID, FirstName, LastName</em><br><em>ROUND((HireDate-BirthDate)/365, 1) </em><br><em>AS AgeAtHire</em><br><em>FROM Employees</em><br><em>WHERE (HireDate-BirthDate)/365 < 18;</em><br><br>This revision aims to filter out unnecessary data and improve the readability of the report. Adding the WHERE clause restricts the result to employees under age 18. The ROUND function rounds the age number off to one decimal place. The heading of the column containing the age data is also renamed to AgeAtHire. The query result now contains only two suspicious employees who were under 18 at the time of their hiring. <br>However, there is something missing from the report. The first query uncovered two additional suspicious employees without any age information. Further examination of the Employees table reveals that birth and hiring dates are not available for these two employees. While only a conjecture, these two individuals may have been “ghost employees” as the result of payroll frauds. Internal auditors should include these two suspicious employees in the report, as well.<br>To find this information, internal auditors can amend the SQL query:<br><br><em>SELECT</em><br><em>EmployeeID, FirstName, LastName</em><br><em>ROUND((HireDate-BirthDate)/365, 1) </em><br><em>AS AgeAtHire</em><br><em>FROM Employees</em><br><em>WHERE (HireDate-BirthDate)/365 < 18</em><br><em>OR (HireDate-BirthDate) IS NULL;</em><br><br>In this solution, auditors add another condition “(HireDate-BirthDate ) IS NULL” in the WHERE clause with the OR operator. The OR operator performs a logical comparison and specifies that an employee should be included in the report if either of the two conditions is met: age at the time of hiring is less than 18, or age data for this employee is NULL (i.e., left blank). Now the report shows all four suspicious employees. <br></p><p>This is not the end of the data analysis, however. Based on this result, internal auditors would need to investigate further to determine why the age information is missing for two employees and how the two underage employees were hired in the first place. <br></p><h2>Powerful Analytical Tools</h2><p>The underage employee example demonstrates how SQL can be a useful database tool for solving audit-related problems. However, it has only scratched the surface of the capabilities of SQL-based data analysis. Indeed, SQL and other audit software can form a powerful set of analytical tools for internal auditors, particularly in the context of ever-growing volumes of data available for business use. <br></p>Ken Guo1
Building a Data Analytics Program a Data Analytics Program<p>​In today’s data-hungry world, an analytics-capable audit function is a necessity. However, relatively few audit teams have developed sophisticated analytics capabilities and an embedded, integrated approach to analytics. So how can internal audit functions initiate and advance their analytics capabilities? Internal audit functions that have successfully implemented sustainable analytics activities have not only been able to clearly visualize and articulate the value analytics can deliver to their functions and the broader business, but also have started to realize that value in enhanced efficiency, effectiveness, and risk awareness. <br></p><p>Along the way, many functions have experienced missteps and setbacks. The lessons they have learned should benefit internal audit departments embarking on their own analytics journeys or those attempting to overcome false starts of the past. Some of these hard-earned insights are what one might expect. Difficult access to enterprise data stores marks a widespread pitfall, as does insufficient planning. Other data analytics lessons will surprise the uninitiated. Investing in robust technical skills training and analytics tools implementation often can be a distraction to getting an analytics program off the ground. By knowing what to avoid, internal audit departments can keep a data analytics program on track to reach its full potential.<br></p><h2>Tools for Success </h2><p>When internal audit leaders commit to introducing or furthering a data analytics program, there are six strategies that can positively impact these initiatives.<br></p><h2>1. Create awareness rather than a silo </h2><p>Internal audit leaders should resist the inclination to start by creating a data analytics silo within the larger function. While dedicated analytics functions are present within many internal audit functions with advanced analytics capabilities, this structure should more appropriately be treated as a long-term goal or possible target state than an immediate to-do item when getting started.<br></p><p>While it is necessary to have the appropriate technical competence within the team, creating a silo structure from the start can reduce focus on a more important driver of success: data and analytics awareness. This mindset helps internal auditors understand how data is created, processed, and consumed as it flows throughout the organization, the key systems where it resides, and the key business processes and decisions that it supports. This understanding represents a business-centric view of analytics as opposed to a technology-only view, a critical distinction in developing the right kind of thinking among the internal audit team.<br></p><p>When an internal audit function decides to reassign a technical resource as the team’s analytics champion, problems often ensue. Creating this type of structure too soon can cause the rest of internal audit, as well as the business, to view audit analytics as a purely technical exercise as opposed to an integrated component of internal audit’s culture, strategy, and activities. Insight from analytics are the result of the intersection between business awareness and the application of analytics tools and methodologies. These are two sides of the same coin and both must be present for success.<br></p><p>Internal audit leaders also should reflect on how they source their analytics talent. While there is no one way to do this, leaders should recognize that hiring analytics professionals or repurposing technical resources can pose risks to the development of an analytics mindset throughout the entire internal audit team. It takes time to understand business processes and what valuable information can be gleaned from the systems and data that underpin them. Building a more pervasive analytics mindset across the internal audit department is critical. The most effective audit analytics programs operate in a tightly coordinated — if not seamless — manner with all other parts of the audit team. All members of the team think about the data that exists in the environment, its business relevance, and the stories it can tell. The analytics teams then layer in their view and capabilities.<br></p><p>Dedicated analytics functions and externally hired analytics experts are common hallmarks of top-performing analytics capabilities; however, neither of these elements should be used in place of the initial establishment of the right analytics mindset throughout the internal audit function.<br></p><h2>2. Understand the data before investing in a tool </h2><p>One of the most common start-up lessons involves resisting the desire to acquire the latest and greatest analytical tool. Given the impressive power, look, and feel of analytics tools, it’s difficult to not be sold on a new piece of software with the promise that, within hours, internal audit will be generating a flurry of queries and new intelligence insights.<br></p><p>Rather than a first step, however, implementing an analytics tool should be a more deliberate step in the rollout of an analytics program. A rush to start using these tools, without establishing a plan and set of initial, high-value use cases, often leads to results that lack business impact, which can be detrimental for a start-up analytics activity.<br></p><p>Before using a tool, internal auditors should carefully evaluate a high-value area to target, understand the data source, validate it, and identify how the results will be evaluated and shared. When it comes to analytics tools, it is helpful to adhere to the 80/20 rule: 80 percent of the analytics team’s work should consist of understanding the data, the business process it supports, and the activities and decision-making that it drives, along with the business value the analysis is designed to deliver; 20 percent of the effort should focus on the technical aspects of the analysis, including the audit tool.