​​​Internal Audit, Risk Management, and Technology,-risk,-and-technology.aspx​​​Internal Audit, Risk Management, and Technology<p>Protiviti has shared another useful report with us in the latest issue of <a href="" target="_blank">Internal Auditing Around the World</a>.</p><p>Two managing directors summarize the productive use of technology by internal audit departments and feature a number of organizations.</p><p>It is interesting that every CAE they interviewed is female. I don't know whether that was because they only selected female CAEs or whether the organizations they contacted all had female leaders.</p><p>Either way, I am not surprised.</p><p>I am also not surprised that these organizations have embraced technology.</p><p>After all, if it is critical to our companies and their success, we should not only be aware of the related risks but use technology to full advantage ourselves.</p><p>I want to share a few quotes before making what I consider a key point. That key point is, I believe, critical for both internal audit and risk practitioners — as well as those responsible for the oversight of these activities.​</p><blockquote><ul><li>Technological innovation is rapid and disruptive, and touches almost every aspect of our lives. People and machines are becoming increasingly interconnected, accelerating digitization and shaping the Internet of Things. And almost every business today is, at its core, a technology business — one that relies on IT not only to operate, but also to innovate and enable future success.</li><li>Without question, the dramatic technological change of the digital age has created a world of new and previously unimagined opportunities for businesses across industries. But it also has made the risk landscape for these organizations more expansive and treacherous than ever before.</li><li>"With technology at the heart of the business, we feel technology is also at the heart of what we do as internal auditors." (Dominique Vincenti)</li><li>Fittingly, today we find many leading internal audit functions around the globe relying heavily on technology tools to help them identify risk and control issues, conduct audits, share results with management and the business, and closely monitor issues to ensure they are resolved.</li><li>Of particular note, many of the internal audit teams we profile are expanding their use of data analytics so they can bring more efficiency to the audit process. Some functions are using data analytics to identify emerging risks and potential fraud and pinpoint cost-saving opportunities throughout the business. Others are employing data science. They have hired specialists and designated teams to work with big data and derive business intelligence that can help internal audit provide management with insights they can apply to business decision-making.</li><li>Beili Wong, chief audit executive and executive director for the Liquor Control Board of Ontario, says that given businesses' ever-deepening dependency on technology, it is imperative for internal audit to transcend its traditional role as the third line of defense so it can be present on the front lines as the organization considers adopting new technologies. "We are about more than just defense," she explains. "We should also be a proactive partner at the first line."</li><li>"We have invested in different technologies in the past two to three years," Perrott [CAE of Accenture] says, "and these tools are helping us reap significant benefits." The technologies support the risk assessment process and development of the annual audit plan, and also enhance collaboration among internal auditors.</li></ul></blockquote><p> <br> </p><p>When you read these features on the various companies, I expect you will share my reflections:</p><ol><li>The fundamental principles of how technology can help us have not really changed.</li><li>But, the tools are more sophisticated and powerful.</li><li>Some new sets of tools, like data visualization, are appearing alongside traditional ones like data analytics.</li></ol><p>Overall, it is encouraging.</p><p>BUT ...</p><p>I am somewhat concerned (my key point) when I read about internal audit spending its limited resources (now including the use of sophisticated technology) to identify and assess the organization's risks.</p><p>Some of the profiled organizations conduct extensive interviews with many, many executives once a year.</p><p>First, I would prefer helping management improve their ability to identify and assess risk rather than internal audit taking on that task. </p><p>Teach them to fish instead of giving them fish.</p><p>After all, isn't this a management responsibility?</p><p>If management doesn't identify and assess risk effectively, then report that to the board as a serious issue rather than feeding a bad habit.</p><p>Second, risk is changing all the time. We must move toward a continuous audit plan based on a current understanding of the risks that matter to the organization.</p><p>That means that we have to find a way to leave the massive annual exercise behind and replace it, in conjunction with management, with a continuous process.</p><p>Technology should be part of the answer.</p><p>But technology for risk monitoring should belong to and be used by management!</p><p>There are times when internal audit should independently monitor risk — but let's not do it when we should be able to rely on management.</p><p>What is your opinion?​</p><p> <br> </p>Norman Marks01205
The Recovery Playbook Recovery Playbook<p>​Cyber resiliency is tod​ay's security emphasis, as organizations are pivoting toward becoming better prepared to respond to cyberattacks, rather than focusing primarily on preventing them. That strategy may have its merits, as organizations with more experience addressing past cyber incidents have more​ mature cybersecurity capabilities than other organizations, according to the latest Cybersecurity Poverty Index study from RSA.</p><p>​Perhaps no organization has greater combined experience in dealing with such incidents than the U.S. federal government. Now the U.S. National Institute of Standards and Technology (NIST) has compiled the best practices of the many federal agencies into a draft publication, <a href="" target="_blank">Guide for Cybersecurity Event Recovery</a> (Special Publication 800-184) (PDF).</p><p>The draft guidance fills a need to remedy inconsistencies in the way federal agencies respond to cyber incidents, which were documented in 2015 in the Cybersecurity Strategy and Implementation Plan. The draft is intended to help agencies develop a recovery plan built around a customized playbook. </p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​ <p> <strong>Framework Update Coming</strong></p><p>Changes are on the way for the NIST Framework for Improving the Critical Infrastructure Cybersecurity. The institute announced in June that it plans to update the Cybersecurity Framework in 2017 based on feedback from a December 2015 request for information and an April 2016 workshop. </p><p>That feedback covered the framework's "use, best practices, outreach, prospective updates, and governance," says Matthew Barrett, the NIST Cybersecurity Framework program manager. Barrett describes the revision as a minor update that "should not disrupt anyone's ongoing framework use."</p><p>The feedback also will lead to other NIST a​ctivities, including publishing a governance process for maintaining the framework, working with framework stakeholders, and providing outreach to business, regulatory, and other stakeholders. Moreover, the institute is developing a Cybersecurity Excellence Builder tool to aid organizations in assessing their cyberrisk management process.</p></td></tr></tbody></table><p>Planning plays a big part in developing a playbook for responding to a cyber event, the draft guidance notes. "Taking resiliency into consideration across the enterprise security life cycle, everything from planning technology acquisitions and developing procedures to executing recovery and restoration efforts, is critical to minimizing the impact of a cyber event upon an organization," according to the publication. To that end, organizations need to identify and prioritize critical systems in their recovery playbook, using processes such as threat modeling and evaluation of containment principles. Recovery plans should cover service-level agreements, management staff members with authority to activate the plan, recovery team members, recovery details and procedures, a communication plan, off-site storage details, operational workarounds, facility recovery details, and details about access to infrastructure, hardware, and software during the recovery process.</p><p>The guidance points out that recovery isn't just about the immediate response to an incident. It's also about continuously improving response capabilities, as the RSA study findings confirm. "Recovery should be utilized as a mechanism for identifying weaknesses in the organization's technologies, processes, and people that should be addressed to improve the organization's security posture and the ability to meet its mission," the NIST draft states.</p><p>To that end, organizations need to validate that the technologies, processes, and people that are part of recovery efforts are prepared to recover business operations from a cyber incident. This can be done by gathering input from participants, conducting exercises to test recovery capabilities, documenting lessons learned from previous incidents, and identifying weaknesses in technologies, processes, and people.</p><p>The guidance also recommends collecting metrics throughout recovery activities that can be used to improve the quality of recovery actions, fulfill reporting obligations, or share information. Metrics can be particularly helpful in assessing incident damage and cost, and improving risk assessments. "For well-defined and repeatable activities, metrics can help measure progress as well as provide valuable feedback to improve the activity," the draft points out. But gathering metrics also can hinder recovery activities when it's not clear which type of metrics to collect or when metrics could be misused in a way that gives a false sense of recovery. </p><p>In addition to describing these elements of a recovery playbook, the NIST draft includes an appendix detailing core components and controls that can support recovery. These are built around the five functions outlined in the NIST Framework for Improving the Critical Infrastructure Cybersecurity: identify, protect, detect, respond, and recover.​</p><p>​<br></p>Tim McCollum0433
