<h1>CAE Action Steps in Response to Recent Cyberattacks</h1>
<p>By now nearly every chief audit executive (CAE) has heard of the wave of cyberattacks that rolled out across the globe over the last week. While there is no certainty that we currently know all the details about what allowed this attack to be so successful — or the scope of its impact — there are some key concepts for CAEs to keep in mind and action steps they can take in the near future to help their organizations address this type of risk.</p>
<p><strong>Cyberthreats are constantly changing and never-ending.</strong> What was experienced last week was different from prior significant issues, and will probably be different from future issues. Organizations need to be up to date and flexible, and to address cyber risk holistically. The next major attack on your organization could very well be something you were not expecting. In addition, the hard reality is that the "next" attack has possibly already happened; you just have not found it yet. Cyberthreats are a constant risk requiring you to look forward, not in the rearview mirror. It cannot be a checklist topic driven by past experiences.</p>
<p><strong>The primary focus of cyber risk must be its business impact.</strong> What is important is the impact of a cyberattack on business processes, reputation, the ability to accomplish objectives, etc. Relegating a cyberattack to merely the result of bad operating practices for testing and installing patches misses the critical question — how does the attack impact the business? Any risk assessment and consideration of responses to cyber issues needs to start with an evaluation of how attacks could impact business operations. For those old enough to remember, this is analogous to Y2K. The issue there wasn't computer systems shutting down, but the impact on the ability to conduct critical business activities.</p>
<p><strong>Risk assessment is hard, especially with the type of risks into which cyber falls.</strong> Cyber risk can be either high-likelihood low-impact or low-likelihood high-impact — or probably both. The low-impact issues are relatively easily handled by good IT practices. The high-impact but infrequent risks are much more complicated and need much more attention to assess. For example, any new cyberattack typically is high velocity (appears seemingly out of nowhere overnight), highly complex (is not isolated to only one aspect of the business), and can be highly persistent (the impact sticks around for longer than anyone wishes). Simple X-Y grids of risk assessment cannot properly consider a risk like cyber. Cyber risk assessment requires IT knowledge but, as importantly, also requires a strong understanding of the business, its activities, and its objectives. In short — it requires business acumen.</p>
<p><strong>Cyber risks involve more than protecting the "crown jewels."</strong> Many who look at cyber risk primarily focus their efforts on making sure the organization's crown jewels are protected. These are the portion of electronic data that has the most value to the organization. While you may have protected the crown jewels, many critical, routine operations may be supported by systems that have very inadequate protection.</p>
<p><strong>Cyber risk is not an "IT thing."</strong> Cyber risk is primarily a business risk magnified, modified, and mystified by being supported by IT systems. If the primary drivers of cyber risks and responses are only IT personnel, there is a high risk the approach will be unnecessarily limited and incomplete.</p>
<p><strong>Never forget the "human element."</strong> While this attack does not seem to have been primarily driven by an employee opening a phishing email, data suggests this is the source of a large number of successful cyberattacks. Training employees, communicating with them, testing them with "fake" phishing emails, training them some more, and communicating with them some more are all part of the never-ending process to help employees understand their critical role in preventing an external hack.</p>
<p>So what should a CAE do today? Management and boards are invariably buzzing about the recent wave of attacks and trying to understand their exposure to this risk. The IIA's Audit Executive Center suggests CAEs do the following:</p>
<ol>
<li>Carefully evaluate the critical operational activities of your organization and identify the supporting electronic infrastructure to ensure the scope of your organization's cyber risk assessment is adequate. Do not start from a list of systems or the protections currently in place. Start from critical business activities and reach back into the supporting infrastructure.</li>
<li>Reevaluate the robustness of the risk assessment for cyber risks. Ensure this risk assessment considers all the inherent complexities and nuances of cyber risks and is not relegated to a simplistic form of risk assessment used for less difficult risks.</li>
<li>Review business continuity plans under all the various scenarios that can result from cyberattacks — denial of service, ransomware, loss of proprietary data, etc. Ensure the plans cover all these scenarios and address how the business will keep operating, not just whether the crown jewels are protected.</li>
<li>Consider initiating ethical hacking routines to seek out vulnerabilities that could be exploited by a cyberattack. With the pace of change in technology, this should be an ongoing effort, not one done only periodically when an issue arises.</li>
<li>Review basic IT operations around patch management. This should not be a new idea, but given current events, it would probably be a good idea to accelerate the timing of this on your audit plan.</li>
<li>Review programs and efforts to keep employees well-trained and informed of their critical role in preventing cyberattacks from being successful.</li>
</ol>
<p><em>This article originally appeared on the Audit Executive Center's website.</em></p>
<p>Jim Pelletier</p>
<h1>Elevating the Board's Oversight of Cyber Risk</h1>
<p>I have known Jim DeLoach of Protiviti for a very long time. He's a friend.</p>
<p>While we may disagree on details and the way of saying things, we tend to agree more than we disagree.</p>
<p>For example, I frequently quote Jim when it comes to the periodic review of a list of risks. As he says, this is "enterprise <em>list</em> management," not enterprise risk management — which is about taking the right level of the right risks (my expression).</p>
<p>When it comes to cyber risk and the board's role, I think we again agree on more than we disagree. He has written a couple of posts for the (U.S.) National Association of Corporate Directors (the second is a continuation of his thinking):</p>
<ul>
<li>Elevating Board Oversight of Cyber Risk, March 2017.</li>
<li>Ask These Key Questions to Assess Cyber-Risk Oversight, April 2017.</li>
</ul>
<p>These are both good food for thought. But are they enough? Are his questions and insights consistent with what I would do as a board member?</p>
<p>Frankly, no.</p>
<p>I would take each of the organization's key objectives (such as the earnings target, customer satisfaction goal, and so on) and ask the executive team how a breach might affect their achievement. It's a simple question, but it's not simple for them to answer. They would have had to complete a careful assessment of the risk a breach poses to the enterprise and its effect on the various business initiatives.</p>
<p>Most don't go far enough. They may consider the effect on a critical application and its availability, or the cost of disruption, but they haven't thought through how a breach could affect the organization's ability to provide quality products and services to its customers, the organization's reputation and what that means to revenue, and so on.</p>
<p>So, I would start with a single simple question. The discussion may extend to consideration of his other points, such as the ability to detect a breach and then respond. I have decided that it is better for the board (and management, including the risk officer) to stop trying to manage or mitigate risk. Instead, they should focus on what it will take to achieve the objectives of the organization: How will potential events, situations, and decisions affect that achievement?</p>
<p>It is easy to go overboard with concern about cyber risk. Of course it is important. But is it the most significant threat to earnings per share?</p>
<p>The only way to know is to answer my question: "How would a breach affect our ability to attain our critical targets, our measures for success?"</p>
<p>I welcome your thoughts and comments.</p>
<p>Norman Marks</p>
<h1>Does Your Organization's Cyber Culture Make You #Wannaaudit?</h1>
<p>It didn't take long for social media to adopt #wannacry for last week's massive cyberattack, which hit computer networks in nearly 100 countries from the U.S. to the U.K. to China. The ransomware virus, called Wanna Decryptor, encrypted valuable data on compromised networks, then threatened to destroy it unless payments were made.</p>
<p>For those of us who have spent our careers promoting good internal controls and risk management, this latest cyberattack could indeed bring tears of frustration because the attack successfully exploited some of the most basic and easily mitigated cyber risks.</p>
<p>First, the perpetrators relied on simple phishing to introduce the virus through an email attachment, according to cybersecurity experts quoted by multiple news outlets.</p>
<p>The news media also reported that a patch to fix the vulnerabilities exploited by the specific malware was distributed by Microsoft Corp. at the end of March. Yet many of the attack's targets, including the U.K.'s National Health Service, fell victim because they failed to apply the patch.</p>
<p>It is unfathomable to me that such attacks continue to succeed, yet the global reach of Friday's attack reflects how vulnerable we remain. It has become vogue to declare that it is no longer a matter of "if" but "when" an organization will be successfully hacked. But that message, designed to urge organizations to focus beyond prevention, may be enabling weak cybersecurity cultures.</p>
<p>The recently released 2017 Data Breach Investigations Report by Verizon offers telling information that confirms just how much work is left to be done. Here's a sampling of its findings, based on analysis of data breaches in 2016:</p>
<ul>
<li>80 percent of hacking-related breaches leveraged either stolen passwords and/or weak or guessable passwords.</li>
<li>1 in 14 users were tricked into following a link or opening an attachment.</li>
<li>66 percent of malware was installed via malicious email attachments.</li>
<li>95 percent of phishing attacks that led to breaches were followed by some sort of software installation.</li>
</ul>
<p>If those statistics don't send a chill down your spine, two other key data points should:</p>
<ul>
<li>61 percent of data breach victims were businesses with fewer than 1,000 employees.</li>
<li>Ransomware has gone from being the 22nd most-common form of malware in 2014 to fifth in 2017.</li>
</ul>
<p>These statistics raise the alarming specter that organizations don't appreciate the risks they face or the value of even the most basic prophylactic cybersecurity measures. As internal auditors, we must question whether our organizations' cybersecurity cultures could unwittingly allow these breaches to happen.</p>
<p>Providing assurance on cybersecurity involves more than just looking at whether the protocols and policies designed to block or discourage cyberattacks are in place and operating effectively. We must consider how the organization's culture influences how those protections are carried out. For example, organizations may be willing to accept higher-risk behavior in email practices in exchange for higher productivity. Efforts to protect data through encryption may be undone if rules prohibiting or limiting hard-copy versions of the data are not in place or are ignored. We also must be attuned to an organization's "IT mystique," which accepts that only IT understands certain aspects of cybersecurity and therefore can't be questioned.</p>
<p>Part of the solution is for internal auditors to build cooperative relationships with IT, chief risk officers, chief information security officers, human resources, and others who manage cyber risks. This is essential for internal audit to gain a clear understanding of what drives cyber risks and what influences the organization's cybersecurity culture. It must then share those insights with management and the board.</p>
<p>I'll leave you with a number of quick takeaways from the Verizon report that offer sound advice all organizations should take to heart:</p>
<ul>
<li><strong>Be vigilant.</strong> Log files and change-management systems can give you early warning of a breach.</li>
<li><strong>Make people your first line of defense.</strong> Train staff to spot the warning signs.</li>
<li><strong>Only keep data on a "need-to-know" basis.</strong> Only staff members who need access to systems to do their jobs should have it.</li>
<li><strong>Patch promptly.</strong> This could guard against many attacks.</li>
<li><strong>Encrypt sensitive data.</strong> Make your data next to useless if it is stolen.</li>
<li><strong>Use two-factor authentication.</strong> This can limit the damage that can be done with lost or stolen credentials.</li>
<li><strong>Don't forget physical security.</strong> Not all data theft happens online.</li>
</ul>
<p>Internal auditors often deal with frustrating failures of risk management and internal controls in our organizations. Cybersecurity breaches are perfect examples of failures in multiple lines of defense. While the temptation in the face of calamitous failures is to #Wannacry, we must instead roll up our sleeves and embrace the challenges as internal audit professionals. We must #Wannaaudit.</p>
<p>As always, I look forward to your comments.</p>
<p>Richard Chambers</p>
<h1>The Drive for Data Analytics</h1>
<p>Demand for internal audit to incorporate data analytics into its work is growing, especially for departments that already are more expert, according to Protiviti Inc.'s 2017 Internal Audit Capabilities and Needs Survey of 906 internal audit professionals. Internal audit functions that have made analytics part of their audit processes are seeing real value, the survey report notes. On a 10-point scale, those respondents rate the value of analytics at 6.9.</p>
<p>"As recognition of these benefits grows, we expect to see chief audit executives work with management and the board of directors to make further investments to increase their data analytics capabilities, in terms of both tools and skill sets, as the practice of internal auditing shifts increasingly to analytics and continuous auditing and monitoring," says Brian Christensen, executive vice president, global internal audit and advisory for Protiviti.</p>
<p>Most respondents' departments have set out on the road to that future — some are going nowhere fast. Two-thirds of respondents say their department has made data analytics part of its audit process. Among the internal audit functions that haven't done so, 21 percent plan to incorporate analytics into the audit process within the next year, while 43 percent plan to within the next two years. Other audit departments (36 percent) don't plan to add analytics to their processes.</p>
<p>In terms of maturity, 40 percent say their department is at the initial, ad-hoc stage of developing their analytics capabilities, while 34 percent say they have documented analytics processes sufficiently to make the steps repeatable. That leaves 26 percent of departments that have at least made analytics a defined business practice or have reached the managed and optimized stages.</p>
<p>Overall, 42 percent of respondents report that their department uses analytics on 25 percent or fewer of its audits. Another 26 percent say their department uses it on up to half of its audits.</p>
<p>"It can be overwhelming for organizations just getting started with using data analytics," Christensen says, citing issues such as budget constraints and the need to establish processes and train auditors. "Companies just need to pick a starting point and get the help they need so that, over time, they can truly optimize their internal audit functions."</p>
<p>Departments that have reached the managed and optimized stages of maturity have seen a greater payoff from analytics. Thirty-eight percent of those departments use analytics on more than 75 percent of audits. That pushes the value of analytics up to 8.1 on a 10-point scale.</p>
<p>Accessing data is one of the biggest challenges organizations face in developing their analytics capabilities. Common problems include identifying where data is stored, system constraints, and coordination with the IT function. Furthermore, less than one-fourth of respondents say the quality of data for analytics is very good or excellent.</p>
<p>One solution to data access and quality problems is for internal audit to maintain its own warehouse of organizational data, similar to one established by internal auditors at the Canada Revenue Agency (see <a href="/2017/Pages/The-Data-Museum.aspx">"The Data Museum"</a>). Twenty-eight percent of departments using analytics have a dedicated data repository, but 55 percent of the managed or optimized audit functions have one.</p>
<p>One bright spot for audit functions with more advanced analytics capabilities is that 62 percent are practicing continuous auditing, long touted as a principal benefit of analytics. Continuous auditing enables those departments to monitor areas with known risk issues, data related to controls in scope for compliance initiatives, fraud risk indicators, and key performance indicators in operational processes.</p>
<p>Progressing to such a stage will take a long-term strategy, the survey report advises. It outlines action items for internal audit functions, including:</p>
<ul>
<li>Looking for opportunities to expand the department's knowledge of data analytics capabilities.</li>
<li>Conducting modest demonstrations of analytics capabilities in the early stages of development.</li>
<li>Establishing a champion to lead analytics efforts.</li>
<li>Expanding internal audit's access to quality data and identifying internal and external data sources.</li>
</ul>
<p>Moreover, it recommends that internal audit functions devise ways to measure the progress of their data analytics efforts and report that to stakeholders.</p>
<p>Tim McCollum</p>
<h1>The Data Museum</h1>
<p>More packets of data pass through the internet than there are grains of sand on the earth. Some organizations have already recognized the great potential that lies hidden within their operational and administrative data stores. For that reason, data management and data quality are among the most important considerations for business intelligence practitioners. However, practitioners must spend most of their effort on curating, cleaning, and preparing data before they can glean any meaningful information through analytics.</p>
<p>Increasingly, internal audit functions also are expected to use data analytics to tap into their organization's data stores. To do so, auditors need a way to understand, structure, and catalog that data so it tells a story. In the words of the movie hero Indiana Jones, "it belongs in a museum."</p>
<p>Internal auditors and data analysts within the Canada Revenue Agency's (CRA's) Audit, Evaluation, and Risk Branch (AERB) are adapting data warehousing principles to create a data museum to support internal audit engagements. This database environment contains useful data curated from various sources to describe historical and current performance levels of CRA operations and administrative activities. The data museum is intended to support a wide variety of engagements at any given time, and could increase internal audit intelligence.</p>
<p>Internal auditors, program evaluation analysts, and risk managers will be able to browse the data museum, helping them provide more insight, oversight, and foresight for the entire organization. The data will be easily accessible in a format that is ready for analysis, and auditors will be able to browse through the relevant exhibits to gain insight into the controls they are examining.</p>
<h2>Curating Data</h2>
<p>In setting up a data museum, internal audit departments need dedicated "archaeologists" to discover and curate new data sources. These individuals select data sets to add to the museum based on four criteria:</p>
<ul>
<li>Relevance – Would the data provide information about internal controls and about identifying and mitigating risk? Would it help make data-driven business decisions?</li>
<li>Reliability – Is the data relatively free from integrity issues? Would it be easy to prepare the data for permanent display and use by auditors?</li>
<li>Reusability – Will the data be able to support a critical mass of engagements?</li>
<li>Rarity – Is the data currently unavailable in a format that is ready for immediate use?</li>
</ul>
<p>In addition to curation, the data museum relies on thoughtful arrangement of exhibits into themes, similar to how traditional museums are organized. Data are extracted from the CRA's data warehouse and source systems, assessed for value, and prepared and made into exhibits that are displayed by theme for internal audit use. Some data artifacts also can be reused in multiple exhibits and categorized in other themes.</p>
<p>If a particular engagement requires new data that is not available, then a new exhibit can be created. If the new exhibit proves to be reusable for future engagements, then it can become part of the data museum's "permanent collection."</p>
<h2>The HR Exhibit</h2>
<p>One of the exhibits in the CRA's internal audit data museum contains information about all employees within the agency. The human resources (HR) exhibit is a curated set of data tables from the CRA's HR database, which was prepared and loaded into the museum. These tables include employee status, personal information, payroll, time reporting, and assignment.</p>
<p>In setting up the exhibit, the AERB studied the structure of each table and the relationships among them, allowing the department to automate some aspects of data preparation and maintenance. It used Microsoft SQL Server Integration Services to extract, transform, and load the data, which is refreshed regularly. The department also continues to search for and add new artifacts to the exhibit to keep it relevant, which enables internal auditors to retrieve recent information about any employee or group of employees.</p>
<p><strong>Using SQL</strong> The fastest way to start exploring the AERB's HR exhibit is to run query statements using Structured Query Language (SQL), which select records from the exhibit and can be exported into reports. Basic SQL statements are not difficult to formulate, and some of the department's internal auditors are already using them to browse the exhibit to access, analyze, and review its data.</p>
<p>A simple SQL statement consists of these elements and expressions:</p>
<img src="/2017/PublishingImages/Pages/the-Data-Museum/ITAudit_Simple-SQL-Statement.png" alt="ITAudit_Simple-SQL-Statement.png" style="margin:5px;width:255px;height:179px;" />
<p>Internal auditors can use the information in the HR exhibit as evidence in support of engagement observations and findings. There is also potential to uncover risks to achieving control objectives through trend analysis and data analytics.</p>
<p>The SQL statement below is an example of a simple query of the HR exhibit, which produces a list of managers and executives assigned to various cost centers within the CRA.</p>
<p><strong><em>SQL Statement (Pseudo Code)</em></strong></p>
<p><img src="/2017/PublishingImages/Pages/the-Data-Museum/ITAudit_SQL-Statement_Pseudo-Code.png" alt="ITAudit_SQL-Statement_Pseudo-Code.png" style="margin:5px;width:420px;height:163px;" /></p>
<p><strong><em>Corresponding SQL Statement (From Pseudo Code)</em></strong></p>
<p><img src="/2017/PublishingImages/Pages/the-Data-Museum/ITAudit_Corresponding-SQL-Statement.png" alt="ITAudit_Corresponding-SQL-Statement.png" style="margin:5px;width:550px;height:79px;" /></p>
<p><strong><em>SQL Query Results (From SQL Statement)</em></strong></p>
<p><img src="/2017/PublishingImages/Pages/the-Data-Museum/ITAudit_SQL-Query-Results.png" alt="ITAudit_SQL-Query-Results.png" style="margin:5px;width:470px;height:173px;" /></p>
<p>Internal audit also designed more complex queries to identify managers and employees who used a large amount of sick leave relative to their vacation leave. The information was used to test management oversight of leave usage and identify where high-risk governance issues may exist.</p>
<p><strong>Tools</strong> In addition to using SQL statements, there are other means to browse and analyze the HR exhibit. Because the data museum resides on a platform that supports Open Database Connectivity, auditors can connect to the data with more sophisticated analysis tools as well as import data into traditional audit tools.</p>
<p>For data visualization and advanced reporting, auditors can establish a direct connection to the data with Microsoft SQL Server Reporting Services. For simple reporting, auditors export the results of queries to Excel. The flexibility of the AERB's environment will also allow the department to consider using other data visualization tools.</p>
<p><strong>A Horizontal View</strong> A horizontal view of an organization can be achieved by exploring the various exhibits within a data museum holistically. For example, the AERB's HR exhibit could be explored along with a financial transaction exhibit. If high-risk transactions are found within some organizational units, further analysis of HR data could determine whether there is a sufficient number of employees with various roles to achieve effective segregation of duties.</p>
<h2>Gaining Insight</h2>
<p>Establishing a data museum can give internal audit departments insight from the vast amounts of data within their organization. To get started, they should:</p>
<ul>
<li>Take stock of recent engagements and determine whether there are any frequently used domains of data, which can be formed into exhibits.</li>
<li>Decide on an environment to house the museum. Choose a relational database system that will meet internal audit's needs.</li>
<li>Start small. Design the first exhibit, and understand the business line and corresponding data repository. Decide which tables and data fields the department should keep.</li>
<li>Learn how to write basic SQL statements. This will allow auditors to "interview" the exhibits within the data museum.</li>
<li>Ensure audit trails and logs have been activated so browsing activities comply with internal security policies. Leverage this ability to validate whether management follow-up occurred.</li>
</ul>
<p>As an integral part of the internal audit strategy, a data museum can give auditors insight into the functioning of controls, the achievement of business objectives, and the identification of risk. Information extracted from queries also can help auditors scope audit programs appropriately. Auditors can perform more sophisticated analytics on the data during the audit testing phase as well as during audit follow-up to assess whether management action plans resulted in improvements. If the data museum is visited regularly — independent of any particular engagement — then the information could be used as input into risk-based audit planning activities, helping to increase overall internal audit intelligence.</p>
<p>Kevin Leung</p>
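<p>The following Python script is an added example, not the CRA's own code, queries or schema. It stands up a two-table subset of an HR exhibit in an in-memory SQLite database from constructed sample rows and runs the two kinds of query the article describes: the simple listing of managers and executives by cost centre, and the more complex comparison of sick leave against vacation leave used to test management oversight of leave usage. The table names (employee, leave_usage), the column names, the sample values and the 2:1 ratio threshold are all assumptions made for illustration.</p>

```python
import sqlite3

# Constructed sample rows standing in for two tables of an HR exhibit.
# Table and column names are assumptions for this example, not the CRA's schema.
EMPLOYEES = [
    # (employee_id, full_name, position_level, cost_centre)
    (101, "A. Singh",    "Executive", "CC-100"),
    (102, "B. Tremblay", "Manager",   "CC-100"),
    (103, "C. Okafor",   "Manager",   "CC-200"),
    (104, "D. Nguyen",   "Analyst",   "CC-200"),
    (105, "E. Martin",   "Analyst",   "CC-200"),
]

LEAVE_USAGE = [
    # (employee_id, leave_type, hours_taken) for one fiscal year (constructed)
    (102, "SICK", 120.0), (102, "VACATION", 40.0),
    (103, "SICK", 16.0),  (103, "VACATION", 80.0),
    (104, "SICK", 200.0), (104, "VACATION", 0.0),   # took no vacation at all
    (105, "SICK", 8.0),   (105, "VACATION", 75.0),
]


def build_exhibit() -> sqlite3.Connection:
    """Load the constructed HR exhibit into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE employee (
            employee_id    INTEGER PRIMARY KEY,
            full_name      TEXT NOT NULL,
            position_level TEXT NOT NULL,
            cost_centre    TEXT NOT NULL
        );
        CREATE TABLE leave_usage (
            employee_id INTEGER NOT NULL REFERENCES employee(employee_id),
            leave_type  TEXT NOT NULL,
            hours_taken REAL NOT NULL
        );
        """
    )
    con.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", EMPLOYEES)
    con.executemany("INSERT INTO leave_usage VALUES (?, ?, ?)", LEAVE_USAGE)
    con.commit()
    return con


def managers_by_cost_centre(con: sqlite3.Connection) -> list[tuple]:
    """The simple query from the article: managers and executives per cost centre."""
    sql = """
        SELECT cost_centre, full_name, position_level
        FROM employee
        WHERE position_level IN ('Manager', 'Executive')
        ORDER BY cost_centre, full_name
    """
    return con.execute(sql).fetchall()


def high_sick_leave(con: sqlite3.Connection, ratio_threshold: float = 2.0) -> list[tuple]:
    """The more complex query: employees whose sick leave is large relative to vacation leave.

    Per-employee totals are computed in a CTE; MAX(vacation_hours, 1.0) keeps an
    employee who took no vacation from being lost to a division by zero.
    """
    sql = """
        WITH totals AS (
            SELECT e.employee_id, e.full_name, e.position_level,
                   SUM(CASE WHEN l.leave_type = 'SICK'     THEN l.hours_taken ELSE 0 END) AS sick_hours,
                   SUM(CASE WHEN l.leave_type = 'VACATION' THEN l.hours_taken ELSE 0 END) AS vacation_hours
            FROM employee AS e
            JOIN leave_usage AS l ON l.employee_id = e.employee_id
            GROUP BY e.employee_id, e.full_name, e.position_level
        )
        SELECT employee_id, full_name, position_level, sick_hours, vacation_hours,
               sick_hours / MAX(vacation_hours, 1.0) AS sick_to_vacation
        FROM totals
        WHERE sick_hours / MAX(vacation_hours, 1.0) > ?
        ORDER BY sick_to_vacation DESC
    """
    return con.execute(sql, (ratio_threshold,)).fetchall()


if __name__ == "__main__":
    con = build_exhibit()
    print("Managers and executives by cost centre:")
    for row in managers_by_cost_centre(con):
        print("  ", row)
    print("Employees with sick leave more than 2x their vacation leave:")
    for row in high_sick_leave(con):
        print("  ", row)
```

<p>The SQL is what an auditor would type against the exhibit directly; SQLite is used only so the example runs without a database server. The CTE isolates the per-employee totals so the threshold can be changed without touching the aggregation, and the division guard matters in practice: an employee who recorded sick leave but no vacation at all is exactly the case an auditor wants surfaced, not silently dropped by an error.</p>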
Infusing IT Auditing Into Engagements IT Auditing Into Engagements<p>​Modern technology is growing rapidly, as is the level of disruption driven by it. In the 2016 Technology Industry Outlook, Deloitte describes the technology sector reaching a tipping point "where cognitive computing, big data analytics, cloud computing, and the rapidly growing Internet of Things are transforming businesses around the globe — including those outside the technology sector." </p><p>Internal audit is being transformed, as well. As advancements in technology drive changes in business operations, internal audit must perform IT audits to help organizations accomplish new and evolving business objectives. That requires the internal audit department and individual auditors to develop IT-related capabilities that are aligned with business risk. Skills that were once considered specialties of IT auditors are now required of all internal auditors. Those practitioners who cannot incorporate technology into their assurance and advisory work will not be able to keep up with the evolving risks, strategies, and needs of their organizations. </p><p>Like any new audit endeavor, internal audit needs to gather information and form a plan for incorporating IT audit techniques into their audit work. Although each organization will require a different mix of effort and materials to obtain this information, some common elements are needed to prepare a comprehensive plan over the short (2 to 3 years), middle (3 to 5 years), and long term (5 to 7 years). The timing in which internal audit implements these elements may vary based on the organization, internal audit department, and internal auditors' capabilities. 
At each stage, the elements should be completed concurrently, with the internal audit department thinking holistically about the future of integrated auditing at its organization.</p><h2>Short Term: Core IT Audit Capabilities</h2><p>A separate IT audit is not required to start infusing IT-related capabilities into the current internal audit function; already-scheduled audit engagements can incorporate elements of IT auditing, further enabling the internal audit department to identify resources and education needed in the long term. As the internal audit department becomes more knowledgeable about the organization's IT environment, auditors can educate organizational management about the benefits of IT auditing in relation to business objectives. In the short term, the department should focus on creating a solid foundation that allows for development of future efforts.</p><p> <strong>Incorporate IT Perspective Into Current Audit Engagements</strong> Internal audit management should encourage staff members to incorporate IT audit methods into their engagements. During the planning phase, auditors should recognize the role IT plays in the internal controls for the processes currently being audited. Document internal audit's understanding of the organization's IT environment. For example, when auditing the accounts payable process, auditors should not only interview the accounts payable clerk about internal controls, but also talk to the individuals responsible for maintaining and supporting accounts payable data and processing systems. Moreover, internal audit should document automated controls such as access controls to the vendor master file.</p><p>Locate and read IT policies, focusing on change management, segregation of duties, and information security. Consider obtaining training from IT experts on applications used within the organization such as enterprise resource planning (ERP) software. 
Areas in which internal audit should develop skills include cybersecurity, data mining, audit analytics, crisis management planning, vendor governance, corporate and data governance, continuous auditing, and software and system life cycle management.</p><p> <strong>Identify Resources</strong> Leveraging their knowledge of the organization's IT environment, internal auditors should inventory the IT resources used across the organization. Start with core functions, including resources driving financial, human resources, and customer data. IT resources include IT platforms (servers, routers, and workstations) and software (databases, and proprietary and off-the-shelf applications). In the accounts payable example, IT resources could include ERP software and other electronic records such as spreadsheets used to house important calculations. </p><p>Second, pinpoint data stored on these core IT resources that are vital to current operations and achieving key business objectives. Key data could include vendor bank account, address, and contact information, as well as invoice distribution coding. Analyze current risk assessments of the underlying risks of this data. Examples of accounts payable risks include phantom vendors, duplicate payments, and corrupt or incorrect data. Assessing the current landscape reveals the most critical IT systems and data that need to be audited. Map core IT resources and data to key business objectives. </p><p> <strong>Respond to IT Risks and Identify Audit Objectives That Can Add Value</strong> IT supports nearly all business functions and allows management to make accurate, timely, and appropriate decisions that drive business operations. Integrated audits can support management's risk assessment to help align business objectives and IT. 
Research by Peter Weill and Jeanne Ross, published in the MIT Sloan Management Review, shows that appropriate alignment of organizational objectives and IT can deliver as much as a 20 percent higher return on investment. </p><p>Internal audit should identify top areas for review, with estimated resource requirements, based on the risk assessment and the risk tolerance of the organization. For example, the business may have an objective to take advantage of potential vendor discounts by making timely payments. Related IT risks include inappropriate access to vendor data, delayed access to invoice information that hinders decision-making, and incorrect calculation of the cost/benefit of taking discounts. An integrated audit of accounts payable could leverage accessing and identifying critical information to meet the business objective. </p><h2>Middle Term: Advanced IT Audit Capabilities</h2><p>While using the current audit engagement schedule in the short term, chief audit executives (CAEs) should evaluate the department's preparedness to grow into a more mature model in which individual IT audit engagements are expected and the CAE has worked with organizational management to link business risks with IT audit techniques. In the middle term, internal audit must get the right people on board and work with the IT department and the organization at large to use a common IT framework. Moreover, it should partner with management and the IT department to facilitate long-term planning. </p><p> <strong>Build a Team</strong> Audit leaders should recruit qualified personnel with IT skills within the internal audit department. Look for people within the department who have current IT audit skills or an aptitude for technology that would enable them to gain those skills. Create a training plan that will address the core IT systems used within the organization and IT audit areas that will need to be covered in future audits. 
Consider hiring an IT expert into the internal audit department to help the department establish a solid relationship with the IT department.</p><p> <strong>Understand the IT Framework</strong> Organizations perform optimally when they use a consistent IT framework, which requires assessing the current state of the IT environment, defining a target state, implementing improvements, operating and measuring, and monitoring and evaluating. Examples of frameworks and standards include the International Organization for Standardization's ISO/IEC IT standards, ISACA's COBIT, and the U.S. National Institute of Standards and Technology Cybersecurity Framework. If the organization has not implemented an IT framework, internal audit should highlight the need for one that will allow for communication across business functions. Use of an IT framework helps determine whether the organization's IT business objectives comply fully with business rules and are structured, maintainable, and upgradable.</p><p> <strong>Perform IT Audits</strong> Identify the scope of IT audits that can be handled internally based on the IT experience of internal auditors and outsource coverage of any remaining risks. Consider the organization's adoption of the IT framework and the amount of resources management has devoted to the endeavor. Specific areas audits should address include: 1) segregation of duties to ensure the integrity of automated controls; 2) security, including physical and logical access, to safeguard the core systems as well as critical and sensitive information; and 3) change management to ensure integrity of system changes. A benefit to implementing an IT framework is access to audit programs that are available for these three areas as well as additional auditable areas for future engagements. 
Internal auditors should devote time to understanding the audit programs and the areas they cover so they will obtain efficiencies.</p><p> <strong>Foster Relationships With IT and Management</strong> Internal audit's relationship with the IT department is the foundation of a successful IT audit engagement. Internal audit should understand the metrics and goals the IT department uses in the monitoring and evaluation process of the IT framework. Through this process, internal audit can determine whether the linkage of IT metrics and objectives aligns with organizational goals. Moreover, it can allow internal audit to help discover and articulate to organizational management which IT initiatives can produce cost savings. Additionally, understanding the IT department's goals and metrics can help internal audit facilitate communication between the IT department and management. The value provided from these efforts can position internal audit to recommend enhancements to achieve operational goals. </p><h2>Long Term: Advanced and Emerging IT Audit Capabilities</h2><p> As the department's IT audit capabilities solidify and mature, it is a good time to start thinking about the long-term direction in which they will be applied to audit engagements. Performing IT audit engagements should give the department the foundational knowledge needed to help its consulting efforts. In the long term, internal audit should continue to develop and mature integrated engagements, grow consulting engagements, and improve IT audit skills with a focus on how organizational IT objectives will shape internal audit. </p><p> <strong>Leverage Data Analysis</strong> Data analytics allow internal audit to search for patterns and plausible interrelationships and anomalies, helping improve operational efficiency and effectiveness, as well as fraud detection and prevention. Moreover, analytics can enable reliable financial reporting and adequate compliance with laws and regulations. 
</p><p>The best time for internal audit to perform data analysis is early in the IT life cycle, when it can enable auditors to use time and resources more effectively. In this way, using data analytics can better inform IT audit planning and foster a more dynamic internal audit environment that moves from a traditional and post-mortem planning strategy to one that is more innovative and consultative.</p><p> <strong>Obtain Professional Certifications</strong> IT audit techniques cannot reach their maximum potential without adequate training. One of the best ways to achieve this level of aptitude is by obtaining professional certifications that attest to the practitioner's knowledge of technology and internal audit. Working toward certification enables individuals to gain IT audit knowledge. Maintaining certifications also requires auditors to complete continuing education to meet changes in technology and their associated risks. The specific mix of professional certifications should relate to the organization's objectives and core IT systems and data. Good qualifications to start with include The IIA's Certified Internal Auditor designation and ISACA's Certified Information Systems Auditor and Certified in Risk and Information Systems Control certifications. </p><h2>Rise to the Occasion</h2><p>Internal audit's need to establish its IT audit capabilities and apply them to all of its audit engagements is increasingly important, now that technology is tightly integrated into business processes. Technology is influencing both what is audited and the way audits are being performed. Internal audit departments need to develop the essential skills to audit IT-based controls and processes and to identify operational improvements throughout their organization. Internal audit can take a measured approach to cultivate IT-related capabilities over time in conjunction with organizational management. </p>Andrew Bowman
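<p>The accounts payable risks named in the short-term section (phantom vendors, duplicate payments) are the kind of thing the "Leverage Data Analysis" step can test directly. The following Python script is an added example, not code from the article or from The IIA: it runs two simple audit analytics over constructed invoice, vendor master and employee records. The record layouts and field names are assumptions made for the illustration.</p>

```python
"""Added example: two accounts-payable audit analytics on constructed data.

Assumed (hypothetical) record layouts:
  invoice  = {id, vendor_id, invoice_no, amount, date}
  vendor   = {id, name, bank_account, address}
  employee = {id, name, bank_account, address}
"""
import re
from collections import defaultdict
from datetime import date, timedelta
from itertools import combinations

# Constructed sample data (hypothetical values, not a real ledger).
INVOICES = [
    {"id": "I1", "vendor_id": "V100", "invoice_no": "INV-2017-001", "amount": 1250.00, "date": date(2017, 3, 1)},
    {"id": "I2", "vendor_id": "V100", "invoice_no": "INV2017001",   "amount": 1250.00, "date": date(2017, 3, 15)},
    {"id": "I3", "vendor_id": "V100", "invoice_no": "INV-2017-002", "amount": 1250.00, "date": date(2017, 6, 30)},
    {"id": "I4", "vendor_id": "V200", "invoice_no": "A-77",         "amount": 980.50,  "date": date(2017, 4, 2)},
    {"id": "I5", "vendor_id": "V200", "invoice_no": "A-78",         "amount": 980.50,  "date": date(2017, 4, 9)},
]
VENDORS = [
    {"id": "V100", "name": "Acme Supplies",     "bank_account": "GB00-1111", "address": "1 Market St"},
    {"id": "V200", "name": "Bright Cleaning",   "bank_account": "GB00-2222", "address": "9 Mill Rd"},
    {"id": "V300", "name": "J. Doe Consulting", "bank_account": "GB00-3333", "address": "4 Elm Ave"},
]
EMPLOYEES = [
    {"id": "E1", "name": "Jane Doe", "bank_account": "GB00-3333", "address": "4 Elm Ave"},
    {"id": "E2", "name": "Sam Lee",  "bank_account": "GB00-4444", "address": "7 Oak Ln"},
]


def normalize_invoice_no(s):
    """Strip punctuation and case so 'INV-2017-001' and 'INV2017001' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", s.upper())


def find_duplicate_payments(invoices, window_days=30):
    """Duplicate-payment test.

    Flags, per vendor, any pair of invoices that either carry the same
    normalized invoice number or carry the same amount within window_days.
    Returns a sorted list of (earlier_id, later_id, reason).
    """
    by_vendor = defaultdict(list)
    for inv in invoices:
        by_vendor[inv["vendor_id"]].append(inv)

    findings = []
    for group in by_vendor.values():
        ordered = sorted(group, key=lambda i: i["date"])
        for a, b in combinations(ordered, 2):
            if normalize_invoice_no(a["invoice_no"]) == normalize_invoice_no(b["invoice_no"]):
                findings.append((a["id"], b["id"], "same invoice number after normalization"))
            elif a["amount"] == b["amount"] and b["date"] - a["date"] <= timedelta(days=window_days):
                findings.append((a["id"], b["id"], "same vendor and amount within %d days" % window_days))
    return sorted(findings)


def find_phantom_vendor_indicators(vendors, employees):
    """Phantom-vendor test: vendors sharing a bank account or address with an employee.

    Returns a list of (vendor_id, employee_id, reason).
    """
    by_bank = {e["bank_account"]: e["id"] for e in employees}
    by_addr = {e["address"].strip().lower(): e["id"] for e in employees}
    findings = []
    for v in vendors:
        if v["bank_account"] in by_bank:
            findings.append((v["id"], by_bank[v["bank_account"]], "bank account matches employee"))
        addr = v["address"].strip().lower()
        if addr in by_addr:
            findings.append((v["id"], by_addr[addr], "address matches employee"))
    return findings


if __name__ == "__main__":
    for finding in find_duplicate_payments(INVOICES):
        print("duplicate payment candidate:", finding)
    for finding in find_phantom_vendor_indicators(VENDORS, EMPLOYEES):
        print("phantom vendor indicator:", finding)
```

On the constructed data the duplicate test flags I1/I2 (same invoice number once the hyphens are removed) and I4/I5 (same amount to the same vendor a week apart), while I3, four months later, is not flagged; the phantom test flags V300 twice because both its bank account and address match employee E1. Every finding is a lead for follow-up with the accounts payable and vendor master owners, not a conclusion on its own.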
The Dark Side of the Internet of Things<p>They targeted children and stuffed animals. Hackers gained access to account information and voice recordings of more than 800,000 consumers who had purchased Spiral Toys' CloudPets toys, cybersecurity researcher Troy Hunt revealed last month. CloudPets are stuffed animals that enable parents and their children to exchange messages through the internet.</p><p>This anecdote reveals both the pervasiveness of the Internet of Things (IoT) and the serious threats associated with it. Personal assistants, wearables, home management systems, smart refrigerators, and other devices are becoming popular with consumers. But the IoT has become particularly entrenched in businesses — everything from security systems to security cameras to heating, ventilation, and air conditioning systems. </p><p>Research firm Gartner Inc. predicts that 8.4 billion connected devices will be in use worldwide this year, a 31 percent increase over 2016. That number will surpass 20 billion by 2020, Gartner forecasts. Currently, consumer devices comprise 63 percent of IoT devices, but businesses make up 57 percent of IoT spending.</p><p>"IoT services are central to the rise in IoT devices," says Denise Rueb, a research director at Gartner. Although businesses currently dominate the US$273 billion spent worldwide on IoT services, Rueb says consumer and connectivity services will grow faster. "Consumer IoT services are newer and growing off a small base," she explains. "Similarly, connectivity services are growing robustly as costs drop and new applications emerge."</p><p>Security is the dark cloud hanging over the IoT, information security experts caution. Before last year, many of those concerns were theoretical. Those theories became very real in October when a botnet based on the Mirai malware disrupted internet service in several U.S. cities. 
At its height, the malware infected hundreds of thousands of devices.</p><p>According to an HP study, <a href="" target="_blank">Internet of Things Security: State of the Union</a>, 70 percent of IoT devices are vulnerable to attack. A separate <a href="" target="_blank">survey</a> (PDF) by Boston-based IT security company Pwnie Express identifies common attacks against devices, including malware (32 percent), ransomware (20 percent), and man-in-the-middle attacks that intercept communications (16 percent).</p><p>Threats to IoT systems were front-and-center this month at the CyberUK conference in London, hosted by the U.K.'s recently established National Cyber Security Centre (NCSC). An NCSC report released in conjunction with the conference warns that IoT devices are vulnerable to threats such as remote code execution or takeover. "Many connected devices have been shipped with less secure software and default passwords," The Cyber Threat to U.K. Businesses 2016/2017 report notes. "There is often no obvious way for consumers to update them, change passwords, or otherwise fix security problems."</p><p>Most of the information security professionals (63 percent) who responded to Pwnie Express' The Internet of Evil Things survey say their organization is prepared to detect threats to connected devices. But when the survey dug deeper, it found that less than half (49 percent) of those respondents knew how many connected devices employees were bringing into the organization, while one-third did not know how many and 17 percent were not sure. </p><p>Industrial systems are a likely target. Ninety-six percent of IT security professionals <a href="" target="_blank">surveyed by Tripwire</a> (JPG) expect attacks on industrial IoT systems to increase this year, and 51 percent say their organization isn't prepared to protect them. 
"There are only two ways this scenario plays out," says David Meltzer, chief technology officer for the Portland, Ore.-based information security company. "Either we change our level of preparation or we experience the realization of these risks."</p><p>Health care is another area where the IoT shows great promise but carries great threats. Recent ransomware attacks have targeted health-care IT systems successfully. Gartner predicts more than one-fourth of attacks in the health-care sector will target the IoT. For health-care businesses, the IoT raises the stakes because "traditional cybersecurity doesn't always 'walk the talk' when it comes to the IoT," Damon Hopley, senior manager, product management with Verizon's IoT Security group, writes in <a href="" target="_blank"> <em>IT Healthcare News</em></a>. Hopley points out that devices deployed by providers and insurers often are located in remote locations and some of those devices may lack security features that can reduce the risk of remote hijacking.</p><p>What can be done? A recent <a href="" target="_blank">white paper</a> (PDF) from the Bellevue, Wash.-based Online Trust Alliance encourages businesses, consumers, and government to work together to secure the IoT. The paper outlines roles for retailers and ecommerce sites; developers, manufacturers, and automakers; brokers, builders, realtors, and car dealers; and internet service providers. It calls on the private sector to establish minimum security and privacy standards for IoT products, disclose security support, and enhance security offerings. In addition, it advises regulators and policy makers to allow self-regulation and provide safe harbor to device manufacturers that have adopted reasonable security and privacy practices. Finally, it recommends consumers patch and replace insecure devices, and only purchase devices that are backed by a security and privacy commitment from the manufacturer. </p>Tim McCollum
Late to the Project<p>There's room for IT audit functions at the technology table, but most of them aren't involved in all stages of IT projects, the recent <a href="" target="_blank">IT Audit Benchmarking Study</a> by ISACA and Protiviti Inc. reports. The organizations surveyed 1,062 internal audit and IT audit leaders and professionals from organizations throughout the world for the study.</p><p>Nearly 90 percent of respondents say their organizations have implemented an IT system or application within the past three years. Process automation and improvements to core infrastructure were the most common projects, far outpacing initiatives involving business intelligence, customer user interfaces, and collaboration. Across all regions, respondents say most of these projects were successful. </p><p>That's not the norm for such projects, the report notes. It cites a study from consulting firm McKinsey and the University of Oxford that found that IT projects on average run 45 percent over budget and 7 percent over time, while delivering just 56 percent of the promised value.</p><p>IT auditors could be helpful in implementing projects more effectively. In the largest companies, 71 percent of IT audit functions are moderately (45 percent) or significantly (26 percent) involved in IT projects. The problem is they are most likely to be involved at the end of projects. Although 43 percent of respondents say IT audit is involved at the planning stage, 65 percent are involved in post-implementation — usually assessing how well the project has done. 
IT audit is less involved in design, testing, and implementation, when the bulk of the work is performed.</p><p>"There is an opportunity for organizations to derive more value from their major IT projects by engaging IT audit earlier rather than downstream in the projects," says ISACA Chairman Christos Dimitriadis, group director of information security for Athens, Greece-based gaming technology company Intralot. "With a solid foundation of assurance at the front end, organizations can have the confidence they need to be innovative and fast-paced in pursuit of their business goals."</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> <p> <strong>Top Business and Technology Challenges</strong></p><ol><li>IT security and privacy.</li><li>Infrastructure management.</li><li>Emerging technology and infrastructure changes.</li><li>Resource, staffing, and skills.</li><li>Regulatory compliance.</li><li>Budgets and cost control.</li><li>Cloud computing and virtualization.</li><li>Bridging IT and the business.</li><li>Project management and change management.</li><li>Third-party and vendor management.</li></ol><p>Source: ISACA and Protiviti Inc., IT Audit Benchmarking Study, 2017.</p></td></tr></tbody></table><p>In addition to post-implementation project reviews (51 percent), IT audits of major projects evaluated test phases (48 percent), project governance (48 percent), the project risk management plan (45 percent), system development life cycle (45 percent), the data conversion process (44 percent), alignment of project success measures to desired business outcomes (41 percent), the project plan (41 percent), and project requirements (40 percent). </p><p>The most significant risk factor respondents identified is frequency of updates to project goals and outcomes based on changing business requirements (26 percent). 
Other factors include goals that aren't clearly defined (17 percent), frequency of change in project specifications without formal assessments (14 percent), lack of a defined and documented project management methodology (13 percent), capabilities and skills of the project manager and team (12 percent), and level of employee turnover on project teams (7 percent).</p><p>Raising IT audit's profile within the organization could help it become more involved in projects, the report notes. A positive sign is that 55 percent of respondents say their organization's IT audit director regularly attends board meetings, up from 49 percent in last year's study. "Audit committee members, in particular, are seeking greater assurance around critical IT risks and controls," says Gordon Braun, managing director of Protiviti's IT audit practice. "Internal audit and IT audit leaders must be prepared to demonstrate audit coverage of key areas and articulate where the highest risks remain."</p><p>Increasingly, chief audit executives (CAEs) are becoming better able to provide assurance on IT risks, the report finds. Nearly three-fourths (72 percent) of respondents say their organization's CAE has sufficient knowledge to discuss IT audit matters with the audit committee.</p><p>But there is something missing from some organizations' IT operations: IT audit risk assessments. Most respondent organizations perform them, but they are lacking in 23 percent of organizations with less than US$100 million in revenue. Across all organizations surveyed, IT audit risk assessments typically are performed as part of internal audit's overall risk assessment. Most responding organizations update those assessments annually. Continuous assessments are most common in the largest (18 percent) and smallest (14 percent) organizations.</p>Tim McCollum
Cyber Root Cause Alarm Bells Are Ringing<p><a href="" target="_blank">A new study by Tripwire</a> should be setting off your alarms.</p><p>The company surveyed 403 IT security professionals, the people who should know about the true state of information security or cyber at their organization.</p><p> <strong>90 percent of organizations lack the </strong> <span style="text-decoration:underline;"> <strong>skills</strong></span><strong> to address the full range of cyber threats!</strong></p><p>There have been repeated reports that information security experts are in high demand but low supply. This confirms the problem.</p><p> <strong>97 percent of organizations lack the </strong> <span style="text-decoration:underline;"> <strong>technology</strong></span><strong> they need to address the threats!</strong></p><p>If I was on the board and heard this, I would be questioning the executive team hard.</p><p>Other surveys indicate that the majority of executives know they have been hacked in the past and expect hackers to be successful in the future.</p><p>But do they know the true extent of the problem?</p><p>Do they know their defenses are down — and that their people don't have the ability to detect intrusions promptly?</p><p>When I took over the internal audit function at a company years ago, I was concerned by what I saw in the information security area.</p><p>Rather than audit the defenses, I had my team audit whether the company had the <strong>capability</strong> to build, maintain, and manage the defenses.</p><p>Key questions include:</p><ul><li>Do you understand the risk to the business (the consequences) if there is a successful intrusion? How will the objectives of the organization be affected? Can you and have you assessed cyber risk in business terms? How recent is that assessment?</li><li>Are you satisfied and if so why? 
If not, what are you doing about it?</li><li>Do you have the people to understand (on a continuing basis) and then address cyber risk?</li><li>Do they have the tools? Is that your opinion or theirs?</li><li>Is the voice of information security heard and listened to at senior and board levels?</li><li>Would a reasonable, prudent individual believe the risk to the organization is at an acceptable level, and will continue to be at an acceptable level over the next year?</li><li>How often is an <strong>objective</strong> assessment of information security performed and is it reliable? Are its recommendations acted on?</li><li>Does it still make sense to expect employees to handle cyber risk? Is it better to outsource it, and to what extent should we do that?</li></ul><p>I welcome your comments.</p>Norman Marks
Data Mining<p>The vast amount of data generated by business and the increase in data warehouses and legacy systems have created a treasure trove of information to be mined to draw meaningful insights regarding fraud indicators, emerging risks, and business performance. Companies such as Amazon, Facebook, Google, and Netflix are built on foundations of data exploration and mining.<br></p><p>Data mining, which includes text mining, is the discovery of information without a previously formulated hypothesis where relationships, patterns, and trends hidden in large data sets are uncovered. It involves using methods at the convergence of artificial intelligence, machine learning, statistics, and database systems. With the advent of big data, this niche-driven research discipline, developed in the 1980s, is now a powerful tool. <br></p><p>There are no roadmaps or directions in data mining. Instead, it requires thinking outside the box to come up with a range of scenarios. Questions like, “What are the risks?” “What opportunities exist for business improvements?” “How can this data be leveraged?” and “What fraudulent activities can occur?” can lead to developing algorithms.<br></p><h2>Data Mining Techniques</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>Examples of Data Mining</strong><br><br>Data mining can detect a range of fraud indicators such as bogus vendors, kickbacks, money laundering, insider trading, and claims fraud. <br><br>In a telecommunications audit, for example, a model can be built to show patterns of call destinations, duration, frequency, and time of day. Over time, when actual calls vary from expected patterns, it will alert internal audit to the possibility of fraud. <br><br>Outcomes also can indicate cost-saving opportunities, potential irregularities, and patterns worthy of further investigation. 
For example, in a procurement audit, using text mining that brings up common products and services may determine that there is an annual savings or discount to ordering cleaning supplies from one vendor instead of several vendors. <br><br>In a retail audit of a bank branch, a review of customer accounts can show single bank accounts converted to joint accounts, indicating marriage. Internal audit may recommend cross-selling mortgages and consumer loans to the joint account owners, which can grow branch profitability. <br><br>In a loan audit, nonperforming loans can be segmented to show different factors for loan failures. This can help guide the revamping of credit models and tightening of lending practices, which can reduce the number of nonperforming loans.<br></td></tr></tbody></table><p>The most common techniques used in data mining are predictive modeling, data segmentation, neural networks, link analysis, and deviation detection.<br><br><strong>Predictive modeling</strong> uses “if then” rules to build algorithms. For example, during a loan audit, auditors can create rules to show which customers in a specific age range (18-25, for instance) with balances exceeding US$5,000 are likely to default. <br><br><strong>Data segmentation</strong> involves partitioning data into segments or clusters of similar records. Also called <em>clustering</em>, this technique lets auditors see common factors underlying each segment. For example, a marketing audit can look at residents of urban neighborhoods and affluent areas where wealthier, older people live.<br><br><strong>Neural networks</strong> are a type of artificial intelligence that uses case-based reasoning and pattern recognition to simulate the way the brain processes, stores, or learns information. 
In fraud detection, neural networks can learn the characteristics of fraud schemes by comparing new data to stored data and detecting hidden patterns.<br><br><strong>Link analysis</strong> establishes links between records or sets of records. Such links are called <em>associations</em>. Examples include customers buying one product at a specific time and then a different product a few hours later or a vendor supplying a raw material and purchasing a byproduct. Or, in the case of a money laundering audit, identifying addresses that have many wire transfers attached to them.<br><br><strong>Deviation detection</strong> is pinpointing deviations from the observations or model worthy of further investigation. An example is detecting an unusual transaction on a credit or purchase card that does not fit the typical spending patterns of a cardholder, such as buying a refrigerator or booking a vacation on a company’s purchase card. <br></p><h2>Email Mining </h2><p>The rapid evolution of data mining techniques on unstructured or semi-structured textual data now provides opportunities for audit analysis. Mining this vast text field is a key tool in the internal auditor’s arsenal for fraud prevention and detection. Word searches using “kickback,” “bank account,” “funds,” “money,” and “override” could uncover fraud, while words such as “flowers,” “anniversary,” “chocolate,” “gift,” “bar,” and “drink” could indicate office romances that breach a company’s code. <br></p><p>Analysis of email logs can uncover key information about employees’ interests, activities, and behaviors. Email contents might include potential evidence of fraud and issues of audit concern. For instance, emails from an employee to customers when the employee does not hold a position that normally communicates with customers would be a red flag.<br></p><p>Emails might contain an exchange of information between parties that can provide evidence of a wide range of managerial fraud. 
Also embedded in email contents might be issues relating to breaches of compliance requirements and their cover ups, privacy matters, and theft of intellectual property. As emails pass through gateways, they are easy to archive, index, categorize, and monitor for keywords.<br></p><h2>Social Network Analysis</h2><p>Analysis of employees’ Facebook, LinkedIn, and Twitter accounts explores relationships or networks between email senders and recipients. Social network relationships may presage kickbacks or collusion between employees and third parties. Within this context, social media analytics is a tremendous tool. However, consideration should be given to such key risks as security, privacy and confidentiality, loss/theft of intellectual property and trade secrets, and legal and compliance. <br></p><h2>Data Mining Tools </h2><p>Data mining can be performed with comparatively modest database systems and simple tools or off-the-shelf software packages. Microsoft Excel has a wide range of functions that can be used in data mining without the hours of training required for other programs. Generalized audit software and server database software also are formidable data mining tools.<br></p><h2>Raising the Bar</h2><p>Data mining demands considerable time, serious commitment, a new mind-set, and new skills. Delays in getting the data, uncooperative management, time spent understanding the data, and scrubbing it are additional challenges. Data mining raises the bar on what can be achieved by addressing issues beyond the reach of traditional analysis techniques. It is more than running complex queries on large data sets. Internal auditors must work with the data to have it reorganized and cleansed, and identify the format of the information based on the technique or analysis they want to use. Data mining increases audit coverage, and with the internet and computer-assisted audit tools, auditors should be limited only by their imaginations. <br></p>Lal Balkaran
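<p>Two of the techniques in the "Data Mining Techniques" section, deviation detection (the purchase-card example) and link analysis (the money laundering example of addresses with many wire transfers), can be shown in a few lines of code. The script below is an added example, not code from the article or its author. The purchase-card transactions and wire transfers are constructed sample records, and the robust z-score threshold and the three-sender threshold are assumptions chosen for the illustration.</p>

```python
"""Added example: deviation detection and link analysis on constructed data.

Deviation detection: for each cardholder, score every transaction amount by
its distance from the holder's own median, measured in units of the median
absolute deviation (MAD). Robust statistics are used so one large purchase
does not drag the baseline up and hide itself.

Link analysis: group wire transfers by normalized beneficiary address and
report addresses that many distinct senders pay into.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed purchase-card transactions: (cardholder, amount, merchant_category).
CARD_TXNS = [
    ("C1", 42.10, "fuel"), ("C1", 38.00, "fuel"), ("C1", 55.25, "office"),
    ("C1", 47.80, "fuel"), ("C1", 1899.00, "appliances"), ("C1", 51.00, "office"),
    ("C2", 120.00, "travel"), ("C2", 135.50, "travel"), ("C2", 98.00, "travel"),
    ("C2", 142.00, "travel"), ("C2", 110.00, "meals"),
]

# Constructed wire transfers: (wire_id, sender, beneficiary_address).
WIRES = [
    ("W1", "Alpha Ltd", "12 Harbour Way, Apt 3"),
    ("W2", "Beta GmbH", "12 Harbour Way Apt 3"),
    ("W3", "Gamma SA", "12 harbour way, apt 3"),
    ("W4", "Delta Inc", "88 Ridge Rd"),
    ("W5", "Alpha Ltd", "88 Ridge Rd"),
]

MAD_SCALE = 1.4826  # makes MAD comparable to a standard deviation for normal data


def detect_deviations(txns, threshold=3.5):
    """Return [(cardholder, amount, category, score)] for outlying amounts.

    score = |amount - median| / (MAD_SCALE * MAD), computed per cardholder.
    If a holder's MAD is zero (all amounts identical), any amount that differs
    from the median at all is reported with an infinite score.
    """
    by_holder = defaultdict(list)
    for holder, amount, category in txns:
        by_holder[holder].append((amount, category))

    flagged = []
    for holder, rows in by_holder.items():
        amounts = [a for a, _ in rows]
        med = median(amounts)
        mad = median(abs(a - med) for a in amounts)
        for amount, category in rows:
            dev = abs(amount - med)
            if mad == 0:
                score = float("inf") if dev > 0 else 0.0
            else:
                score = dev / (MAD_SCALE * mad)
            if score > threshold:
                flagged.append((holder, amount, category, round(score, 1)))
    return flagged


def normalize_address(addr):
    """Lowercase, drop punctuation and collapse whitespace so variants group together."""
    return re.sub(r"\s+", " ", re.sub(r"[^a-z0-9 ]", " ", addr.lower())).strip()


def link_addresses(wires, min_senders=3):
    """Return {normalized_address: sorted distinct senders} for addresses
    that receive wires from at least min_senders different senders."""
    senders_by_addr = defaultdict(set)
    for _, sender, addr in wires:
        senders_by_addr[normalize_address(addr)].add(sender)
    return {addr: sorted(s) for addr, s in senders_by_addr.items() if len(s) >= min_senders}


if __name__ == "__main__":
    for row in detect_deviations(CARD_TXNS):
        print("deviation:", row)
    for addr, senders in link_addresses(WIRES).items():
        print("linked address:", addr, "<-", senders)
```

On the constructed data, cardholder C1's $1,899.00 appliance purchase scores far above the threshold against a baseline of fuel and office purchases around $49, while C2's travel spend, though higher in absolute terms, is consistent with that holder's own pattern and is not flagged. The link analysis groups the three spellings of "12 Harbour Way, Apt 3" together and reports it because three unrelated senders wire money to it; "88 Ridge Rd" has only two distinct senders and is left alone.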