<br></p><h2>3. Plan sufficiently </h2><p>Too many analytics initiatives suffer from too little planning. Plunging into data analytics does not mean that internal audit functions should give short shrift to key planning considerations.<br></p><p>The most effective and sustainable analytics programs tend to begin with a planning effort that includes:<br></p><ul><li>Understanding the system and data landscape; how data is created, processed, and consumed; and how it drives business activities and decision-making.</li><li>Educating internal auditors on the power, benefits, and applications of audit analytics (the analytics mindset).</li><li>Laying out how analytical talent will be trained or hired and retained.</li><li>Seeking business partners’ input on areas of their domains that might benefit from audit analytics. </li><li>Carefully identifying which initial analytics are likely to yield the most valuable results — and, as a result, support from business partners.</li></ul><p><br></p><p>Neglecting any one of these items can lead to initial results that are low impact or miss the mark entirely.<br>When educating internal audit team members about the use of data analytics, it is helpful to steer the focus away from the technical inner workings of the capability by presenting real examples that demonstrate how analytics enhance the efficiency, effectiveness, or risk awareness of the internal audit function and the broader organization (i.e., how data can be turned into information that provides risk and business insights).<br></p><h2>4. Think big picture </h2><p>The expansive reach of audit analytics has, oddly enough, resulted in narrow thinking about its application. For years, internal audit professionals and experts have marveled at the way analytics and continuous auditing techniques can be deployed to test massive populations of transactions. This capability is rightly trumpeted as a massive improvement over the traditional approach of manually sampling large data sets, often months after the associated activity has occurred, to identify problems. While accurate, this view of analytics is severely limited.<br></p><p>Leading internal audit functions now use analytics throughout the audit life cycle to support dynamic risk assessments; monitor trends, fraud, and risk and performance indicators, or deviations from acceptable performance levels; and model business outcomes. These functions tend to view analytics as a way to interpret data that helps tell a story to the business that may not have been told before. To be successful here, there has to be an acute understanding of the data that is created, processed, and consumed within — and across — the organization and how it is used to drive business activity and decision-making.</p><h2><br>5. Partner with IT </h2><p>Given that data typically exists in a multitude of different systems throughout organizations as well as within third-party (e.g., cloud) environments, internal audit frequently encounters difficulties when attempting to access data for analytics. This problem relates not only to accessibility (the protracted data request process with IT), but also to completeness, accuracy, and validity of the data. Without understanding the specifics of what they are asking for, internal auditors cannot reasonably expect to get what they need — at least, not the first time around. In some cases, lengthy and ineffective data request back-and-forth between internal audit and IT departments results in data integrity issues (at best, perhaps) or the planned analytic being canceled entirely.<br></p><p>To succeed, audit analytics teams need to partner with IT departments to develop a robust process for data acquisition — either through specific and easily understood data requests or through direct connections to data repositories. This all starts by understanding the data environment. While this marks a common goal, it takes time, effort, and coordination to get there. Auditors should consider discussing how to decide which data elements should be created and captured, the business rationale for doing so, and how internal audit and business partners will use the information that analytics produce.<br></p><p>Thanks to recent advancements, current analytical tools more easily integrate with other enterprise systems. Internal audit functions’ growing tendency to use dedicated data warehouses also helps address data access and quality challenges, which can reduce stress on business production systems by giving internal auditors their own sandbox to play with data. However, there are risks with this approach, particularly with regard to security and privacy. Ultimately, establishing a dedicated data warehouse requires a sound business case that, among other things, addresses these risks.<br></p><p>Other, less technical qualities and practices also come in handy. Internal audit functions that have earned a reputation for collaborating with the business consistently encounter fewer data management obstacles when deploying data analytics. Their success stems partly from the fact that collaborative internal auditors are more apt to learn about, and apply, data governance standards and practices from their IT colleagues, which can help ease access to quality data residing in systems scattered throughout the organization.<br></p><h2>6. Take advantage of visualization tools for inspired reporting </h2><p>A picture is worth a thousand words. The same principle applies to the presentation — or visualization — of the analytics results. Tabular formats and simple charts are a thing of the past. Analytics reporting packages should be making use of widely available visualization tools. These tools allow for the dynamic presentation of results (e.g., a country map that shows the top locations where purchase card spending occurs) and real time, drill-down capability that represents a far cry from the static analytics presentations of the past. Visually compelling, high-impact reports can help internal audit’s clients quickly draw insights from the data.<br></p><h2>A Fundamental Shift</h2><p>At present, data is being created and collected at a pace that is far beyond anything seen before. While there is always some risk in undertaking a new program — and a desire to prove the return on investment — the bigger risk is doing nothing. It is simply not an approach that internal audit functions can afford to take if they want to keep up with the business, stay relevant, and deliver value and insight. The most innovative companies are looking at ways to capture and use data to transform their business operations as part of digitalization initiatives. Internal audit must be equally innovative and embracing of the need and value to make the company’s data work for them.<br></p><p>A key method to overcome common time and resource constraints with setting up a discrete analytics group within internal audit is by focusing on an “analytics mindset.” Further, internal audit functions are encouraged to work with business partners to identify areas where analytics can have high impact and high value, provide real business insight, and help address business challenges (rather than focus on a return on investment calculation). The value delivered in these initial analytics projects will set the stage for the program. Internal audit should look for parts of the business that are particularly data dense, or that have high volumes of data processing but still rely heavily on manual procedures. For example, focus on ways to: <br></p><ul><li>Pull business insight from the data-heavy areas (and show management a story they have not seen before). </li><li>Work with management to convert audit analytics into reports that can be used in place of time-intensive procedures (e.g., “real time” monitoring of large, disparate data sets for key fraud indicators). </li><li>Quantify the impact of findings and deliver more insight through audit reports.</li></ul><p><br></p><p>These are some of the ways that internal audit functions are able to quickly demonstrate and communicate value in their investment in, and use of, analytics. Ultimately, however, stakeholders must recognize that there is a fundamental shift in how business is being conducted, and as such auditors must match that with a fundamental shift in how they audit.<br></p><h2>Each Journey is Unique</h2><p>Establishing a robust analytics program may take several years to mature. The process for developing a data analytics capability tends to be unique for each internal audit function. Some standard general assessments exist and can help, but each internal audit leader should chart a path forward that reflects the unique qualities and needs of his or her function and the unique characteristics of the industry, the organization, and the team’s relationships with business partners.</p><p>For additional guidance, download <a href="">GTAG: Understanding and Auditing Big Data</a>. <span><span></span></span><br> </p>Gordon Braun1
