Six Audit Analytics Success Factors<p>Data analysis technology has enabled many audit teams to achieve success and return on investment. A large car rental company transformed audit processes and reportedly reduced traditional audit work by 10,000 hours annually by using automated analysis to test all revenue transactions on an ongoing basis. Additional tests identified nearly US$1 million a year in incorrect commission payments and multiple instances of payroll fraud that may not have been discovered through manual methods.<br></p><p>Data analytics has helped such organizations increase the productivity of the audit function and improve the quality and value of audit findings by giving auditors the ability to examine and test entire populations of transactions and balances that underlie an audit area. Because internal audit has access to processes and data from across the organization, data analysis often enables auditors to provide insights into risk, control, and performance issues that no other function can provide.<br></p><h3>Realizing the Benefits</h3><p>Despite data analytics’ benefits, most internal audit departments are still in the early stages of usage and are far from achieving their full potential. This often stems from a lack of understanding of what is involved in the audit analytics process. However, six success factors can help internal audit departments overcome obstacles and realize the benefits of analytics.<br><br><strong>Strategy and Leadership</strong> Many internal audit departments fail to make progress in implementing audit analytics because they do not treat it as a strategic initiative, overall objectives are unclear, and the department lacks necessary resources. Defining the strategic objectives for audit analytics is a vital starting point.
For example, The IIA’s Global Technology Audit Guides 3 and 16 discuss how combining responsibilities for continuous auditing and monitoring can enable internal audit and the organization to achieve the strategic goal of continuous assurance. Moreover, using data analysis to support both audit objectives and management’s maintenance of effective controls aligns closely with The IIA’s Three Lines of Defense in Effective Risk Management and Control model.<br></p><p>The CAE’s active support and involvement in an audit analytics implementation adds to its strategic importance and can help it deliver significant, sustainable benefits. The CAE should lead the effort by communicating the vision, strategy, and expectations.<br><br><strong>Goals and Metrics</strong> Underlying the overall strategic objective, internal audit departments can establish specific objectives by prioritizing the expected benefits. Goals and metrics could include:<br></p><ul><li>Data analysis to be used on x percent of audits within a y-month time frame.</li><li>Reduction in audit hours of x percent because of use of data analysis compared to the hours spent on the same audit using manual methods. </li><li>Data analysis results in an x percent increase in positive feedback from audit client departments about value added by internal audit.</li></ul><p>Establishing metrics and communicating progress helps align the audit team, provide a basis for managing the implementation process, and facilitate benchmarking with other organizations. It also can communicate value to senior management.<br><br><strong>Planning and Project Management</strong> Audit analytics implementations often are undermined by poor management. As with any important technology-driven initiative, effective planning and project management are critical to success. A well-managed implementation program helps ensure the use of analytics is sustainable and not overly dependent on any one individual. 
<br></p><p>To achieve greater benefits, audit analytics needs to be integrated into the overall audit process. This means understanding at what point in the audit cycle different forms of audit analytics are best used. All members of the audit team should be aware of when and how audit analytics are to be used, together with their own role in the process. Audit analytics can be used in virtually every stage of the audit process, including audit planning and risk assessment, controls testing, substantive procedures, reporting and quantifying audit findings, and continuous auditing. <br><br><strong>A Knowledgeable and Organized Team</strong> The success of implementing and maintaining an audit analytics program depends heavily on the extent of knowledge and skills available within the internal audit department and how the team is organized. Primary knowledge and skill requirements include:<br></p><ul><li>Data access and extraction.</li><li>Design of analysis tests to meet specific audit objectives.</li><li>Familiarity with using selected technologies.</li><li>Understanding of the overall audit analytics process.</li></ul><p>Training plans should reflect individual roles and related levels of knowledge. Those involved directly in data access and test development may require specialized training in specific software. Auditors performing simple analysis and tests may only require training in basic analysis concepts and introductory-level software usage. Managers and reviewers should be trained in audit analytics processes overall.<br></p><p>A variety of roles are involved throughout the analytics process, including data access specialist, data analysis specialist, and follow-up analyst to confirm any findings. Audit team leaders should understand how to best organize the different roles within their teams. In most audit departments, many of the roles may be combined in one or two individuals. 
In large departments, roles may be allocated across different team members, which allows for specialization and focus.<br><br><strong>The Business Case for Resources</strong> Internal audit departments that achieve the most success in using analytics develop a business case to identify investment costs and expected benefits and to measure progress in achieving objectives. In compiling its case, the department should consider benefits such as reducing audit staff hours, increasing productivity, increasing the value of advisory findings for audit clients, and achieving cost savings or revenue gains. Potential costs include specialist resources and implementation assistance, software, training, and startup funds. The business case also can consider the effect of cost sharing with risk management, compliance, and other related functions.<br><br><strong>Technology</strong> A wide range of data analysis software can be used to support audit analytics. Surveys indicate that more internal auditors use Microsoft Excel for analysis than any other software. However, specialized audit data analysis software is also popular, especially in organizations that are more advanced in using analytics. Other analysis technologies can play a role, although these products may not support all aspects of the audit analytics process.<br></p><h3>Leadership Is Key</h3><p>Simply acquiring software and sending a few people to a training course is not a recipe for success. Data analysis can help transform much of the audit process for the better, but it takes leadership, vision, commitment, and management execution to achieve sustainable benefits. <br></p>John Verver
Health Care Targeted<h3>Why are hackers targeting health-care companies? </h3><p>Individual patient records are loaded with private data that can be used for medical fraud, including buying drugs for resale and submitting false claims. We’re not just talking about financial data, but also the details of patient diagnoses, treatment plans, and medications. Some estimates place the value of this information at US$5 per patient record compared to US$1 per credit card record because patient records not only specifically link this medical information to a patient identity, but also the theft is often not immediately identified like credit card fraud can be by financial institutions.<br></p><h3>How can internal auditors help boards turn their growing concern about cybersecurity into concrete action? </h3><p>A major data security breach can have a deep and lasting impact on the future viability of an organization. Internal auditors need to discuss with their boards not only the cost to recover from such an exposure — including loss of business and prospective fines/penalties from the U.S. Office for Civil Rights — but also the reputational risk from these types of incidents. They need to know what actions can be managed internally and when a third-party review is needed to objectively evaluate an organization's policies, procedures, controls, risk assessment, and intrusion detection. 
Third-party reviews can also be valuable in assessing and auditing physical sites where protected health information is stored or exchanged. This includes both covered entities and business associates such as offshore and cloud service providers.<br></p>Staff
Difficulties Assessing and Addressing Cyberrisk<p>Two of the attributes traditionally used in assessing risk are likelihood/probability or frequency* (P) and impact/consequence (I). Some limit themselves to evaluating the level of risk based on a single value of P x I. That is a mistake (<a href="">see this earlier post on risk levels</a>) and I will touch on an issue or two here.</p><p>Let's look at (P) and (I).</p><p>I have seen reports that predict that 80%-90% of organizations will suffer a breach in the next 12 months (based on the level of breaches in the last 12 months). But, some will have a breach that affects non-sensitive information and only causes embarrassment – such as changes to their web page – while others will have very serious intrusions with significant damage.</p><p>How can you estimate which consequence your organization will suffer (going on the 90% likelihood that your organization will be breached)? How do you know that you won't have <em>multiple</em> breaches, by different actors, with different impacts in the next twelve months?</p><p>I think, if I were doing it, I would ask the information security professionals to consider the assets we are trying to protect, assess the strength of the defenses, and then estimate the likelihoods (plural) of severe, moderate, and lower impact (but still at least embarrassing) sets of consequences.</p><p>The estimation of 'damage' must be based on the impact to the <em>business</em>, not simply on some IT valuation of the information assets 'at risk'. How will the ability of the business to continue with its planned activities, including new initiatives, be affected? 
Can a value be placed on any reputation damage?</p><p>A troubling and complicating factor in the assessment is the duration of the breach and, possibly, the continuing damage it can be causing.</p><p>According to several reports, many breaches are not detected until months after they occur – and often detected by third parties, not by the breached organization! </p><p>Further, it can take months to expel the invader and repair the defenses. I understood it took something like 6 months for JP Morgan Chase to get the intruders out of its system.</p><p>A new report, <a href="">discussed in SC Magazine</a>, has this to say:</p><p>"On average, nearly half a year passes by the time organizations in the financial services industry and the education sector remediate security vulnerabilities, according to new research from NopSec."</p><p>"According to the findings, organizations in the financial services industry and the education sector remediate security vulnerabilities in 176 days, on average. Meanwhile, the healthcare industry takes roughly 97 days to address bugs, and cloud providers fix flaws in about 50 days."</p><p>This has to be taken into account when assessing cyberrisk.</p><p>So, I would not limit the risk assessment to a single possible level of impact: there are multiple, each with a different likelihood/frequency. The impact level can be seriously affected by the duration of the intrusion and continuing damage to the enterprise – which needs to be built into the (I).</p><p>I don't know whether it is possible to place a precise value on either (I) or its (P). The likelihood and severity of a breach are constantly changing.</p><p>What should not change, however, is the level of cyberrisk that an organization is willing to take. Since cyberrisk cannot be eliminated, and business has to continue, management and the board must accept that some level of risk will remain and must be accepted. 
This needs to be known so that management can determine (a) whether the current level of risk requires treatment, and (b) how much investment should be made in prevention and detection.</p><p>Two points come immediately to mind when it comes to treating cyberrisk:</p><ol><li>It is essential to beef up the ability of the organization to detect an intruder who has succeeded in breaching the defenses.</li><li>It is critical to have response processes that can work promptly to limit any damage (including the duration of the breach and its effect), expel the intruder, understand what damage has occurred and how the defenses were breached, and communicate with all necessary and appropriate parties.</li></ol><p> published a piece on "<a href="">the cyber security outlook for 2015</a>" in which they identified, as a serious mistake organizations are making:</p><p>"Over-focusing on prevention and not paying enough attention to detection and response. Organisations need to accept that breaches are inevitable and develop and test response plans, differentiating between different types of attacks to highlight the important ones."</p><p>When the organization does not have effective, tested, response capabilities, the (I) increases significantly.</p><p><a href="">An article on ZDNet</a> got me thinking. It talks about a software product that helps with the response by searching for corporate data that has made its way onto the "dark web."</p><p>Once an organization has identified the information it wants to protect, should it proactively monitor the dark web to see if any of it appears – even before they are aware of a breach?</p><p>Do you have thoughts on this topic of assessing and treating cyberrisk?</p><p><span style="font-size:11px;">*Frequency is used when there is a likelihood of an event multiple times a year.</span></p>Norman Marks
Cybersecurity Aftermath: What Is Next?<p>Given the daily deluge of cyber threat reports, cybersecurity awareness continues to increase among senior executives and audit committees. As organizations implement more practical response strategies, they are becoming more focused on crisis management and response planning, security approach, and disaster recovery. </p><p>In the Ponemon Institute's 2012 report, <a target="_blank" href="">Aftermath of a Data Security Breach Study</a> (PDF), 63 percent of IT professionals who responded to the global survey said their senior leadership viewed privacy and data protection as a greater priority after a breach occurred in their organizations (see "Picking Up the Pieces" below right). In respondent organizations, sensitive data was not encrypted, data breach response strategies required improvement, and privacy and data protection practices needed improvement. Since the survey was published, organizations have increased their cybersecurity posture, applying an organizationwide response to security breaches, rather than an IT response. Acting in a consulting role, internal auditors can help their organization's executives and business-unit leaders understand what is involved in developing such an organizationwide response. </p><h2>Crisis Management and Response Planning</h2><p>This shift to a more organizationwide response to cybersecurity incidents is reflected in a 2014 PricewaterhouseCoopers (PwC) report, <a target="_blank" href="">Cybersecurity Crisis Management: A Bold Approach to a Shadowy Nemesis</a> (PDF), which suggests organizations use a new philosophy to incident response aimed at bringing order to chaos. The report notes that a fiscally viable, coordinated response could mean the difference between cyber breach and cyber peace. Moreover, a well-thought-out solution can help ensure the organization's long-term survival as it manages a data breach situation. 
</p><p>The PwC report discusses an eight-phase approach to a structured and orderly cyber crisis response:</p><ul><li>Implementing an information security program.</li><li>Cyber event detected.</li><li>Incident response.</li><li>Internal investigation.</li><li>Third-party forensic investigation.</li><li>Contacting law enforcement.</li><li>Customer notification.</li><li>Containment and remediation plan.</li></ul><table width="100%" cellspacing="0" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;"><p> <strong>Picking Up the Pieces</strong></p><p>IT respondents to the Ponemon Institute's 2012 study of the aftermath of a data breach indicated: </p><ul><li>They have more confidence than senior leadership that they can secure customer data from future security breaches.</li><li>Training and awareness programs and enforcing security policies should be a priority for organizations.</li><li>Their organizations have increased IT security budgets as privacy and data protection have become a greater priority for senior leadership.</li><li>Identity theft would result from stolen customer data.</li><li>Their organization should limit the quantity of customers' personally identifiable data it collects and what it shares with third parties.</li><li>Their organization should reduce the negative consequences of a data breach by hiring legal counsel, assessing the harm to victims, and employing forensic experts. </li></ul></td></tr></tbody></table><p>The report points out that a key element of an organization's overall cyber crisis response strategy must include a good communication plan that incorporates an integrated public relations strategy. This communication should be decisive and occur through various channels. 
</p><h2>Security Approach</h2><p>A new Accenture study, <a target="_blank" href="">The Cyber Security Leap: From Laggard to Leader</a> (PDF), compares companies that have taken a security leap forward to companies that remain somewhat stagnant in their security practices. Researchers at Accenture interviewed senior IT leaders and tracked the security effectiveness progress of 247 companies that are benchmarked in the Ponemon Institute's database. </p><p>The study observes that a sound security strategy is a clear priority for more forward-thinking organizations — defined as having increased their security effectiveness by at least 25 percent over a two-year period. Sixty-eight percent of survey respondents have significantly changed their approach to security management in recent years. These changes include creating a chief information security officer (CISO) role, allocating a dedicated security budget, and significantly expanding the security team. Forward-thinking companies also align their security strategy with their overall business objectives to improve security across strategy, technology, and governance. The study notes that by implementing these security best practices, organizations improved their security effectiveness by 53 percent.  </p><p>Accenture says organizations also can make cybersecurity a competitive advantage by:</p><ul><li>Eliminating security silos.</li><li>Evolving the C-suite into security champions.</li><li>Embracing innovative solutions.</li><li>Streamlining their IT security infrastructure.</li><li>Creating greater visibility into security processes.</li></ul><h2>Disaster Recovery Planning</h2><p>Disaster recovery planning focuses on business impact scenarios, risk management, and response and recovery from business disruptions. For a long time, organizations' disaster recovery planning efforts focused on business impacts from natural or physical disasters. 
More recently, they incorporated potential terrorist activities into business impact scenarios. Now those scenarios should include cyber threats, as well. </p><p>Inherently, this is a natural progression of threats over time. Crisis management and response planning are really elements of disaster recovery planning. Because disaster recovery planning for most organizations is an enterprise-level activity, it would be more efficient to incorporate cybersecurity into this established process. </p><h2>Other Advancements</h2><p>Organizations are implementing several strategies to manage cybersecurity threats. Besides the ones discussed previously, others include: </p><ul><li>Incorporating the cybersecurity strategy into the organization's enterprise risk management (ERM) process.</li><li>Establishing a structured, well-thought-out, crisis management strategy. </li><li>Regularly updating the board on the organization's information security posture and current cybersecurity landscape.</li><li>Incorporating into the disaster recovery planning activities cybersecurity scenarios that disrupt the organization's business, including effects on reputation, loss of data, and business.</li><li>Having the CISO report directly to the board. </li><li>Creating standard question-and-answer documents for customer organizations that inquire about the organization's data security and privacy practices, such as data encryption, two-factor authentication, and data loss prevention processes.</li></ul><h2>Additional Opportunities</h2><p>As the cybersecurity threat landscape evolves and as organizations improve their approach to managing these threats, internal audit can play an active role in helping the organization address these issues. Many organizations see cybersecurity as a new threat and create new processes to mitigate the new risk. 
However, internal auditors could suggest incorporating the new risk mitigation strategies into existing enterprisewide processes such as ERM and disaster recovery planning efforts. These long-time processes typically have well-designed methodologies that provide a cost-effective means to manage cyber threats. </p>James Reinhard
Digital Signatures Deciphered<p>In today’s digital business environment, internal auditors have to assess the risk and security of large volumes of digitally originated transactions and documents. Among the many methods, protocols, and products for securing online transactions are digital signatures. For example, the mortgage industry uses digital signatures for approving real estate negotiations by affixing them to price or contract changes until both parties agree on terms and a price. Once they have reached an agreement, the parties execute the title transfers with a notarized ink signature.<br></p><p>Digital signatures improve efficiency, provide security around transactions, and enhance collective approvals in a fraction of the time compared to conventional ink signatures. Nonetheless, there is always the danger and fear of unauthorized or malicious use of digital signatures. Internal auditors and organizations need to assess the level of risk and to what extent the organization should secure its digital signature platform. Moreover, auditors should consider the trade-off between the level of risk digital signatures pose and the level of authentication required to provide desired levels of assurance while accepting them.<br></p><h2>Proof of Authenticity</h2><p>A digital signature is an electronic sound, symbol, or process attached to or logically associated with a record and executed by a person with the intent to sign the record. In layman’s terms, it is a person’s electronic expression of agreement to the terms of a particular document with the intent to sign. A scanned or photographed image of a written signature does not constitute a digital signature, as it is analogous to affixing a rubber stamp of the signature that can be duplicated or misused without the signer’s knowledge. 
Instead, digital signatures provide a secure encryption environment for the data associated with a signed document and verify the authenticity of a signed record.<br></p><p>To authorize transactions, digital signatures use a combination of content capture, method of signing, data, and user authentication. They use electronic authentication to establish confidence in user identities that are electronically presented to an information system. Individual authentication is the process of establishing an accepted level of confidence and assurance for an accepted level of risk.<br></p><table width="100%" cellspacing="0" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;"><strong>How Digital Signatures Work</strong><br><br>Digital signatures use private/public keys and hash results of the original and destination documents. The digital representation or summary of the document that is unique to a message, the <em>origin-hash result</em> (OHR), is created by the hash function of the digital signature software. In turn, this software uses the signer’s <em>private key</em> to transform the hash result into a digital signature that is unique to the message. Upon receipt of the document, the receiving computer computes a new <em>destination-hash result</em> (DHR) from the transmitted message by using the same hash function that was used to create the digital signature. Using the corresponding <em>public key</em> and the DHR, the receiving computer confirms whether the affixed digital signature was created using the matching private key and whether the OHR and DHR match. If both the keys and the hash results match, the validity of the message, signer, and receiver is verified.<br></td></tr></tbody></table><p>There is a direct relationship between the associated risk and the complexity of authentication needed to provide a higher degree of assurance in the use of digital signatures. 
Higher levels of assurance need complex, multifactor authentication methods that, in turn, require a secure IT infrastructure and user training. This correlation poses a trade-off challenge to auditors and organizations willing to accept digital signatures, thereby compelling them to identify those business processes that require an optimum level of authentication to offset risks.<br></p><p>Digital signatures are built on an encryption/decryption technology that a) collects evidence of the document such as metadata and IP address, b) verifies the identity of a signer and receiver, and c) provides an audit trail of the transactions. This technology uses a public key infrastructure (PKI) in which the signer uses his or her private key to encrypt the document and the recipient uses the corresponding public key to decrypt it (see “How Digital Signatures Work” at right). A digital signature requires a signer to establish a certificate-based digital ID, commonly enclosed in a token, smart card, or other physical device, to provide a high level of authentication, integrity, and security to the transaction and the identity of the parties signing. The executor or signer is presumed to be legally responsible for any document signed with a private key.<br></p><p>The important consideration when assessing the risk for digital signatures is their provisioning through e-mail communications, which makes Internet security critical. If the e-mail platform is compromised, the digital signature and PKI lose their authenticity and validity.<br></p><h2>The Risk–Assurance Trade-off</h2><p>“Digital Signature Risk to Authentication” on this page depicts the trajectory for risk tolerance versus level of authentication for a typical business process. The trajectory slope may vary with the nature of the business process. 
For example, financial transactions, approvals, or decisions generally have a higher degree of risk, based on their monetary value, than administrative functions such as leave requests.<br></p><p><img class="ms-rteiaPosition-2" src="/2015/PublishingImages/Hullavarad-Digital%20Signature%20Risk%20to%20Authentication.jpg" alt="Digital Signature Risk to Authentication" style="margin:5px;width:450px;height:380px;" />The digital signature risk-to-authentication (SRA) model depicted in the chart provides a framework for internal auditors to establish the desired level of trust for an electronic transaction, as well as the authenticity, integrity, and reliability of such transactions. This can be accomplished through a quantitative risk assessment for each transaction specific to a functional unit by estimating the risk and the likelihood of occurrence. Use of the SRA model can give internal auditors an understanding of internal controls and security needed when their organization implements digital signatures.<br></p><p>The SRA model provides a semi-quantitative approach to assessing the risk associated with a given level of authentication used to provide a digital signature. As a general rule, the higher the level of authentication, the lower the likelihood that an incident, or breach, will occur and the lower the risk. Although the nature of the risk versus authentication curve may be different for different business processes, the pattern will tend to follow the path of reduced risks for higher authentication. Internal auditors or management can develop a risk chart based on the formula: <em>Risk (R) = Likelihood of occurrence of event (L) x Magnitude (M)</em>.<br></p><p>To illustrate the formula, assume that one in 30 email accounts is hacked. Based on this assumption, the risk can be calculated by assessing the monetary magnitude of the effect of hacked emails on an organization. 
The trade-off zone depicted in the chart provides an opportunity window to secure the digital signature environment to achieve the desired level of assurance, thereby enabling organizations to identify those processes that require optimum levels of authentication to offset risks.<br></p><p>The key factor to consider in implementing digital signatures is to identify the level of risk tolerance and the associated risk for a business process. Institutional risks may involve financial, brand-value reputation, and other key administrative communication. Based on the various types of business processes and the level of severity, the assurance levels — which are a combination of authentication and validation — as well as the trust levels must be established by the appropriate business-unit management. To secure an electronically signed document as evidence, auditors should consider the risks associated with the signing process and with the significance of the information. Security must be approached with the objective of managing potential risks and should be weighed against the level of authentication needed to achieve the desired level of risk tolerance (see “Authentication Levels” below).<br></p><p>Internal auditors can use this model to assess the risk/assurance needed for digital signatures. Because systems are imperfect, auditors should consider the reliability of the information obtained through the digital signature validation process. 
For example, they should consider whether digital signatures can enhance internal control over online sales orders by authenticating the validity of customers.</p><p><img class="ms-rteiaPosition-4" src="/2015/PublishingImages/Hullavarad-Authentication-Levels.jpg" alt="Authentication Levels" style="margin:5px;width:750px;height:303px;" /><br></p><h2>Digital Assurance</h2><p>As the Internet is an essential tool for transmitting digital signatures, it is necessary to have a secure transmission process that ensures a document signed through a digital signature is not tampered with by a third person and reaches the recipient in the form in which it left the signatory. Organizations also need to determine which business processes are not appropriate for digital signatures, such as creating wills, testamentary results, and certain types of contracts.<br></p><p>Internal auditors and their organizations need to identify the various processes for which they plan to use digital signatures, as well as perform a comprehensive risk assessment of those processes. The digital signature risk to authentication model can help auditors assess the level of authentication suggested for a specific business process to ensure it provides the desired level of assurance. <br> <span class="ms-rteiaStyle-authorbio">Shiva Hullavarad, PHD, is statewide ECM/ERM System Administrator with the University of Alaska System in Fairbanks.<br>Russell O’Hare, EDD, CRM, is chief records officer with the University of Alaska System.<br>Ashok Roy, PHD, CIA, CFSA, CBA, is vice president for finance and administration with the University of Alaska System.</span></p>
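<p>The sidebar “How Digital Signatures Work” above describes hashing the document (the origin-hash result, OHR), transforming that hash with the signer’s private key, and having the receiver recompute the hash (the destination-hash result, DHR) and check it against the signature with the public key. The Python below is an added example written for this page, not the article authors’ or any vendor’s code; it uses textbook RSA without padding and a constructed 512-bit key (generated at run time with a Miller-Rabin test) purely to make that OHR/DHR comparison visible, and shows that a tampered record or the wrong public key fails verification.</p>

```python
"""Sign/verify flow from the "How Digital Signatures Work" sidebar, as added
example code (not the article authors' code). Textbook RSA without padding and
a constructed 512-bit key are used only to make the mechanism visible; real
deployments use RSA-PSS or ECDSA from a vetted library."""
import hashlib
import random


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; probabilistic, adequate for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    """Draw odd candidates of exactly `bits` bits until one passes the test."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512, seed=None):
    """Return (public_key, private_key) as ((n, e), (n, d)).
    n has `bits` bits, so a SHA-256 digest read as an integer is always < n."""
    rng = random.Random(seed)   # seed only so the demo is reproducible
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def hash_result(record):
    """The sidebar's hash function: SHA-256 of the record bytes, as an integer.
    Computed by the signer it is the OHR; recomputed by the receiver it is the DHR."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big")


def sign(private_key, record):
    """Transform the origin-hash result (OHR) with the signer's private key."""
    n, d = private_key
    return pow(hash_result(record), d, n)


def verify(public_key, record, signature):
    """Receiver side: recompute the DHR, undo the private-key transform with the
    public key, and accept only if the recovered OHR equals the DHR."""
    n, e = public_key
    recovered_ohr = pow(signature, e, n)
    return recovered_ohr == hash_result(record)


if __name__ == "__main__":
    # Constructed sample record (a contract price change, not real data)
    contract = b"Purchase price amended to USD 350,000; signer: buyer@example.org"
    public_key, private_key = generate_keypair(seed=2015)
    sig = sign(private_key, contract)
    print("original record verifies:", verify(public_key, contract, sig))
    # One changed digit gives a different DHR, so it no longer equals the OHR
    tampered = contract.replace(b"350,000", b"850,000")
    print("tampered record verifies:", verify(public_key, tampered, sig))
    # A signature checked against someone else's public key fails the same way
    other_public, _ = generate_keypair(seed=2016)
    print("wrong key verifies:", verify(other_public, contract, sig))
```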
Securing Broker-dealers<p>Financial firms have been prime targets for network and data attacks. A recent U.S. Financial Industry Regulatory Authority (FINRA) report (PDF) describes how securities firms such as broker-dealers are protecting themselves from cyberrisks and provides recommendations for improving their security measures. </p><p>"Broker-dealers face a variety of rapidly evolving cybersecurity threats, which require a well-designed and adaptable cybersecurity program," says Susan Axelrod, executive vice president for regulatory operations at the independent regulator. </p><p>The Report on Cybersecurity Practices is based on a 2014 examination of U.S. securities firms and a 2011 survey of 224 firms. FINRA's research reveals that the top three threats broker-dealers face are hackers penetrating their systems, insiders compromising firm or client data, and operational risks. To help firms mitigate these threats, the report provides observations and guidance in eight areas.</p><h2>Governance</h2><p>The FINRA report recommends that firms implement an information security governance framework to help identify risks, determine their severity, and support decisions on managing them based on the organization's risk appetite. The framework should encompass policies, processes, structures, and relevant controls. </p><p>An organization's framework should emphasize management and board involvement in cybersecurity issues, FINRA advises. Insufficient involvement can make organizations more vulnerable to data and network breaches, as well as regulatory risks such as being cited under the U.S. Securities and Exchange Commission's "Red Flags Rule."</p><p>Beyond the board and top management, the framework also should incorporate views from business units, IT, risk management, and internal audit, the report states. 
Internal audit should assess the implementation and effectiveness of the cybersecurity program, especially its controls and processes.</p><h2>Risk Assessment</h2><p>The FINRA report recommends organizations perform risk assessments regularly to identify information security risks associated with their assets and vendors. The first step should be creating an asset inventory to identify the assets the organization has and their importance for protection. </p><p>Next, FINRA recommends that organizations maintain a risk assessment program to identify asset vulnerabilities, review threat and vulnerability information, document internal and external threats, determine their potential impact and likelihood, and come up with risk responses. In the agency's 2014 sweep of securities firms, more than 80 percent of firms had such programs, with many drawing on ISACA's COBIT or the ISO/IEC 27001 framework. Firms typically viewed these risk assessments as part of the organization's broader risk management process. </p><h2>Technical Controls</h2><p>The report advises organizations to implement technical controls to protect their data, as well as the hardware and software on which it is stored and processed. Key to this is a defense-in-depth strategy that applies multiple layers of security controls throughout an IT infrastructure. These layers include users, application, network and physical perimeter, server, database, and data and asset.</p><p>One of the most important controls that need to be in place is identity and access management, especially now that organizations are allowing customers and vendors access to systems, as well as access through mobile devices. Other important controls are encryption and third-party penetration testing. </p><h2>Incident Response Planning</h2><p>With security breaches becoming more common, organizations need policies and procedures for responding to incidents, the FINRA report advises. 
Response plans should detail the roles and responsibilities of individuals in the event of an incident. Some organizations have dedicated computer security incident response teams for such situations, the report notes. </p><p>Response plans should prepare for incidents that organizations are most likely to encounter, including compromises of customer personal data, data corruption, denial-of-service attacks, network intrusions, and malware. Moreover, plans should spell out the organization's strategy for containing or mitigating various types of incidents, recovery plans for systems and data, processes for investigating and assessing damage, and communication. </p><h2>Vendor Management</h2><p>The growing use of third-party vendors raises information security risks throughout the relationship's life cycle that some organizations may not be addressing. According to <em>The New York Times</em>, nearly one-third of banks surveyed by the New York Department of Financial Services don't require such vendors to inform them of information security breaches, and less than half perform on-site assessments of vendors. </p><p>The FINRA report recommends organizations manage vendor risks by performing due diligence on both prospective and existing service providers, and ensuring that contract terms are appropriate given the sensitivity of systems and data to which vendors may have access. Moreover, it advises organizations to make vendor relationships part of the organization's ongoing risk assessment and to have procedures for terminating vendor access at the end of the contract.</p><h2>Staff Training</h2><p>To address employee risk, organizations need to train personnel about information security risks, the report says. In FINRA's reviews, 95 percent of securities firms provided mandatory cybersecurity training to employees at least annually, which usually consisted of awareness training for all staff and targeted training for specific staff members. 
FINRA recommends organizations update training often to reflect changing threats.</p><h2>Cyber Intelligence and Information Sharing</h2><p>The report advises organizations to gather intelligence about cybersecurity threats to better detect and respond to them. Organizations should assign someone responsibility for collecting and analyzing threat information and have ways to communicate that information to the appropriate groups. </p><p>One source of intelligence is an information sharing and analysis center (ISAC), such as the financial services industry's FS-ISAC. In its sweeps, FINRA found that 72 percent of securities firms shared information through FS-ISAC, while half shared it with the U.S. Computer Emergency Readiness Team (US-CERT). Additionally, many large firms have established in-house threat intelligence centers.</p><h2>Insurance</h2><p>Finally, many firms reviewed by FINRA have turned to cyber insurance to transfer some of the risk or to obtain coverage for gaps that aren't addressed in their existing insurance policies. That may accelerate this year, as Lloyd's of London reports a 90 percent increase in cyber insurance applications in the first quarter of 2015 compared with the same quarter last year. </p><p>FINRA recommends organizations that need coverage evaluate how insurance plans would enhance their ability to manage the financial impact of a security incident. Organizations that already have cyber insurance should assess the adequacy of their coverage in light of their risk assessment.</p>
Get a View Into Suspicious Transactions<p>The U.S. Centers for Medicare and Medicaid Services’ June 2014 Report to Congress on Medicare’s Fraud Prevention System (FPS) describes how the state-of-the-art predictive analytics system identified US$210 million in savings during its second year of operation. The FPS’ ability to identify savings illustrates the power of data analytics to detect suspicious transactions.<br></p><p>Internal audit can leverage analytics technologies to audit for similar transactions within its own organization. Data visualization is an analytic tool that can allow auditors to rapidly interrogate an entire transaction history or database to identify the most suspicious transactions to investigate.<br></p><h2>A Fraud Risk Tool</h2><p>The internal audit department at one Fortune 500 company applied data visualization tools to a project to assess fraud risk. The first phase of the risk assessment identified several high-risk scenarios such as processing duplicate payments, paying multiple invoices for the same purchase, and submitting payments to false vendors. In the second phase, the review team deployed a data visualization tool to the existing data sets.<br></p><p>The first step involved planning and setting specific project-review objectives. The review team interviewed key process stakeholders to learn the financial process flow and studied the database structure and data dictionary. For this specific database, the team collected 700,000 transactions for a 12-month period.<br></p><p>Once the review team had loaded the transaction data into a data analytics software tool, it began the time-consuming job of cleansing and normalizing the data to support the project objectives. 
The data came in four different files and required three iterations to eliminate any false positives and meaningless data, as well as to provide data that could be released for an initial analysis.<br></p><h2>Creating Scripts</h2><p>The review team used its initial analysis to review and understand the expense types, attributes, characteristics, relationships, definitions, and unique data properties, giving it comfort with the entire data population and ensuring any results extracted from the total data set reflected the true nature of the data. This analysis enabled the team to organize the data for visualization.<br></p><p>Because the review team lacked experience using the data visualization tool, it contracted with a consulting firm for guidance and assistance in coding the visualization scripts. The team and consultants collaborated to prepare the scripts, define the data attributes, and determine which flags to set as conditions to search and identify transactions.<br></p><p>The consulting firm took the review team’s objectives and developed a set of scripts to capture certain data attributes and characteristics for presentation purposes. For example, the review team determined which transaction types represented risks that were higher than average. Other attributes the review team wanted to analyze included unusual transaction amounts, expenses submitted by terminated employees, and duplicate expenses, especially multiple transactions made on the same day, for the same amount, and to the same vendor. The team also used the tool to identify unusual high-dollar or volume transactions made by job classification. For example, comparing a buyer who travels frequently to a salesperson who stays in one location would reveal drastically different spending patterns.<br></p><h2>Visual Analysis</h2><p>Using the visualization tool scripts, the review team generated different reports and data representations. 
Easy-to-use dialog boxes enabled staff members to request reports to interrogate the underlying data. One of the most valuable reports they generated showed the highest expense spending by a single individual in chart form (see “Employee Expense Visualization”).</p><p><img src="/2015/PublishingImages/Employee-Expense-Visualization.gif" class="ms-rteiaPosition-2" alt="Employee Expense Visualization" style="margin:5px;" />As part of its deliverable, the consulting firm provided documentation and trained the review team to take over scripting the data visualization tool. The team became more comfortable with collecting, normalizing, and analyzing the data, as well as with building and running the data visualization and then turning over a read-only version for users to run “what if” scenarios and identify suspect transactions.<br></p><h2>Generating Solid Evidence</h2><p>Data visualization can enable auditors to provide management with reports that illustrate suspicious transactions in real time. Instead of sifting through information manually or based on one characteristic, auditors can use data visualization to identify anomalies visually by looking for outliers from expected results and focusing on transactions that have multiple flagged characteristics. Displaying all the underlying transactions that make up a suspicious pattern gives internal auditors solid evidence to support the finding.<br></p><p>The Fortune 500 company’s CAE notes that implementing data visualization and predictive analysis should be internal audit’s ambition. In today’s world, mining data to establish “what happened” is interesting, but answering the question “why?” and being able to venture “what’s next” is more valuable. <br> <span class="ms-rteiaStyle-authorbio">Steve Mar, CFSA, CISA, is the IT audit director for a U.S. specialty retailer.<br>Michelle Kha, CISA, and Tricia Hardie, audit principals, contributed to this article.</span></p>
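<p>The flags the review team scripted (duplicate expenses on the same day, for the same amount and vendor; claims filed by terminated employees; amounts out of line with the claimant's job classification) are straightforward to implement directly. The following is an added example written for this page, not the review team's or the consulting firm's scripts: the records, the HR termination feed, the field layout and the threshold of five times the job-class median are all constructed assumptions. It also ranks transactions by how many flags they carry, which is the "multiple flagged characteristics" view the Generating Solid Evidence section describes.</p>

```python
"""Expense-claim screening: duplicates, claims from terminated employees,
and amounts far outside the norm for the claimant's job class.
Example code written for this page; all data below is constructed."""
from collections import defaultdict, namedtuple
from statistics import median

Txn = namedtuple("Txn", "id employee job_class date vendor amount")

# Constructed expense transactions (dates are ISO strings, which sort correctly).
TRANSACTIONS = [
    Txn("T1", "E100", "buyer",        "2014-03-02", "Delta Air",   812.40),
    Txn("T2", "E100", "buyer",        "2014-03-02", "Delta Air",   812.40),  # duplicate of T1
    Txn("T3", "E100", "buyer",        "2014-03-09", "Marriott",    645.00),
    Txn("T4", "E200", "sales_inside", "2014-03-03", "Office Depot", 48.15),
    Txn("T5", "E200", "sales_inside", "2014-03-11", "Office Depot", 61.90),
    Txn("T6", "E200", "sales_inside", "2014-03-20", "Delta Air",  2950.00),  # far above class norm
    Txn("T7", "E300", "sales_inside", "2014-03-05", "Staples",      39.99),
    Txn("T8", "E300", "sales_inside", "2014-03-18", "Staples",      44.10),
    Txn("T9", "E400", "buyer",        "2014-04-01", "Hertz",       210.00),  # filed after termination
]

# Constructed HR feed: employee -> termination date, or None if still active.
TERMINATIONS = {"E100": None, "E200": None, "E300": None, "E400": "2014-03-15"}


def find_duplicates(txns):
    """Same employee, day, vendor and amount filed more than once."""
    seen = defaultdict(list)
    for t in txns:
        seen[(t.employee, t.date, t.vendor, t.amount)].append(t.id)
    return {tid for ids in seen.values() if len(ids) > 1 for tid in ids}


def find_terminated(txns, terminations):
    """Claims dated on or after the claimant's termination date."""
    flagged = set()
    for t in txns:
        term = terminations.get(t.employee)
        if term is not None and t.date >= term:
            flagged.add(t.id)
    return flagged


def find_class_outliers(txns, factor=5.0):
    """Amount more than `factor` times the median for the job class.
    The median, not the mean, so a single large claim does not hide itself."""
    by_class = defaultdict(list)
    for t in txns:
        by_class[t.job_class].append(t.amount)
    med = {c: median(v) for c, v in by_class.items()}
    return {t.id for t in txns if t.amount > factor * med[t.job_class]}


def score(txns, terminations):
    """Flags per transaction, most-flagged first: the review queue."""
    flags = {
        "duplicate": find_duplicates(txns),
        "terminated_employee": find_terminated(txns, terminations),
        "class_outlier": find_class_outliers(txns),
    }
    report = {}
    for t in txns:
        hits = [name for name, ids in flags.items() if t.id in ids]
        if hits:
            report[t.id] = hits
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for tid, hits in score(TRANSACTIONS, TERMINATIONS).items():
        print(tid, ", ".join(hits))
```

On a real 700,000-row extract the same three functions run unchanged over a list built from the cleansed file; the only tuning a team would do is the outlier factor and the duplicate key (some would drop the vendor so that the same amount at two vendors on one day is also surfaced).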
Editor's Note: The Continuous Audit<p>In today’s ever-evolving business environment, it is clear that internal auditors need to constantly align — and realign — their audit coverage to address emerging risks and avoid damaging surprises. But are audit functions up to the task?<br></p><p>The latest North American Pulse of Internal Audit report from The IIA’s Audit Executive Center indicates they are — to an extent. More than half of the 311 CAE and audit management level respondents to the Pulse survey say internal audit’s biggest challenge in continuously assessing risks is its ability to identify emerging risks and incorporate them into the audit plan. However, nearly 90 percent of respondents say their audit planning is designed to be responsive to changes in the organization’s risk profile.<br></p><p>To be sure, 61 percent of respondents say their audit functions have the resources and expertise to assess risks continuously and analyze their potential impact to the business model. However, audit functions are waging a battle for talent, with 40 percent of those surveyed saying attracting and retaining talent is a high or critical priority.<br></p><p>The need for both a broader and deeper understanding of critical business issues comes across loud and clear in recent research by the ERM Initiative at North Carolina State University. According to the study, 59 percent of senior finance executives say the volume and complexity of risks facing their companies have changed “extensively” or “mostly” in the last five years. And 65 percent say their organization was caught off guard by at least one operational surprise “somewhat” or “extensively” during that time.<br></p><p>Continuous assessment of emerging risks can be more of a challenge for small internal audit departments than for larger, better-resourced functions. 
In our cover story, “Small Audit Functions, Big Ideas,” author Arthur Piper looks at the practices some small audit departments implement to ensure they provide comprehensive, continual assessments of the risks facing the organization.<br></p><p>According to the Pulse report, geopolitical, macroeconomic, and cyber-related risks will put enormous pressure on many internal audit functions to raise their game. Given the significance of these emerging risks, it is imperative that internal audit functions be able to assess risk on a continuous basis. As the authors of the report state, “In today’s fast-paced operating environments, internal auditors need to audit at the speed of risk.”</p>
Cyberrisk on the Agenda<p>With cybersecurity becoming a greater priority for both corporate leaders and their internal auditors, the organizations that are the best at managing information security risks are the ones whose boards are most engaged in addressing them, a recent Protiviti report observes. The report, From Cybersecurity to Collaboration (PDF), surveyed 800 internal auditors worldwide.</p><p>Thirty percent of respondents say their organization's board is highly engaged with the information security risks facing the business, while 41 percent say the board has medium engagement and 14 percent say it has low engagement. Respondents say high board engagement translates into greater confidence in the organization's ability to identify (47 percent), assess (43 percent), and mitigate (39 percent) cyberrisks to an acceptable level. </p><p>Moreover, organizations with high board engagement (69 percent) are more likely than other organizations (46 percent) to include cybersecurity in their internal audit plan. Overall, 53 percent of respondents say evaluating and auditing cyberrisks is part of their audit plan, while another 27 percent expect to add it to next year's plan. Top cyberrisks they are addressing include data security, brand and reputational damage, regulatory and compliance violations, leakage of employee personal information, and viruses and malware. </p><p>"Across the globe, businesses are continuing to experience cybersecurity issues, challenges, and breakdowns," says Brian Christensen, executive vice president of Protiviti's global internal audit and financial advisory group. 
"Those professionals who continue to engage board members and define cybersecurity measures within their annual audit plans will be poised to effectively mitigate future threats."</p><h2>Cyberrisk Assessment</h2><p>Protiviti's findings are comparable to responses to The IIA's latest North American Pulse of Internal Audit survey, in which 69 percent of the 311 internal audit respondents view cyber threats as a critical or high priority. Organizations that include cybersecurity in their audit plan are more likely to have a cybersecurity risk strategy and policy, Protiviti reports. Seventy percent of organizations that have included information security in their audit plan also have a cyberrisk strategy, and 65 percent have a cybersecurity policy in place. Among organizations that didn't include it in their audit plan, the percentages were 42 percent and 39 percent, respectively. </p><p>Most responding organizations address cyberrisks in their overall risk assessment or through a separate assessment. In organizations that perform such assessments, human resources (69 percent), internal audit (48 percent), and executive management (44 percent) have the most significant involvement. Seventeen percent say the audit committee is significantly involved, and another 43 percent say it is moderately involved.</p><h2>Cyber Skills in Demand</h2><p>Moves by internal audit departments to focus more on cyberrisks are complicated by their continued struggle to fill information security skill gaps. Protiviti's respondents say auditing IT security is the audit process area they most need to improve. They rate learning the U.S. National Institute of Standards and Technology's (NIST's) Cybersecurity Framework, released in 2014, second among general technical knowledge areas needing improvement. In all, 12 of the 13 top "needs improvement" areas cited in the report pertain to IT risks and directives. 
</p><p>Respondents to The IIA's Pulse survey ranked cybersecurity and privacy third in terms of skills their departments are lacking. These skills are the second-most difficult to hire, behind general IT skills, respondents say. To fill the void, 37 percent of respondents' organizations are outsourcing for these skills, while 23 percent are recruiting them.</p><h2>Taking Action</h2><p>Faced with growing cyberrisks, greater board interest, and a skills gap, the Protiviti report advises internal audit to take several actions. Chief among these are working with the board and management to develop a cybersecurity strategy and policy and seeking to increase the organization's ability to identify, assess, and mitigate information security risks "very effectively." Other recommended actions include:</p><ul><li>Recognizing the potential for breaches due to employee or business partners' actions.</li><li>Heightening the board's awareness of cyberrisks and its engagement in cybersecurity matters.</li><li>Integrating cyberrisk into the audit plan.</li><li>Evaluating the cybersecurity program against the NIST Cybersecurity Framework and other frameworks.</li><li>Making cybersecurity monitoring and incident response a top management priority.</li><li>Addressing audit staffing and resource shortages.</li></ul><p>In its introduction, the Protiviti report asks, "Will 2015 be a repeat of 2014 and become the year of the data breach?" Every week, there seem to be new security incidents in the headlines and new reminders that organizations aren't as prepared as they should be — or believe themselves to be. As the Protiviti report suggests, internal audit can contribute to making cybersecurity a priority with corporate leaders and an integral consideration in business processes. But many internal audit departments have much to do before they are capable of making a difference in security initiatives.</p>
Tech Fraud and the Small Business<p>Like large companies, small companies may become victims of computer hardware thefts that can expose company information and records. Small businesses are easy prey for hackers, too. <em>The New York Times</em> recently reported that hackers have broken into the phone networks of small companies, rerouting thousands of unauthorized calls to premium-rate overseas numbers and leaving the affected businesses with more than US$100,000 in charges.<br></p><p>When small businesses and startup companies experience a fraudulent event, they may be hit disproportionately harder than larger organizations and have more difficulty absorbing the losses. For those companies, a significant fraud incident can harm their reputation, cost innocent employees their jobs, cause personal investments to be lost, and make creditors wary of helping the victimized business in the future. Despite such threats, many small-business executives underestimate their company’s fraud risk.<br></p><p>Small firms are particularly unprepared for today’s sophisticated high-tech frauds. Internal auditors can help educate small-business owners and executives about such threats and conduct reviews to identify potential vulnerabilities.<br></p><h2>Small and Vulnerable</h2><p>Small companies are disproportionately affected by fraud. In the past two years, 29 percent of reported occupational fraud cases occurred at companies with fewer than 100 employees, according to the Association of Certified Fraud Examiners’ (ACFE’s) <em>2014 Report to the Nations</em>. The median loss per fraud scheme for a small business is US$154,000, the ACFE reports. 
Small companies tend to be more susceptible to employee misconduct, lapses in technology oversight, unauthorized technology changes, a lack of internal controls, and inadequate segregation of duties.<br></p><p>Asset misappropriation is the most common fraud among all businesses, occurring in 85 percent of cases, although it typically is the least costly fraud. Corruption schemes make up one-third of small-business fraud cases, while financial statement fraud happens in 12 percent of such cases.<br></p><p>Many technology-related frauds spawn from information security incidents such as data breaches. The Ponemon Institute, an independent privacy and security research organization, reports that 55 percent of responding small businesses have had a breach, and 53 percent have had multiple breaches. But technology-related fraud can come from within, too. IT personnel were perpetrators of fraud in 3 percent of cases, the ACFE notes.<br></p><h2>Reducing Risk</h2><p>Internal auditors at small companies can help their organization reduce the risk of technology-related fraud. They should start with fraud basics like educating management about the signs of fraud and likely perpetrators, such as employees who are living beyond their means or experiencing financial difficulties.<br></p><p>From there, auditors should advise management about the many tangible and inexpensive actions even small businesses can take to address fraud, including implementing a code of conduct and anti-fraud policy. To detect wrongdoing sooner, executives should implement a whistleblower hotline that employees, customers, and vendors can access by phone and through the company’s intranet and extranet. According to the ACFE report, only 18 percent of small companies have fraud hotlines, compared with 68 percent of other businesses, yet hotlines reduce the median duration of fraud from 24 months to 12 months. 
Building fraud training into the internal audit plan can help educate employees about fraud red flags and empower them to speak up about possible incidents.<br></p><p>Beyond these basics, internal auditors at small firms need to address the likely technology enablers of fraud and review the effectiveness of their organization’s safeguards.<br><br><strong>Watch out for the top causes of technology-related fraud.</strong> Many types of network attacks can put small companies at risk of fraud. For example, phishing emails are a significant threat for small businesses and startups because they may have no policy on handling such emails, may not monitor for phishing messages, and may not know how to respond to an incident that starts when someone replies to a message or clicks a link it contains.<br></p><p>Small businesses are particularly vulnerable to data breaches and hacking attacks, which typically target electronic records. Auditors should look for leading causes of breaches such as employee or contractor errors, procedural mistakes, and lost or stolen laptops, smartphones, and storage media.<br></p><p>Small companies also need to guard against identity theft. Identity thieves seek their business account information, employer identification numbers, bank account numbers, or even key employees’ Social Security numbers. 
Making matters worse, small businesses do not receive the same protections as consumers in identity-theft cases.<br><br><strong>Plan regular and surprise audits in areas that may pose greater risk.</strong> Based on the company’s risk assessment, internal audit should conduct an occasional deeper-dive review of areas with potential risk from technology-related fraud.<br></p><ul><li>An intellectual property audit can assess the types of sensitive information the company retains — such as credit card and personally identifiable information — what it is used for, and where it resides on the organization’s computers and servers. Auditors can confirm whether the sensitive data is isolated or segregated, and determine whether encryption is used to protect it.<br></li><li>Internal audit should test information security controls for the company as well as for outsourced vendors. Such tests should confirm the use of strong passwords, regular password changes, and regular updates of antivirus and anti-spyware software on computers and servers. Auditors should verify that the company uses an encrypted connection such as TLS (the successor to Secure Sockets Layer; SSL 2.0 and 3.0 are obsolete and should be disabled) to protect sensitive data in transit across the Internet and that its wireless networks are encrypted, for example with WPA2. Also, they should check that the company has implemented privacy and security policies — including what can be downloaded and appropriate use of social media — and that the company has processes in place to monitor what is being said online. 
Moreover, internal audit should review Service Organization Control (SOC) reports covering outside vendor services and confirm that the controls are appropriate for the organization.<br></li><li>Other areas internal audit should review are financial operations, cash-handling processes, inventory, and related-party transactions.<br></li></ul><h2>A Matter of Survival</h2><p>While the ACFE estimates that the typical organization loses 5 percent of its revenues to fraud each year, that can be a high price to pay for a young company trying to generate income and get off the ground. Internal auditors at small companies need to help the business prevent and monitor for technology-related fraud or run the risk that it will become a victim. <br></p>
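<p>One way to start the sensitive-data inventory the first review area above calls for, as an added example not drawn from the article: a scan of file contents for payment card numbers and U.S. Social Security numbers. The file paths, contents and the two patterns are constructed assumptions; the card numbers are the published Visa and Mastercard test numbers, and the Luhn check is what keeps ordinary 13- to 19-digit order and tracking identifiers out of the results. Findings are masked to the first six and last four digits so the audit workpaper does not itself become a copy of the data it is looking for.</p>

```python
"""Locate card numbers and SSN-shaped values in files at rest, as one
input to a sensitive-data inventory. Written for this page; the sample
file contents are constructed, and the two patterns are a starting
point, not a complete classifier."""
import re

# 13 to 19 digits, optionally separated by spaces or dashes, and not part
# of a longer run of digits (so a 22-digit tracking ID does not match).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
# U.S. SSN in the common dashed 3-2-4 form.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: from the right, double
    every second digit, subtract 9 if that exceeds 9, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(number: str) -> str:
    """Keep first six and last four digits, the usual masking for reports."""
    return number[:6] + "*" * (len(number) - 10) + number[-4:]


def find_cards(text: str) -> list:
    """Luhn-valid card numbers found in text, with separators removed."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    return SSN_RE.findall(text)


def scan(files: dict) -> dict:
    """files maps path -> contents. Returns only paths with findings; card
    numbers are masked so the report does not itself hold full PANs."""
    report = {}
    for path, content in files.items():
        cards = find_cards(content)
        ssns = find_ssns(content)
        if cards or ssns:
            report[path] = {"cards": [mask(c) for c in cards], "ssns": ssns}
    return report


# Constructed sample "files". 4111 1111 1111 1111 and 5500000000000004 are
# the well-known Visa and Mastercard test numbers; 4111-1111-1111-1112
# fails the Luhn check on purpose and must not be reported.
SAMPLE_FILES = {
    "finance/refunds_2014.csv": (
        "order,card,amount\n"
        "10021,4111 1111 1111 1111,59.00\n"
        "10022,4111-1111-1111-1112,12.50\n"
    ),
    "hr/onboarding.txt": "New hire J. Doe, SSN 078-05-1120, start 2014-03-01\n",
    "ops/notes.txt": "Helpdesk 555-0100, invoice 2014-03-1100, tracker 1234567890123456789012\n",
    "sales/card_on_file.txt": "Test card on file: 5500000000000004\n",
}

if __name__ == "__main__":
    for path, found in scan(SAMPLE_FILES).items():
        print(path, found)
```

In a real review the dictionary would be fed from a directory walk over file shares, mailbox exports and database dumps; the point of the exercise is the list of locations that come back, which is what the auditor then tests for segregation and encryption.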