Analytics and the Small Audit Department and the Small Audit Department<p>​Many small audit departments grapple with how to use analytics to audit more efficiently. The value added through analytics is regularly discussed in research, thought leadership, and industry publications. And most auditors would readily capitalize on an opportunity to do more with less. The challenge for those audit departments with constrained resources is not what to do, but rather how to go about doing it.  <br></p><p>Small audit shops can leverage analytics and use tools already in place to implement analytics within their audit functions, reducing the need for a potentially costly up-front investment. Many of the metrics historically used to measure business performance are analytics. Examples include variance analysis, benchmarking, return on assets, turnover (inventory, accounts receivable, employee), reorder points, credit limits, and even Benford’s Law. With this in mind, small audit functions that think analytics may not be within their grasp should reconsider.<br></p><h2>Getting Started</h2><p>Analytics can be used at various phases of the internal audit process, including the risk assessment process, macro-level audit planning, and micro-level audit planning. During risk assessment, analytical data can be used in combination with qualitative data to better understand and prioritize the organization’s risks. At the most basic level, analyzing financial and operational information, prior audit findings, and key performance indicators (KPIs) across the enterprise can be a useful tool in completing the risk assessment. At macro- and micro-audit level planning, analytical data can be used to assess specific controls and to examine existing and emerging risks. This will help determine specific areas of audit coverage and the extent of testing within each area. The size of the audit department should not be the only factor in determining whether to implement an analytics program, as there are analytic tools that can be used even by one-person audit departments.<br></p><p>With the right approach, moving analytics from concept to practice can be simple. As an internal audit department of any size begins using analytics in its audit process, an important first step is determining what it wants to understand. The analytics initiative must have clearly defined goals and performance measures. Further, internal auditors should critically assess the questions they need to ask to ensure they understand how the business objectives and operating cycle will impact the underlying data to be analyzed.<br></p><p>Organizations may have different responses to the same question. For example, “How does weather influence your organization?” will have different meanings and different outcomes, depending on the industry. Thunderstorms may drive ticket sales for movie theaters while they wreak havoc on energy providers. In addition, the time of year, day of week, time of day, and geographical location likely will impact how weather influences any organization. In this situation, there is no right or wrong answer — it’s what makes sense for the organization.  <br></p><p>There are numerous questions an internal auditor may want to answer with the analytics program, which should closely correlate with the specific objectives of the program, itself. Examples include, “How frequently are credit limits overridden?” as related to the order-to-cash cycle; “Is inventory turnover in line with historical and/or budgeted averages” related to the inventory cycle; and “Do company buyers have an over-reliance on key vendors?” related to the vendor management process.<br></p><h2>Potential Roadblocks </h2><p>Internal audit departments often fail to identify the correct data source for the data to be analyzed when beginning an analytics program. Selecting the wrong source could be detrimental to getting an analytics program up and running; therefore, a critical decision is determining which data sources are the most appropriate to address the questions being asked. Several ways to overcome such roadblocks are to review the preliminary data, determine whether there is anything in the data that raises questions, and ask questions to confirm and validate the accuracy of the data source. <br></p><p>Similar to validating the criteria used to assess the audit entity, auditors should validate that the data can be used to address audit objectives. To do this, understanding the business, including typical operating cycle and key drivers that influence relationships within the data, is critical. The ability to look beyond the data to understand what it does or does not represent (e.g., identifying all systems in which revenue/expenditure transactions are recorded and confirming data files being used contain both accurate and complete data for the entity being analyzed) and application of critical thinking skills also are important steps in steering clear of roadblocks. Finally, this often is an iterative process, in which there may be multiple conversations with the data and business process owners before determining whether the data source contains the specific information needed to answer the questions at hand. Simply asking, “Can this data be used to answer the audit objective?” will smooth the path not only for obtaining the data but also accepting analysis results.<br></p><h2>Brainstorming</h2><p>Although the fraud brainstorming process documented in the American Institute of Certified Public Accountants’ Statement on Auditing Standards No. 99 (SAS 99), Consideration of Fraud in a Financial Statement Audit, is not required for the internal audit process, research has demonstrated that it is an effective tool when used within the internal audit activity. While fraud is only one consideration of an analytics process, brainstorming should help identify key data and relations that should be evaluated.  <br></p><p>One starting point is reviewing significant audit reports from the prior year. For example, in analyzing audit reports with low ratings, and considering uncontrolled risk or ineffective controls, the auditor could identify potential data points that would improve monitoring of the process in question. Likewise, in analyzing audit reports with high ratings, the auditor could identify potential elements in the process-level risk management that could be leveraged for other processes.  <br></p><p>Another approach is asking management in risk assessment interviews, “What are the most important KPIs you are managing?” and follow-up questions such as, “What are the key variables that impact those specific KPIs?” Brainstorming during the internal audit planning process can identify additional factors that may impact those KPIs that are not already being considered. <br></p><p>Brainstorming also can be used in the evaluation of various company-generated reports to identify if there is information that may be further explored for additional insight. Financial statements and reports are great tools for understanding relationships in financial data and brainstorming where additional analysis may add value to the audit process. Other examples of using company-generated reports for brainstorming include evaluation of employee hiring and turnover reports as compared to historical and industry averages, review of inventory metric reports as compared to budget as well as prior year, and analysis of asset reports to consider whether the percentage of lost or stolen IT assets has increased or decreased.<br></p><h2>Analytic Methods </h2><p>Another important consideration for small audit departments is the analysis methods to be used. Some examples of analytic tools that can be used by small audit departments include correlation analysis, regression analysis, Benford’s Law, and visualization. Internal audit functions may already be using several of these tools, but they may not be commonly thought of in terms of analytics. When identifying desired relationships, the analytic method should be considered when identifying data and sources necessary to perform the analysis. The analysis that the auditor is interested in performing, and the extent of data available, will dictate the analytic method to be used and the tool that can assist in facilitating analysis. <br><br>Correlation analysis is the comparison of X and Y to see how they relate to each other. An internal auditor might use correlation analysis in a production process audit to measure the strength of the relationship between product defects and factory overtime. If the association is strong, the auditor might then use inquiry and observation to assess whether an overworked and stressed labor force is the cause of the defects, or perform regression analysis to predict future defects and then confirm the projection against actual defects that have occurred. This would allow the audit team to add some discussion of the coefficient of determination; namely, how much of the change in product defects is explained by the change in overtime. <br><br>Regression is the functional relationship between two or more correlated variables that is often empirically determined from data and is used especially to predict values of one variable when given the values of others. It can be used to evaluate the association between X and Y when a control exists for other known relationships. For example, in the event that overtime and employee turnover are both increasing, then regression analysis would provide for a more thorough analysis of what is causing the increase in defects. This would potentially allow for identification of changes, which may directly address the root causes and implementation of actions to bring the defect rate to an acceptable level.