The Data Analytics Strategy Data Analytics Strategy<h2>​What are the key components of an effective data analytics strategy?</h2><p><strong>CERNAUTAN</strong> Successful data analytics strategies should start by building an internal business case, as these programs often lose momentum and fail if their value is not appropriately "sold" within the organization. Next, address the knowledge and skill gaps by allocating funding to resource and train the audit teams. When it comes time to buy, invest in modern technologies that are easy to use and implement. For maximum impact, integrate data analytics requirements into the audit methodology. Make the use of analytics required rather than optional. Aim for quick wins that will naturally progress to larger successes by phasing the program in with an agile methodology. By focusing on automating routine audit areas, teams can self-fund the program through efficiency gains and demonstrated return on investment.</p><p><strong>DAVIS</strong> The key component for developing an effective data analytics strategy involves changing the way you think about your work. Start with defining the objectives you are trying to achieve either for your audit team or your audit cycle. Then plan and execute a vision for using data analytics to achieve your objectives. You'll need strong support from senior management and buy-in from the audit staff to gain efficiencies in meeting your objectives. Tools that are easy to use, train on, and deploy will lead to quick wins and help with buy-in and boost the data analytics strategy momentum for more advanced analytical strategies down the road. An analytics lead or champion should be responsible for executing the strategy. To track progress, set targets and monitor key performance indicators such as the percentage of audits performing at least one analytics test.</p><h2>What do CAEs need to know before jumping in?</h2><p><span><span><strong><img src="/2017/PublishingImages/Stefan-Davis.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />DAVIS</strong></span></span> Changing from traditional audit techniques to incorporating analytics is not always an easy exercise. Including analytics is a significant change in methodology, especially for experienced auditors, and it requires careful change management. The chief audit executive (CAE) needs to set expectations for the analytics effort, making it clear to the auditors that analytics is a priority for the department to gain efficiencies in meeting audit and department objectives. Knowing when to apply analytics and identifying opportunities for efficiency gains with analytics are critical to implementing a strategy. </p><p><span><span><strong>CERNAUTAN</strong></span></span> Over the past 20 years, the CAEs I've worked with who struggle to implement a successful analytics program all cite at least one of three factors: 1) difficulty in accessing data; 2) lack of data analytics skills; and 3) the high costs to implement. This may have been true years ago, but in today's world it is simply not the case: Data is easier to access; analytic tools are powerful, flexible, and easy to use; and the cost of not implementing vastly outweighs the cost to implement. To remain relevant, internal audit must adopt analytics literacy as a basic requirement. In today's world of big data, social media, and increasing risk velocity, it is impossible to fulfill the internal audit mandates of "adding value and improving an organization's operations" and "improving the effectiveness of risk management, control, and governance processes" using antiquated manual audit processes that focus solely on post-detection techniques. </p><h2>How can data analytics be leveraged to strengthen risk assessments and the audit plan?</h2><p><span><span><strong><img src="/2017/PublishingImages/Sergiu-Cernautan.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />CERNAUTAN</strong></span></span> The greatest risk is the unknown. Integrating analytics into risk assessments confirms the completeness of identified risks, and assumptions made about them, while illuminating potential gaps. By applying data analytics to support your risk assessments, the resulting audit plans will be better informed and developed from objective measures rather than subjective ones, which are prone to error. Forrester analyst Nick Hayes puts it this way: "Your assumptions about risk are deeply flawed without analysis of actual transactional data." </p><p><span><span><span><span><strong>DAVIS</strong></span></span></span></span> In the past, analytics have been primarily focused on fieldwork, but they can add huge value to risk assessment and planning. In audit planning, data analytics allow audit departments to gather company, industry, and prior audit results to help drive the audit plan. Visualization and summarization, along with regression and trend analysis, can highlight changing and emerging risks as well as issues to target and explain current and future audit coverage.</p><h2>How can data analytics be leveraged to strengthen individual audit engagements?</h2><p><span><span><span><span><span><span><strong>DAVIS</strong></span></span></span></span></span></span> Starting with engagement planning, auditors should consider opportunities to incorporate data analytics. If an audit is repeated, revisit audit programs to see where analytics will add value, rather than repeating manual tests. Getting data relevant to the audit objectives before fieldwork begins will allow preliminary analytics to identify risks that may influence audit scope. In fieldwork, data analytics will strengthen an audit through the ability to analyze complete data sets, rather than sampling. Complete testing leads to deeper insights into processes and procedures. Testing every instance of a control provides more robust audit evidence and increased coverage provides greater assurance. When reporting issues, deeper insights can be supported by tangible, measurable valuations. Rather than saying "we tested 30 purchases and found two without authorized purchase orders," analytics allows you to say "we tested the full population of purchasing transactions, and found $84,234 in purchases with unauthorized purchase orders." When they can see the dollars involved, management has a reason to follow or correct a control. </p><p><span><span><span><span><strong>CERNAUTAN</strong></span></span></span></span> One cannot truly achieve a risk-based audit approach and add value without being data driven throughout. From the initial risk assessment, to scoping and planning, to executing fieldwork, to raising issues, and all the way to preparing the final audit report — the nature, timing, and extent of procedures to be performed are largely driven by the magnitude of the risks. What better way to quantify the risks, rationalize your audit effort, and support your results with evidence than by analyzing actual data? </p><p>What's more, executives constantly ask "so what?" to challenge the value of audit findings. Transform that response by supporting findings with objectively quantifiable data and key performance metrics. Consider a process recommendation to "take advantage of procurement discounts by accelerating net payment terms," subjectively rated as high impact. Consider the same recommendation, objectively supported by data. "If we had taken advantage of the procurement discounts offered over the last year, we could have avoided $10 million in costs." Which is more compelling and relevant to the organization?</p><h2>How can auditors use data visualization to communicate audit results?