Technology
Late to the Project (https://iaonline.theiia.org/2017/Pages/Late-to-the-Project.aspx)
<p>There's room for IT audit functions at the technology table, but most of them aren't involved in all stages of IT projects, the recent <a href="https://www.protiviti.com/insights/it-audit-benchmarking-survey" target="_blank">IT Audit Benchmarking Study</a> by ISACA and Protiviti Inc. reports. The two organizations surveyed 1,062 internal audit and IT audit leaders and professionals from organizations throughout the world for the study.</p><p>Nearly 90 percent of respondents say their organizations have implemented an IT system or application within the past three years. Process automation and improvements to core infrastructure were the most common projects, far outpacing initiatives involving business intelligence, customer user interfaces, and collaboration. Across all regions, respondents say most of these projects were successful. </p><p>That's not the norm for such projects, the report notes. It cites a study from consulting firm McKinsey and the University of Oxford that found that IT projects on average run 45 percent over budget and 7 percent over time, while delivering just 56 percent of the promised value.</p><p>IT auditors could be helpful in implementing projects more effectively. In the largest companies, 71 percent of IT audit functions are moderately (45 percent) or significantly (26 percent) involved in IT projects. The problem is they are most likely to be involved at the end of projects. Although 43 percent of respondents say IT audit is involved at the planning stage, 65 percent are involved in post-implementation — usually assessing how well the project has done. 
IT audit is less involved in design, testing, and implementation, when the bulk of the work is performed.</p><p>"There is an opportunity for organizations to derive more value from their major IT projects by engaging IT audit earlier rather than downstream in the projects," says ISACA Chairman Christos Dimitriadis, group director of information security for Athens, Greece-based gaming technology company Intralot. "With a solid foundation of assurance at the front end, organizations can have the confidence they need to be innovative and fast-paced in pursuit of their business goals."</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> <p> <strong>Top Business and Technology Challenges</strong></p><ol><li>IT security and privacy.</li><li>Infrastructure management.</li><li>Emerging technology and infrastructure changes.</li><li>Resource, staffing, and skills.</li><li>Regulatory compliance.</li><li>Budgets and cost control.</li><li>Cloud computing and virtualization.</li><li>Bridging IT and the business.</li><li>Project management and change management.</li><li>Third-party and vendor management.</li></ol><p>Source: ISACA and Protiviti Inc., IT Audit Benchmarking Study, 2017.</p></td></tr></tbody></table><p>In addition to post-implementation project reviews (51 percent), IT audits of major projects evaluated test phases (48 percent), project governance (48 percent), the project risk management plan (45 percent), system development life cycle (45 percent), the data conversion process (44 percent), alignment of project success measures to desired business outcomes (41 percent), the project plan (41 percent), and project requirements (40 percent). </p><p>The most significant risk factor respondents identified is frequency of updates to project goals and outcomes based on changing business requirements (26 percent). 
Other factors include goals that aren't clearly defined (17 percent), frequency of change in project specifications without formal assessments (14 percent), lack of a defined and documented project management methodology (13 percent), capabilities and skills of the project manager and team (12 percent), and level of employee turnover on project teams (7 percent).</p><p>Raising IT audit's profile within the organization could help it become more involved in projects, the report notes. A positive sign is that 55 percent of respondents say their organization's IT audit director regularly attends board meetings, up from 49 percent in last year's study. "Audit committee members, in particular, are seeking greater assurance around critical IT risks and controls," says Gordon Braun, managing director of Protiviti's IT audit practice. "Internal audit and IT audit leaders must be prepared to demonstrate audit coverage of key areas and articulate where the highest risks remain."</p><p>Increasingly, chief audit executives (CAEs) are becoming better able to provide assurance on IT risks, the report finds. Nearly three-fourths (72 percent) of respondents say their organization's CAE has sufficient knowledge to discuss IT audit matters with the audit committee.</p><p>But there is something missing from some organizations' IT operations: IT audit risk assessments. Most respondent organizations perform them, but they are lacking in 23 percent of organizations with less than US$100 million in revenue. Across all organizations surveyed, IT audit risk assessments typically are performed as part of internal audit's overall risk assessment. Most responding organizations update those assessments annually. Continuous assessments are most common in the largest (18 percent) and smallest (14 percent) organizations.</p>
Tim McCollum
Cyber Root Cause Alarm Bells Are Ringing (https://iaonline.theiia.org/blogs/marks/2017/Pages/Cyber-root-cause-alarm-bells-are-ringing.aspx)
<p><a href="https://www.tripwire.com/state-of-security/tripwire-news/new-research-highlights-top-cyber-attack-concerns-for-2017/" target="_blank">A new study by Tripwire</a> should be setting off your alarms.</p><p>The company surveyed 403 IT security professionals, the people who should know about the true state of information security or cyber at their organization.</p><p> <strong>90 percent of organizations lack the </strong> <span style="text-decoration:underline;"> <strong>skills</strong></span><strong> to address the full range of cyber threats!</strong></p><p>There have been repeated reports that information security experts are in high demand but low supply. This confirms the problem.</p><p> <strong>97 percent of organizations lack the </strong> <span style="text-decoration:underline;"> <strong>technology</strong></span><strong> they need to address the threats!</strong></p><p>If I were on the board and heard this, I would be questioning the executive team hard.</p><p>Other surveys indicate that the majority of executives know they have been hacked in the past and expect hackers to be successful in the future.</p><p>But do they know the true extent of the problem?</p><p>Do they know their defenses are down — and that their people don't have the ability to detect intrusions promptly?</p><p>When I took over the internal audit function at a company years ago, I was concerned by what I saw in the information security area.</p><p>Rather than audit the defenses, I had my team audit whether the company had the <strong>capability</strong> to build, maintain, and manage the defenses.</p><p>Key questions include:</p><ul><li>Do you understand the risk to the business (the consequences) if there is a successful intrusion? 
How will the objectives of the organization be affected? Can you and have you assessed cyber risk in business terms? How recent is that assessment?</li><li>Are you satisfied and if so why? If not, what are you doing about it?</li><li>Do you have the people to understand (on a continuing basis) and then address cyber risk?</li><li>Do they have the tools? Is that your opinion or theirs?</li><li>Is the voice of information security heard and listened to at senior and board levels?</li><li>Would a reasonable, prudent individual believe the risk to the organization is at an acceptable level, and will continue to be at an acceptable level over the next year?</li><li>How often is an <strong>objective</strong> assessment of information security performed and is it reliable? Are its recommendations acted on?</li><li>Does it still make sense to expect employees to handle cyber risk? Is it better to outsource it, and to what extent should we do that?</li></ul><p>I welcome your comments.</p>
Norman Marks
Data Mining (https://iaonline.theiia.org/2017/Pages/Data-Mining.aspx)
<p>The vast amount of data generated by business and the increase in data warehouses and legacy systems have created a treasure trove of information to be mined to draw meaningful insights regarding fraud indicators, emerging risks, and business performance. Companies such as Amazon, Facebook, Google, and Netflix are built on foundations of data exploration and mining.<br></p><p>Data mining, which includes text mining, is the discovery of information without a previously formulated hypothesis where relationships, patterns, and trends hidden in large data sets are uncovered. It involves using methods at the convergence of artificial intelligence, machine learning, statistics, and database systems. With the advent of big data, this niche-driven research discipline, developed in the 1980s, is now a powerful tool.<br></p><p>There are no roadmaps or directions in data mining. Instead, it requires thinking outside the box to come up with a range of scenarios. Questions like, “What are the risks?” “What opportunities exist for business improvements?” “How can this data be leveraged?” and “What fraudulent activities can occur?” can lead to developing algorithms.<br></p><h2>Data Mining Techniques</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>Examples of Data Mining</strong><br><br>Data mining can detect a range of fraud indicators such as bogus vendors, kickbacks, money laundering, insider trading, and claims fraud. <br><br>In a telecommunications audit, for example, a model can be built to show patterns of call destinations, duration, frequency, and time of day. Over time, when actual calls vary from expected patterns, it will alert internal audit to the possibility of fraud. 
<br><br>Outcomes also can indicate cost-saving opportunities, potential irregularities, and patterns worthy of further investigation. For example, in a procurement audit, using text mining that brings up common products and services may determine that there is an annual savings or discount to ordering cleaning supplies from one vendor instead of several vendors. <br><br>In a retail audit of a bank branch, a review of customer accounts can show single bank accounts converted to joint accounts, indicating marriage. Internal audit may recommend cross-selling mortgages and consumer loans to the joint account owners, which can grow branch profitability. <br><br>In a loan audit, nonperforming loans can be segmented to show different factors for loan failures. This can help guide the revamping of credit models and tightening of lending practices, which can reduce the number of nonperforming loans.<br></td></tr></tbody></table><p>The most common techniques used in data mining are predictive modeling, data segmentation, neural networks, link analysis, and deviation detection.<br><br><strong>Predictive modeling</strong> uses “if then” rules to build algorithms. For example, during a loan audit, auditors can create rules to show which customers in a specific age range (18-25, for instance) with balances exceeding US$5,000 are likely to default. <br><br><strong>Data segmentation</strong> involves partitioning data into segments or clusters of similar records. Also called <em>clustering</em>, this technique lets auditors see common factors underlying each segment. For example, a marketing audit can look at residents of urban neighborhoods and affluent areas where wealthier, older people live.<br><br><strong>Neural networks</strong> are a type of artificial intelligence that uses case-based reasoning and pattern recognition to simulate the way the brain processes, stores, or learns information. 
In fraud detection, neural networks can learn the characteristics of fraud schemes by comparing new data to stored data and detecting hidden patterns.<br><br><strong>Link analysis</strong> establishes links between records or sets of records. Such links are called <em>associations</em>. Examples include customers buying one product at a specific time and then a different product a few hours later or a vendor supplying a raw material and purchasing a byproduct. Or, in the case of a money laundering audit, identifying addresses that have many wire transfers attached to them.<br><br><strong>Deviation detection</strong> is pinpointing deviations from the observations or model worthy of further investigation. An example is detecting an unusual transaction on a credit or purchase card that does not fit the typical spending patterns of a cardholder, such as buying a refrigerator or booking a vacation on a company’s purchase card. <br></p><h2>Email Mining </h2><p>The rapid evolution of data mining techniques on unstructured or semi-structured textual data now provides opportunities for audit analysis. Mining this vast text field is a key tool in the internal auditor’s arsenal for fraud prevention and detection. Word searches using “kickback,” “bank account,” “funds,” “money,” and “override” could uncover fraud, while words such as “flowers,” “anniversary,” “chocolate,” “gift,” “bar,” and “drink” could indicate office romances that breach a company’s code. <br></p><p>Analysis of email logs can uncover key information about employees’ interests, activities, and behaviors. Email contents might include potential evidence of fraud and issues of audit concern. For instance, emails from an employee to customers when the employee does not hold a position that normally communicates with customers would be a red flag.<br></p><p>Emails might contain an exchange of information between parties that can provide evidence of a wide range of managerial fraud. 
Also embedded in email contents might be issues relating to breaches of compliance requirements and their cover ups, privacy matters, and theft of intellectual property. As emails pass through gateways, they are easy to archive, index, categorize, and monitor for keywords.<br></p><h2>Social Network Analysis</h2><p>Analysis of employees’ Facebook, LinkedIn, and Twitter accounts explores relationships or networks between email senders and recipients. Social network relationships may presage kickbacks or collusion between employees and third parties. Within this context, social media analytics is a tremendous tool. However, consideration should be given to such key risks as security, privacy and confidentiality, loss/theft of intellectual property and trade secrets, and legal and compliance. <br></p><h2>Data Mining Tools </h2><p>Data mining can be performed with comparatively modest database systems and simple tools or off-the-shelf software packages. Microsoft Excel has a wide range of functions that can be used in data mining without the hours of training required for other programs. Generalized audit software and server database software also are formidable data mining tools.<br></p><h2>Raising the Bar</h2><p>Data mining demands considerable time, serious commitment, a new mind-set, and new skills. Delays in getting the data, uncooperative management, time spent understanding the data, and scrubbing it are additional challenges. Data mining raises the bar on what can be achieved by addressing issues beyond the reach of traditional analysis techniques. It is more than running complex queries on large data sets. Internal auditors must work with the data to have it reorganized and cleansed, and identify the format of the information based on the technique or analysis they want to use. Data mining increases audit coverage, and with the internet and computer-assisted audit tools, auditors should be limited only by their imaginations. <br></p>
Lal Balkaran
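Two of the techniques the article names, deviation detection (the purchase-card example) and link analysis (the money-laundering example of addresses with many wire transfers attached), carried out in code. This is an added example, not the article's own code or any audit software's; the transactions, accounts and addresses are constructed, and the thresholds (2.5 standard deviations, three distinct originators) are assumptions an auditor would tune to the data set.

```python
"""Added example: deviation detection and link analysis on constructed data.

* detect_deviations: flag purchase-card transactions far outside the
  cardholder's own spending baseline (the refrigerator-on-a-company-card case).
* link_addresses: find beneficiary addresses shared by many distinct
  wire-transfer originators (the shared-address money-laundering indicator).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed purchase-card transactions: (cardholder, merchant category, amount in USD).
CARD_TXNS = [
    ("alice", "fuel", 45.0), ("alice", "fuel", 52.0), ("alice", "meals", 38.0),
    ("alice", "meals", 41.0), ("alice", "fuel", 49.0), ("alice", "office", 60.0),
    ("alice", "appliances", 1450.0),          # a refrigerator on a company card
    ("bob", "travel", 410.0), ("bob", "travel", 380.0), ("bob", "travel", 455.0),
    ("bob", "meals", 75.0), ("bob", "travel", 430.0), ("bob", "meals", 64.0),
    ("bob", "travel", 1900.0),                # a vacation-sized booking
]

# Constructed wire transfers: (originating account, beneficiary name, beneficiary address).
WIRES = [
    ("ACC-001", "J. Smith", "12 Harbour Rd"),
    ("ACC-002", "K. Jones", "12 Harbour Rd"),
    ("ACC-003", "L. Brown", "12 Harbour Rd"),
    ("ACC-004", "M. Green", "12 Harbour Rd"),
    ("ACC-005", "N. White", "7 Elm St"),
    ("ACC-005", "N. White", "7 Elm St"),     # same originator twice: not a new link
    ("ACC-006", "O. Black", "90 Pine Ave"),
]


def detect_deviations(txns, z_threshold=2.5, min_history=5):
    """Return (holder, category, amount, z) for transactions whose amount is
    more than z_threshold standard deviations above the holder's baseline.

    The baseline for each transaction is built from the holder's *other*
    transactions (leave-one-out), so one very large outlier cannot inflate the
    standard deviation enough to hide itself. Holders with fewer than
    min_history transactions are skipped: too little data for a baseline.
    """
    by_holder = defaultdict(list)
    for holder, category, amount in txns:
        by_holder[holder].append((category, amount))
    flagged = []
    for holder, rows in by_holder.items():
        if len(rows) < min_history:
            continue
        for i, (category, amount) in enumerate(rows):
            others = [a for j, (_, a) in enumerate(rows) if j != i]
            mu, sigma = mean(others), pstdev(others)
            if sigma == 0:          # identical history: no spread to measure against
                continue
            z = (amount - mu) / sigma
            if z > z_threshold:
                flagged.append((holder, category, amount, round(z, 1)))
    return flagged


def link_addresses(wires, min_originators=3):
    """Group wires by beneficiary address and return {address: [originators]}
    for addresses linked to at least min_originators distinct originating
    accounts. Counting distinct originators rather than transfers avoids
    flagging one legitimate payee that simply receives recurring payments."""
    links = defaultdict(set)
    for originator, _beneficiary, address in wires:
        links[address].add(originator)
    return {addr: sorted(accts) for addr, accts in links.items()
            if len(accts) >= min_originators}


if __name__ == "__main__":
    for row in detect_deviations(CARD_TXNS):
        print("deviation:", row)
    for addr, accts in link_addresses(WIRES).items():
        print("shared beneficiary address:", addr, accts)
```

Both functions return findings rather than printing them, so the same code can feed a working-paper export; in practice the thresholds are the auditor's judgment and should be recorded alongside the results.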
Principles of Cyber Oversight (https://iaonline.theiia.org/2017/Pages/Principles-of-Cyber-Oversight.aspx)
<p>Most corporate boards of directors discuss cybersecurity regularly, but less than half are confident that their company is appropriately secure against a cyberattack, according to the National Association of Corporate Directors' (NACD's) 2016-2017 public- and private-company governance surveys. These findings point to the challenges boards face in guiding their companies through the perils of cyberrisk, as outlined in the <a href="https://www.nacdonline.org/cyber" target="_blank">NACD Director's Handbook on Cyber-risk Oversight</a>. </p><p>Attackers seek to cash in by targeting business plans, intellectual property, trade secrets, customer and employee personal information, and financial data, the handbook notes. Other nations also are a threat. "The cyber threat picture continues to become more challenging with nation-state attacks against both public and private sectors," says handbook author Larry Clinton, president and CEO of the Internet Security Alliance (ISA), a Washington, D.C.-based cybersecurity trade association.</p><p>In response, corporate boards are paying greater attention to cyberrisks, NACD President and CEO-elect Peter Gleason says. "Directors don't need to be technologists to play an effective role in cyberrisk oversight — but every board can take the opportunity to improve the effectiveness of their cyber-oversight practices," he says.</p><p>The updated handbook provides recent information on cyber threats, legal developments, and statistics on board oversight practices. It outlines five principles for effective oversight of cyberrisk.</p><p> <strong>1. An ERM Issue</strong></p><p>The handbook implores boards to approach cybersecurity as an enterprise risk management issue, rather than an IT concern. As such, directors should address it from strategic, cross-departmental, and economic perspectives. 
For most publicly listed companies (51 percent), cyberrisk oversight falls on the audit committee, but nearly all directors (96 percent) surveyed say the full board takes on the big picture risks that could impact their company's strategic direction, according to the 2016-2017 NACD Public Company Governance Survey.</p><p>Cyberrisk is magnified by the interconnections an organization has with its customers, affiliates, and suppliers, as well as the growing use of cloud computing and links to national critical infrastructure. "Progressive boards will engage management in a discussion of the varying levels of risk that exist in the company's ecosphere and take them into consideration as they calculate the appropriate cyberrisk posture and tolerance for their own corporation," the handbook advises.</p><p> <strong>2. Legal Implications</strong></p><p>The second principle calls on directors to understand the legal implications cyberrisks pose for their organization. Laws and regulations related to cyberrisk are complex, covering privacy, disclosure requirements, and infrastructure protection, the handbook points out. "Boards should stay aware of current liability issues faced by their organizations — and, potentially, by directors on an individual and collective basis," the handbook stresses. </p><p>Considerations of particular importance are maintaining board minutes that reflect the board's discussions of cybersecurity, and public disclosure and reporting requirements related to cyberrisk. </p><p> <strong>3. Discussion and Expertise</strong></p><p>The third principle addresses two concerns. It calls on boards to make cyberrisk a regular part of their agenda, with adequate time allotted. It also acknowledges that directors may need access to cyberrisk expertise. 
NACD's research bears these points out: Nearly 90 percent of public company directors surveyed say their board discusses cyberrisk regularly, yet only 14 percent say the board has a high level of knowledge of cyberrisks. </p><p>The most common board cyberrisk oversight practices are reviewing the company's approach to protecting its most critical assets (77 percent) and reviewing the technical infrastructure used to protect those assets (74 percent).</p><p>Although there have been calls for boards to add cyberrisk experts as directors, this might not be appropriate for all companies, the handbook states. Other strategies for tapping into expertise include briefings with outside experts, consulting with external auditors and outside counsel to gain an industry and "multiclient" perspective on risk trends, and participating in director education programs.</p><p> <strong>4. Cyberrisk Framework</strong></p><p>The fourth principle urges directors to expect management to establish an enterprisewide cyberrisk management framework. The handbook specifically discusses the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework, which was issued in 2014. The framework recommends that organizations assess their cybersecurity program along a four-tier scale progressing from 1) partial to 2) risk-informed, 3) repeatable, and 4) adaptive. </p><p>In addition, the handbook recommends organizations adopt an integrated cyberrisk management approach developed by the ISA. Key components include establishing ownership of cyberrisk on a cross-departmental basis, appointing a cross-organization cyberrisk management team, performing an enterprisewide risk assessment, developing an organizationwide cyberrisk management plan, and allotting sufficient financial resources.</p><p> <strong>5. 
Risk Actions</strong></p><p>The final principle advises boards to discuss with management how to make cyberrisk decisions about which risks to avoid, accept, mitigate, or transfer through insurance. "As with other areas of risk, an organization's cyberrisk tolerance must be consistent with its strategy and, in turn, the resource allocation choices," the handbook states. </p>
Tim McCollum
A Winning Pair (https://iaonline.theiia.org/2016/Pages/A-Winning-Pair.aspx)
<p>We’ve all seen the advertisements for the latest and greatest home security systems. Yet despite all of their bells and whistles and the good they may do, security systems are useless if we forget to set the alarm. The technology and the person using it must work simultaneously to achieve the best results. In much the same way, governance and automation can be complementary, but they are not substitutes for each other. In some cases, automation may be used to force process steps and monitor actions, but a company cannot automate its way to compliance. Even the most sophisticated automated processes often contain at least an interface with what is usually the factor of greatest risk — the human being. Governance is a tool to help bridge the gap. </p><p>Take cybersecurity, for example. The Center for Internet Security’s Critical Security Controls calls for a defense-in-depth model to help prevent and detect malware. The intent is to use multiple tools, each specializing in different protections such as access control, intrusion protection/detection, malware identification, and vulnerability scanning. These products are “layered,” with each tool testing some aspect of the communication, usually with the ability to block or send alerts on questionable traffic. Only if the message passes through all appropriate gates can it be delivered to its intended destination. This is no inexpensive proposition. A company’s spending on cybersecurity may reach tens of millions of dollars.</p><p>And despite automated defenses, proactive technology tools, and the money, time, and resources invested, organizations remain at risk. Phishing, where a party with harmful intentions uses methods such as enticing emails to get recipients to click a link, is a prime example. 
The code behind the associated link may load malware onto the user’s machine, capturing login credentials, and spreading malware throughout the network. The intruder now has the same access as that of the victim and will seek elevated access privileges. All it takes is one person clicking one link containing malware in one email to infect the system.  </p><p>Governance can be effective in bolstering the line of defense. A sound policy, employee education, and monitoring for enforcement are all critical facets of such a program. Internal auditors should be looking for governance in all the right places.</p><p>The auditor should determine whether the organization has defined the level of risk it is willing to assume and whether there is a current risk profile. By identifying risks, mitigation activities in place, and residual risks, the organization can determine its current position. The auditor can then compare the risk appetite to the risk profile. Where the residual risk is too high, the organization can brainstorm alternatives and assess the cost/benefit of each. Results are likely to identify high-risk areas where automation alone cannot bridge the gap or is too costly to implement.</p><p>For those actionable items, ensuring good governance may be the best option. Access control is one example. When an employee or contractor is terminated, particularly for cause, access to systems and facilities must be removed immediately. While it is possible to automate access deactivation, the process must be initiated by a human interface. Having a policy that assigns responsibility for this function is best practice. </p><p>There must be widespread awareness and understanding of the policy and a sense of urgency and ownership in carrying it out. As the termination procedure may not be a frequent occurrence, reminders to all managers and inclusion in manager on-board training are necessary. Also, it’s imperative that human resources have this process top of mind. 
</p><p>A robust awareness program also contributes to driving behaviors. Executive behavior is key, and employees must know what is expected of them. Repeated education can be effective, as many need reminders. Auditors may recommend computer-based training, lunch-and-learn sessions, posters, gamification, and other methods to improve retention and reinforce desired behavior. </p><p>Finally, there is a need to monitor for desired behavior. While many factors can be monitored electronically, governance still plays a role. The auditor can determine whether there are policies for monitoring employee behavior. Has there been a discussion with the legal department regarding an employee’s expectation of privacy? If employees should not have an expectation of privacy regarding company property, computerized activity on company networks, etc., have they been notified? The auditor may want to recommend a banner on the login page of the company’s systems.</p><p>Just like installing a home security system and remembering to use it, governance and automated controls should be complementary. Auditors can help companies see how a balance is needed. Desired behavior must be governed from the top, embraced by management, and exercised by all. </p>
Debbie Shelton
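The access-control example above (terminated employees whose access must be removed promptly, a step that automation can execute but a person has to trigger) is exactly the kind of control an auditor tests by reconciling the HR leaver list against the accounts that are still enabled. The following is an added example, not code from the article or from any HR or directory product; the roster, the account export, the one-day grace period and the as-of date are all constructed assumptions.

```python
"""Added example: reconcile an HR leaver list against enabled accounts to find
access that should have been removed. All data below is constructed; a real
run would take an export from HR and one from the directory or application."""
from datetime import date

# Constructed HR roster: employee id -> (name, termination date or None if still employed).
HR_ROSTER = {
    "E100": ("Ana Ortiz", None),
    "E101": ("Ben Lau", date(2016, 9, 30)),
    "E102": ("Cara Hill", date(2016, 10, 14)),
    "E103": ("Dan Reyes", date(2016, 10, 20)),
}

# Constructed account export: username -> (employee id or None, enabled?, last login).
ACCOUNTS = {
    "aortiz":     ("E100", True,  date(2016, 10, 21)),
    "blau":       ("E101", True,  date(2016, 10, 3)),   # left 30 Sep, still enabled, used afterwards
    "chill":      ("E102", False, date(2016, 10, 13)),  # correctly disabled
    "dreyes":     ("E103", True,  date(2016, 10, 19)),  # left yesterday: inside the grace period
    "svc_backup": (None,   True,  date(2016, 10, 21)),  # no HR owner recorded at all
}

# Constructed "today" for the reconciliation.
AS_OF = date(2016, 10, 21)


def find_stale_access(roster, accounts, as_of, grace_days=1):
    """Return (username, reason) findings an auditor would raise:

    * an enabled account whose owner left more than grace_days ago;
    * an account used (last login) after its owner's termination date;
    * an enabled account with no HR owner, which nobody is responsible for
      deactivating when circumstances change.
    Disabled accounts and accounts of current employees produce nothing.
    """
    findings = []
    for user, (emp_id, enabled, last_login) in sorted(accounts.items()):
        if not enabled:
            continue
        if emp_id is None or emp_id not in roster:
            findings.append((user, "enabled account with no HR owner"))
            continue
        _name, term = roster[emp_id]
        if term is None:
            continue                      # current employee: nothing to remove
        if last_login is not None and last_login > term:
            findings.append((user, "used after termination date"))
        days_open = (as_of - term).days
        if days_open > grace_days:
            findings.append((user, "still enabled %d days after termination" % days_open))
    return findings


if __name__ == "__main__":
    for user, reason in find_stale_access(HR_ROSTER, ACCOUNTS, AS_OF):
        print("%-12s %s" % (user, reason))
```

The "used after termination date" test is the one that matters most in a review: an account that is merely still enabled is a policy failure, but one that was actually logged into after the leaver's last day is evidence the control did not work when it was needed.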
An Important Cyberrisk Framework (https://iaonline.theiia.org/blogs/marks/2017/Pages/An-important-cyber-risk-framework.aspx)
<p>Perhaps the most important cyberrisk framework is that published by the U.S. National Institute of Standards and Technology (NIST). Recently, NIST shared for comment a proposed update to their framework.</p><p>You can <a href="https://www.nist.gov/cyberframework" target="_blank">download the document and view related videos here</a>.</p><p>Here are some key excerpts from the executive summary:</p><ul><li>Similar to financial and reputational risk, cybersecurity risk affects a company's bottom line. It can drive up costs and impact revenue. It can harm an organization's ability to innovate and to gain and maintain customers.</li><li>The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization's risk management processes.</li><li>The Framework enables organizations — regardless of size, degree of cybersecurity risk, or cybersecurity sophistication — to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.</li><li>The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks — different threats, different vulnerabilities, different risk tolerances — and how they implement the practices in the Framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks.</li></ul><p>Later, the authors say this:</p><p><span class="ms-rteStyle-BQ">"Enterprise risk management is the consideration of all risks to achieving a given business objective. 
Ensuring cybersecurity is factored into enterprise risk consideration is integral to achieving business objectives. This includes the positive effects of cybersecurity as well as the negative effects should cybersecurity be subverted."</span></p><p>There's a good amount of material to like.</p><ul><li>The framework is risk-based and talks about, in my words, investing in cybersecurity commensurate with the level of risk.</li><li>When it talks about risk, it is to the achievement of business objectives. They don't talk about protecting information assets, but rather drive to what is important to the success of the business.</li><li>It uses a maturity model (although it doesn't describe it as such) as a useful way to assess the effectiveness of the cyber program.</li><li>It makes the point that those responsible for the cyber program need to be at an appropriate level within the organization.</li><li>It emphasizes that the management of cyberrisk needs to be integrated within the broader enterprise risk management activity.</li></ul><p>However, there are a few areas where I would have liked to have seen more discussion.</p><ul><li>Appendix B is a list of objectives for the cyber program. However, in my opinion it is over-simplified and probably incomplete. For example, I do not see anything about protecting the organization from the effects of social engineering.</li><li>While detection is emphasized, the need for <em>timely</em> detection is not mentioned.</li><li>The framework mentions the need for continuous improvement and that cyberrisk is dynamic. However, the sea is constantly rising and defenses have to adapt at least as fast as the risk changes. Investment needs to be in resources that enable threats to be monitored and defenses upgraded continuously.</li><li>The task of assessing the likelihood of a breach is hardly covered at all. 
There is general acceptance of the fact that a breach is almost inevitable, so the emphasis perhaps should be on the likelihood of different degrees of impact. Past experience may not be a good indicator, as prior breaches may not have been detected — leaving management with the unjustified belief that the incidence of breach is lower than it really is.</li><li>The framework suggests that the organization should have an inventory of all assets or points on the network. However, with the extended supply chain plus the Internet of Things plus the fact that employees and other individuals are hacked as entry points, the problem is far more severe than is presented. I am not persuaded that an inventory can ever be considered complete.</li><li>While the framework talks about integration with the enterprise risk management program, it is important to note that cyber may be one of several risks that might affect the achievement of one or more business objectives. Decisions about acceptable levels of risk to an objective should consider all these risks, not just one. In other words, cyber and other risks to an objective may appear to be at an acceptable level individually, but the aggregate effect may be intolerable and require action.</li><li>The framework references the ISO 31000:2009 global risk management standard (curiously not the COSO ERM Integrated Framework) but defines "risk" in its own way. It also uses the term "risk tolerance" in its own way, inconsistent with that of COSO or ISO. (It is essentially the same as COSO's risk appetite).</li></ul><p>A framework is simply that, a framework that any organization can build out to suit its situation and needs.</p><p>I encourage everybody to consider the document, respond with suggestions for improvement, and perhaps use it to assess and then upgrade your organization's cyber program.</p><p>Your comments?</p>
Norman Marks
Must-have Controls for SMBshttps://iaonline.theiia.org/2016/Pages/Must-have-Controls-for-SMBs.aspxMust-have Controls for SMBs<p>​Although most cyber breaches reported in the news have struck large companies such as Target and Yahoo, small and mid-sized businesses (SMBs) suffer a far greater number of cyber incidents. These breaches often involve organizations such as local health-care providers or regional insurance brokers. Although the number of breached records an SMB may have is in the hundreds or thousands, rather than the millions, the relative cost of these breaches can be higher for SMBs because they may not be able to address the incidents on their own. <br></p><p>Many SMBs have limited or no resources committed to cybersecurity, and some don’t have an internal audit department to provide assurance. For these organizations, the questions are “Where should we focus when it comes to cybersecurity?” and “What are the minimum controls we must have to protect the sensitive information?” Internal auditors at SMBs can help answer these questions by checking that their organization has five essential cybersecurity controls. <br></p><h2>1. Scan the Network</h2><p>Regardless of the organization’s industry, SMBs must ensure their network perimeter is protected. The first step is identifying the vulnerabilities by performing an external network scan at least quarterly. SMBs can either hire an outside company to perform these scans, or they can license software to run the scans themselves. The scan scope should cover every internet-facing address the organization is responsible for, including cloud-hosted systems and remote offices; a scan that covers only the head-office address range understates the exposure. <br>Moreover, SMBs need a process in place to remedy the critical, high, and medium vulnerabilities within three months of the scan run date, while low vulnerabilities are less of a priority. Three months is an outer bound rather than a target: a critical weakness on an internet-facing system, particularly one for which exploit code is public, should be fixed in days, and a finding that reappears in consecutive quarterly scans should be escalated rather than treated as new. The fewer vulnerabilities the perimeter network has, the less chance that an external hacker will breach the organization’s network. <br></p><h2>2. Train Employees </h2><p>Educating employees about their cybersecurity responsibilities is not a simple check-box matter. 
SMBs not only need to implement an effective information security policy, they also need to ensure employees are aware of the policy and their responsibilities. The policy and training should cover:<br></p><ul><li>Awareness of phishing attacks.</li><li>Training on ransomware management.</li><li>Travel tips.</li><li>Potential threats of social engineering.</li><li>Password protection.</li><li>Risks of storing sensitive data in the cloud.</li><li>Accessing corporate information from home computers.</li><li>Awareness of tools the organization provides for securely sending emails or sharing large files.</li><li>Protection of mobile devices.</li><li>Awareness of CEO spoofing attacks.</li></ul><p><br></p><p>In addition, SMBs should verify employees’ level of awareness by conducting simulation exercises. These can be in the form of a phishing exercise in which SMBs send fake emails to employees to see if they will click on a web link, or a social engineering exercise in which a hired individual tries to enter the organization’s physical location and steal sensitive information such as passwords written near the computer screen.<br></p><h2>3. Protect Sensitive Information </h2><p>Management and internal audit should identify and protect the organization’s sensitive data. Even in small organizations, sensitive information tends to proliferate across various platforms and folders. For example, employees’ personal information typically resides in human resources software or with a cloud service provider, but through various downloads and reports, the information can proliferate to shared drives and folders, laptops, emails, and even cloud folders like Dropbox.<br></p><p>Internal auditors at SMBs should check that the organization has performed these tasks to make sure it has a good handle on the organization’s sensitive information:<br></p><ul><li>Inventory all sensitive business processes and the related IT systems. 
Depending on the organization’s industry, this information could include customer information, pricing data, customers’ credit card information, patients’ health information, engineering data, or financial data.</li><li>For each business process, identify an information owner who has complete authority to approve user access to that information.</li><li>Ensure that the information owner periodically reviews access to all the information he or she owns and updates the access list. The review should compare the approved list with what the system actually grants, including accounts belonging to people who have left the organization, rather than simply re-signing last year’s list.</li></ul><p></p><h2>4. Segment the Network </h2><p>Organizations should make it hard to get to their sensitive data by building layers or network segments. Although the network perimeter is an organization’s first line of defense, it should be assumed that the perimeter will eventually be penetrated. Internal auditors should check whether the organization has built a layered defense to protect its sensitive information. <br></p><p>Once the organization has identified its sensitive information, management should work with the IT department to segment those servers that run its sensitive applications. This segmentation will result in an additional layer of protection for these servers, typically by adding another firewall for the segment. The extra layer only helps if its rules are restrictive: deny traffic between segments by default, allow only the specific source systems and ports the application needs (for example, the application server to the database port, not the whole office network), and log what is denied so that an intruder probing the segment becomes visible. Faced with having to penetrate another layer of defense, an intruder may decide to go elsewhere in the network where less sensitive information is stored.<br></p><h2>5. Deploy Extra Protection for Endpoints  </h2><p>An organization’s electronic business front door also can be the entrance for criminals or bad actors. Most of today’s malware enters through the network but proliferates through the endpoints such as laptops and desktops. At a minimum, internal auditors at SMBs must ensure that all the endpoints are running anti-malware/anti-virus software that is kept up to date. Also, they should check that the software’s host-based firewall features are enabled. 
Moreover, all laptop hard drives should be encrypted, with the recovery keys escrowed centrally so that a lost or stolen laptop is a recoverable event rather than a reportable breach.<br></p><h2>A Stronger Defense</h2><p>In addition to making sure their organization has implemented these five core controls, internal auditors should advise SMB executives to consider other protective controls:<br></p><ul><li><em>Monitor the network.</em> Network monitoring products and services can provide real-time alerts in case there is an intrusion. </li><li><em>Manage service providers.</em> Organizations should inventory all key service providers and review all contracts for appropriate security, privacy, and data breach notification language.</li><li><em>Protect smart devices.</em> Increasingly, company information is stored on mobile devices. Several solutions can manage and protect the information on these devices. SMBs should make sure they are able to wipe the sensitive information from these devices if they are lost or stolen.</li><li><em>Monitor activity related to sensitive information.</em> SMBs should log activities against their sensitive information and keep an audit log in case an incident occurs and they need to review the logs to evaluate the incident. The log should be kept on a system separate from the one it records, so that an intruder who compromises the application cannot also erase the evidence.  </li></ul><p></p><p>Combined with the five essential controls, these controls can help SMBs reduce the probability of a data breach. But a security program is only as strong as its weakest link. Through their assurance and advisory work, internal auditors can help identify these weaknesses and suggest ways to strengthen their organization’s defenses. <br></p>Sajay Rai
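As an added example for the "Scan the Network" control in the article above (this is illustrative code, not the article's own material), the following Python tracks findings across two constructed quarterly scan exports, measures each finding's age from the scan that first reported it rather than from the latest scan, and flags critical, high and medium findings still open past the three-month deadline. The column names, hostnames, finding titles and the 90-day figure are all assumptions; a real scanner export needs its columns mapped to (host, port, title, severity) first.

```python
"""Track external-scan findings across quarterly scans and flag SLA breaches.

Added example for the 'Scan the Network' control; not code from the article.
Scan exports are constructed inline; real scanners use different column names,
so map them to (host, port, title, severity) before calling parse_scan.
"""
import csv
import io
from datetime import date

# Policy from the article: critical, high and medium findings remediated within
# three months (assumed here to mean 90 days) of detection; low is tracked only.
SLA_DAYS = {"critical": 90, "high": 90, "medium": 90}

# Constructed sample exports from two quarterly scans (not real scan data).
SCAN_Q1 = (date(2017, 1, 10), """\
host,port,title,severity
vpn.example.test,443,TLS 1.0 enabled,medium
mail.example.test,25,SMTP open relay,critical
www.example.test,80,Directory listing enabled,low
""")
SCAN_Q2 = (date(2017, 4, 12), """\
host,port,title,severity
vpn.example.test,443,TLS 1.0 enabled,medium
www.example.test,80,Directory listing enabled,low
www.example.test,443,Outdated web server version,high
""")
REVIEW_DATE = date(2017, 5, 1)  # assumed date of the auditor's review


def parse_scan(csv_text):
    """Return {(host, port, title): severity} for one scan export."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["host"], int(row["port"]), row["title"])
        findings[key] = row["severity"].strip().lower()
    return findings


def track_findings(scans):
    """Merge scans (any order) into a per-finding history.

    Each entry records the first and last scan dates on which the finding was
    seen, so age is measured from first detection, not from the latest scan.
    """
    history = {}
    for scan_date, csv_text in sorted(scans, key=lambda s: s[0]):
        for key, severity in parse_scan(csv_text).items():
            entry = history.setdefault(
                key, {"severity": severity, "first_seen": scan_date, "last_seen": scan_date}
            )
            entry["last_seen"] = scan_date
            entry["severity"] = severity  # a scanner may re-rate a finding
    return history


def sla_report(scans, as_of):
    """Classify every finding as of a review date.

    Returns a dict with lists 'overdue', 'open_within_sla', 'remediated' and
    'low_tracked'; each item is (host, port, title, severity, days_open).
    """
    latest_scan = max(d for d, _ in scans)
    history = track_findings(scans)
    report = {"overdue": [], "open_within_sla": [], "remediated": [], "low_tracked": []}
    for (host, port, title), h in sorted(history.items()):
        days_open = (as_of - h["first_seen"]).days
        item = (host, port, title, h["severity"], days_open)
        if h["last_seen"] < latest_scan:
            # Absent from the most recent scan: treated as remediated, but the
            # auditor should confirm the fix rather than trust absence alone.
            report["remediated"].append(item)
        elif h["severity"] not in SLA_DAYS:
            report["low_tracked"].append(item)
        elif days_open > SLA_DAYS[h["severity"]]:
            report["overdue"].append(item)
        else:
            report["open_within_sla"].append(item)
    return report


def example_report():
    """Run the report over the constructed scans as of REVIEW_DATE."""
    return sla_report([SCAN_Q1, SCAN_Q2], REVIEW_DATE)


if __name__ == "__main__":
    for bucket, items in example_report().items():
        print(bucket)
        for host, port, title, sev, days in items:
            print(f"  {host}:{port} {title} [{sev}] open {days} days")
```

Run against the constructed data, the TLS finding first seen in January is 111 days old at the May review and therefore overdue, the open relay that disappeared between scans is listed as remediated for confirmation, and the high-severity finding first seen in April is still within its window.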
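As a second added example, for the "Protect Sensitive Information" control in the article above (again illustrative code, not the article's own), this Python compares what a system actually grants with the access list the information owner last approved, plus the list of leavers reported by HR, and reports what the owner must resolve. All three lists are constructed; the system name "payroll", the user names and the three role names are assumptions.

```python
"""Access recertification for a sensitive system: compare the owner-approved
access list with what the system actually grants.

Added example for the 'Protect Sensitive Information' control; not code from
the article. In practice the actual list is exported from the application or
directory, the approved list is the information owner's last signed review,
and the leaver list comes from HR. All three are constructed here.
"""

# Roles ordered from least to most privileged (assumed names).
ROLE_RANK = {"read": 1, "write": 2, "admin": 3}

# What the information owner approved at the last review: system -> user -> role.
APPROVED = {
    "payroll": {"alice": "admin", "bob": "write", "carol": "read"},
}
# What the system actually grants today, as exported from the application.
ACTUAL = {
    "payroll": {"alice": "admin", "bob": "admin", "dave": "read", "erin": "read"},
}
# Users HR reports as having left the organization.
LEAVERS = {"erin"}


def recertify(system, approved, actual, leavers):
    """Return the discrepancies the information owner must resolve.

    Categories:
      leaver       - account belongs to someone HR says has left (checked first,
                     because a leaver with any access is an incident)
      unapproved   - access granted but never approved by the owner
      excess_role  - granted role more privileged than the approved one
      stale        - approved but no longer granted; the approval list is out
                     of date and should be corrected at this review
    """
    approved_users = approved.get(system, {})
    actual_users = actual.get(system, {})
    result = {"leaver": [], "unapproved": [], "excess_role": [], "stale": []}
    for user, role in sorted(actual_users.items()):
        if user in leavers:
            result["leaver"].append((user, role))
        elif user not in approved_users:
            result["unapproved"].append((user, role))
        elif ROLE_RANK[role] > ROLE_RANK[approved_users[user]]:
            result["excess_role"].append((user, approved_users[user], role))
    for user, role in sorted(approved_users.items()):
        if user not in actual_users:
            result["stale"].append((user, role))
    return result


def has_findings(report):
    """True when any category is non-empty, i.e. the owner must act."""
    return any(report.values())


if __name__ == "__main__":
    report = recertify("payroll", APPROVED, ACTUAL, LEAVERS)
    for category, items in report.items():
        print(f"{category}: {items}")
    print("action required" if has_findings(report) else "access matches approvals")
```

The point of checking leavers before approvals is that an approved user who has since left is still a finding; and the "stale" category catches the opposite failure, an approval list that nobody has trimmed, which is what a review that merely re-signs last year's list would miss.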
​Deloitte Shares a List of "Risk" Trends to Watch in 2017 and Beyondhttps://iaonline.theiia.org/blogs/marks/2017/Pages/Deloitte-shares-a-list-of-“risk”-trends-to-watch-in-2017-and-beyond.aspx​Deloitte Shares a List of "Risk" Trends to Watch in 2017 and Beyond<p>​Rather than the list of top risks, the people at Deloitte suggest that there are a number of trends "that have the potential to significantly alter the risk landscape for companies around the world and change how they respond to and manage risk."</p><p>They share 10 in <a href="https://www2.deloitte.com/us/en/pages/risk/articles/future-of-risk-ten-trends.html" target="_blank">The Future of Risk: New Game, New Rules</a>.</p><p>I like the way they start:</p><p><span class="ms-rteStyle-BQ">The risk landscape is changing fast. Every day's headlines bring new reminders that the future is on its way, and sometimes it feels like new risks and response strategies are around every corner. The outlines of new opportunities and new challenges for risk leaders — indeed, all organizational leaders — are already visible.</span></p><p><span class="ms-rteStyle-BQ">What you'll see is that risk's onset and consequences, and the entire nature of the risk discipline, are evolving. The good news? The strategic conversation around risk is changing too. For leaders today, risk can be used as a tool to create value and achieve higher levels of performance. It's no longer something to only fear, minimize, and avoid.</span></p><p>For the moment, let's put aside our differences about the meaning of words such as "risk" and "risk source." </p><p>The 10 trends they have listed merit consideration. As Deloitte suggests, we should all consider these trends. Do we agree with the facts as presented? Will they affect us and, if so, how? 
How should we respond?</p><p>Please read the report, which is fairly short, before coming back to this discussion.</p><p>The first trend is <span style="text-decoration:underline;">cognitive technologies</span>, which is a fancy term that includes big data analytics, predictive analytics, AI, machine learning, and so on. Deloitte says it is about "using smart machines to detect, predict, and prevent risks in high-risk situations."</p><p>Broadly speaking, every organization should be watching and exploring ways to use new technology, or advances in existing technology, for this purpose.</p><p>But more might be done.</p><p>Machine learning and similar technologies may not only detect and analyze patterns, but actually make decisions and initiate action. Smart software, as well as machines, is starting to replace humans who perform repetitive analysis and response.</p><p>The second is "<span style="text-decoration:underline;">Controls become pervasive</span>." Deloitte is not talking about internal controls here. They are talking about controls automation. They could have easily rolled this into the first trend, since it's really about the use of technology for risk monitoring.</p><p>The third is quite different: It's about advances in <span style="text-decoration:underline;">behavioral science</span>. I'm not sure what they expect to be different in 2017 and beyond, because the study of human behavior is not new at all. The key is whether the science will be <span style="text-decoration:underline;">used</span>.</p><p>Deloitte then uses the term "<span style="text-decoration:underline;">vigilance</span>" for its next trend. 
This is another fancy word; <strong>detection </strong>would have worked just as well, perhaps more accurately, but vigilance is more exciting and appealing to the consumer of Deloitte services.</p><p>Yes, more attention needs to be placed on risk monitoring and detection controls, especially with respect to cyber.</p><p>The next one is "<span style="text-decoration:underline;">risk transfer</span>." Arguably, risk is never transferred. It can only be shared or mitigated. Also, preventive controls do not eliminate risk; they just reduce the level to hopefully acceptable levels, because there is always the possibility that the controls will fail. The only change in this area I am aware of is the emergence of (limited) cyber insurance.</p><p>Deloitte thinks that the fact that <span style="text-decoration:underline;">innovation outpaces regulation</span> is a trend. I am not persuaded. However, the relaxation of regulation under President Trump would be a change — but may not be <span><span>in effect </span></span> long-term if he is not re-elected in four years.</p><p>Using <span style="text-decoration:underline;">risk management to drive performance</span> is not a new thought. I have been pressing for it for a while myself. If it becomes a reality, that would certainly be an important trend.</p><p>"<span style="text-decoration:underline;">Collective risk management</span>" is an interesting concept. However, laws and regulations can limit the sharing of information.</p><p>"<span style="text-decoration:underline;">Disruption</span> dominates the executive agenda" is not new. I agree with Deloitte that it should be expected to increase this year and into the future.</p><p>Then Deloitte picks <span style="text-decoration:underline;">reputation </span>risk — again, not really new. The change is that new technologies can help us address it.</p><p><br></p><p>Overall, a couple of points that should stimulate some thinking. 
But most of this should be ho-hum for most of us.</p><p>What do you think?​</p><p><br></p>Norman Marks
A Holistic Approach to IT Riskhttps://iaonline.theiia.org/2016/Pages/A-Holistic-Approach-to-IT-Risk.aspxA Holistic Approach to IT Risk<p>​With IT ingrained in most business processes, IT risk management has become a critical part of enterprise risk management. The rise of cybersecurity incidents in recent years has heightened the need for directors and executive management to understand, evaluate, and respond to IT risks. Yet, managing these risks can be daunting because of the technical complexity and far-reaching outcomes of an IT risk event.<br></p><p>Although it is tempting for the board and management to focus on cyberrisks, internal audit must consider the full range of IT risks and take a more holistic view of the business. Gaining such a view is one of the advantages of using ISACA’s COBIT framework to address risk management challenges. <br></p><p>The latest version, COBIT 5, released in 2012, can help internal auditors develop an audit plan to address IT risks, set IT audit objectives, and define the scope for IT audits. It can help simplify complex issues by giving auditors best practices and conceptual guidance on how to categorize risks, identify risk events, and understand the relationship between risk events and value creation.<br></p><p>Moreover, COBIT emphasizes the value of assessing a process from end to end, instead of auditing components of that process. In addition, the separation of governance from management highlights the need to audit IT risks related to IT governance and management, which organizations tend to overlook.<br></p><h2>COBIT Explained</h2><p>COBIT is an enterprisewide IT governance and management framework designed to enable organizations to maintain a balance between realizing benefits from IT and optimizing risk levels and resource use. 
It is based on five principles: meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management. <br></p><p>COBIT 5’s basic premise is that goals cascade in an organization — that is, stakeholder needs are translated into enterprise goals, which set the direction for IT goals and enabler goals. Further, the framework provides guidance on IT risk management from a functional perspective (i.e., what is needed to build and sustain core risk governance and management activities), and a risk management perspective (i.e., how the COBIT enablers can assist the core risk management processes of identifying, analyzing, and responding to risk). <br></p><p>COBIT 5 describes enablers as factors that “individually and collectively influence whether something will work.” They can be used in both IT risk management and IT audit planning.<br></p><h2>Enabling Audit Planning</h2><p>Whether developing an audit plan or planning for an individual audit, internal auditors need to determine the audit objectives, scope, timing, resource requirements, and process. COBIT suggests auditors take a holistic view of the business when planning an audit. <br></p><p>Auditors can use the seven COBIT enablers as the foundation for identifying IT audit objectives and defining the audit’s scope. These enablers are:<br></p><ul><li>Principles, policies, and frameworks that translate the desired behavior into practical guidance that can be managed.</li><li>Processes that support achievement of a set objective.</li><li>Organizational structures that are important for decision-making.</li><li>Culture, ethics, and behavior of individuals, which explain the human interactions that influence governance and management. 
</li><li>Information, including all information produced and used in the business.</li><li>Services, infrastructure, and applications, including the IT used by the organization.</li><li>People, skills, and competencies, including people who are required for successful completion of all activities. </li></ul><p></p><p>Because COBIT provides 36 generic risk scenarios, internal auditors should begin by working with management to prioritize risk scenarios for their organization. COBIT uses primary and secondary ranking to show the impact of each risk scenario on the type of risk. COBIT categorizes the risk types based on whether the risk is strategic (IT benefit/value enablement), operations-related (IT operations/service delivery), or project-related (IT program/project delivery). <br></p><p>Second, internal auditors can identify activities pertaining to each of the enablers for the prioritized risk scenarios. For example, organizations face IT risk when selecting IT programs (risk scenario), which primarily affect the organization’s strategy and secondarily its operations. To manage this risk, management can implement a policy that indicates the types of IT investments that are a priority (policy), have a formal process to select IT projects (process), have an IT steering committee (organizational structure), communicate the importance of technology throughout the organization (culture), define IT investment selection criteria (information), have a program management application (application), and involve appropriate managers in the decision-making process (people). <br></p><p>Third, internal auditors can rank activities based on an approach that best fits the organization. For example, auditors may use a high/medium/low priority, primary/secondary, or a rank order based on weights to identify the areas that need attention. 
Finally, once the activities are ranked, auditors can plan the audit by first focusing on the primary/high-priority activities before turning attention to secondary activities given resource, time, and personnel constraints.<br></p><h2>An Eye on the Big Picture</h2><p>COBIT’s recommended best practices can establish a foundation for providing assurance on the adequacy, reliability, and integrity of an organization’s information systems, regardless of its industry, technology infrastructure, or geographic location. This foundation can help internal auditors understand how the organization operates and where it wants to go. <br></p><p>Moreover, the COBIT guidance recognizes that IT risk exposure differs among organizations based on management’s risk appetite, involvement, and risk response. Internal auditors can use the framework to understand the nature of IT risks that are unique to their organization and develop an intuition that helps them recognize red flags, internal control weaknesses, and fraud.</p><p>Further, COBIT can help internal auditors identify and organize audit findings that can be instrumental in establishing and monitoring the organization’s IT risk management practices. The framework enables auditors to work at a detailed level while also keeping the big picture in mind.  <br></p>Nishani Edirisinghe Vincent
​Do We Know How to Audit Technology-related Risks?https://iaonline.theiia.org/blogs/marks/2016/Pages/Do-we-know-how-to-audit-technology-related-risks.aspx​Do We Know How to Audit Technology-related Risks?<p>​I just read through the latest ISACA/Protiviti survey, <a href="https://www.protiviti.com/US-en/insights/it-audit-benchmarking-survey" target="_blank">A Global Look at IT Audit Best Practices</a>.</p><p>It has a wealth of generally useful information and I recommend it to all internal audit leaders but not to board members — the level of detail is too much for their use. The executive summary is the most I would have a director read. But it would be better to have the CAE summarize the report for them, focusing on what lessons should be learned for their particular organization.</p><p>Some things surprised and others disappointed me.</p><p>My most important issue is that we need to stop talking about IT audit.</p><p>We should be talking about auditing risks relating to technology!</p><p>In the days of yore, the IT department owned and ran all the technology — with the exception of minor pieces of so-called user-managed software.</p><p>But not in 2016.</p><p>A good friend of mine, Gene Kim, is co-author of <a href="http://itrevolution.com/books/phoenix-project-devops-book/" target="_blank"><em>The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win</em></a>. I recommend it to anybody interested in technology and today's approach to running the IT function.</p><p>Recently, I read <a href="https://www.linkedin.com/pulse/5-aha-moments-while-reading-phoenix-project-sara-hruska" target="_blank">a review of <em>The Phoenix Project</em> by Sara Hruska</a>. 
She makes a few pertinent points:</p><ul><li>Pretty much every business is so dependent on technology that the distinction between leading the IT function and the CEO/chief operating officer role is diminishing.</li><li>The success of any organization can be dependent on the ability of the IT function to deliver technology solutions at speed that will drive the business.</li></ul><p><br></p><p>So, my first point is that the topic should no longer be the IT function, but the development, maintenance, and use of technology across the extended enterprise.</p><p>Let's talk about <em>technology</em> auditing.</p><p>Then there's my constant drumbeat comment that there is no such thing as IT risk.</p><p>It's technology-related <em>business </em>risk.</p><p>What could go wrong when it comes to the development, maintenance, or use of technology that would significantly affect the achievement of <em>business</em> objectives?</p><p>For that reason, there should not be a separate IT audit plan. It should be, as Protiviti reports is more often than not the case, part of an integrated audit plan that is updated as often as risks change.</p><p>According to Protiviti, about half the respondents only update their (IT) audit plan annually.</p><p>That simply won't do in an era of dynamic change, especially around technology and its use.</p><p>I find it curious that despite the point made by Sara Hruska, the ability to identify the potential for disruptive technology to drive the organization forward is not among the top technology challenges in the Protiviti report. Perhaps it is because that was not an option Protiviti allowed respondents to select. More likely, though, it is because practitioners simply don't pay enough attention to the problem.</p><p>Is that correct?</p><p>Maybe Protiviti thought that their question about auditing IT governance would cover it. But, IMHO, a single audit of IT governance is not recommended. 
The topic is broad and practitioners should assess only those aspects of IT governance that are more critical to their business.</p><p>Other points of interest in the survey results:</p><ul><li>Nearly half believe their IT department is not aware of all of their organization's connected devices (e.g., connected thermostats, TVs, fire alarms, cars).</li><li>83 percent of respondents say cyberattacks are among the top three threats facing organizations today, and only 38 percent say they are prepared to experience one. — Comment: I wonder if they have assessed the <em>business</em> risk of a breach.</li><li>The study also found that only 29 percent of the respondents are very confident in their enterprise's ability to ensure the privacy of its sensitive data.</li><li>Only 65 percent said their CAE has sufficient knowledge to discuss IT audit matters with the audit committee. — Comment: that is dreadful.</li><li>Half or less than half of companies have their CAE or IT audit lead meet regularly with the chief information officer!</li><li>Where there is a corporate ERM framework, less than half the IT audit work is integrated with it.</li><li>Only about half are doing a significant or even a moderate amount of work on new technology initiatives.</li></ul><p></p><p>This is a disappointing state of affairs. I was an IT auditor for many years before becoming a CAE and always made sure my team was involved in every major technology initiative. The IT audit staff was generally about a third of the team — and I am talking about from 1990 to 2012!</p><p>Today, technology-related risk is huge and merits a lot more attention than it appears, from the study, it is getting.</p><p>What do you think?</p><p>What jumps out at you from the survey?​</p><p><br></p>Norman Marks