<br><br>Benford’s Law is a theory based on a logarithm of probability of occurrence of digits (pattern anomaly of leading digits). Benford’s analysis may allow small audit functions to more efficiently analyze revenue and expenditure transactions based on whether unexpected patterns exist within operations. Such analysis could be conducted across the entire organization, as well as within divisions or functions to identify additional risk concerns. This would be beneficial if there are specific data patterns associated with errors or potential fraud activities. One such example from M.J. Nigrini’s Forensic Analytics: Methods and Techniques for Forensic Accounting Investigations would be an analysis of organizational expenditures. Although on the surface we may expect the first (two) digits of invoices would have an equal likelihood of occurrence, according to Benford’s, the pattern of occurrence is not uniform, but a declining logarithmic pattern from 1 (10) to 9 (99). More specifically, the likelihood of “1” being the leading digit in a random number set would be 30.1 percent compared to 4.6 percent for the occurrence of “9” as the leading digit. Using Benford’s analysis to evaluate invoices would identify specific leading digits of transactions, which should be further investigated via substantive testing. While initial analysis may not identify fraud, it identifies potential transaction anomalies, which may be linked to inappropriate expenditures. <br><br>Visualization comprises graphs and charts that often tell a story that is not easily understood by looking at the data alone. The internal auditor might use visualization to analyze the number of lost or stolen laptops year over year to evaluate whether laptop theft/loss is increasing or decreasing. Perhaps even further, the auditor could determine whether there are certain locations or business units that are driving the trend. If the trend line shows the number is increasing, the auditor might investigate to understand the root cause for the increase, including evaluating the effectiveness of the controls in operation.<br></p><h2>Software Tools </h2><p><img src="/2016/PublishingImages/Analytics-maturity-classification.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Tools to perform computer-assisted audit techniques have improved and expanded capabilities during the past two decades. While the internal audit profession has traditionally considered such tools as analytic tools, there are many additional tools that can be used in analytics. However, during the initial phases of developing an analytics program, particularly for small audit departments that may have more limited budgets, it may be more valuable to use tools that are already in place within the organization. <br></p><p>One objective in the early phase of analytics is attaining small wins to make the case for expanding the use of analytics. In many cases, small wins can be more easily achieved when the investment cost is low. Given that Microsoft Excel remains one of the top analytical tools used by internal auditors, its versatility and ability to perform each of the previous analytic methods allows it to be a first step in implementing an analytics program. However, despite all of its flexibility, data limitations (Excel is limited to 1,048,576 records of data) may prevent the use of Excel during early stages of program implementation.<br>While starting small can produce early successes, it is critical to have an analytics plan that will allow internal audit to continue to improve its analytics capability. This should include a path that is scalable so the early successes can be built upon and not thrown away.<br></p><p>As the use of analytics matures and evolves, many organizations ultimately reach the continuous monitoring phase, in which process owners are responsible for continuous analysis of key risk areas (see “Analytics Maturity Classification” at right). Furthermore, team members will be much more likely to understand the broader software needs to expand the analytics processes. With greater understanding of functional needs, software selection may become a greater consideration, given the cost of the software as compared to the expected benefit to be received. <br></p><h2>Implementation Tips </h2><p>Despite rapid changes in technology, many audit functions have not significantly modified their audit process to keep up with the data available as a result. While change can be difficult, it often provides increased opportunity to maximize the value that internal auditors can contribute. Although this contribution may be a lengthy process, failing to implement analytics into the audit risk assessment, testing, and monitoring processes limits the value that can be provided. So whether it’s for the next risk assessment or audit, consider when, where, why, and how to use data in the process. Starting small is better than not starting at all. <br><br><span class="ms-rteStyle-Quote">Jared Soileau, CIA, CPA, CISA, is an assistant professor of accounting at Louisiana State University in Baton Rouge.</span><br class="ms-rteStyle-Quote"><span class="ms-rteStyle-Quote">Laura Soileau, CIA, CRMA, CPA, is a director in Postlethwaite & Netterville’s Consulting Department in Baton Rouge, La. </span></p>Jared S. Soileau13299
The Tech-savvy Auditor Tech-savvy Auditor<p>​According to The IIA’s 2015 Global Internal Audit Common Body of Knowledge (CBOK) Practitioner Study, 62 percent of CAEs report their departments use technology infrequently and rely primarily on manual systems. While electronic workpapers have a high usage rate, about half of all internal audit departments say they use data mining or analysis software only minimally or not at all. <br></p><p>Internal auditors also have weak IT backgrounds. Thirteen percent of CBOK respondents have completed higher education in information systems or computer science, just 10 percent hold ISACA’s Certified Information Systems Auditor (CISA) designation, and only 3 percent have an IT security certification.<br></p><p>That situation is not acceptable, because deploying technology and possessing IT knowledge are necessary components for internal audit to add value. A technology-oriented internal audit can provide internal support to software projects, identify weaknesses in data processing, and transfer data analytics know-how to operational functions. Adopting technology also can make audits more efficient.<br></p><h2>The Case for Technology</h2><p>The <em>International Standards for the Professional Practice of Internal Auditing</em> (<em>Standards</em>) requires internal auditors to be knowledgeable about IT risks and controls, as well as audit technologies. But sometimes internal audit’s inability to leverage technology is the result of a poor audit environment, rather than a poor department.<br></p><p>Take for example a small audit department that has not audited double payments to suppliers; variable data such as transaction and accounting data sets; or master data contained in product, price, and customer databases. After the department’s five auditors return to the office from a seminar about the use of big data analysis, the CAE proposes investing in a software tool. However, the company’s chief financial officer rejects the proposal, saying, “We have a functioning enterprise resource planning system that automatically identifies potential double bookings. Therefore, double bookings and double payments are impossible.” Knowing that double payments are always possible — costing the company an average of US$2,000 per case — the CAE plans a manual audit of suppliers’ invoices instead. <br></p><p>CAEs can cite three reasons to justify greater use of audit technology. First, technologies such as data analysis and continuous auditing are more efficient and effective than manual audits, resulting in faster audits, cost savings, satisfied clients, and measurable value.<br></p><p>Second, proactive use of data monitoring and analysis software can significantly cut fraud losses. According to the Association of Certified Fraud Examiners’ 2016 Report to the Nations, such software reduces median losses from reported fraud cases by 54 percent (from US$200,000 down to US$92,000) and cuts the duration of such cases in half (12 months compared to 24 months) compared to organizations without that software in place. <br></p><p>Third, new business risks such as big data, cyber threats, and digital services demand a higher level of audit technology in the next few years. Although a 2015 PricewaterhouseCoopers study predicted that audit technology such as data analytics would be one of four priority capabilities for the profession, its 2016 State of the Internal Audit Profession Study reveals that just 40 percent of internal audit functions use technology.