</h2><p><span><span><span><span><strong>CERNAUTAN</strong></span></span></span></span> To be effective, visualizations must be social, interactive, and actionable. In an increasingly technological and social world, auditors can communicate visualizations more effectively using social media tools such as virtual storyboards. Incorporating elements of interaction further increases stakeholder engagement by allowing recipients to pull relevant information and trigger responses or actions based on what they see.</p><p><span><span><span><span><span><span><span><span><strong>DAVIS</strong></span></span></span></span></span></span></span></span> Presenting data visually makes it easier to digest. You need to start with the message that you are trying to communicate, which in the case of audit results can be complex. Through the use of visualization, you can communicate a single message and answer detailed questions in a single image. For example, you can show the highest risk category over the last year by location from one visual as opposed to reviewing pages of detail. Visualizations do not need to be complicated. The key is to keep it simple with line charts showing trends over time and bar charts for non-time-based information. </p>Staff1
Heightened Focus on Security Risk Focus on Security Risk<p>​IT research firm Gartner Inc. forecasts that worldwide spending on IT security will top $86 billion this year, up 7 percent from 2016. That spending is expected to reach $93 billion next year, <a href="" target="_blank">Gartner estimates</a>. </p><p>Security services, including IT consulting, implementation services, and outsourcing, is the fastest-growing segment. Gartner predicts 40 percent of managed security service contracts will be bundled with other security services and broader IT outsourcing projects by 2020. That's twice the current percentage of such bundles today. </p><p>"Rising awareness among CEOs and boards of directors about the business impact of security incidents and an evolving regulatory landscape have led to continued spending on security products and services," says Sid Deshpande, Gartner's principal research analyst.</p><p>One growing area of cybersecurity risk is internet-connected medical devices, <a href="" target="_blank">a Deloitte poll notes</a>. In a May survey of 370 professionals working with medical Internet of Things (IoT) devices, 35 percent reported their organizations had experienced a cybersecurity incident in the past year. The respondents were participants in a webcast on medical devices and the IoT, and represented medical device manufacturers, health-care IT organizations, device users such as health-care providers, and regulators.</p><p>IoT devices in health care often store data such as sensitive patient information. That's made them targets of botnet attacks and ransomware schemes.</p><p>Thirty percent of Deloitte poll respondents said identifying and mitigating the risks of connected devices is their industry's biggest cybersecurity challenge. Moreover, just 18 percent of respondents said their organization is very prepared to address litigation, internal investigations, or regulatory matters related to medical device cybersecurity incidents in the next 12 months.</p><p>"As regulatory, litigation, and internal investigation activities start to focus on post-market cybersecurity management, leading organizations are taking a more forensic approach to discerning the time line and size of cyber incidents so the impact to intellectual property, client data, and other areas can be addressed more quickly," says Scott Read, risk and financial advisory principal with Deloitte Transactions and Business Analytics LLP.</p><p>Pressure to meet regulatory obligations to ensure cybersecurity protections may grow soon with the introduction of two cybersecurity bills in the U.S. Congress. One Senate bill, the <a href="" target="_blank">Internet of Things Cybersecurity Improvement Act of 2017</a> (PDF), would require all IoT devices sold to the federal government to be capable of having security patches installed by users. Currently, many IoT devices have security measures such as pre-installed passwords that cannot be changed easily. The idea behind the bill is that IoT device manufacturers would include protections to meet the federal government procurement standards in all the devices they sell. </p><p>Another Senate bill focuses specifically on medical devices. The <a href="" target="_blank">Medical Device Cybersecurity Act of 2017</a> would require medical device manufacturers to test their products' cybersecurity before they are sold. It would mandate safeguards for remote access to devices and seek to make cybersecurity updates free of charge. </p><p>Of course, regulation on its own won't protect IoT devices or corporate networks from cybersecurity incidents. Increasingly, there is a need for corporate boards to provide leadership on cybersecurity preparedness and response. But board members may not be ready to do so yet.</p><p>Among the 105 company boards that responded to the U.K. government's <a href="" target="_blank">FTSE 350 Cyber Governance Health Check Report 2017</a> (PDF), 10 percent say their organization doesn't have a plan in place to respond to a cybersecurity incident. Also, 68 percent of board respondents say they haven't received training on how to address a cybersecurity incident. </p><p>Boards appear to know what's at stake, with 57 percent reporting they clearly understand the potential impact that could result from a loss or disruption of key data assets. More than half (54 percent) say they view cyber risk as a top risk.</p><p>One concern for these boards is their company's readiness to comply with the EU General Data Protection Regulation (GDPR), which takes effect in 2018. Only 6 percent say their company is completely prepared to meet the GDPR requirements, but 71 percent say they are somewhat prepared. </p><p>While boards are still catching up with the GDPR requirements, Gartner reports that businesses are paying up to ensure they can comply. It predicts GDPR will drive 65 percent of data loss prevention buying decisions between now and 2018.</p><p> <br> </p>Tim McCollum0
Great Tech Expectations Tech Expectations<p>Internal auditors have always needed basic IT skills, a working knowledge of common audit tools, and a functional understanding of their organizations' data processes and infrastructure. What has changed in recent years as technology advances, and what will change in the future as it continues to, is what constitutes "basic," "working knowledge," "common," and "functional." </p><p>Some internal audit leaders note that new hires generally have better IT skills on day one than many veterans possess. That's not surprising for a generation of practitioners raised on smartphones and entering the workforce in an age of wearable devices. These auditors want to use their IT skills on the job as often as possible, blurring the line between internal auditors and IT audit specialists. </p><p>But that fuzzy border is also the product of a shortage of people with exceptional IT skills who want to be internal auditors. Those IT specialists will be as much in demand in the future as they are now. For chief audit executives (CAEs), that means balancing the need for core audit skills with the mandate for IT expertise in areas that may not have existed just a few years ago. </p><h2>The Basics</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>​<strong>CAEs Face Higher IT Bar</strong></p><p>Nobody thinks every CAE should excel at IT, but expectations are pretty high. The bottom line: CAEs need to conceptually understand IT risk and hold their own in a conversation about strategic IT questions, even if they don’t understand “the OSI model” or “Active Directory administration” — except, perhaps, in technology-focused companies. Citigroup’s Mark Carawan puts it this way: “The CAE is responsible for ensuring the internal audit function stays relevant and nimbly adjusts to emerging risks and solutions. But the CAE is not responsible for being the fount of all knowledge.” </p><p>CAEs should know the IT risks the organization faces — privacy, security, data management, and maintenance — and how management is or isn’t addressing them. Although they needn’t be able to answer every IT question that comes up in day-to-day engagements, CAEs should be able to ask good questions. They should augment their staff with a strong IT audit manager or director. Says ADP’s Kathy Robinson: “There’s nothing wrong with ‘old school’ CAEs, as long as their thought processes are ahead of the curve. If not, they really need to step aside. The topics are that critical.”