Privacy in the Workplace<p>Digital technology has changed workplace behavior — and expectations — for both employees and their employers. The ubiquitous use of smartphones and other devices, company-issued and personal, places communications and data management continually at users’ fingertips. Internet use alters the traditional dimensions of employees’ work flexibility requirements and need for expression, as well as employers’ need to monitor employees’ online activity. <br></p><p>Employee concerns have been amplified by the ever-evolving technologies and data collection methods that can seem personally intrusive. Any privacy expectations employees may have are being curtailed by privacy policies, privacy pop-up screens during computer log-ins, background checks, and other workplace measures. At the same time, governments worldwide have issued regulatory guidance to address privacy issues, but guidance often falls short when it comes to balancing employers’ needs to monitor and employees’ expectations of privacy. Both noncompliance with regulations and balancing privacy needs represent major concerns. <br></p><p>Of respondents to PricewaterhouseCoopers’s (PwC’s) Global State of Information Security Survey 2016, 32 percent of security professionals say their board members review security and privacy risks — up from 25 percent in 2015. Employees remain one of the most-cited sources of compromise, with 34 percent of respondents citing current employees as sources of security incidents and 29 percent saying former employees were sources. Organizations have legitimate reasons for wanting to keep tabs on employee data, but employees also want some measure of protection from prying eyes. Evolving expectations on both sides are changing where employees, and their employers, draw the line. 
Internal auditors tasked with examining privacy in the organization should know where the risks lie, and what requirements their clients may face.<br></p><h2>Drivers of Privacy Disruptions</h2><table width="100%" cellspacing="0" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Sound Privacy Program</strong></p><p>An effective privacy strategy comprises numerous practices. Organizations that manage privacy well typically feature several components in their approach: </p><ul><li>An organizational view of what privacy means.</li><li>An understanding of how privacy and data protection fit into the organization’s overall business strategy.</li><li>Complete knowledge of what data is held, where it is, and who has access to it.</li><li>A clear understanding of data ownership and of circumstances under which data is protected and under which it is not. </li><li>Understanding and management of the risks introduced to the data by third parties.</li><li>Data governance that ensures data is being used for the purpose that the organization has committed to, and nothing more.</li><li>A privacy model with agility in mind, given the ever-changing privacy landscape.</li><li>Thorough familiarity with legal obligations in the U.S. and abroad, and tracking of developments in regulatory enforcement actions and case law.</li></ul></td></tr></tbody></table><p>Historically, employee monitoring has been limited to checking internet and email usage. Today, digital disruption trends powered by mobile devices, social media, analytics, big data, and the Internet of Things have opened up a host of additional channels for employee activity. Plus, increased competition has fueled mergers and acquisitions, as well as use of offshoring models and reliance on third parties, resulting in constantly changing privacy expectations in the workplace. 
Organizations are also starting to apply data analytics to better match people to jobs and to more efficiently and cost-effectively recruit, manage, and retain talent. Employees have a need to be heard and to contribute, and they use internal messaging boards and social media sites to do that. Most organizations do not even realize how much data is being collected and analyzed, exposing them to legal and compliance risks.<br><br><strong>Employee Expectations</strong> With the rise of a constantly mobile and fluid workforce and the consumerization of technology, trust is essential in the digital world. More and more employees expect to use their own devices and applications at work, as well as cloud services they’re familiar with, because they believe those mechanisms make them more productive. <br></p><p>As employees use these devices with greater frequency, and as they become increasingly responsible for the data they hold in their cloud accounts, trust becomes a more significant factor. For instance, who’s responsible if cloud data gets stolen or a device gets hacked? If disabling software is installed to protect the employer, what is that employer’s responsibility for any personal information that gets lost? If the company comes under investigation by the authorities, would personal devices and data have to be handed over? <br></p><p>Employees might be more inclined to use wearable technology such as a smart watch if the information collected were leveraged for managing work hours or stress levels. They may trade personal data for flexible working hours, free health screening, and fitness incentives and approach data sharing more openly if the information is anonymized and shared at an aggregate level. 
Wearable technology, GPS tracking devices, radio frequency devices, and video cameras deployed in mobile workforces have great potential to track employee movement and productivity, but at the same time, each individual will have a personal limit to what is considered shareable. <br><br><strong>Employer Expectations and Drivers</strong> Employers’ concerns generally center on the need to protect themselves from loss of confidential information, shield against cyber threats, and comply with laws and regulations. Those needs require that employers monitor employee communications on company-issued computers, cell phones, tablets, and social media sites. Employers also need to collect personal information, such as Social Security numbers and health-related information, to provide health and compensation benefits. Companies are expected to act reasonably regarding their possession of that personal information and to respect employees’ rights to privacy. E-discovery tools are now more commonly deployed to investigate suspicious behavior, and so are data loss prevention tools to monitor network traffic and secure computers. <br><br><strong>Regulatory Landscape</strong> Regulatory developments in recent years have focused mainly on the types of data that should be protected, such as personally identifiable information (PII), health information, financial information, and certain demographic information such as income and union representation. Employees in the U.S. have minimal expectations of privacy compared with their counterparts in Europe and Japan, where privacy expectations are absolute and supersede most other laws and regulations despite varying from country to country. <br></p><p>Employee rights are protected by privacy laws such as the Constitution’s Fourth Amendment, the Electronic Communications Privacy Act, and the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. and various European Union (EU) data protection laws in EU member states. 