<br></p><h2>Using Technology Better </h2><p>The biggest technology challenge internal audit faces is finding a way to improve its ability to use audit software. CAEs and IT audit managers can take several steps to achieve that objective.<br><br><strong>Demonstrate the Potential</strong> A broad base of theoretical and empirical data, experts’ opinions, and Standards requirements support the need and usefulness of technology-based auditing. It might be motivating for “technology-oriented auditors” to provide testimonials about their experiences in using audit software. For example, an expert could give a live presentation of advanced tips and tricks for using Excel, which many auditors may not have tried before. <br><br><strong>Training and Practice</strong> Internal auditors need adequate training to use the software. Training can include frequent practical IT challenges that must be fulfilled under supervision — such as extraction, set up, and analysis of files from databases — or joint audits in teams with experienced auditors. But training alone is not enough if the software is not used frequently to gain experience with it. Additionally, achieving certifications such as the Certified Internal Auditor or CISA can educate auditors about structured approaches for problem-solving such as IT models, standards, and best practices. <br><br><strong>Build Know-how</strong> Depending on the organization’s size, the internal audit department should consider establishing a data analytics center in-house. The center can enable auditors to share experiences with audit technology through workshops and practitioner seminars. Smaller organizations should at least have regular meetings with external experts to gain such knowledge. In addition, rotating business and operational auditors to perform technology audits can help them learn best practices in using audit software. <br><br><strong>Review Software Usage</strong> The process of investing in audit technology should not only follow a management decision, but also a review step. Some audit departments seldom use the software they purchase. Regular reviews of how the department uses audit technology can identify weaknesses and improve audit efficiency, such as reducing the time it takes to prepare data sets for analysis. Performing a software inventory check can locate and enable internal audit to leverage software the organization already has in place. <br><br><strong>Management Feedback</strong> If management is dissatisfied with the current use of audit technology, but is confident about the value that digital technologies can create for the organization, internal audit should discuss how it is using audit technology with management. Internal audit can demonstrate the monetary value of audit results created with audit technology. For example, recovering US$10,000 from three double payments identified using analysis software can easily exceed the amount the department spent on a software licence. <br></p><h2>An Effective Approach</h2><p>Internal auditors do not simply need more audit technology, but also a more effective approach to using those tools to deliver value. Internal audit can start by reviewing how — or whether — it uses the audit software currently in place. Next, it should create a plan for integrating audit technology more into daily audit work. Measures can encompass training, adjusting audit plans with a stronger focus on IT aspects, and identifying potential technology gaps, such as equipment or training. Finally, the department should monitor its use of technology to ensure performance improvement. <br></p>Hans-Ulrich Westhausen11986
The Always-on Supply Chain Always-on Supply Chain<p>​Robots, cloud computing, and other technologies are transforming supply chains, a recent study reports. More than half (52 percent) of supply executives say their organization will spend US$1 million or more on emerging technologies to enable digital supply chains in the next two years, a​ccording to the <a href="" target="_blank">2015 MHI Annual Industry Report​</a>. Twelve percent expect to spen​d at least US$10 million, and 3 percent will spend at least US$100 million, the report notes. </p><p>Deloitte interviewed 900 U.S. supply chain executives for the report, which was released in April at MHI's MODEX 2016 conference in Atlanta. MHI is a Charlotte, N.C.-based trade association representing the material handling, logistics, and supply chain industry.</p><p>"The 'always-on' supply chain has the potential to deliver massive economic and environmental rewards for our industry and society," MHI CEO George Prest says. "It can boost productivity and sustainability, drive new markets, encourage innovation, and create new, high-paying jobs."</p><h2>Eight Technologies</h2><p>The MHI report highlights eight emerging technologies that are having an impact on supply chain operations. </p><h3>Predictive Analytics </h3><p>This data-modeling technology can identify patterns that could enable organizations to predict consumer trends, inventory shortages, machine breakdowns, and other behavior and events. Thirty-seven percent of respondents say predictive analytics in the supply chain could provide a competitive advantage in their industry in the next 10 years, while 7 percent say it could disrupt their industry. The report forecasts the technology will experience the greatest growth, from 22 percent of responding organizations now to 80 percent in the next six to 10 years.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>Top Current Technologies</strong></p><ul style="text-align:left;"><li> <span style="line-height:1.6;">Cloud computing and storage – 45%</span><br></li><li> <span style="line-height:1.6;">Sensors and automatic identification – 44%</span><br></li><li> <span style="line-height:1.6;">Inventory and network optimization tools – 43%</span><br></li><li> <span style="line-height:1.6;">Robotics and automation – 35%</span><br></li></ul><p> <em> <br></em></p><p> <em>Source: MHI and Deloitte, 2016 MHI Annual Industry Report</em></p></td></tr></tbody></table><h3>Robotics and Automation </h3><p>The report notes these technologies are becoming "smarter" and less expensive, enabling organizations to use them for more "human-oriented" tasks, such as packaging, product inspections, and electronics assembly. More than half (51 percent) of respondents say robotics and automation could provide a competitive advantage or be a disruptive force in their industry.</p><h3>Sensors and Automatic Identification </h3><p>These technologies are vital to how the Internet of Things operates, with their ability to collect data from devices and communicate that data to users to aid in decision-making. There were 20 million sensors in operation in 2013, but industry advocates predict there could be 1 trillion sensors by 2022.</p><h3>Wearables and Mobile Technology </h3><p>Wearable technologies embedded in clothing, watches, and glasses can perform many tasks currently done by mobile phones and laptop computers, and can incorporate sensory and scanning capabilities those devices lack. The report notes wearables could "reshape how work gets done, how decisions are made, and how companies engage with employees, customers, and business partners." However, just 36 percent of respondents say these technologies could provide competitive advantage or disrupt supply chains.</p><h3>Driverless Vehicles and Drones </h3><p>Drone technology could aid in operations and logistics, such as monitoring functions, maintaining security, and providing data about a facility. Although new to the roadways, companies have used driverless vehicles for material handling for many years. Nearly 60 percent of respondents say these technologies are having some impact on supply chains, while 37 percent say they could provide a competitive advantage or disrupt supply chains.</p><h3>Inventory and Network Optimization Tools</h3><p>Organizations are using these decision-support tools to better deploy assets and position inventory, including transportation planning, production optimization, and inventory optimization. Nearly half of respondents (48 percent) say these technologies potentially could create a competitive advantage or disrupt supply chains. </p><h3></h3><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong style="line-height:1.6;">Future Forecast</strong> ​ <p> ​<br> </p><p>Predicted adoption of supply chain technologies in the next six to 10 years. </p><ul><li> <span style="line-height:1.6;">Inventory and network optimization tools – 90%</span><br></li><li> <span style="line-height:1.6;">Sensors and automatic identification – 87%</span><br></li><li> <span style="line-height:1.6;">Cloud computing and storage – 86%</span><br></li><li> <span style="line-height:1.6;">Predictive analytics – 80%</span><br></li></ul><p> <br> </p><p> <em>Source: MHI and Deloitte, 2016 MHI Annual Industry Report</em></p></td></tr></tbody></table><h3>Cloud Computing and Storage ​</h3><p>Cloud computing has become one of the most deployed technologies for supply chains, with 45 percent of respondents saying they have it in place. Companies are using the cloud to support data sharing with business partners, use staff resources more efficiently, and adapt to changing business needs. However, only 25 percent of respondents say it could be a competitive advantage, and only 4 percent consider cloud computing to be potentially disruptive to supply chains. </p><h3>3D Printing </h3><p>This technology uses 3D model data to build objects, which can enable businesses to create designs that might be difficult to make using traditional manufacturing methods. Despite the promise of faster and cheaper product design and development, only 17 percent of respondents say the technology could provide a competitive advantage. Just 48 percent of respondents say their organization will deploy 3D printing in their supply chain in the next six to 10 years.