</p></td></tr></tbody></table><p>"It's hard to succeed in any audit role today without some basic technology skills," says Steve Sanders, vice president of internal audit at Computer Services Inc. in Paducah, Ky. That includes both hard and soft skills — the latter an area in which some of the cleverest IT hands aren't adept. The basic software skills, like word processing, spreadsheets, and calendar and scheduling functions, should be assumed, Sanders adds. And he says, "auditors who have other software experience, such as electronic workpapers and, especially, data analytics, will have an advantage over those who do not have it." </p><p>Moreover, experience with audit-specific software is always a plus, "but these applications can be learned on the job," notes Jennifer Goschke, vice president and CAE at Office Depot in Boca Raton, Fla. That also helps keep practitioners from becoming proficient in the wrong kind of IT, developing skills on a particular brand of software at a previous job, for example, that don't translate to what's used by the auditor's current employer. </p><p>Outside the internal audit department, auditors need a big picture view of the IT landscape. In Goschke's department, "having a high-level und-erstanding of the company's overall IT infrastructure and applications used" is foundational. In addition, every internal auditor should be familiar with IT general controls and the broad risks they were designed to help mitigate, she says. It's also important to understand key data security concepts — the principle of least privilege, passwords, and authentication — although it may not be necessary to have detailed knowledge of the IT used in specific departments.</p><p>In addition, auditors should understand how data is integrated into business processes, says Kathy Robinson, CAE at ADP in Roseland, N.J. "Regardless of the auditor's focus, he or she certainly needs to know where data resides, how it flows, and how it is accessed," she explains. That knowledge comes from the training she provides, as does a working understanding of data analytics. Some of ADP's auditors have become subject matter experts in data mining, in fact, and all of them can develop specifications for a project. </p><p>Controls are a good starting place for ensuring the audit staff is adequately versed in IT. Although new auditors are starting out with better IT skills, "they still need an understanding of controls," Sanders points out, "and new hires do not necessarily have a better understanding of controls than experienced auditors possessed 10 years ago."</p><p>Often, the auditors who excel in technical areas don't excel in soft skills, such as communications, empathy, and relationship building. New hires' tech-savvy "doesn't necessarily translate into their understanding of IT risk," Goschke comments. That lack of understanding can impede their ability to interact effectively with engagement clients. "Younger auditors need the more mature practitioners to help them communicate the risks and other issues to upper management," she says. Younger team members, she adds, "tend to favor short, digital conversations." Sanders notes that a well-qualified candidate should understand what was tested and "how to convey that to other stakeholders."</p><h2>Specialists Still in Demand </h2><p>Even if the rising level of IT expertise that internal auditors generally bring to the table isn't necessarily sufficient to get the job done without additional soft skills, the new auditors' computer skills are definitely changing the distinctions between internal auditors and IT auditors. "We're not asking our auditors to be IT technical specialists," Robinson explains, "and we're not asking people to do what they're not technically trained to do, because we have auditors with specific skills. But we are asking people to have a good understanding of data flow, controls, and governance." </p><p>Because IT audit personnel can be difficult to find, afford, and retain, it may be more cost-effective to cross-train the existing audit staff on IT risks than to hire a group of IT auditors. But even then, Goschke emphasizes, "it's important to have IT subject matter experts on your team to provide the technical chops to be able to go head to head with IT." </p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>Predictive Analytics</strong></p><p>One specialist skill that increasingly is being used in audits is predictive analytics, which is mining data for meaningful patterns that can predict future trends and inform strategic planning, operations, and risk management. Already, internal audit departments use predictive analytics to strengthen audit coverage by quantifying issues to better understand the risks they are dealing with. There’s no single solution; indeed, an analytics “toolbox” may be necessary for some large, complex organizations. </p><p>Predictive analytics is one of the reasons the audit team needs to be computer literate, says Citigroup’s Mark Carawan. “The most successful auditors will know enough to say, ‘This is an opportunity for predictive analytics and data mining to deliver control-enhancing assurance. Where am I going to have the greatest likelihood of a breach of policy, fraud losses, mispricing, or shortfalls in inventory?’” he explains. Carawan adds that it’s important to have data analytics experts who are familiar with the latest tools and can interpret the results they produce.​</p></td></tr></tbody></table><p>That's one reason why IT audit specialists still are in high demand. "An auditor with some technology background and a good understanding of controls might be able to do a basic IT audit," Sanders explains, "but in-depth IT audits need auditors who understand those areas well enough to speak the language of the folks doing the job." He notes that he's aware of several audit departments that use all auditors for IT audits. "The quality of work suffers just as it would if you assigned trained IT auditors to conduct financial audits," he says. "They might be able to do it, but they'll miss key things experienced financial auditors wouldn't miss. I've met some auditors who really don't have a good understanding of what they're looking at. They're not providing the value they need to provide." </p><p>In Sanders' experience, however, it can be difficult to find someone with working IT knowledge who wants to be an auditor. "Many entry-level auditors have a desire to learn IT, or they have an IT background but no audit experience," he says, blaming, at least partly, "a failure to sell the important role an IT auditor plays." </p><p>If the in-house expertise is lacking, cosourcing may be a better option than assigning technical audits to unprepared practitioners. Robinson contracts with outside firms for expertise that she doesn't need — or can't afford — to have on staff full time. </p><h2>Building IT Capability </h2><p>Indeed, issues around staffing an internal audit department and maintaining the right mix of generalists and specialists is one of a CAE's key IT challenges. Here is what internal audit leaders suggest for making sure every audit department has the IT know-how to get the job done.</p><p></p><p> <strong>Determine the Specialty Skills Needed</strong> "The desired IT skill set depends on the nature of the business one is auditing and the complexity of systems used," notes Mark Carawan, chief compliance officer with Citigroup in New York. "The larger and more complex the organization, the more likely it is that there will be a need for specialist skills to complement the deep business and product knowledge of the internal auditors following the end-to-end business processes." </p><p>The CAE, in consultation with senior business management and the audit committee chairman, should make that call. "The CAE should be working with management to understand the complexities of the business — such as robotics, process outsourcing, and cloud-based computing — and how customers use technology," Carawan says, "so the internal audit department can identify the risks to the business as a result." </p><p>There will be a point as IT evolves, he adds, where someone is likely to say, "I'm not sure how this works. The audit department needs someone to explain that, as well as what the risks are and how we mitigate them." Be aware, though, that executives "may be reluctant to invest in adding more IT specialists to the third line of defense, beyond those already in the first and second lines," he says.