However, outside of specific data privacy laws such as HIPAA, interpretations of those laws and regulations are based on <em>reasonable expectations</em> of privacy and refer to both an employee’s expectation and an employer’s implementation of privacy policies in the workplace. Certainly, reasonable expectation can be interpreted differently by different societies, and regulations as such have not kept pace with changing technological advancements. Each country has a multifaceted legal framework in place to govern that country’s employers globally (see “Global Privacy Laws and Regulations” at the end of this article for examples). <br></p><h2>Audit Considerations</h2><p>Organizations should consider taking a holistic approach to managing privacy in the workplace. Moreover, their privacy framework should be agile enough to accommodate changing regulations. Internal auditors should evaluate the framework and other areas of privacy management to gauge the effectiveness of organizational efforts and overall governance. <br><br><strong>Governance Framework</strong> Internal audit should evaluate the organization’s governance framework, if one exists, to verify whether roles and responsibilities for managing privacy have been identified. An adequate framework will incorporate not only a chief information security officer or chief risk officer but also cross-functional partnerships across departments and geographies. Auditors should make sure that management defines a strategic vision and framework, if one does not exist, while ensuring it meets current and long-term business objectives. <br><br><strong>Privacy Risk and Compliance</strong> Execution of a privacy risk and compliance assessment is an essential step in evaluating if the organization has translated its strategic vision and framework into practical implementation. 
This step entails a gap assessment of applicable laws and regulations within all geographies, as well as the discovery and data flow mapping of data elements that are stored, transmitted, or transferred either on organizational networks or on hard copies. Internal audit should execute such assessments periodically and perform a risk assessment on a more frequent basis to evaluate the impact of organizational and regulatory changes.<br><br><strong>Policies, Processes, and Controls </strong>Auditors should be proactive in guiding management to develop new — or enhance existing — policies, processes, and controls by incorporating privacy-by-design (i.e., embedding privacy into the design specifications of technologies, business practices, and physical infrastructures). They should, for example, evaluate the privacy impacts of new products, third parties, mergers and acquisitions, systems, and technologies; and when the organization enters new markets, auditors should make sure controls are in place to manage privacy requirements. Controls around investigations of employee behavior on an organization’s networks and computer systems should be in place and evaluated by auditors periodically. These controls might include using e-discovery tools aimed at validating internal approvals, clearly articulating the purposes for monitoring that are proportionate to the investigation underway, and involving lawyers when necessary.<br></p><p><strong>Training and Awareness</strong> When policies set the tone of data protection management and guidance, employees and third parties should be trained in their roles and responsibilities. Training and awareness should be adaptive to meet specific needs at every level: executives, management personnel, human resources personnel, supervisors, IT staff, and so on. 
Auditors can advise management on the development of such programs and then periodically assess employee participation to gauge training compliance.<br><br><strong>Monitoring and Response</strong> Monitoring the environment to ensure compliance with privacy regulations is not just about deploying e-discovery and other tools over the network. It requires ongoing communication and periodic reporting across departments and geographies to help identify and isolate privacy concerns in a timely manner. However, organizations with over-the-top monitoring practices could encounter incidents or privacy crises with no warnings, resulting in their reacting reflexively. In their haste, decision makers could fail to consider who should be in the room making decisions, how emerging issues should be prioritized, and how to think strategically beyond the next 24 hours. Internal auditors should ensure that the business has incident management and response capabilities that align with best practices and overall business objectives.  <br></p><h2>A Matter of Trust</h2><p>Trust in the digital age can be difficult for employers to navigate because it’s closely intertwined with risk, security, and privacy. Nothing is hidden in the digital world; the views and opinions of former and current employees are available for everyone to see, and employees expect a clear explanation of what they are contributing and how they’re to be rewarded for it. For these reasons, ongoing trust levels must be built between employers and employees by way of transparency in their day-to-day interactions, and a mutual interest in balancing both parties’ priorities. </p><table width="100%" cellspacing="0" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><h3>Global Privacy Laws and Regulations</h3><br>Organizations need to carefully consider the privacy-related legal requirements that apply to areas in which they do business. 