</p><h2>Overcoming Barriers</h2><p>Despite the transformative promise of these technologies, businesses face significant challenges to adopting them, the report states. Chief among these are a lack of a clear business case to justify investment (43 percent), lack of staff with skills to use the technology effectively (38 percent), and a risk-averse culture (35 percent). </p><p>To prepare to deploy new supply-chain technologies, respondents say their organizations are training staff to use them (56 percent), partnering with vendors to understand the benefits (46 percent), changing their organizational structure and incentives (43 percent), and increasing budgets (42 percent). Managing talent is chief among the report's recommendations to supply chain leaders. "The growth in digital, 'always-on' supply chains will only widen the talent gap that already exists in our industry," Prest says. "We need to train a new breed of supply chain professional who has technical, analytical, and problem-solving skills."</p><p>​<br></p>Tim McCollum0869
Defending From the Top From the Top<p>​​<span style="line-height:1.6;">Forty percent of board members and senior executives surveyed don't feel responsible for the repercussions of a cyberattack, according to a recent study, The Accountability Gap: Cybersecurity and Building a Culture of Responsibility. That lack of accountability contributes to their organization's vulnerability to such incidents, notes the report, which was sponsored by NASDAQ and security and systems management company Tanium Inc. Researchers at Goldsmiths at the University of London surveyed 1,530 nonexecutive board directors and C-level executives — including chief information officers (CIOs) and chief information security officers (CISOs) — from Denmark, Finland, Germany, Japan, Norway, Sweden, the U.K., and the U.S.</span></p><p>The reports defines cybersecurity vulnerability as a combination of awareness of risks and readiness to address those risks. By those metrics, just 10 percent of respondents' organizations are considered to have low vulnerability, while 80 percent are considered to have medium vulnerability. The remaining 10 percent deemed to be highly vulnerable are likely to encounter a crisis if they don't address cybersecurity risks quickly, the report observes.</p><p>In highly vulnerable organizations, 91 percent of nonexecutive directors say they can't interpret a cybersecurity report. Moreover, 98 percent of executives in those organizations aren't confident that their organization tracks all devices and users on their systems. </p><p>"If the potential impact of cyberrisk is high, and you do not treat it as an enterprise risk … you are remiss in terms of how you are operating as a board and you have a potential oversight gap," Eric Brown, Tanium's chief financial and operating officer, says in the report.</p><h2>Awareness and Readiness</h2><p>The Knowledge Gap report identifies seven factors that may affect cybersecurity vulnerability. The first four are related to awareness.</p><p><strong>Cyber literacy.</strong> The lack of cyber literacy is most prevalent among nonexecutive directors. For example, 59 percent of U.S. nonexecutive directors consider themselves cyber-literate, compared to 77 percent of C-level executives and 78 percent of CIOs and CISOs. The report notes that directors in high vulnerability organizations seldom get updates on cyberthreats and only half of them receive cybersecurity training. The report suggests that such training should include case studies.</p><p><strong>Risk Appetite.</strong> Sixty-eight percent of respondents' organizations have assessed the likely losses from a cyberattack, but just 13 percent of highly vulnerable organizations have done so. "Low vulnerability respondents are nine times more likely than high vulnerability respondents to be aware of and understand the implications of a breach," the report points out.</p><p><strong>Threat Intelligence.</strong> Organizations need to monitor and communicate the most current cyberthreat information to executives and the board in an accessible way such as through a real-time dashboard, the report recommends. Organizations should constantly assess their risks from the current threat landscape and evaluate whether their current measures are still adequate.</p><p><strong>Legislation and Regulation.</strong> Overall, two-thirds of nonexecutive directors surveyed receive regular briefings on cybersecurity legislation and regulatory changes, but directors at highly vulnerable organizations are 54 percent less likely to know about forthcoming regulatory changes and compliance requirements. Executives in the Nordic nations were most likely to be briefed regularly about government policy.</p><p>The three other challenges relate to cybersecurity readiness.</p><p><strong>Network Resilience.</strong> Organizations that can't identify all the devices and users accessing their network won't be able to manage their IT assets to ensure they are configured appropriately and have the most current patches, the report observes. Eighty-seven percent of respondents in high-vulnerability organizations don't consider their malware, antivirus software, and patches to be fully up-to-date. In addition, organizations need a defined IT change management process to minimize service disruptions and system downtime.</p><p><strong>Response.</strong> The report notes that only 10 percent of respondents in the most vulnerable organizations know about the appropriate actions that need to be taken to prevent, detect, and neutralize cyberthreats. Recently, many organizations have begun shifting from a prevention-based strategy to one of rapid detection and response, which is reflected in The IIA's recent North American Pulse of Internal Audit report's emphasis on "cyber resiliency." </p><p><strong>Behavior.</strong> At the least vulnerable organizations, all respondents report they understand the risks employees pose to their systems; just 17 percent of respondents from the most vulnerable organizations understand this. The report recommends organizations shift the focus of cybersecurity awareness to acknowledge that cybersecurity is everyone's responsibility, rather than just an IT or information security job.​​</p><h2>Not Just for Techies</h2><p>That emphasis on organizationwide accountability for cybersecurity starts at the top. Where boards and executives previously may have deferred cyberrisk to their IT experts, the report stresses that organizations whose board and senior management are accountable for cybersecurity are most prepared to address cyber incidents successfully.</p>Tim McCollum01516
Internal Audit Should Be on Alert for "Phishy" Business Audit Should Be on Alert for "Phishy" Business<p>​It is no longer news that cybersecurity is one of the top risks facing organizations today. Cyber criminals are exhibiting increasingly ingenious tactics to hack public and private databases that contain millions of individuals' private records.</p><p>Organizations globally are working diligently to gird themselves against these increasingly sophisticated cyberattacks and developing crisis management plans to deal with any attacks that succeed. Yet there is a growing threat from cyber criminals that requires little more than access to the Internet, a bit of brazen ingenuity, and the hope that some overworked finance executives might not be on their toes. I'm talking about a basic email scheme that has resulted in billions of dollars in business losses.</p><p>Earlier this month, the U.S. Federal Bureau of Investigation (FBI) posted an alert about the ubiquitous "phishing" scheme where a cyber criminal poses as a company executive and directs an employee — typically someone in finance — to initiate an emergency wire transfer. According to the alert, this simple scam recently led to "massive financial losses" in the Phoenix, Ariz. area in the U.S., and the number of overall victims it has claimed has jumped 270 percent since January 2015. Indeed, there were nearly 18,000 identified victims of business email compromise scams between Oct. 2013 and Feb. 2016, with losses topping USD$2.3 billion, according to the FBI.</p><p>This is not just a U.S. problem. Law enforcement has received complaints from victims in at least 79 countrie​​s.</p><p>No business is immune from becoming a target. Victims reporting thefts to the FBI's <a href="">Internet Crime Complaint Center</a> range from large corporations to tech companies to small businesses. Many times these "phishing trips" target businesses with foreign suppliers or those that use wire transfer frequently.</p><p>This type of scheme hit close to home this month when The IIA's chief financial officer (CFO) received a directive from what appeared to be my email account seeking an immediate wire transfer. She became suspicious and reached out to me before taking any action and confirmed the email did not come from me. However, this serves as a good example of just how easily these schemes can be put together.