</p><p> <strong>Make Adequate Education Available</strong> "Every audit department should have a formal training program to make sure the team is up to speed on both changes in IT risk and controls and changes in their company's IT landscape," Goschke recommends. Sanders agrees, noting that it's the CAE's job to "ensure adequate training is in place for auditors to stay current on IT trends and developments." </p><p>The basics should do it, Sanders says. "I don't expect every auditor to have in-depth knowledge," he explains, "just as I don't expect my IT auditors to understand the latest accounting pronouncements." Team members should seek out IT training, such as a seminar or conference, to build basic, solid skills, he advises, then start to specialize in a few specific areas over time.</p><p>Sanders recommends information sharing after every training event, "typically in the form of a summary presentation at an all-hands departmental meeting." He also maintains a spreadsheet in his department to track training hours. Although it may seem like IT skills get a lot of attention and require a lot of CAE input, it's unlikely any audit department is focusing too much on expensive IT expertise. "My audit shop has traditionally been heavy in IT auditors, but also heavy in IT risk," he notes. Indeed, there are many situations that demand the investment required to field a squad of IT experts.</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>​<strong>The Automated Future</strong></p><p>The precise menu of IT skills internal audit practitioners will need 10 years from now is anyone’s guess. But it will likely refer to process automation. “Robotics and artificial intelligence will likely be much more prevalent in accounting and finance functions,” Office Depot’s Jennifer Goschke says. Some companies use “bots” to reconcile accounts, presenting audit challenges that don’t exist with humans. “I can’t go ask the bot a question about its process,” she notes. “And how secure is it to have bots performing processes on sensitive data?” </p><p>Citigroup’s Mark Carawan adds: “Stakeholders and the businesses for which they are responsible will continue to seek automated solutions to achieve improved customer service and efficiency, enhanced risk management and control, and speedier execution.”</p></td></tr></tbody></table> <p> <strong>Go Outside the Organization for Assistance</strong> "Auditors typically do not handle IT audits on their own, but they could supplement the IT audit team as additional arms and legs," Goschke comments. "Using an outside firm to come in for a day to train the team a few times a year is very cost-effective." Consulting firms also offer IT consulting and audit services on an hourly or project basis, she adds. Although this may be expensive, hiring someone full time with the same skills would cost even more. "Once my audit plan is determined for the year," she says, "I can decide which audit projects I'll perform with my internal team and which projects require specialized knowledge for which I should use an outside firm."</p><p> <strong>Provide Big Picture Guidance and Clear Marching Orders</strong> "Overall, it's really a CAE's job to articulate the things that can impact the company's ability to execute strategy," Robinson states, "and to help make sure that the underlying IT infrastructure is adequate and operational by auditing for security, processing, and recovery, and providing that output to stakeholders." And although there is always some IT involved in their audits, she adds, "We could get lost in data analytics because there is so much we could do with it. My leadership team is responsible for homing in on the things that are most impactful."</p><h2>Completing the Job </h2><p>Building IT knowledge and skills is a big job, but one that most internal audit departments should be able to accomplish. "It's challenging due to staff turnover and the ever-changing IT landscape," Goschke notes. "But the training is out there. You just need a plan." </p><p>But be careful about the "best laid schemes." Robinson says she is reluctant to guess what basic IT skills will look like 10 years from now. If she had tried 10 years ago, she would have been way off the mark. The iPhone was just being introduced in 2007, she explains, and "there's no way I'd have said we'd have a mobile app in 2017 that would be downloaded 11 million times — and that we'd have to audit mobile technology." </p><p>Indeed, audit departments probably won't be focused on the same issues three years from now, let alone 10. "Basic" will always be "basic," but the skills that audit leaders consider "basic" will always evolve. </p><p> <br> </p>Russell A. Jackson1
Guarding Against Ransomware Against Ransomware<h2>​What should internal auditors ask to assess the organization's protections from ransomware attacks? </h2><p>Now is a time of unprecedented state-on-state ransomware attacks. To protect an organization from these attacks, internal auditors should question whether senior executives and the board support designing a holistic approach for people, process, and technology to make a defense strategy successful. Does IT security governance include the human factor in its corporate risk analysis and assessment? Is there a business continuity/disaster recovery cyber breach program that originated from a business impact analysis that includes vulnerability assessment and ethical hacking?</p><h2>What is the most important deterrent to mitigate the risk of an attack? </h2><p>Employees are an organization's greatest asset, but also its greatest security risk. As new types of cyberattacks grow, organizations must do people "patching" — training employees on how to recognize, analyze, and respond to vulnerabilities. Those vulnerabilities include out-of-date operating systems and software, and suspicious emails and attachments. Also, IT should make sure antivirus programs are installed and that files are backed up daily somewhere not connected to the internet.</p>Staff0
In Safe Hands Safe Hands<p>​There is no business today that is not driven by data,” Dominique Vincenti, vice president, Internal Audit and Financial Controls, at Nordstrom in Seattle, says. “The continuous high-speed evolution of technology is the No. 1 challenge for businesses and internal auditors today. There is not an hour you can rest.”<br></p><p>Vincenti says that businesses need to fundamentally reassess what data means to the success of their organizations going forward. Not only must they be able to successfully protect their data from external threats, but a new law is sparking a trend that will require many to have much more detailed control over what data can be held and how it can be used — the General Data Protection Regulation (GDPR) that goes into effect in Europe in spring 2018. Add to that data processing developments in data analytics, robotics, and artificial intelligence, and organizations that are unable to leverage their most business-critical asset effectively are in danger of being left behind, or worse. <br></p><p>“There needs to be a huge wake-up call,” Vincenti says. “Businesses need a clear answer to the question, what does data mean to the success of our company both today and tomorrow?” <br></p><p>The conjunction of GDPR and advanced data processing technologies is pushing organizations into new ground. For businesses operating in Europe, or any business using or holding data on European citizens, for example, the tougher new data laws will substantially alter the way that organizations need to seek consent and keep data records (see “Main Provisions of GDPR” below right). “GDPR is a more stringent regime than those it replaces, and has a low risk appetite built into it,” Vincenti says. “Since Europe tends to lead the way in legislation, it would be wise for U.S. businesses that are not