Editor's Note: What the Future Holds<p>Technology is evolving at a breathtaking pace. Just in the past 10 years, we’ve seen dramatic advancements in the areas of mobile computing, wireless connectivity, cloud technology, big data, and even artificial intelligence. It’s altered the way we communicate, how we purchase goods and services, and the way we do business. But where is all this heading, and what impact will it have? What changes will we see in the next 10 years? <br></p><p>Bruce Schneier, chief technology officer at Resilient, an IBM company, says in a recent <em>Forbes</em> article that we’re moving toward what he calls the World-sized Web (WSW). This massive interconnected system, he says, will have two main components: sensors and actuators. The sensors will collect data, leveraging the multitude of devices connected to the web, and the actuators will affect our environment by carrying out actions. The WSW’s “brains” will reside in the cloud, comprising some form of artificial intelligence. According to Schneier, the system will essentially be a “benign robot.”<br></p><p>That’s a heady concept, but perhaps not so far-fetched. In fact, the foundational components of Schneier’s robot — the Internet of Things (IoT) and cloud computing — are very much a reality for today’s organizations. As author Jane Seago explains in <a href="/2016/Pages/A-World-of-Connections.aspx">“A World of Connections,”</a> the impact of IoT on businesses is already well underway, and it’s an area that calls for close monitoring by internal auditors. She points to the abundance of connections that comprise IoT as a source of both potential benefits and great risk — working with management on both fronts, she says, will be key to auditors’ involvement in the organization’s IoT efforts. 
<br></p><p>Cloud computing, the decision-making center in Schneier’s WSW model, is the subject of <a href="/2016/Pages/Auditing-the-Cloud.aspx">“Auditing the Cloud.”</a> “With cloud computing becoming mainstream,” the authors say, “internal auditors need to devise new ways of pinpointing the risks these services pose and verifying the security ... of critical data housed by an outside provider.” They examine the many challenges presented by cloud platforms and outline key areas auditors should consider in their assessments.<br></p><p>Most likely, the risks and challenges associated with cloud computing, as well as IoT and other emerging technologies, will only continue to grow in the coming years. And while the shifts thus far may be substantial, and their implications for organizations vast, what’s to come may be truly seismic. Schneier says the impending technology will be increasingly powerful and eventually capable of autonomy. Acting on behalf of users, it will help maximize profits but also “empower criminals and hackers.”<br></p><p>Regardless of whether this prediction ultimately comes to pass, it’s a reminder of the need to constantly look ahead and consider how emerging technology may impact the organization. To paraphrase Schneier, whatever all of this means, we don’t want it to take us by surprise. </p>David Salierno
The Opportunity of Things<p>In recent years technology threats have been at the top of the risk agenda for most organizations as lax data protocols and cybersecurity incidents have become more prevalent, more serious, and more costly to remediate. And while such events highlight the dangers of poor IT controls, management and boards must be careful that their attitudes toward embracing new technologies do not make them risk-averse or deter them from exploiting the terrific opportunities that such cutting-edge applications can bring to their businesses. Experts believe, in fact, that internal audit has a role in identifying the rewards as well as the risks.</p><p>Many IT analysts say that the next new wave of technological development will be through the growth of the Internet of Things (IoT). IT developer Cisco Systems estimates that investment in developing new IoT technologies will reach US$14.4 trillion by 2022. Furthermore, more than half of major new business processes and systems will incorporate some element of IoT by 2020, according to analyst firm Gartner.</p><p>Already companies are waking up to the opportunities that the technology may afford them, and some are beginning to make substantial investments. For many organizations, IoT technologies tend to be deployed in a "smart office" scenario, where embedded sensors are used in doors and ID cards to improve physical security protocols, or to improve daily office functions, such as connecting paper printers via IoT so that they can "sense" when they need fresh paper supplies or toner refills and then automatically order them. 
Many are also using IoT capabilities to facilitate real-time training and real-time accounting.</p><p>Several major companies have invested in more cutting-edge IoT technology to enhance their business and product capabilities, and it is here that more forward-thinking and innovative management teams and boards may be able to see a way of not only enhancing their service offerings, but also changing their business model. For example, IT giant Microsoft uses IoT software to collect data on what features are being used for its products so it can strip away the least popular ones and focus on those that customers prefer. </p><p>Automobile and aero-engine maker Rolls-Royce has taken a highly innovative approach and now uses data taken from IoT devices to support processes in three key areas of its operations — design, manufacture, and after-sales support. The company fits aircraft engines with sensors that send real-time data on the engine's function back to monitoring stations on the ground so that the chance of an engine malfunctioning mid-flight is significantly reduced. It also uses sensors to monitor manufacturing faults and achieve better quality control. For example, sensors used in the manufacturing processes at its new factory in Singapore generate half a terabyte of data on each individual fan blade that is produced, thereby more easily locating stress fractures and other problems. </p><p>However, as IoT relies on generating more and more data for companies to mine, the risks surrounding data protection and security also increase, which has been a barrier to some companies becoming early adopters. But Mark Homer, vice president for global customer transformation at ServiceMax, a company that provides cloud-based services for executives and employees away from the office, says that "boards need to understand the advantages inherent in using IoT devices, and not just concentrate on the cybersecurity risks that are associated with them." 
He adds: "Just as internal audit is there to warn boards about risk, they should also take a more strategic view and flag up the rewards."</p><p>Chris Price, global leader, people advisory services at professional services firm EY, says that the commercial opportunities IoT offers should not be ignored. Price explains that IoT can produce a "smart workforce" where employees are mobile and can operate just as effectively outside an office with access to the same online resources, and it can result in "smart equipment" in which sensors send data to measure operating conditions, quality results, and faults. He also cites the technology's enablement of "smart maintenance," where the data sent from the production sites can be monitored to see if there will be any machinery breakdown — and so reduce downtime — and request replacement parts there and then. </p><p>But Price adds that while using IoT to collect data may be useful, it is how companies analyze that data — and put it to use — that is important, which is an area that internal audit may need to make management and boards aware. "Collecting data is merely a starting point," he says. "Analyzing it, and then taking action based on the data — such as using it to understand customers and trends, and tailoring products and services to meet specific demands — is absolutely key as you turn raw data into information, and information into actionable insight. In this way, data analytics enabled by IoT provides companies with visualization (what has happened), insight (why it has happened), and foresight (where the company needs to go)."</p><p>Experts say more tech-savvy organizations will recognize that IoT usage can help create revenue by identifying potential problems for customers and providing opportunities to upsell. 
Furthermore, internal audit can make the business case that having that kind of insight into customer needs can deliver real business value, and that boards and management should embrace these capabilities rather than focus solely on the risks surrounding data security.</p>Neil Hodge
A World of Connections<p>Depending on the source you consult, by 2020 the number of internet-connected devices worldwide could range from 26 billion (Gartner) to 50 billion (Cisco). At either end of the spectrum, the number is staggering. Clearly, marketplace forces such as increasingly available broadband internet, decreased cost of connecting, expanded use of the cloud, growing numbers of devices built with Wi-Fi capability and sensors, and the lowered cost of technology have combined to create the perfect environment for the Internet of Things (IoT).<br></p><p>The impact of IoT is already well underway. This latest and perhaps most ubiquitous technology trend, which Jim Tully, chief of research for IoT at Gartner, London, defines as “a network of physical objects that contain technology that allows those objects to sense and interact with their surroundings and interact with those surroundings for business benefit,” is an integral part of our lives (see “Examples of IoT” below). Its fans extol IoT’s convenience, speed, personalization, and ease of use. Businesses tout its cost savings, safety enablement, revenue generation, and data-gathering abilities. <br></p><p>However, some view the implications of IoT’s billions of connections and terabytes of data and know that the benefits, while substantial, have a dark side: security risks, loss of privacy, and a diminished capacity for people to control their own lives. Kenneth Mory, principal for Stronghold Solutions International and former city auditor for Austin, Texas, states, “The horizon risks that IoT introduces are orders of magnitude beyond those of the present. These new vulnerabilities have grave implications for IT security and cybersecurity.” <br></p><p>Internal auditors have distinct reasons to ponder what IoT means for their organization. They may be called on to offer advice to management on the benefits and potential competitive edge IoT can provide. 
However, they must also monitor the new risks it introduces and the compensating controls required. They cannot afford to assume that something once fixed stays fixed. Just as a high tide raises all boats, the rapid development cycle for IoT means an equally rapid evolution of risks. Internal auditors need to stay attuned to these changes and be prepared to keep their organizations apprised.<br></p><h2>An Array of Risks</h2><table width="100%" cellspacing="0" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>Examples of IoT</strong><br><br>Many IoT devices are so well embedded in everyday, modern life that we may not realize they are there. But IoT abounds, as indicated by this small sample suggested by Jim Tully, chief of research for IoT at Gartner, London:<br><ul><li><strong>Cars:</strong> Modules track a driver’s behavior — how he or she accelerates, takes the corners, stamps on the brakes. This information allows insurance companies to match the risk of individual drivers with their own specific premium. It can also enable insurance companies to offer “pay as you go” insurance, in which the premium is determined by the amount of time the car is driven or where it is — on a remote country road or in a big city at rush hour.</li><li><strong>Parking: </strong>Sensors monitor city streets and determine whether parking spots are being used. They then link to a mobile app that guides the driver to an available spot.</li><li><strong>Lighting:</strong> New lighting can track the location of people in buildings, providing safety benefits (ensuring their area is lighted) and cost savings (shutting off lights in unoccupied spaces). </li><li><strong>Toys:</strong> Some toys are equipped with cameras that can recognize the faces of individual children. 
They can then “learn” about those children and interact with them in a highly personalized way.</li><li><strong>Agriculture:</strong> Sensors in the fields track moisture and sunlight, suggest better use of irrigation, and even predict the timing of the harvest.</li><li><strong>Government:</strong> Many cities employ IoT-enabled “smart city” apps to handle tasks such as pollution monitoring and traffic management.</li></ul><br></td></tr></tbody></table><p>Few would likely disagree that IoT’s hyperconnectedness presents risks. There are, however, differences of opinion on the nature of those risks.<br></p><p>Some see the risks in fairly apocalyptic terms. They believe that when everyday activities are monitored and people output information on a near-continual basis, the level of profiling and targeting will grow, leading to increased social, economic, and political struggles. They suggest a need for ways people can disengage from the network, to stop sending and receiving data. Tully considers the disconnect options with some skepticism: “IoT is everywhere,” he says. “There’s no way to get away from a lot of it.” <br></p><p>However, other views of IoT-related risks are more pragmatic: financial loss affecting profitability (a hacker taps into a smart electric meter and steals energy), business interruption (due to a denial-of-service attack), loss of competitive advantage (attacks of any kind by a business rival), governmental upheaval (propaganda or hacktivism), and even loss of life (damage to pacemakers or equipment in hospital operating theaters). Mory points to another risk, loss of market share, which results when “the organization fails to adopt IoT and take advantage of the opportunities and benefits it can provide.” <br></p><p>Mory refers to the upside risk of IoT, a perspective that is sometimes overlooked in the very real concern about security and privacy. 
But there is a reason the IoT market is expanding rapidly, despite the inherent risk: It provides benefits that many individuals and businesses believe outweigh the associated risk. Customers appreciate the way IoT devices make their lives easier by anticipating and addressing their needs and preferences (e.g., constantly adjusting household temperature based on home conditions and homeowners’ schedules; brewing a cup of coffee to the individual’s precise taste, with the ability to monitor brew status remotely). </p><p>Businesses that use IoT devices in their own processes, or whose employees use IoT devices, may realize competitive advantage over less tech-savvy rivals, save money through device-generated efficiencies and real-time monitoring, enjoy more immediate and personalized engagement with customers, and reap increased return on their marketing investment through more effective and precisely targeted marketing messages. Companies that manufacture IoT devices are likely to see increased earnings due to customer demand and may even find opportunities to create new lines of business. And everyone, individuals and businesses alike, will benefit from the increased focus on cybersecurity — and resulting adoption of commonly accepted standards and business efforts to earn consumer trust — that IoT devices generate. <br></p><p>Whether the risk is upside or downside, it is a pragmatic issue that presents internal audit an active playing field in which to identify, assess, and mitigate risk. But internal audit cannot serve as the lone outpost on risk. Other areas must engage as well. However, Steven Babb, director and independent consultant at Newton Leys Consulting Ltd., Berkshire, U.K., says that management may not be fully aware of the risk — possibly because it is not articulated in business terms — and that policy has not caught up to define IoT usage. 
“IoT is typically wrapped up as part of cybersecurity, which is getting increased management exposure, but more still can be done,” he says. “Also, IoT covers areas that are typically not under the remit today of information security departments.”<br></p><p>Corbin Del Carlo, director, internal audit, IT security and infrastructure at Discover in Riverwoods, Ill., points to another group that needs to engage in management of IoT risks: software developers (programmers). “A lot of programmers have always dealt with closed systems,” he says. “They may not be aware of what connectedness implies. As the third line of defense, auditors need to talk to them and make them aware of the risk.”<br></p><h2>Bringing Risks to Light</h2><p>For Babb, internal audit’s role in IoT is “all about visibility and risk — helping risk management teams highlight that the risk is real, quantify the exposure, and bring it to management’s attention,” he says.<br></p><p>Del Carlo echoes that focus. “We have to challenge threat vectors,” he explains. “We have to be willing to offer suggestions of things that could be done to improve security. We have to be willing to ask questions about vendor-driven threats.” Del Carlo adds that vendors likely are not manufacturing the devices they produce alone. He questions whether vendors know who is making the parts they rely on in their supply chain. “Are they testing those parts to ensure they are up to our security specifications?” he asks. <br></p><p>Peter Rhys Jenkins, Worldwide Watson IoT architect, IBM, in Dartmouth, Mass., reinforces the need for security throughout the manufacturing process. “I want my refrigerator to be every bit as secure as a government device,” he says.<br></p><p>Organizations that implement IoT devices should have a strategy for their deployment. M. J. 
Vaidya, principal, EY, Atlanta, notes that although the internal audit function may not participate in defining that strategy, “It is a critical ingredient in ensuring the strategy is implemented in a good way, from a risk management perspective.”<br></p><p>A productive first step for internal auditors to address IoT is to conduct a risk assessment of the IoT in use in their organization. The risks will vary from one company to the next, depending on the type of IoT systems present and the business process they support. Once the risks are identified, internal audit can ensure that mitigating controls are in place and operating effectively, always keeping in mind the context in which the IoT systems function.<br></p><p>When examining context, it’s important to remember that nothing exists in a vacuum. Del Carlo recalls an incident from the 2015 Black Hat USA Conference, during which hackers assumed the challenge of remotely taking over the controls of an internet-connected vehicle. Their approach was relatively simple. The vehicle manufacturer had not implemented password protection on the internet-facing aspect of the car’s radio. “The designers felt there was nothing sensitive in the radio, so there was no need to protect it,” Del Carlo explains. “And they were right about the radio alone. But that point of entry was the gateway to the rest of the car.” Context is everything.<br></p><h2>Areas of Engagement</h2><p>Taking on the risks associated with IoT is a massive challenge that depends on teamwork across the organization. However, in the spirit of even the longest journey beginning with a single step, there are several initial activities in which internal audit can engage.<br><br><strong>Look for a Policy</strong> When addressing security-related issues within an enterprise, one of the first steps is to determine whether a policy exists and is up to date. 
While few organizations appear to have an IoT-specific policy at this point, many reference the topic through their “bring your own device” (BYOD) policy. Babb explains that most BYOD policies cover only a small subset of devices that fall under the IoT banner. He adds, “Many of the devices will be brought in by staff, but equally many will be purchased by the organization and used. Of these, many will fall outside the remit of IT and security, so the risks emanating from them may be hidden.”<br></p><p>Mory adds that although his previous employer, the City of Austin, had no umbrella policy to deal with IoT, there were policies to address the use of flash, portable drives, and other portable devices such as phones and laptops. <br></p><p>IoT security shortcomings present an opportunity for internal audit to play a significant role by working with the cybersecurity team, IT, legal, and the privacy function to advise on the development of an IoT policy. Existing policies relating to passwords, patching, and system monitoring will need to be revised to place IoT clearly within their scope. New or updated policies may be required around network segmentation and access control. Approved devices and uses must be spelled out, and the implications clearly identified not only for employees, but also for business partners, suppliers, and customers who have connections to the company’s network.<br><br><strong>Check Inventory</strong> Enforcing an IoT policy is difficult without a clear understanding of the number and types of IoT devices present within the organization. Babb and Mory agree that inventories, if they exist, are likely to be incomplete or siloed, as opposed to presenting a comprehensive view. Some inventories may cover devices the organization has purchased, but fail to mention the consumer devices brought in by employees. <br></p><p>Once the inventory provides the needed information, appropriate controls can be put into place. 
Del Carlo’s company, Discover, places a priority on protecting its network. “We have a general ban against noncompany devices,” he says. “We won’t allow them onto our network. We provide a ‘guest’ network people can use to connect those devices; all they can get is the internet.” Discover also installs virtualization software on the phones it provides to segment the data, and it has a stringent perimeter defense system. Laptops are encrypted and the data can be wiped remotely. Even then, Del Carlo notes, “Every day these controls block hundreds of exploits from attackers of various sophistication levels. But without constant vigilance against the onslaught, it is unlikely any organization could stop every single attack.”<br><br><strong>Educate Management</strong> Regardless of management’s degree of awareness about IoT risks at this moment, there seems to be consensus that some additional education would be useful. Mory says that some management is aware of the general concepts behind IoT, but lacks a core understanding of the opportunities and threats it presents. In his view, internal audit has a clear role to play in helping management understand and manage the risks.<br></p><p>Vaidya agrees that education is important, “from the board level to the tactical level and across not just IT, not just executives, not just product development, not just manufacturing, but across the business.”<br><br><strong>Review Security</strong> Jenkins lists some basic but necessary steps auditors can test after implementation. “With regard to provisioning, when a new device joins the cloud for the first time, make sure the mechanism used to connect is encrypted,” Jenkins says. He also advises verifying that the cloud itself is secured, password hashes are stored away from other related identification, and data coming from and to devices is encrypted. Jenkins adds: “Over-the-air firmware updates are necessary to keep equipment up to date. 
Make sure that process is done securely.”<br></p><h2>Getting a Handle on IoT</h2><p>It seems impossible to discuss IoT for any length of time without landing back at a mention of risks. But Tully points out that quite a few IoT devices are deployed for safety. They exist to reduce risk. “Take structural sensors in bridges, for example,” he notes. “These sensors warn of excessive loads and stresses — they are linked to traffic control systems that will stop traffic entering the bridge. Internet-connected carbon monoxide detectors and smoke detectors are similar. They are deployed directly for risk reduction.”<br></p><p>But most in the internal audit and information security fields might argue that it’s not the purpose of the device that worries them — it’s the connectedness and the near-certain impossibility of completely securing an organization, its assets, or the people who use the systems. Del Carlo agrees, but he won’t stop trying to lock it down. “There’s a saying that you can’t make anything foolproof because fools are so ingenious,” he says. “But we can’t just give up. I work for a bank. We are where the money is — literally. We have to maintain the highest possible level of security.”<br></p><p>IoT offers internal auditors an opportunity to serve in a role they don’t often get to inhabit: advocate. They can stand up for individual and enterprise users of IoT devices. “Installing security inside IoT devices is difficult and time-consuming, but necessary,” Jenkins says. “The companies that manufacture the devices say they are doing it, and doing it well. But, are they? Internal auditors need to make them prove it.” <br></p>Jane Seago
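Jenkins' last check in the "Review Security" list above, that over-the-air firmware updates are "done securely," is the one an auditor most often has to ask a vendor to demonstrate. The Go program below is an added example, not code from the article or from IBM, of what the device side of that process has to do before it accepts an update: verify a vendor-signed manifest, refuse anything that is not newer than the installed version (anti-rollback), and bind the image to the manifest by its hash. The manifest layout, the Ed25519 key pair, and the sample image are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the small, fixed-layout structure the vendor signs (constructed
// layout for this example). Signing the manifest rather than the raw image lets
// the device establish trust before it spends time hashing a large image.
type Manifest struct {
	Version   uint32   // must be strictly greater than the installed version
	ImageHash [32]byte // SHA-256 of the image bytes
}

// Update is what arrives over the air: the manifest, its signature, and the image.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrRollback     = errors.New("version is not newer than the installed one")
	ErrHashMismatch = errors.New("image hash does not match signed manifest")
)

// encodeManifest produces the exact bytes that are signed: fixed width, big endian.
func encodeManifest(m Manifest) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// SignUpdate is the vendor (build server) side: hash the image, sign the manifest.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, encodeManifest(m)), Image: image}
}

// VerifyUpdate is the device side. Order matters: the signature is checked
// first, so nothing in the manifest is trusted until it is known to be genuine;
// the anti-rollback check stops a signed but old (and possibly vulnerable)
// image from being replayed; finally the image is bound to the manifest by hash.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, encodeManifest(u.Manifest), u.Signature) {
		return ErrBadSignature
	}
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	got := sha256.Sum256(u.Image)
	if !bytes.Equal(got[:], u.Manifest.ImageHash[:]) {
		return ErrHashMismatch
	}
	return nil
}

// Scenarios runs the cases an auditor would want to see accepted or rejected,
// using freshly generated keys and a constructed sample image.
func Scenarios() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the device does not trust
	image := []byte("constructed firmware image, version 2")
	genuine := SignUpdate(priv, 2, image)

	// Image altered in transit: the signed manifest no longer describes it.
	tampered := genuine
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0xff

	return map[string]error{
		"genuine v2 over v1":  VerifyUpdate(pub, 1, genuine),
		"tampered image":      VerifyUpdate(pub, 1, tampered),
		"replayed v2 over v2": VerifyUpdate(pub, 2, genuine),
		"signed by wrong key": VerifyUpdate(pub, 1, SignUpdate(otherPriv, 3, image)),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-22s -> %v\n", name, err)
	}
}
```

In a review, the questions to put to the vendor map directly onto the three checks: where the public key is stored on the device, whether the version counter is monotonic and kept in non-volatile storage, and whether the image is ever written before all checks pass.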
Internal Audit, Risk Management, and Technology<p>Protiviti has shared another useful report with us in the latest issue of <a href="" target="_blank">Internal Auditing Around the World</a>.</p><p>Two managing directors summarize the productive use of technology by internal audit departments and feature a number of organizations.</p><p>It is interesting that every CAE they interviewed is female. I don't know whether that was because they only selected female CAEs or whether the organizations they contacted all had female leaders.</p><p>Either way, I am not surprised.</p><p>I am also not surprised that these organizations have embraced technology.</p><p>After all, if it is critical to our companies and their success, we should not only be aware of the related risks but use technology to full advantage ourselves.</p><p>I want to share a few quotes before making what I consider a key point. That key point is, I believe, critical for both internal audit and risk practitioners — as well as those responsible for the oversight of these activities.</p><blockquote><ul><li>Technological innovation is rapid and disruptive, and touches almost every aspect of our lives. People and machines are becoming increasingly interconnected, accelerating digitization and shaping the Internet of Things. And almost every business today is, at its core, a technology business — one that relies on IT not only to operate, but also to innovate and enable future success.</li><li>Without question, the dramatic technological change of the digital age has created a world of new and previously unimagined opportunities for businesses across industries. But it also has made the risk landscape for these organizations more expansive and treacherous than ever before.</li><li>"With technology at the heart of the business, we feel technology is also at the heart of what we do as internal auditors." 
(Dominique Vincenti)</li><li>Fittingly, today we find many leading internal audit functions around the globe relying heavily on technology tools to help them identify risk and control issues, conduct audits, share results with management and the business, and closely monitor issues to ensure they are resolved.</li><li>Of particular note, many of the internal audit teams we profile are expanding their use of data analytics so they can bring more efficiency to the audit process. Some functions are using data analytics to identify emerging risks and potential fraud and pinpoint cost-saving opportunities throughout the business. Others are employing data science. They have hired specialists and designated teams to work with big data and derive business intelligence that can help internal audit provide management with insights they can apply to business decision-making.</li><li>Beili Wong, chief audit executive and executive director for the Liquor Control Board of Ontario, says that given businesses' ever-deepening dependency on technology, it is imperative for internal audit to transcend its traditional role as the third line of defense so it can be present on the front lines as the organization considers adopting new technologies. "We are about more than just defense," she explains. "We should also be a proactive partner at the first line."</li><li>"We have invested in different technologies in the past two to three years," Perrott [CAE of Accenture] says, "and these tools are helping us reap significant benefits." 
The technologies support the risk assessment process and development of the annual audit plan, and also enhance collaboration among internal auditors.</li></ul></blockquote><p>When you read these features on the various companies, I expect you will share my reflections:</p><ol><li>The fundamental principles of how technology can help us have not really changed.</li><li>But, the tools are more sophisticated and powerful.</li><li>Some new sets of tools, like data visualization, are appearing alongside traditional ones like data analytics.</li></ol><p>Overall, it is encouraging.</p><p>BUT ...</p><p>I am somewhat concerned (my key point) when I read about internal audit spending its limited resources (now including the use of sophisticated technology) to identify and assess the organization's risks.</p><p>Some of the profiled organizations conduct extensive interviews with many, many executives once a year.</p><p>First, I would prefer helping management improve their ability to identify and assess risk rather than internal audit taking on that task. </p><p>Teach them to fish instead of giving them fish.</p><p>After all, isn't this a management responsibility?</p><p>If management doesn't identify and assess risk effectively, then report that to the board as a serious issue rather than feeding a bad habit.</p><p>Second, risk is changing all the time. 
We must move toward a continuous audit plan based on a current understanding of the risks that matter to the organization.</p><p>That means that we have to find a way to leave the massive annual exercise behind and replace it, in conjunction with management, with a continuous process.</p><p>Technology should be part of the answer.</p><p>But technology for risk monitoring should belong to and be used by management!</p><p>There are times when internal audit should independently monitor risk — but let's not do it when we should be able to rely on management.</p><p>What is your opinion?</p>Norman Marks
The Recovery Playbook<p>Cyber resiliency is today's security emphasis, as organizations are pivoting toward becoming better prepared to respond to cyberattacks, rather than focusing primarily on preventing them. That strategy may have its merits, as organizations with more experience addressing past cyber incidents have more mature cybersecurity capabilities than other organizations, according to the latest Cybersecurity Poverty Index study from RSA.</p><p>Perhaps no organization has greater combined experience in dealing with such incidents than the U.S. federal government. Now the U.S. National Institute of Standards and Technology (NIST) has compiled the best practices of the many federal agencies into a draft publication, <a href="" target="_blank">Guide for Cybersecurity Event Recovery</a> (Special Publication 800-184) (PDF).</p><p>The draft guidance fills a need to remedy inconsistencies in the way federal agencies respond to cyber incidents, which were documented in 2015 in the Cybersecurity Strategy and Implementation Plan. The draft is intended to help agencies develop a recovery plan built around a customized playbook. </p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> <p> <strong>Framework Update Coming</strong></p><p>Changes are on the way for the NIST Framework for Improving the Critical Infrastructure Cybersecurity. The institute announced in June that it plans to update the Cybersecurity Framework in 2017 based on feedback from a December 2015 request for information and an April 2016 workshop. </p><p>That feedback covered the framework's "use, best practices, outreach, prospective updates, and governance," says Matthew Barrett, the NIST Cybersecurity Framework program manager. 
Barrett describes the revision as a minor update that "should not disrupt anyone's ongoing framework use."</p><p>The feedback also will lead to other NIST activities, including publishing a governance process for maintaining the framework, working with framework stakeholders, and providing outreach to business, regulatory, and other stakeholders. Moreover, the institute is developing a Cybersecurity Excellence Builder tool to aid organizations in assessing their cyberrisk management process.</p></td></tr></tbody></table><p>Planning plays a big part in developing a playbook for responding to a cyber event, the draft guidance notes. "Taking resiliency into consideration across the enterprise security life cycle, everything from planning technology acquisitions and developing procedures to executing recovery and restoration efforts, is critical to minimizing the impact of a cyber event upon an organization," according to the publication. To that end, organizations need to identify and prioritize critical systems in their recovery playbook, using processes such as threat modeling and evaluation of containment principles. Recovery plans should cover service-level agreements, management staff members with authority to activate the plan, recovery team members, recovery details and procedures, a communication plan, off-site storage details, operational workarounds, facility recovery details, and details about access to infrastructure, hardware, and software during the recovery process.</p><p>The guidance points out that recovery isn't just about the immediate response to an incident. It's also about continuously improving response capabilities, as the RSA study findings confirm. 
"Recovery should be utilized as a mechanism for identifying weaknesses in the organization's technologies, processes, and people that should be addressed to improve the organization's security posture and the ability to meet its mission," the NIST draft states.</p><p>To that end, organizations need to validate that the technologies, processes, and people that are part of recovery efforts are prepared to recover business operations from a cyber incident. This can be done by gathering input from participants, conducting exercises to test recovery capabilities, documenting lessons learned from previous incidents, and identifying weaknesses in technologies, processes, and people.</p><p>The guidance also recommends collecting metrics throughout recovery activities that can be used to improve the quality of recovery actions, fulfill reporting obligations, or share information. Metrics can be particularly helpful in assessing incident damage and cost, and improving risk assessments. "For well-defined and repeatable activities, metrics can help measure progress as well as provide valuable feedback to improve the activity," the draft points out. But gathering metrics also can hinder recovery activities when it's not clear which type of metrics to collect or when metrics could be misused in a way that gives a false sense of recovery. </p><p>In addition to describing these elements of a recovery playbook, the NIST draft includes an appendix detailing core components and controls that can support recovery. These are built around the five functions outlined in the NIST Framework for Improving Critical Infrastructure Cybersecurity: identify, protect, detect, respond, and recover.</p>Tim McCollum
Analytics and the Small Audit Department<p>Many small audit departments grapple with how to use analytics to audit more efficiently. The value added through analytics is regularly discussed in research, thought leadership, and industry publications. And most auditors would readily capitalize on an opportunity to do more with less. The challenge for those audit departments with constrained resources is not what to do, but rather how to go about doing it.  <br></p><p>Small audit shops can leverage analytics and use tools already in place to implement analytics within their audit functions, reducing the need for a potentially costly up-front investment. Many of the metrics historically used to measure business performance are analytics. Examples include variance analysis, benchmarking, return on assets, turnover (inventory, accounts receivable, employee), reorder points, credit limits, and even Benford’s Law. With this in mind, small audit functions that think analytics may not be within their grasp should reconsider.<br></p><h2>Getting Started</h2><p>Analytics can be used at various phases of the internal audit process, including the risk assessment process, macro-level audit planning, and micro-level audit planning. During risk assessment, analytical data can be used in combination with qualitative data to better understand and prioritize the organization’s risks. At the most basic level, analyzing financial and operational information, prior audit findings, and key performance indicators (KPIs) across the enterprise can be a useful tool in completing the risk assessment. At macro- and micro-audit level planning, analytical data can be used to assess specific controls and to examine existing and emerging risks. This will help determine specific areas of audit coverage and the extent of testing within each area. 
The size of the audit department should not be the only factor in determining whether to implement an analytics program, as there are analytic tools that can be used even by one-person audit departments.<br></p><p>With the right approach, moving analytics from concept to practice can be simple. As an internal audit department of any size begins using analytics in its audit process, an important first step is determining what it wants to understand. The analytics initiative must have clearly defined goals and performance measures. Further, internal auditors should critically assess the questions they need to ask to ensure they understand how the business objectives and operating cycle will impact the underlying data to be analyzed.<br></p><p>Organizations may have different responses to the same question. For example, “How does weather influence your organization?” will have different meanings and different outcomes, depending on the industry. Thunderstorms may drive ticket sales for movie theaters while they wreak havoc on energy providers. In addition, the time of year, day of week, time of day, and geographical location likely will impact how weather influences any organization. In this situation, there is no right or wrong answer — it’s what makes sense for the organization.  <br></p><p>There are numerous questions an internal auditor may want to answer with the analytics program, and they should closely correlate with the specific objectives of the program itself. Examples include, “How frequently are credit limits overridden?” as related to the order-to-cash cycle; “Is inventory turnover in line with historical and/or budgeted averages?” related to the inventory cycle; and “Do company buyers have an over-reliance on key vendors?” related to the vendor management process.<br></p><h2>Potential Roadblocks </h2><p>Internal audit departments often fail to identify the correct data source for the data to be analyzed when beginning an analytics program. 
Selecting the wrong source could be detrimental to getting an analytics program up and running; therefore, a critical decision is determining which data sources are the most appropriate to address the questions being asked. Several ways to overcome such roadblocks are to review the preliminary data, determine whether there is anything in the data that raises questions, and ask questions to confirm and validate the accuracy of the data source. <br></p><p>Similar to validating the criteria used to assess the audit entity, auditors should validate that the data can be used to address audit objectives. To do this, understanding the business, including typical operating cycle and key drivers that influence relationships within the data, is critical. The ability to look beyond the data to understand what it does or does not represent (e.g., identifying all systems in which revenue/expenditure transactions are recorded and confirming data files being used contain both accurate and complete data for the entity being analyzed) and application of critical thinking skills also are important steps in steering clear of roadblocks. Finally, this often is an iterative process, in which there may be multiple conversations with the data and business process owners before determining whether the data source contains the specific information needed to answer the questions at hand. Simply asking, “Can this data be used to answer the audit objective?” will smooth the path not only for obtaining the data but also accepting analysis results.<br></p><h2>Brainstorming</h2><p>Although the fraud brainstorming process documented in the American Institute of Certified Public Accountants’ Statement on Auditing Standards No. 99 (SAS 99), Consideration of Fraud in a Financial Statement Audit, is not required for the internal audit process, research has demonstrated that it is an effective tool when used within the internal audit activity. 
While fraud is only one consideration of an analytics process, brainstorming should help identify key data and relations that should be evaluated.  <br></p><p>One starting point is reviewing significant audit reports from the prior year. For example, in analyzing audit reports with low ratings, and considering uncontrolled risk or ineffective controls, the auditor could identify potential data points that would improve monitoring of the process in question. Likewise, in analyzing audit reports with high ratings, the auditor could identify potential elements in the process-level risk management that could be leveraged for other processes.  <br></p><p>Another approach is asking management in risk assessment interviews, “What are the most important KPIs you are managing?” and follow-up questions such as, “What are the key variables that impact those specific KPIs?” Brainstorming during the internal audit planning process can identify additional factors that may impact those KPIs that are not already being considered. <br></p><p>Brainstorming also can be used in the evaluation of various company-generated reports to identify if there is information that may be further explored for additional insight. Financial statements and reports are great tools for understanding relationships in financial data and brainstorming where additional analysis may add value to the audit process. Other examples of using company-generated reports for brainstorming include evaluation of employee hiring and turnover reports as compared to historical and industry averages, review of inventory metric reports as compared to budget as well as prior year, and analysis of asset reports to consider whether the percentage of lost or stolen IT assets has increased or decreased.<br></p><h2>Analytic Methods </h2><p>Another important consideration for small audit departments is the analysis methods to be used. 
Some examples of analytic tools that can be used by small audit departments include correlation analysis, regression analysis, Benford’s Law, and visualization. Internal audit functions may already be using several of these tools, but they may not be commonly thought of in terms of analytics. The analytic method should be chosen at the same time as the data and sources needed to perform the analysis, because each constrains the other. The analysis that the auditor is interested in performing, and the extent of data available, will dictate the analytic method to be used and the tool that can assist in facilitating analysis. <br><br>Correlation analysis measures the strength and direction of the relationship between two variables, X and Y. An internal auditor might use correlation analysis in a production process audit to measure the strength of the relationship between product defects and factory overtime. If the association is strong, the auditor might then use inquiry and observation to assess whether an overworked and stressed labor force is the cause of the defects, or perform regression analysis to predict future defects and then confirm the projection against actual defects that have occurred. This would allow the audit team to add some discussion of the coefficient of determination; namely, how much of the change in product defects is explained by the change in overtime. <br><br>Regression is the functional relationship between two or more correlated variables that is often empirically determined from data and is used especially to predict values of one variable when given the values of others. It can be used to evaluate the association between X and Y while controlling for other known relationships. For example, in the event that overtime and employee turnover are both increasing, then regression analysis would provide for a more thorough analysis of what is causing the increase in defects. 
This would potentially allow for identification of changes that directly address the root causes, and implementation of actions to bring the defect rate to an acceptable level.<br><br>Benford’s Law describes the expected distribution of leading digits in many naturally occurring sets of numbers: the probability that a number begins with the digit d is log10(1 + 1/d), so the distribution declines logarithmically from 1 to 9 rather than being uniform. Benford’s analysis may allow small audit functions to more efficiently analyze revenue and expenditure transactions by testing whether unexpected digit patterns exist within operations. Such analysis could be conducted across the entire organization, as well as within divisions or functions, to identify additional risk concerns. This would be beneficial if there are specific data patterns associated with errors or potential fraud activities. One such example from M.J. Nigrini’s Forensic Analytics: Methods and Techniques for Forensic Accounting Investigations would be an analysis of organizational expenditures. Although on the surface we may expect the first (two) digits of invoices to have an equal likelihood of occurrence, according to Benford’s Law the pattern of occurrence is not uniform, but a declining logarithmic pattern from 1 (10) to 9 (99). More specifically, the likelihood of “1” being the leading digit in a conforming data set is 30.1 percent, compared to 4.6 percent for “9.” Using Benford’s analysis to evaluate invoices would identify leading digits that occur more often than expected (for example, a spike in amounts just below an approval threshold), and the transactions behind them should be further investigated via substantive testing. The test applies only to data that is free to span several orders of magnitude; assigned numbers such as check or invoice sequences, and amounts bounded by a fixed price list or a cap, will not conform regardless of whether anything is wrong. While initial analysis may not identify fraud, it identifies potential transaction anomalies, which may be linked to inappropriate expenditures. <br><br>Visualization comprises graphs and charts that often tell a story that is not easily understood by looking at the data alone. The internal auditor might use visualization to analyze the number of lost or stolen laptops year over year to evaluate whether laptop theft/loss is increasing or decreasing. 
Perhaps even further, the auditor could determine whether there are certain locations or business units that are driving the trend. If the trend line shows the number is increasing, the auditor might investigate to understand the root cause for the increase, including evaluating the effectiveness of the controls in operation.<br></p><h2>Software Tools </h2><p><img src="/2016/PublishingImages/Analytics-maturity-classification.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Tools to perform computer-assisted audit techniques have improved and expanded capabilities during the past two decades. While the internal audit profession has traditionally considered such tools as analytic tools, there are many additional tools that can be used in analytics. However, during the initial phases of developing an analytics program, particularly for small audit departments that may have more limited budgets, it may be more valuable to use tools that are already in place within the organization. <br></p><p>One objective in the early phase of analytics is attaining small wins to make the case for expanding the use of analytics. In many cases, small wins can be more easily achieved when the investment cost is low. Given that Microsoft Excel remains one of the top analytical tools used by internal auditors, its versatility and ability to perform each of the previous analytic methods allows it to be a first step in implementing an analytics program. However, despite all of its flexibility, Excel's data limit (1,048,576 rows per worksheet) may prevent its use for large data sets even during the early stages of program implementation.<br>While starting small can produce early successes, it is critical to have an analytics plan that will allow internal audit to continue to improve its analytics capability. 
This should include a path that is scalable so the early successes can be built upon and not thrown away.<br></p><p>As the use of analytics matures and evolves, many organizations ultimately reach the continuous monitoring phase, in which process owners are responsible for continuous analysis of key risk areas (see “Analytics Maturity Classification” at right). Furthermore, team members will be much more likely to understand the broader software needs to expand the analytics processes. With greater understanding of functional needs, software selection may become a greater consideration, given the cost of the software as compared to the expected benefit to be received. <br></p><h2>Implementation Tips </h2><p>Despite rapid changes in technology, many audit functions have not significantly modified their audit process to keep up with the data available as a result. While change can be difficult, it often provides increased opportunity to maximize the value that internal auditors can contribute. Although this contribution may be a lengthy process, failing to implement analytics into the audit risk assessment, testing, and monitoring processes limits the value that can be provided. So whether it’s for the next risk assessment or audit, consider when, where, why, and how to use data in the process. Starting small is better than not starting at all. <br><br><span class="ms-rteStyle-Quote">Jared Soileau, CIA, CPA, CISA, is an assistant professor of accounting at Louisiana State University in Baton Rouge.</span><br class="ms-rteStyle-Quote"><span class="ms-rteStyle-Quote">Laura Soileau, CIA, CRMA, CPA, is a director in Postlethwaite & Netterville’s Consulting Department in Baton Rouge, La. </span></p>Jared S. Soileau
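Two of the methods described under “Analytic Methods” above, Benford’s Law first-digit testing and correlation with the coefficient of determination, as an added example in Python. This is illustrative code written for this page, not the authors’ or Nigrini’s own tooling. The invoice amounts, the hypothetical US$5,000 approval limit, and the overtime/defect figures are constructed; the mean-absolute-deviation (MAD) cut-off of 0.015 is Nigrini’s published first-digit guide, and the 1.5-point excess threshold for flagging a digit is an assumption to tune.

```python
"""Added example, not code from the article: two of the analytic methods
described under "Analytic Methods" (Benford's Law first-digit test, and
correlation with the coefficient of determination), written with the
Python standard library only. All sample data is constructed."""
import math
from collections import Counter

# Benford's Law: the expected share of leading digit d is log10(1 + 1/d),
# i.e. 30.1% for "1" down to 4.6% for "9".
BENFORD_FIRST_DIGIT = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def leading_digit(amount):
    """First significant digit of an amount (sign ignored), or None for zero."""
    if amount == 0:
        return None
    # Scientific notation puts the leading digit first: 4990.0 -> "4.990000e+03"
    return int(f"{abs(amount):e}"[0])


def benford_first_digit_test(amounts, excess_threshold=0.015):
    """Compare observed leading-digit proportions with Benford's expectation.

    Returns (mad, flagged, rows): mad is the mean absolute deviation over the
    nine digits (Nigrini's first-digit guide: above 0.015 is nonconformity),
    flagged lists digits whose observed share exceeds expectation by more than
    excess_threshold (an assumed cut-off), and rows holds
    (digit, count, observed, expected) for reporting. Zero amounts are ignored.
    """
    digits = [d for d in map(leading_digit, amounts) if d is not None]
    n = len(digits)
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    counts = Counter(digits)
    rows, flagged, total_dev = [], [], 0.0
    for d in range(1, 10):
        observed = counts.get(d, 0) / n
        expected = BENFORD_FIRST_DIGIT[d]
        total_dev += abs(observed - expected)
        rows.append((d, counts.get(d, 0), round(observed, 3), round(expected, 3)))
        if observed - expected > excess_threshold:
            flagged.append(d)
    return total_dev / 9, flagged, rows


def constructed_invoices():
    """Constructed sample: 50 amounts whose leading digits follow Benford's
    Law, plus 10 invoices keyed just under a hypothetical US$5,000 approval
    limit (the pattern a split or manipulated expenditure would leave)."""
    benford_counts = {1: 15, 2: 9, 3: 6, 4: 5, 5: 4, 6: 3, 7: 3, 8: 3, 9: 2}
    normal = [d * 1000 + 12.5 * i for d, n in benford_counts.items() for i in range(n)]
    clustered = [4990.0 - 2.5 * i for i in range(10)]
    return normal + clustered


def _sums(xs, ys):
    """Centered sums of squares and cross-products used by both fits."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return mx, my, sxy, sxx, syy


def pearson_r(xs, ys):
    """Correlation coefficient between two equally long series."""
    _, _, sxy, sxx, syy = _sums(xs, ys)
    return sxy / math.sqrt(sxx * syy)


def linear_fit(xs, ys):
    """Least-squares line y = a + b*x. Returns (a, b, r_squared); r_squared is
    the coefficient of determination, the share of the variation in y that
    the change in x explains (pearson_r ** 2 for a single predictor)."""
    mx, my, sxy, sxx, syy = _sums(xs, ys)
    b = sxy / sxx
    a = my - b * mx
    return a, b, (sxy * sxy) / (sxx * syy)


# Constructed monthly figures: factory overtime hours and product defects.
OVERTIME_HOURS = [10, 20, 30, 40, 50]
DEFECTS = [5, 8, 14, 16, 22]

if __name__ == "__main__":
    mad, flagged, rows = benford_first_digit_test(constructed_invoices())
    for digit, count, obs, exp in rows:
        print(f"digit {digit}: {count:3d} observed {obs:.3f} expected {exp:.3f}")
    print(f"MAD = {mad:.4f}; digits to vouch: {flagged}")
    a, b, r2 = linear_fit(OVERTIME_HOURS, DEFECTS)
    print(f"r = {pearson_r(OVERTIME_HOURS, DEFECTS):.3f}, R^2 = {r2:.2f}, "
          f"projected defects at 60 overtime hours = {a + b * 60:.1f}")
```

On the constructed invoices the test flags digit 4, which is exactly the cluster under the approval limit; the auditor would then vouch those ten transactions rather than the whole population. On the overtime/defect series the fit gives R² of 0.98, so the discussion of the coefficient of determination mentioned above becomes “98 percent of the variation in defects moves with overtime,” which is a statement about association, not cause.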
The Tech-savvy Auditor<p>According to The IIA’s 2015 Global Internal Audit Common Body of Knowledge (CBOK) Practitioner Study, 62 percent of CAEs report their departments use technology infrequently and rely primarily on manual systems. While electronic workpapers have a high usage rate, about half of all internal audit departments say they use data mining or analysis software only minimally or not at all. <br></p><p>Internal auditors also have weak IT backgrounds. Thirteen percent of CBOK respondents have completed higher education in information systems or computer science, just 10 percent hold ISACA’s Certified Information Systems Auditor (CISA) designation, and only 3 percent have an IT security certification.<br></p><p>That situation is not acceptable, because deploying technology and possessing IT knowledge are necessary components for internal audit to add value. A technology-oriented internal audit can provide internal support to software projects, identify weaknesses in data processing, and transfer data analytics know-how to operational functions. Adopting technology also can make audits more efficient.<br></p><h2>The Case for Technology</h2><p>The <em>International Standards for the Professional Practice of Internal Auditing</em> (<em>Standards</em>) requires internal auditors to be knowledgeable about IT risks and controls, as well as audit technologies. But sometimes internal audit’s inability to leverage technology is the result of a poor audit environment, rather than a poor department.<br></p><p>Take for example a small audit department that has not audited double payments to suppliers; variable data such as transaction and accounting data sets; or master data contained in product, price, and customer databases. After the department’s five auditors return to the office from a seminar about the use of big data analysis, the CAE proposes investing in a software tool. 
However, the company’s chief financial officer rejects the proposal, saying, “We have a functioning enterprise resource planning system that automatically identifies potential double bookings. Therefore, double bookings and double payments are impossible.” Knowing that double payments are always possible — costing the company an average of US$2,000 per case — the CAE plans a manual audit of suppliers’ invoices instead. <br></p><p>CAEs can cite three reasons to justify greater use of audit technology. First, technologies such as data analysis and continuous auditing are more efficient and effective than manual audits, resulting in faster audits, cost savings, satisfied clients, and measurable value.<br></p><p>Second, proactive use of data monitoring and analysis software can significantly cut fraud losses. According to the Association of Certified Fraud Examiners’ 2016 Report to the Nations, such software reduces median losses from reported fraud cases by 54 percent (from US$200,000 down to US$92,000) and cuts the duration of such cases in half (12 months compared to 24 months) compared to organizations without that software in place. <br></p><p>Third, new business risks such as big data, cyber threats, and digital services demand a higher level of audit technology in the next few years. Although a 2015 PricewaterhouseCoopers study predicted that audit technology such as data analytics would be one of four priority capabilities for the profession, its 2016 State of the Internal Audit Profession Study reveals that just 40 percent of internal audit functions use technology.<br></p><h2>Using Technology Better </h2><p>The biggest technology challenge internal audit faces is finding a way to improve its ability to use audit software. 
CAEs and IT audit managers can take several steps to achieve that objective.<br><br><strong>Demonstrate the Potential</strong> A broad base of theoretical and empirical data, experts’ opinions, and Standards requirements support the need and usefulness of technology-based auditing. It might be motivating for “technology-oriented auditors” to provide testimonials about their experiences in using audit software. For example, an expert could give a live presentation of advanced tips and tricks for using Excel, which many auditors may not have tried before. <br><br><strong>Training and Practice</strong> Internal auditors need adequate training to use the software. Training can include frequent practical IT challenges that must be fulfilled under supervision — such as extraction, set up, and analysis of files from databases — or joint audits in teams with experienced auditors. But training alone is not enough if the software is not used frequently to gain experience with it. Additionally, achieving certifications such as the Certified Internal Auditor or CISA can educate auditors about structured approaches for problem-solving such as IT models, standards, and best practices. <br><br><strong>Build Know-how</strong> Depending on the organization’s size, the internal audit department should consider establishing a data analytics center in-house. The center can enable auditors to share experiences with audit technology through workshops and practitioner seminars. Smaller organizations should at least have regular meetings with external experts to gain such knowledge. In addition, rotating business and operational auditors to perform technology audits can help them learn best practices in using audit software. <br><br><strong>Review Software Usage</strong> The process of investing in audit technology should not only follow a management decision, but also a review step. Some audit departments seldom use the software they purchase. 
Regular reviews of how the department uses audit technology can identify weaknesses and improve audit efficiency, such as reducing the time it takes to prepare data sets for analysis. Performing a software inventory check can locate and enable internal audit to leverage software the organization already has in place. <br><br><strong>Management Feedback</strong> If management is dissatisfied with the current use of audit technology, but is confident about the value that digital technologies can create for the organization, internal audit should discuss how it is using audit technology with management. Internal audit can demonstrate the monetary value of audit results created with audit technology. For example, recovering US$10,000 from three double payments identified using analysis software can easily exceed the amount the department spent on a software license. <br></p><h2>An Effective Approach</h2><p>Internal auditors do not simply need more audit technology, but also a more effective approach to using those tools to deliver value. Internal audit can start by reviewing how — or whether — it uses the audit software currently in place. Next, it should create a plan for integrating audit technology more into daily audit work. Measures can encompass training, adjusting audit plans with a stronger focus on IT aspects, and identifying potential technology gaps, such as equipment or training. Finally, the department should monitor its use of technology to ensure performance improvement. <br></p>Hans-Ulrich Westhausen
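The double-payment test that the CAE in the article wanted analysis software for, as an added example in Python written for this page (not the author's code and not any particular ERP's check). It shows why the chief financial officer's "the ERP identifies potential double bookings" is not enough: an exact-match check misses the same invoice re-keyed with different punctuation or leading zeros, and misses a second payment booked under a fresh invoice number for the same amount days later. The vendor names, invoice numbers, amounts and dates are constructed; the normalization rules and the 30-day window are assumptions to tune to the system at hand.

```python
"""Added example, not code from the article: a duplicate-payment test of the
kind a CAE would run with analysis software instead of auditing supplier
invoices by hand. Vendor names, invoice numbers, amounts and dates are
constructed; the matching rules and the 30-day window are assumptions."""
import re
from datetime import date
from itertools import combinations

SAMPLE_PAYMENTS = [  # constructed accounts-payable postings
    {"id": 1, "vendor": "Acme Supply", "invoice": "INV-0123", "amount": 2000.00, "date": "2016-03-01"},
    {"id": 2, "vendor": "ACME SUPPLY ", "invoice": "inv 123", "amount": 2000.00, "date": "2016-03-15"},
    {"id": 3, "vendor": "Acme Supply", "invoice": "INV-0124", "amount": 2000.00, "date": "2016-03-02"},
    {"id": 4, "vendor": "Bolt & Nut Co", "invoice": "7781", "amount": 450.25, "date": "2016-01-10"},
    {"id": 5, "vendor": "Bolt & Nut Co", "invoice": "7781", "amount": 450.25, "date": "2016-01-10"},
    {"id": 6, "vendor": "Bolt & Nut Co", "invoice": "7790", "amount": 450.25, "date": "2016-06-10"},
    {"id": 7, "vendor": "Zeta Services", "invoice": "Z-55", "amount": 1300.00, "date": "2016-02-20"},
]


def normalize_vendor(name):
    """Case- and whitespace-insensitive vendor key."""
    return " ".join(name.upper().split())


def normalize_invoice(number):
    """Canonical invoice number so re-keyed variants collide: upper-case, drop
    punctuation and spaces, drop leading zeros in each run of digits
    ("INV-0123", "inv 123" and "INV0123" all become "INV123")."""
    compact = re.sub(r"[^A-Z0-9]", "", number.upper())
    return re.sub(r"(?<![0-9])0+(?=[0-9])", "", compact)


def find_duplicate_payments(payments, window_days=30):
    """Return (rule, id_a, id_b) findings for every suspicious pair, in id order.

    same_invoice: same vendor and same normalized invoice number. Catches an
      invoice posted twice verbatim and one re-keyed with different punctuation
      or leading zeros, which an exact-match ERP check misses.
    same_amount_near_date: same vendor and amount, different invoice number,
      payment dates within window_days. Recurring charges land here too, so
      these are candidates to vouch against the supplier statement, not errors.
    """
    findings = []
    for a, b in combinations(sorted(payments, key=lambda p: p["id"]), 2):
        if normalize_vendor(a["vendor"]) != normalize_vendor(b["vendor"]):
            continue
        if normalize_invoice(a["invoice"]) == normalize_invoice(b["invoice"]):
            findings.append(("same_invoice", a["id"], b["id"]))
            continue
        same_amount = round(a["amount"], 2) == round(b["amount"], 2)
        gap = abs((date.fromisoformat(a["date"]) - date.fromisoformat(b["date"])).days)
        if same_amount and gap <= window_days:
            findings.append(("same_amount_near_date", a["id"], b["id"]))
    return findings


def recoverable_amount(payments, findings):
    """Money to claim back if every same_invoice pair is confirmed as a double
    payment: the amount of the later posting in each pair."""
    by_id = {p["id"]: p for p in payments}
    return round(sum(by_id[b]["amount"] for rule, _, b in findings if rule == "same_invoice"), 2)


if __name__ == "__main__":
    hits = find_duplicate_payments(SAMPLE_PAYMENTS)
    for rule, a, b in hits:
        print(f"{rule:22s} postings {a} and {b}")
    print(f"recoverable if confirmed: US${recoverable_amount(SAMPLE_PAYMENTS, hits):,.2f}")
```

Against a real payment ledger the two rules produce different kinds of findings: same_invoice hits are near-certain overpayments to recover, while same_amount_near_date hits need the supplier statement or the purchase order to tell a duplicate from a legitimate repeat order, which is why the window is a parameter rather than a constant.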
The Always-on Supply Chain<p>Robots, cloud computing, and other technologies are transforming supply chains, a recent study reports. More than half (52 percent) of supply chain executives say their organization will spend US$1 million or more on emerging technologies to enable digital supply chains in the next two years, according to the <a href="" target="_blank">2016 MHI Annual Industry Report</a>. Twelve percent expect to spend at least US$10 million, and 3 percent will spend at least US$100 million, the report notes. </p><p>Deloitte interviewed 900 U.S. supply chain executives for the report, which was released in April at MHI's MODEX 2016 conference in Atlanta. MHI is a Charlotte, N.C.-based trade association representing the material handling, logistics, and supply chain industry.</p><p>"The 'always-on' supply chain has the potential to deliver massive economic and environmental rewards for our industry and society," MHI CEO George Prest says. "It can boost productivity and sustainability, drive new markets, encourage innovation, and create new, high-paying jobs."</p><h2>Eight Technologies</h2><p>The MHI report highlights eight emerging technologies that are having an impact on supply chain operations. </p><h3>Predictive Analytics </h3><p>This data-modeling technology can identify patterns that could enable organizations to predict consumer trends, inventory shortages, machine breakdowns, and other behavior and events. Thirty-seven percent of respondents say predictive analytics in the supply chain could provide a competitive advantage in their industry in the next 10 years, while 7 percent say it could disrupt their industry. 
The report forecasts the technology will experience the greatest growth, from 22 percent of responding organizations now to 80 percent in the next six to 10 years.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>Top Current Technologies</strong></p><ul style="text-align:left;"><li> <span style="line-height:1.6;">Cloud computing and storage – 45%</span><br></li><li> <span style="line-height:1.6;">Sensors and automatic identification – 44%</span><br></li><li> <span style="line-height:1.6;">Inventory and network optimization tools – 43%</span><br></li><li> <span style="line-height:1.6;">Robotics and automation – 35%</span><br></li></ul><p> <em> <br></em></p><p> <em>Source: MHI and Deloitte, 2016 MHI Annual Industry Report</em></p></td></tr></tbody></table><h3>Robotics and Automation </h3><p>The report notes these technologies are becoming "smarter" and less expensive, enabling organizations to use them for more "human-oriented" tasks, such as packaging, product inspections, and electronics assembly. More than half (51 percent) of respondents say robotics and automation could provide a competitive advantage or be a disruptive force in their industry.</p><h3>Sensors and Automatic Identification </h3><p>These technologies are vital to how the Internet of Things operates, with their ability to collect data from devices and communicate that data to users to aid in decision-making. There were 20 million sensors in operation in 2013, but industry advocates predict there could be 1 trillion sensors by 2022.</p><h3>Wearables and Mobile Technology </h3><p>Wearable technologies embedded in clothing, watches, and glasses can perform many tasks currently done by mobile phones and laptop computers, and can incorporate sensory and scanning capabilities those devices lack. 
The report notes wearables could "reshape how work gets done, how decisions are made, and how companies engage with employees, customers, and business partners." However, just 36 percent of respondents say these technologies could provide competitive advantage or disrupt supply chains.</p><h3>Driverless Vehicles and Drones </h3><p>Drone technology could aid in operations and logistics, such as monitoring functions, maintaining security, and providing data about a facility. Although driverless vehicles are new to the roadways, companies have used them for material handling for many years. Nearly 60 percent of respondents say these technologies are having some impact on supply chains, while 37 percent say they could provide a competitive advantage or disrupt supply chains.</p><h3>Inventory and Network Optimization Tools</h3><p>Organizations are using these decision-support tools to better deploy assets and position inventory, including transportation planning, production optimization, and inventory optimization. Nearly half of respondents (48 percent) say these technologies potentially could create a competitive advantage or disrupt supply chains. </p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong style="line-height:1.6;">Future Forecast</strong><p>Predicted adoption of supply chain technologies in the next six to 10 years. 
</p><ul><li> <span style="line-height:1.6;">Inventory and network optimization tools – 90%</span><br></li><li> <span style="line-height:1.6;">Sensors and automatic identification – 87%</span><br></li><li> <span style="line-height:1.6;">Cloud computing and storage – 86%</span><br></li><li> <span style="line-height:1.6;">Predictive analytics – 80%</span><br></li></ul><p> <br> </p><p> <em>Source: MHI and Deloitte, 2016 MHI Annual Industry Report</em></p></td></tr></tbody></table><h3>Cloud Computing and Storage ​</h3><p>Cloud computing has become one of the most deployed technologies for supply chains, with 45 percent of respondents saying they have it in place. Companies are using the cloud to support data sharing with business partners, use staff resources more efficiently, and adapt to changing business needs. However, only 25 percent of respondents say it could be a competitive advantage, and only 4 percent consider cloud computing to be potentially disruptive to supply chains. </p><h3>3D Printing </h3><p>This technology uses 3D model data to build objects, which can enable businesses to create designs that might be difficult to make using traditional manufacturing methods. Despite the promise of faster and cheaper product design and development, only 17 percent of respondents say the technology could provide a competitive advantage. Just 48 percent of respondents say their organization will deploy 3D printing in their supply chain in the next six to 10 years.</p><h2>Overcoming Barriers</h2><p>Despite the transformative promise of these technologies, businesses face significant challenges to adopting them, the report states. Chief among these are a lack of a clear business case to justify investment (43 percent), lack of staff with skills to use the technology effectively (38 percent), and a risk-averse culture (35 percent). 
</p><p>To prepare to deploy new supply-chain technologies, respondents say their organizations are training staff to use them (56 percent), partnering with vendors to understand the benefits (46 percent), changing their organizational structure and incentives (43 percent), and increasing budgets (42 percent). Managing talent is chief among the report's recommendations to supply chain leaders. "The growth in digital, 'always-on' supply chains will only widen the talent gap that already exists in our industry," Prest says. "We need to train a new breed of supply chain professional who has technical, analytical, and problem-solving skills."</p>Tim McCollum
Defending From the Top<p>Forty percent of board members and senior executives surveyed don't feel responsible for the repercussions of a cyberattack, according to a recent study, The Accountability Gap: Cybersecurity and Building a Culture of Responsibility. That lack of accountability contributes to their organization's vulnerability to such incidents, notes the report, which was sponsored by NASDAQ and security and systems management company Tanium Inc. Researchers at Goldsmiths at the University of London surveyed 1,530 nonexecutive board directors and C-level executives — including chief information officers (CIOs) and chief information security officers (CISOs) — from Denmark, Finland, Germany, Japan, Norway, Sweden, the U.K., and the U.S.</p><p>The report defines cybersecurity vulnerability as a combination of awareness of risks and readiness to address those risks. By those metrics, just 10 percent of respondents' organizations are considered to have low vulnerability, while 80 percent are considered to have medium vulnerability. The remaining 10 percent deemed to be highly vulnerable are likely to encounter a crisis if they don't address cybersecurity risks quickly, the report observes.</p><p>In highly vulnerable organizations, 91 percent of nonexecutive directors say they can't interpret a cybersecurity report. Moreover, 98 percent of executives in those organizations aren't confident that their organization tracks all devices and users on their systems.</p><p>"If the potential impact of cyberrisk is high, and you do not treat it as an enterprise risk … you are remiss in terms of how you are operating as a board and you have a potential oversight gap," Eric Brown, Tanium's chief financial and operating officer, says in the report.</p><h2>Awareness and Readiness</h2><p>The Knowledge Gap report identifies seven factors that may affect cybersecurity vulnerability. 
The first four are related to awareness.</p><p><strong>Cyber literacy.</strong> The lack of cyber literacy is most prevalent among nonexecutive directors. For example, 59 percent of U.S. nonexecutive directors consider themselves cyber-literate, compared to 77 percent of C-level executives and 78 percent of CIOs and CISOs. The report notes that directors in high vulnerability organizations seldom get updates on cyberthreats and only half of them receive cybersecurity training. The report suggests that such training should include case studies.</p><p><strong>Risk Appetite.</strong> Sixty-eight percent of respondents' organizations have assessed the likely losses from a cyberattack, but just 13 percent of highly vulnerable organizations have done so. "Low vulnerability respondents are nine times more likely than high vulnerability respondents to be aware of and understand the implications of a breach," the report points out.</p><p><strong>Threat Intelligence.</strong> Organizations need to monitor and communicate the most current cyberthreat information to executives and the board in an accessible way such as through a real-time dashboard, the report recommends. Organizations should constantly assess their risks from the current threat landscape and evaluate whether their current measures are still adequate.</p><p><strong>Legislation and Regulation.</strong> Overall, two-thirds of nonexecutive directors surveyed receive regular briefings on cybersecurity legislation and regulatory changes, but directors at highly vulnerable organizations are 54 percent less likely to know about forthcoming regulatory changes and compliance requirements. 
Executives in the Nordic nations were most likely to be briefed regularly about government policy.</p><p>The three other challenges relate to cybersecurity readiness.</p><p><strong>Network Resilience.</strong> Organizations that can't identify all the devices and users accessing their network won't be able to manage their IT assets to ensure they are configured appropriately and have the most current patches, the report observes. Eighty-seven percent of respondents in high-vulnerability organizations don't consider their malware, antivirus software, and patches to be fully up to date. In addition, organizations need a defined IT change management process to minimize service disruptions and system downtime.</p><p><strong>Response.</strong> The report notes that only 10 percent of respondents in the most vulnerable organizations know about the appropriate actions that need to be taken to prevent, detect, and neutralize cyberthreats. Recently, many organizations have begun shifting from a prevention-based strategy to one of rapid detection and response, which is reflected in The IIA's recent North American Pulse of Internal Audit report's emphasis on "cyber resiliency."</p><p><strong>Behavior.</strong> At the least vulnerable organizations, all respondents report they understand the risks employees pose to their systems; just 17 percent of respondents from the most vulnerable organizations understand this. The report recommends organizations shift the focus of cybersecurity awareness to acknowledge that cybersecurity is everyone's responsibility, rather than just an IT or information security job.</p><h2>Not Just for Techies</h2><p>That emphasis on organizationwide accountability for cybersecurity starts at the top. 
Where boards and executives previously may have deferred cyberrisk to their IT experts, the report stresses that organizations whose board and senior management are accountable for cybersecurity are most prepared to address cyber incidents successfully.</p>Tim McCollum
Internal Audit Should Be on Alert for "Phishy" Business<p>It is no longer news that cybersecurity is one of the top risks facing organizations today. Cyber criminals are exhibiting increasingly ingenious tactics to hack public and private databases that contain millions of individuals' private records.</p><p>Organizations globally are working diligently to gird themselves against these increasingly sophisticated cyberattacks and developing crisis management plans to deal with any attacks that succeed. Yet there is a growing threat from cyber criminals that requires little more than access to the Internet, a bit of brazen ingenuity, and the hope that some overworked finance executives might not be on their toes. I'm talking about a basic email scheme that has resulted in billions of dollars in business losses.</p><p>Earlier this month, the U.S. Federal Bureau of Investigation (FBI) posted an alert about the ubiquitous "phishing" scheme where a cyber criminal poses as a company executive and directs an employee — typically someone in finance — to initiate an emergency wire transfer. According to the alert, this simple scam recently led to "massive financial losses" in the Phoenix, Ariz. area in the U.S., and the number of overall victims it has claimed has jumped 270 percent since January 2015. Indeed, there were nearly 18,000 identified victims of business email compromise scams between Oct. 2013 and Feb. 2016, with losses topping USD$2.3 billion, according to the FBI.</p><p>This is not just a U.S. problem. Law enforcement has received complaints from victims in at least 79 countries.</p><p>No business is immune from becoming a target. Victims reporting thefts to the FBI's <a href="">Internet Crime Complaint Center</a> range from large corporations to tech companies to small businesses. 
Many times these "phishing trips" target businesses with foreign suppliers or those that use wire transfer frequently.</p><p>This type of scheme hit close to home this month when The IIA's chief financial officer (CFO) received a directive from what appeared to be my email account seeking an immediate wire transfer. She became suspicious and reached out to me before taking any action and confirmed the email did not come from me. However, this serves as a good example of just how easily these schemes can be put together.</p><p>Something as benign as LinkedIn can provide the names and email addresses of a company's CEO and CFO. All that remains is doing a little homework about the company and its financial practices, and a crafty cyber criminal can be rewarded with a major payday. According to the FBI, the average take in the Arizona scam was USD$50,000.</p><p>Internal auditors should be on the front line in protecting organizations from succumbing to these kinds of scams, and it shouldn't be a heavy lift for most audit functions. Here are some easy steps organizations can take to protect themselves:</p><div><ul><li>Establishing good governance practices on wire transfers, such as multilevel authentication (confirmation from at least two executives) and verifying vendor payment changes.</li><li>Working with IT to coordinate further precautionary steps, such as intrusion detection systems that identify suspect email addresses.</li><li>Discouraging the use of free, Web-based email accounts for any official business, as these are more easily hacked.</li><li>Being careful when posting financial or personnel information on company websites or in social media posts.</li><li>Testing, testing, and retesting.</li></ul><p>This last tip is crucial in boosting employee sensitivity to suspect emails. A high-profile U.S. 
federal inspector general, who spoke at a recent IIA conference, said she routinely sends phishing emails to unsuspecting staff within her organization to test their compliance with rules about sharing sensitive information or clicking on inviting links embedded in emails.</p></div><p>I have written on several occasions that the pace of technological change has created ever-more-complex risks for organizations, and I've urged internal auditors to learn to audit at the speed of risk. The battle against email phishing schemes is the low-hanging fruit in that high-tech garden. A strong partnership with IT, effective governance practices, and a regimen of staff training and testing of those practices can significantly lower the risk of your organization becoming the next victim of an email phishing scheme.</p><p>I welcome your comments.</p>Richard Chambers
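<p>The scheme described above relies on a sender identity that does not hold up on inspection: an executive's display name over an address that is not theirs, a look-alike of the corporate domain, or a Reply-To that diverts the conversation elsewhere. The screen below is an added example, not code from the post or from The IIA, showing one way the "suspect email address" check in the list of steps could be implemented and fed to the finance team before a wire is approved. The corporate domain (example.com), the executive roster and the four sample messages are constructed for illustration.</p>

```python
"""Heuristic screen for executive-impersonation e-mail (the wire-transfer scam).

Added example, not code from the post or from The IIA. The corporate domain,
the executive roster and the sample messages are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from email.utils import parseaddr

CORP_DOMAIN = "example.com"  # assumed corporate mail domain
EXECUTIVES = {  # constructed roster: display name -> the one legitimate address
    "Pat Lee": "plee@example.com",
    "Jane Doe": "jdoe@example.com",
}
# Wording typical of the scheme: urgency, secrecy and a payment request
PAYMENT_TERMS = ("wire transfer", "urgent", "immediately", "confidential", "asap")


@dataclass
class Verdict:
    suspicious: bool
    reasons: list[str] = field(default_factory=list)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between two domains suggests a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_corporate(domain: str) -> bool:
    return domain == CORP_DOMAIN or domain.endswith("." + CORP_DOMAIN)


def is_lookalike(domain: str) -> bool:
    """Not ours, but within two edits of our domain (examp1e.com, exarnple.com, ...)."""
    return bool(domain) and not is_corporate(domain) and _edit_distance(domain, CORP_DOMAIN) <= 2


def screen_message(headers: dict[str, str], body: str) -> Verdict:
    """Flag a message only when an identity signal coincides with payment wording.

    A genuine executive asking finance for a wire is ordinary business; what marks
    the scam is that the sender identity does not hold up on inspection.
    """
    identity: list[str] = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    expected = EXECUTIVES.get(name)
    if expected and addr != expected.lower():
        identity.append(f"display name '{name}' is an executive's, but the address is {addr}")
    if is_lookalike(domain):
        identity.append(f"sender domain '{domain}' is a look-alike of {CORP_DOMAIN}")
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        identity.append(f"Reply-To {reply_to.lower()} diverts replies away from {addr}")

    text = (headers.get("Subject", "") + " " + body).lower()
    hits = [term for term in PAYMENT_TERMS if term in text]
    reasons = list(identity)
    if hits:
        reasons.append("payment/urgency wording: " + ", ".join(hits))
    return Verdict(suspicious=bool(identity) and bool(hits), reasons=reasons)


# Constructed sample messages (headers, body); none of these is real traffic.
SPOOF_LOOKALIKE = (
    {"From": "Pat Lee <pat.lee@examp1e.com>", "Subject": "Urgent wire transfer - confidential"},
    "I need this processed immediately; I'm in meetings all day.",
)
SPOOF_REPLYTO = (
    {"From": "Pat Lee <plee@example.com>", "Reply-To": "plee.private@webmail.example.net",
     "Subject": "Wire transfer needed today"},
    "Handle this immediately and keep it confidential.",
)
GENUINE_WIRE = (
    {"From": "Jane Doe <jdoe@example.com>", "Subject": "Wire transfer for the Q3 vendor invoice"},
    "Please schedule the usual wire transfer once the second approval is in.",
)
VENDOR = (
    {"From": "Acme Billing <billing@acme-vendor.example>", "Subject": "Invoice 4471"},
    "Attached is this month's invoice.",
)

if __name__ == "__main__":
    for label, (hdrs, text) in (("look-alike", SPOOF_LOOKALIKE), ("reply-to", SPOOF_REPLYTO),
                                ("genuine", GENUINE_WIRE), ("vendor", VENDOR)):
        verdict = screen_message(hdrs, text)
        print(f"{label}: {'SUSPICIOUS' if verdict.suspicious else 'ok'}")
        for reason in verdict.reasons:
            print("   -", reason)
```

<p>The screen deliberately does not flag a genuine executive asking finance for a wire, since that is routine business; it is the identity signals that separate the scam from an ordinary request, which is why the verdict requires both. In practice the roster would be drawn from the directory, and the verdict would feed the two-executive confirmation step from the list rather than block mail on its own.</p>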