</p><p>Something as benign as LinkedIn can provide the names and email addresses of a company's CEO and CFO. All that remains is doing a little homework about the company and its financial practices, and a crafty cyber criminal can be rewarded with a major payday. According to the FBI, the average take in the Arizona scam was USD$50,000.</p><p>Internal auditors should be on the front line in protecting organizations from succumbing to these kinds of scams, and it shouldn't be a heavy lift for most audit functions. Here are some easy steps organizations can take to protect themselves:</p><div><ul><li>Establishing good governance practices on wire transfers, such as multilevel authentication (confirmation from at least two executives) and verifying vendor payment changes.<br></li><li>​Working with IT to coordinate further precautionary steps, such as intrusion detection systems that identify suspect email addresses.<br></li><li>Discouraging the use of free, Web-based email accounts for any official business, as these are more easily hacked.<br></li><li>Being careful when posting financial or personnel information on company websites or in social media posts.<br></li><li>Testing, testing, and retesting.​​<br></li></ul><p></p><p>This last tip is crucial in boosting employee sensitivity to suspect emails. A high-profile U.S. federal inspector general, who spoke at a recent IIA conference, said she routinely sends phishing emails to unsuspecting staff within her organization to test their compliance with rules about sharing sensitive information or clicking on inviting links embedded in emails.</p></div><p>I have written on several occasions that the pace of technological change has created ever-more-complex risks for organizations, and I've urged internal auditors to learn to audit at the speed of risk. The battle against email phishing schemes is the low-hanging fruit in that high-tech garden. A strong partnership with IT, effective governance practices, and a regimen of staff training and testing of those practices can significantly lower the risk of your organization becoming the next victim of an email phishing scheme.</p><p>I welcome your comments.</p>Richard Chambers03675
5 Steps to Agile Project Success Steps to Agile Project Success<p>​More and more organizations have been turning to the Agile methodology for their software development efforts. According to PricewaterhouseCoopers’ Global Portfolio and Programme Management Survey 2014, use of Agile has increased by 11 percent since 2012. At the same time, many internal audit functions are struggling with how to interact with Agile projects, especially those whose experience lies with more traditional, system development life-cycle (SDLC) controls. </p><p>Agile processes help project teams manage unpredictability through a focus on adaptive planning and rapid, flexible response to change. The Agile philosophy encompasses several iterative software delivery methodologies — including scrum, extreme programming, and feature-driven development — that emphasize a lean, interactive approach to product developm​ent. In fact, Agile is not confined to a single method of delivery — most organizations take a hybrid approach, drawing from multiple iterative development methodologies. The products to which Agile is applied typically emphasize making usable code available quickly to meet business needs. </p><p>Agile project management focuses on perceived value-add processes. The values that underpin this approach, as defined by the Agile Manifesto, specify that: a) individuals and interactions are more valuable than processes and tools, b) working software is a higher priority than comprehensive documentation, c) customer collaboration is more important than contract negotiation, and d) responding to change is preferable to following a rigid plan.</p><p>Auditors familiar with traditional SDLC controls will likely recognize that some of the Agile values conflict with more established methodology. The traditional controls are typically implemented “after the fact,” and they rely heavily on documentation — neither of which works well with Agile methodologies. To help close the gap between their knowledge of traditional models and the Agile method, internal auditors should consider five steps aimed at enhancing work with Agile teams. Following this approach, practitioners can help the team, and the organization, execute its compliance responsibilities effectively while making sure not to erode the value of Agile methodologies.</p><h2>1. Get Involved Early, Understand the Processes</h2><p>The earlier internal audit gets involved, the better. Working with Agile teams in the early stages of project development increases understanding of the project’s life cycle and its key benefits, drivers, and objectives. That understanding, in turn, enables internal audit to better contribute to the project as the team defines its risk management approach and strategy. </p><p>Before internal audit can begin scoping an Agile project, it has to understand the processes. Auditors should spend time with the process owners and ask them to explain their version of Agile. Although scrum is the most commonly used approach, auditors should never assume that scrum, or any other method, has been selected.</p><p>Numerous Agile variants exist, and some organizations even develop their own in-house methodology based on Agile’s core values. Several variants, in particular, are commonly encountered:<br></p><ul><li><p><strong>Scrum</strong> is often used interchangeably with Agile and focuses on the project management of the product or SDLC. The methodology emphasizes collaboration, functioning software, team self-management, and the flexibility to adapt to emerging business realities. Scrum is highly collaborative, often benefiting from cohabitation of resources.  </p></li></ul><ul><li><p><strong>Extreme programming (XP)</strong> is an Agile variant that focuses on the software engineering component of SDLC. The approach is best suited to small, focused teams and promotes simplicity of code. It features frequent releases in short development cycles, coding in pairs, and unit testing of all code. </p></li></ul><ul><li><p><strong>Lean development</strong> is a variant common to scrum that focuses on SDLC project management. Lean development’s roots are grounded in Lean manufacturing theories — the methodology consists of start-up, steady-state, and transition or renewal project phases.</p></li></ul><ul><li><p><strong>Crystal methods</strong> are a collection of various Agile-like methodologies focused on streamlined, optimized, integrated teams, with a specific method applied to each project depending on communication requirements, system criticality, and project priority. </p></li></ul><p>Other variants of Agile include hybrids such as feature-driven development, test-driven development, Waterfall-Agile, the dynamic system development model, and the Agile unified process. Internal auditors should make sure they understand the project methodology’s objectives, process controls, and documentation and process requirements before a risk management approach and strategy are defined. </p><h2>2. Assess Risk and Control </h2><p>Once the chosen methodology is understood, internal auditors should map out process control points — even if the project team doesn’t necessarily view them as controls. Two control points from the scrum methodology provide illustrative examples: <br></p><ul><li><p><strong>Product backlogs</strong> comprise the store of all user requirements in the form of stories that communicate what the end user should be able to do, and the benefits accruing from those features. A backlog, and variations of it, exists for every Agile project and should be available to everyone involved. Documentation such as test cases and results, as well as specifications, vary from team to team. If a product backlog can’t be produced, the auditor should inquire about it with members of the Agile team. </p></li></ul><p></p><ul><li><p><strong>Burn-up/burn-down charts</strong> are the primary tool many teams use for tracking their progress. They measure the total in-scope work, the amount of work that should have been completed by a particular time, and the work actually completed. In effect, the charts take the place of several traditional project controls and could be viewed as a type of earned value analysis. Such charts reveal where project efforts are focused, and where they should be focused, as well as help identify significant changes in scope. </p></li></ul><p>Once internal auditors develop an understanding of the inbuilt controls, they should examine the project’s inherent risk profile. While Agile development can provide significant benefits to a project — such as more frequent releases of code and better alignment between users’ needs and the finished product — it also introduces risks that need to be considered and managed correctly.</p><p>The traditional roles of business users, developers, testers, and IT experts have become more cross-functional and integrated to support leaner project teams and continuous delivery. Consequently, some of the traditional control gates may not exist as expected on Agile projects, particularly with regard to segregation of duties. That’s especially true in organizations that have adopted a development operations (DevOps) strategy. DevOps sees operations and development engineers working together throughout the life cycle, from design to production support.  </p><p>Auditors need to understand the project team’s approach to segregation of duties and code production, and examine controls within that approach. Agile processes should result in an increase in automation, including testing and approval, as opposed to traditional manual sign-offs. Internal audit must become familiar with those tools and processes as well as know how to interpret the outputs of automated systems and logs.