affected today to at least consider how they might meet those requirements in the future.” <br></p><p>GDPR’s heavy fines have caught the media’s attention — the maximum is 4 percent of the organization’s global revenues. For example, telecom and broadband provider TalkTalk’s 2016 fine of £400,000 from the U.K.’s Information Commissioner’s Office for security failings that allowed hackers to access customer data could have rocketed to £59 million under GDPR. <br></p><p>Yet having the right controls over how data is used and retained will present a challenge. For example, businesses will no longer be able to request a blanket consent to use data collected from individuals in any way they choose. Consent will need to be obtained for a specific and detailed use — otherwise fresh consent will be required. This provision is diametrically opposed to how data can be leveraged by artificial intelligence and data analytics programs. Such programs are best used to find new patterns in data and novel applications of information to improve the business’ products and services. Without free license to experiment with customer data on the business’ servers, it may not be possible to achieve the full potential these technologies promise. <br></p><p>For internal auditors, these pressures could mean going back to the drawing board on the controls needed to strike the right balance between delivering value to stakeholders from these new technological possibilities and protecting the enhanced rights many customers will enjoy under GDPR. A compliance-based approach may no longer be feasible because it is unlikely to capture the nuances needed to deal with this ethically sensitive area. In fact, many are arguing that successfully handling the new data landscape will require auditors to develop ethical principles and soft skills that have been undervalued in this area.<br></p><h2>The Challenge of Consent</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Main Provisions of GDPR</strong><br>Article 5 of the General Data Protection Regulation requires that personal data shall be:<div dir="ltr" style="text-align:left;"><br>(a) Processed lawfully, fairly, and in a transparent manner in relation to individuals.</div><div dir="ltr" style="text-align:left;"><br>(b) Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.</div><div dir="ltr" style="text-align:left;"><br>(c) Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.</div><div dir="ltr" style="text-align:left;"><br>(d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.</div><div dir="ltr" style="text-align:left;"><br>(e) Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific, or historical research purposes, or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.</div><div dir="ltr" style="text-align:left;"><br>(f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.</div><div dir="ltr" style="text-align:left;">Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”</div><br><em>Source: U.K. Information Commissioner’s Office</em></td></tr></tbody></table><p>“If you don’t know what you are going to discover from a big data project, how can you possibly explain to the data subject how you will use it and get consent?” Henry Chang, an adjunct associate professor at the Department of Law at the University of Hong Kong, says. Chang is one of several academics and business organizations arguing that new regulations such as GDPR coupled with new technologies require a paradigm shift when it comes to personal data use and protection. Chang and Vincenti agree, for example, that organizations pursuing a compliance-based approach to data privacy and protection are going to run into a brick wall when trying to leverage their data innovatively. <br></p><p>“When you look at a compliance-based approach, you have to decide where the pass-mark is legally,” he says. “That tends to cause businesses to aim low and achieve low, and businesses can spend a lot of time on trivial areas because they think they need to comply in every part of their business equally, rather than where they are most at risk.”<br></p><p>He says what is required instead is a more holistic, accountable approach that has privacy controls engineered into business processes, which themselves are underpinned by ethical principles. While there is no magic solution, he urges organizations to try a cocktail of approaches to see what works best. For example, he says that data privacy is built on the notion that one has respect for the individual’s right to have a say over how that information is used. Compliance cannot address how those rights might change over time if the systems used to comply with regulations do not have some elasticity built into them. <br></p><p>“Respecting someone’s privacy rights is actually a soft skill and needs a soft approach,” he says. “Putting in an ethical boundary as an extra element into your compliance processes could help deal with shifts in the way that personal data can be analyzed and used.”<br></p><p>In practice, that could mean that if a company is using automated processes, some part of those systems could include a right for decisions to be made by a human. Or where mistakes are made with the use of data, there is a human at the end of the process and effective redress mechanisms in place.<br></p><p>“The head of audit’s role could be to bring these debates to the attention of the board,” he says. “You obviously cannot prescribe a set of ethics to the board, but you can ensure that the board has the opportunity to think ethically about personal data.”<br></p><h2>A Balancing Act</h2><p>While obtaining consent for the use of data may seem reasonable, what happens if the potential uses are beyond the understanding of the individuals involved? According to the Information Accountability Foundation (IAF), a global research nonprofit, there is a growing agreement that consent is not fully effective in governing such data and use. Many national laws include limited exemptions for processing when consent is unavailable, while others, notably European law, provide legal justification based on the legitimate interest of an organization when it is not overridden by the interest of the individuals. But such exemptions tend to be limited, unclear, or outdated, and those legitimate interests require a balancing procedure that has yet to be developed. <br></p><p>“Companies are meant to balance the legitimate interests of individuals, organizations, and shareholders,” Martin Abrams, executive director of IAF in Plano, Texas, says. “That means not only looking at the potential negative impacts on individuals, but on stakeholders, too, if you do not process that data.”<br></p><p>For example, Abrams says, next-generation clinical research by pharmaceutical companies could draw data from multiple devices — smartphones and watches, genomics, location-sensitive information, and clicks on webpages — into the data pool in a way that could be difficult to describe to people who are asked to consent because it is unclear how the various interests at play can be balanced. If some of that data is European, a difficult problem could become intractable. “It’s not clear how one could do data analytics under GDPR,” he says.<br></p><p>The IAF has been working with the Canadian government to test an ethical assessment framework it has created to help organizations develop accountability processes that go beyond the consent model. It aims to provide a common framework for developing systems of accountability and for ranking the importance of potentially conflicting interests for each project. <br></p><p>Internal auditors, he says, should be asking their boards to think about how the business is balancing the various interests at stake in its use of data. How those decisions and processes are documented and assessed, and whether the business has the right skill sets to implement such an approach, could all be the topic of audit assignments. <br></p><h2>Transparency and Communication</h2><p>One approach to addressing data concerns is for businesses to become as transparent as possible about their aims and objectives and how those interests are balanced. “It is very important for the business to tell a clear story about what its intentions are, how it is going to use the data, and how that will be for the betterment of society,” says Lisa Lee, vice president, Audit, at Google in Mountain View, Calif. <br></p><p>She says that innovation requires research and having too many rules around how data can be used could stifle developments that could benefit the community. Too many checklist-style controls are unlikely to keep pace with the speed at which technology is developing. That is why Lee says that companies need to engage people in dialogue about their ethics and articulate the benefits to society they are attempting to deliver.