</p><p>Auditors should also be mindful of the risk that Agile project iterations could become delayed by traditional functions such as change and release management. They should assess the project team’s ability to integrate with those functions, and raise issues related to interactions with them — including the functions’ ability to support rapid-delivery models.</p><p>Documentation issues may also present a risk. While Agile-delivery methodologies by their nature seek to generate less documentation than traditionally required, that doesn’t mean documentation should not exist. Auditors should work with the team to find the minimum documentation standard acceptable and determine whether the product backlog, or an extension of it, achieves the required level of comfort while still promoting Agile principles. </p><p>Lastly, one of Agile’s biggest benefits — its short turnaround cycles — also represents one of its inherent risks. The discipline’s iterative nature can make it difficult to realize the promised business value, if the effort’s scope is continually evolving. Agile teams need to put a mechanism in place that isolates the effort while still capturing future functionality in the product backlog. That functionality should then be turned into a separate effort that can be controlled independently.</p><h2>3. Know How Agile Teams Define Done</h2><p>One of scrum’s primary tenets states that teams following the methodology are self-organizing and self-directed, meaning that individual teams largely identify and implement their own standard practices and quality control metrics. And because quality measures can vary from one team to the next, differing notions of what constitutes project completion may exist. Examples of the Agile team’s methods for defining when a project is “done” include: <br></p><ul><li><p><strong>A code/configuration review process. </strong>The team may require many levels of solution-level reviews to confirm adherence to design or development standards, to promote optimized and sophisticated error logging and error handling, or to meet other required solution needs.</p></li></ul><p></p><ul><li><p><strong>Testing requirements.</strong> Different industries and their solutions may necessitate varying levels of testing standards and practices.</p></li></ul><ul><li><p><strong>Traceability.</strong> Many project teams apply the contents of the Agile Manifesto to promote a <em>document-free </em>process versus a <em>documentation-driven</em> process. However, a well-practiced Agile team can, for example, provide traceability that links working product features to requirements (user stories taken from an approved product backlog), design documentation, test evidence, and release strategy and documentation.</p></li></ul><p>Understanding the team’s definition of done leads to an entry point for a risk-based conversation about the effective use of Agile to deliver business value. The definition serves as a quality control mechanism, though it also acts to promote adherence to practices aimed at reducing risks associated with Agile development.</p><h2>4. Assemble the Right Skills</h2><p>Agile-based projects feature unique risks and control structures, and understanding them is crucial to the review process. Audit teams need to align the right expertise with planning and review activities, enabling practitioners to:<br></p><ul><li>Ensure a sound understanding of the problems and risks.</li></ul><p></p><ul><li>Establish credibility and confidence in the program team.</li></ul><p></p><ul><li>Build empathy with the delivery team.</li></ul><p></p><ul><li>Deliver practical, meaningful insight to the project team.</li></ul><p></p><ul><li><p>Provide actionable feedback that promotes more effective use of Agile without introducing additional business risk.</p></li></ul><p>Subject matter specialists with experience in both delivering and reviewing similar projects are also key to successful reviews. Specifically, auditors reviewing Agile projects should have more than a basic understanding of Agile processes, familiarity with the toolset being used, an understanding of how to extract and interpret the required information, and a grasp of the path to production that is being used by the project teams.  </p><p>Once the review team is in place, auditors should make sure their approach focuses on delivering value. In particular, they need to understand what the project team is trying to achieve and link audit activities to those aims. To achieve alignment, practitioners should consider an objectives-based audit program. Rather than reviewing compliance against a particular risk and issues template, for example, the team should determine whether the overall objective of “managing risks and issues effectively” has been met. Auditors may want to consider using an assessment framework that goes beyond control outcome.</p><p>Practitioners need to provide relevant, actionable, and timely feedback that will enhance the likelihood of project success. Moreover, reviews should not be limited to solution and delivery risk — practitioners may want to consider external and commercial risk and examine any corresponding mitigation strategies. These factors contribute to the likelihood of project success and may be critical to a meaningful review. Auditors should familiarize themselves with not only the expected controls outcomes of the project, but also the required technical and business outcomes, allowing for a more rounded view to be developed. </p><h2>5. Establish Reporting Parameters and Provide Real-time Feedback</h2><p>To deliver maximum value to the project team, auditors should explain the nature of the engagement and obtain agreement up front regarding how and when they will release reports. Is the review a formal internal audit, or is it a health check or other activity aimed at performance improvement? Will the reporting be delivered through standard channels or directly to the project’s governance structure? The answers to these questions guide the reporting for eventual review.</p><p>Internal audit and the business should also agree on the most efficient and practical reporting format. Agile projects run at high speed and in high-pressure environments — quite often, value can best be realized by near-real-time feedback. Timely, practical, and actionable reporting is key to Agile’s success. </p><h2>Relevance and Value</h2><p>As noted in PwC’s 2015 State of the Internal Audit Profession Study, internal audit functions that focus on adding value are outperforming other teams in terms of business alignment and talent models. Understanding a project’s objectives, as well as the risks associated with project methodology, helps enhance the value internal audit can deliver. The key is simple: Engage with teams early, understand what they’re doing, modify the approach as needed, and provide relevant feedback — all while helping the Agile teams and the organization better understand and control risk.</p>David Tilk03890
Advice for the Board and C-suite on New Technology for the Board and C-suite on New Technology<p>​There's an interesting new post on the Cutter Consortium ​Blog. Bu​​t first, I want to draw your attention to a more detailed discussion of disruptive technology in <em style="line-height:1.6;">McKinsey Quarterly</em>.</p><p> <a href="" target="_blank">"The Economic Essentials of Digital Strategy"</a> makes it clear that understanding and taking advantage of new technologies is essential for survival, let alone success.</p><blockquote><p>​These days, something of a mix of the fear of sharks and the thrill of big-wave surfing pervades the executive suites we visit, when the conversation turns to the threats and opportunities arising from digitization. The digitization of processes and interfaces is itself a source of worry. But the feeling of not knowing when, or from which direction, an effective attack on a business might come creates a whole different level of concern. News-making digital attackers now successfully disrupt existing business models — often far beyond the attackers' national boundaries:</p><ul><li> <span style="line-height:1.6;">Simple (later bought by BBVA) took on big-cap banks without opening a single branch.</span><br></li><li> <span style="line-height:1.6;">A DIY investment tool from Acorns shook up the financial-advisory business.</span><br></li><li> <span style="line-height:1.6;">Snapchat got a jump on mainstream media by distributing content on a platform-as-a-service infrastructure.</span><br></li><li> <span style="line-height:1.6;">Web and mobile-based map applications broke GPS companies' hold on the personal navigation market.</span><br></li></ul><p> <br> </p><p>No wonder many business leaders live in a heightened state of alert. Thanks to outsourced cloud infrastructure, mix-and-match technology components, and a steady flood of venture money, start-ups and established attackers can bite before their victims even see the fin. At the same time, the opportunities presented by digital disruption excite and allure. Forward-leaning companies are immersing themselves deeply in the world of the attackers, seeking to harness new technologies, and rethinking their business models — the better to catch and ride a disruptive wave of their own. But they are increasingly concerned that dealing with the shark they can see is not enough — others may lurk below the surface.