<br></p><p>Not everyone will align with a story. Lee says that people often have different tolerances to technology notifications, for example, and what one person would find useful, another might find intrusive. Business units need to have thought through those issues and communicate how they approach such risks and what the controls are for doing so. She says Google sets the tone for its values from the top of the company and those values inform its protocols, how it operates, and how it attempts to manage risks.<br></p><p>This approach impacts how internal audit works. “Internal audit has to have a very in-depth grasp of the business,” she says. Unlike organizations that tend to pool auditors into one team, Google has some dedicated audit teams attached to particular areas — such as data security and privacy — where a deep understanding of the systems is necessary. In addition, auditors focus on what the business objectives of the product or service are during an audit and spend time listening to how the business is attempting to approach risk and control.<br></p><p>“We work in a very dynamic environment and need to keep an open mind when we are thinking about controls and their impact or effectiveness,” she says. <br></p><h2>Grasping the Data</h2><p>Few companies are as advanced in their handling of data as Google. One of the most common problems organizations face is that they do not know where their data comes from, how it is used, and in many cases, what data they hold. Mark Brown, vice president of Software Solutions and Services at the risk management software company Sword Active Risk in Maidenhead, U.K., recently estimated that only about 1 percent of businesses could pull in and analyze internal and external data in a meaningful way. <br></p><p>“One of the biggest challenges when it comes to data is knowing what you have,” says Shannon Urban, executive director with EY in Boston and 2017–2018 chairman of The IIA’s North American Board. “As businesses have grown through expansion and acquisition, they have continued to accumulate data with no formal inventory.” In addition, is it easy for data to move around the organization via enterprise resource planning systems, email, and mobile devices, making it possible for it to be used in unintended ways.<br></p><p>“If you don’t have an identification and classification process that can identify what is sensitive, then using it effectively, never mind ethically, is going to be impossible,” she says. “The models internal auditors use can sometimes be a bit upside down — we make sure the data is accurate and complete, but spend less time on whether it is appropriately sourced and accessed. That could mean rethinking our audit plan and checking that we properly source the competencies to deal with these issues,” she adds.<br></p><p>Urban says it is important not to get overwhelmed. If auditors find their organization’s data is unstructured, she advises them to take a risk-based approach and start with the information that is most critical to the business, including intellectual property, employee, and customer data. “It is completely within internal audit’s purview to connect the dots and think about data across business lines,” she says.<br></p><h2>Center of Excellence</h2><p>Internal audit can take a lead in bringing their organization up to speed with these new challenges about the nature of data and technological innovations in data processing. “Internal auditors need to be well-versed in these developments and be able to educate management through our audits,” Nordstrom’s Vincenti says. She says internal auditors should make their function a center of excellence not only in both data protection and privacy practices but also in data governance and rapidly evolving enterprise information management approaches and capabilities. “Internal audit can be a role model. Let’s show the business how we are using data in innovative and ethical ways,” she says. </p><p><em>For more information on protecting organizational data, see the </em><a href=""><em>IIA Practice Guide, Auditing Privacy Risks, 2nd Edition</em></a><em>.</em> <br></p>Arthur Piper1
Editor's Note: A Technology Revolution's Note: A Technology Revolution<p>​The technology landscape changes at such speed that most of us have trouble trying to keep up. Smartphones, apps, and social media often leave our heads spinning with their constant updates. As soon as you master a newly launched technology, there’s another one on the horizon. Imagine the difficulty in wrapping your head around this rapid change at the business level.<br></p><span><p>Fifty-two percent of business and IT leaders rate their organization’s digital IQ — a measure of an organization’s capability to get strategic value from technology investments — as strong in PricewaterhouseCoopers’ 2017 Digital IQ survey. This is a significant drop from previous years: 67 percent in 2016 and 66 percent in 2015.<br></p><p>While businesses see the value in adopting new technologies, many of them have not adapted quickly enough to keep up with the technology curve. Technology and business are inseparable, so businesses that neglect to embrace this relationship are sure to fail. For internal auditors, that means understanding the evolving risk landscape related to the business and learning to use technology in their work. <br></p><p>“There is no business today that is not driven by data,” says Dominique Vincenti, Nordstrom’s vice president of Internal Audit and Financial Controls. In our cover story, “<a href="/2017/Pages/In-Safe-Hands.aspx">In Safe Hands</a>,” Vincenti says businesses need to fundamentally reassess what data means to their organizations going forward. New laws such as the European Union’s General Data Protection Regulation (going into effect spring 2018) will require companies to have more control over what data can be held and how it can be used. <br></p><p>More importantly, the increased risks from ransomware attacks, data breaches, blockchain adoption, the Internet of Things, use of artificial intelligence, and data collection and its ethical use — the list goes on and on — beg the question: Are internal auditors equipped to handle the technology embedded into business practices? <br></p><p>IT expertise among internal auditors is now a general expectation, according to “<a href="/2017/Pages/Great-Tech-Expectations.aspx">Great Tech Expectations</a>.” Author Russell Jackson says today’s internal audit new hires who have grown up with smartphones and technology often have more advanced IT skills on day one than their predecessors. Office Depot’s Chief Audit Executive Jennifer Goschke stresses that “it’s important to have IT subject matter experts on your team to provide the technical chops to be able to go head to head with IT.” But while auditors with IT experience are still in high demand, they continue to be hard to find, afford, and retain.<br></p><p>Technology will continue to disrupt and change the business landscape at an increasingly rapid pace — what some futurists call The Fourth Industrial Revolution. One thing is certain: Organizations that resist that change will not survive.​</p></span>Shannon Steffee0

  • MNP_Nov 2017_Prem 1
  • IIA Bookstore_Nov 2017_Prem 2
  • IIA EndOfYear CPE_Nov2017_Prem 3



Six Steps to an Effective Continuous Audit Process Steps to an Effective Continuous Audit Process2008-02-01T05:00:00Z2008-02-01T05:00:00Z
Understanding the Risk Management Process the Risk Management Process2007-05-01T04:00:00Z2007-05-01T04:00:00Z
Lessons From Toshiba: When Corporate Scandals Implicate Internal Audit From Toshiba: When Corporate Scandals Implicate Internal Audit2015-07-27T04:00:00Z2015-07-27T04:00:00Z
Managing an Internal Audit Career: How Do You Know When It’s Time to Go?’s-time-to-goManaging an Internal Audit Career: How Do You Know When It’s Time to Go?2017-07-17T04:00:00Z2017-07-17T04:00:00Z