</p></blockquote><p>The authors describe many of the ways in which new technologies can disrupt an existing business as well as provide exciting opportunities for the future. They suggest one way to analyze the threats and opportunity, which I suggest is well worth considering.</p><p>Turning our attention to the much shorter Cutter<i></i> piece, it is simpler and in some ways more practical. </p><p>In <a href="" target="_blank">"Advice to C-suite(rs) About​ 'Game-Changing' Technology,"</a> Dr. Stephen J. Andriole suggests three questions that members of the C-suite should ask about new and disruptive technology:</p><ol><li> <span style="line-height:1.6;">What's your technology plan?</span><br></li><li> <span style="line-height:1.6;">What game-changing technologies are you tracking?</span><br></li><li> <span style="line-height:1.6;">How will these technologies drive revenue and profit?</span><br></li></ol><p>The article expands on each of these questions with examples of how they might be answered.</p><p>While he doesn't say so, the goal is to ensure that the organization is not only aware of the potential for new technology to contribute to its success (typically in radical fashion, as in the McKinsey piece) but has plans on which it will act to realize the potential.</p><p>If an organization does not seize the opportunity presented by new technology, it can fall behind its competitors and, eventually, fail. Just think of Nokia, Research in Motion, and so many more.</p><p>These three questions are a good start.</p><p>Let's build on them.</p><ol><li> <span style="line-height:1.6;">What is your business plan — not just technology plan? Have you considered the potential for new technologies to change your objectives and strategies?</span><br></li><li> <span style="line-height:1.6;">Which game-changing technologies are you tracking — and why? Why are you not tracking others? How do you know you have identified all the possibilities?</span><br></li><li> <span style="line-height:1.6;">Are you considering uses for the technologies that are different from what others are doing? How best can each be used in your business? Is your plan driven by the technology leaders or are the business-unit leaders taking the lead?</span><br></li><li> <span style="line-height:1.6;">What are you going to do with your current technology? Will you keep and maintain it? Will you have the resources to do so? Can you eventually migrate to new platforms and capabilities?</span><br></li><li> <span style="line-height:1.6;">Do you understand the risk as well as the reward? Will you be able to manage one and seize the other? Are you introducing new cyber, compliance, reputation, or other risks, such as providing retail customers access to your systems or creating a risk that robots will fail?</span><br></li><li> <span style="line-height:1.6;">How will you measure success? Can you delay or back out if necessary?</span><br></li><li> <span style="line-height:1.6;">How will you modify your plans if yet another new technology emerges that renders your current plans obsolete?</span><br></li><li> <span style="line-height:1.6;">Have you involved your risk, compliance, and internal audit teams to ensure you get all the insight and advice you need? Are they helping as you develop the strategy or are they only brought in after decisions have been made?</span><br></li></ol><p>If an organization does not have its eyes on the potential threats and opportunities presented by new technology, both the risk and audit teams should be concerned. The risk to the organization of being blind to either should be brought to the attention of the board.</p><p>Do you agree? Is your company ready?​</p>Norman Marks01613
Cyber in Focus in Focus<p>​Boards and internal audit departments alike are making cybersecurity a business risk issue — not just an IT risk concern — according to Protiviti Inc.'s <a href="" target="_blank">2016 Internal Audit Capabilities and Needs Survey​</a>. Nearly three-fourths (73 percent) of the 1,300 internal auditors who responded to the survey say cybersecurity is part of the internal audit plan, up from 53 percent in 2015. </p><p>Organizations are feeling outside pressure to make cybersecurity a priority. The survey notes that 57 percent of respondents' organizations have received inquiries from customers and insurance providers about their cybersecurity readiness.</p><p>Respondents say their top cybersecurity risks include brand and reputational damage, leakage of employee personal information, security of company information, and business disruption. They report that earlier identification of cybersecurity risk issues and control problems provides the greatest value to addressing cyberrisk. Monitoring reputational risk and improving operational performance also contributed to cyberrisk efforts.</p><p>The Protiviti report warns that those known risks may be just "the tip of the iceberg," though. "To focus on what may be lingering below the surface, cybersecurity risk management strategies not only should be in place, but they also must be effective," it advises.</p><h2>Boards Make a Difference</h2><p>The survey report asserts that high board engagement and understanding of cybersecurity is a big success factor in addressing cyberrisks. Organizations whose boards have a high engagement and understanding are three times more effective at identifying (57 percent), assessing (55 percent), and mitigating (45 percent) cyberrisks than other organizations. </p><table cellspacing="0" width="100%" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;">​ <p> <strong>Top 10 Priorities</strong></p><p>Internal auditors responding to Protiviti's latest Internal Audit Capabilities and Needs Survey identifies these priorities for 2016:</p><ol><li>ISO 27000 (data security).</li><li>Mobile applications.</li><li>NIST Cybersecurity Framework.</li><li>Global Technology Audit Guide 16: Data Analysis Technologies.</li><li>The Internet of things.</li><li>Agile risk and compliance.</li><li>ISO 14000 (environmental management).</li><li>Data analysis tools for statistical analysis.</li><li>Country-specific ERM frameworks.</li><li>​Big data and business intelligence.</li></ol></td></tr></tbody></table><p>Yet, the percentage of respondents who say their boards are highly engaged decreased this year, from 30 percent in 2015 to 24 percent today. "When it comes to cybersecurity and auditing processes, the highest performing organizations have audit committees and boards who actively engage with the internal audit function during the discovery and assessment of these risks," says Brian Christensen, Protiviti's executive vice president, global internal audit, in Menlo Park, Calif. </p><p>Likewise, organizations that have included cybersecurity in the internal audit plan are somewhat better able to identify (30 percent), assess (27 percent), and mitigate (22 percent) cyberrisks. </p><p>In both cases, respondents say they are more confident in their organization's ability to prevent a data breach or a targeted external attack than organizations with less engaged boards or that have not included cybersecurity in their audit plans. Such organizations also are more likely to have a cyberrisk strategy and policies in place, and they tend to include cyberrisk in their overall risk assessment.</p><h2>Action Items</h2><p>The Protiviti survey proffers 10 actions that CAEs and internal auditors should take to address cybersecurity risks. Chief among them is working with management and the board to develop a cybersecurity strategy and policy, and finding ways to improve the organization's ability to identify, assess, and mitigate cyberrisk to an acceptable level. Other actions include:</p><ul><li> <span style="line-height:1.6;">Assessing and mitigating potential threats coming from the actions of employees or business partners.</span><br></li><li> <span style="line-height:1.6;">Heightening board awareness </span> <span style="line-height:1.6;">of cyberthreats and ensuring the board remains engaged in cybersecurity matters.</span><br></li><li> <span style="line-height:1.6;">Integrating cyberrisk in the audit plan.</span><br></li><li> <span style="line-height:1.6;">Understanding how emerging technologies and trends affect the organization's cyberrisk profile.</span><br></li><li> <span style="line-height:1.6;">Evaluating the organization's cybersecurity program against the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as well as ISO 27001 and ISO 27002.</span><br></li><li> <span style="line-height:1.6;">Communicating to management the importance of combining human and technology security.</span><br></li><li> <span style="line-height:1.6;">Advising management to make cybersecurity monitoring and cyber-incident response a top priority.</span><br></li><li> <span style="line-height:1.6;">Addressing IT and audit staffing and resource shortages and technology tool needs.​</span><br><br></li></ul><p>In addition to these actions, internal auditors may benefit from refining their cybersecurity-related skills, which are among the areas of general technical knowledge survey respondents say they need to improve.​</p>Tim McCollum02038

  • SCCE_July2016_Prem 1
  • MNP_July2016_Prem 2
  • GRC2016_July2016_Prem 3



5 Global Trends in Internal Auditing Global Trends in Internal Auditing2016-07-11T04:00:00Z2016-07-11T04:00:00Z
Six Steps to an Effective Continuous Audit Process Steps to an Effective Continuous Audit Process2008-02-01T05:00:00Z2008-02-01T05:00:00Z
Can Internal Audit Be the Canary in the Coal Mine? Internal Audit Be the Canary in the Coal Mine?2016-07-18T04:00:00Z2016-07-18T04:00:00Z
​​​Internal Audit, Risk Management, and Technology,-risk,-and-technology.aspx​​​Internal Audit, Risk Management, and Technology2016-07-19T04:00:00Z2016-07-19T04:00:00Z