A subset of some of the main laws and regulations affecting privacy worldwide may be helpful for internal auditors looking to assess the potential risks. <br><br><strong>EU–U.S. Privacy Shield</strong> was approved in July 2016 — in the form of a data transfer framework between the U.S. and EU member states — to replace the defunct Safe Harbor agreement after intense negotiations between the U.S. Department of Commerce and the European Commission. At first blush, the Privacy Shield seems to resemble Safe Harbor, but closer inspection reveals that it introduces increased compliance complexities for U.S. businesses. The framework includes stricter requirements for enrolling and monitoring, additional third-party risk management considerations, new avenues for data-subject complaint escalation, and further limitations on government access to personal data. Employers must decide whether to participate in the new data transfer framework or use an alternative method to establish adequacy. More importantly, the decision about a data transfer method must be viewed in consideration of the General Data Protection Regulation — a much larger compliance obligation for U.S. companies that profile or collect data from EU citizens. <br><br><strong>U.S. Securities and Exchange Commission’s Regulation Fair Disclosure</strong> requires its issuers to disclose material information to the general public in a broad and nonexclusive manner. Registrants, therefore, must safeguard such information from inappropriate access and disclosure, in part through monitoring activities. <br><br><strong>Japanese Act on the Protection of Personal Information</strong> defines personally identifiable information (PII) as any information about a living individual that could identify the individual by name, date of birth, or other description contained in such information. 
The act imposes data protection requirements on PII, including securing prior consents from individuals before exchanging or disclosing PII to third parties. The act was amended in September 2015 to require organizations that employ Japanese citizens to comply with the cross-border exchange requirements for PII before September 2017. <br><br><strong>Australian Privacy Act and Australian Privacy Principles</strong> affect public and private entities in Australia as well as overseas businesses that manage the employee personal information of Australian citizens. The act and the principles specify requirements for active maintenance and notification of privacy policy and for extending liability, including the imposition of fines, to overseas businesses in cases of breaches that result in the loss of an Australian citizen’s PII.<br><br><strong>U.S. National Labor Relations Act</strong> protects the rights of employees to organize and bargain collectively with their employers and to engage in other protected concerted activity. Employers are prohibited from restricting employees from acting together, with or without a union, to address work conditions that affect their personal lives. The provisions extend to conversations carried out in personal email accounts and social media sites.<br><br><strong>General Data Protection Regulation (GDPR)</strong> for EU members was officially adopted by the European Commission in April 2016 and goes into effect in May 2018 after a two-year transition period. The GDPR strengthens European data protection laws, giving EU citizens greater say in how their digital information gets collected and managed. This complete overhaul of EU privacy confers regulatory authority over any business that offers products or services in the EU and over any business that tracks and stores EU citizen data, as well as the authority to fine violating companies up to 4 percent of their annual global revenues. 
New compliance requirements include an appointed privacy officer, privacy by design and default in products and services, the right to be forgotten, additional privacy impact assessments, and complete inventories of personal data and third-party data processors.<br><br><strong>U.S. E-Government Act of 2002</strong> requires that a federal agency conduct a “privacy impact assessment” before developing or procuring an IT system or a project that collects, maintains, or disseminates PII about members of the public. The act also sets forth uniform confidentiality protection requirements regarding such data. <br><br></td></tr></tbody></table><p><br><br><span class="ms-rteStyle-Quote">Parthiv Sheth is a director in PwC’s Risk Assurance practice in New York.</span><br class="ms-rteStyle-Quote"><span class="ms-rteStyle-Quote">Khalid Wasti, CIA, CPA, CISA, CITP, is a partner in PwC’s Internal Technology Audit Solutions practice in New York.</span><br class="ms-rteStyle-Quote"><span class="ms-rteStyle-Quote">A. Michael Smith, CPA, CISA, CISSP, is a national partner in PwC’s Internal Technology Audit Solutions practice in the U.S.</span></p>
Internal Audit and the Internet of Things<p>Last month, <em>Compliance Week</em> published "<a href="" target="_blank" style="background-color:#ffffff;">Internet of Things' Role in Internal Audit & Compliance</a>."</p><p>I heartily agree that this is a topic that merits internal audit's (and the compliance function's) serious attention.</p><p>To quote the article, "Forbes provides a nice simple description of the concept as one of 'connecting any device with an on and off switch to the Internet (and/or to each other).'"</p><p>The Internet of Things (IoT) is not futuristic. It is here today. It will only mushroom in the future, with just about everything interconnected.</p><p>For example, I armed my home security system using my phone while on the way to the airport (I was not driving). If anybody tries to break in, I will receive an alarm on my phone wherever I happen to be.</p><p>Some people have their hearts monitored over the internet — <a href="" target="_blank">see this article from <em>Forbes</em></a>.</p><p>What should internal audit be doing about it?</p><p>Certainly, the level of work should be driven by the level of risk. But do we know what the level of risk is when it comes to IoT?</p><p>The article appears to expect internal audit to assess the risk by finding out how "IoT [is] deployed in our organization today."</p><p>I would take a different approach. I would find out whether management knows what is connected to what and why. 
If they don't know, that is a huge risk itself — how can IoT and its attendant risks be assessed and addressed if they are not known to management?</p><p>Assuming that they know the current state, I would ask for their risk assessment and how they are addressing the identified risks.</p><p>My next step would be to find out what changes are expected over the next 12 months and whether management is addressing them in its risk assessment.</p><p>These few questions would give me a "feel" for the level of risk and whether an audit engagement is merited.</p><p>I might go a step or two further and ask how they know what is connected to what, and how they have identified and addressed the risks.</p><p>That should give me sufficient confidence to know whether an audit engagement should be performed, what form of engagement it should be (assurance or advisory), and when.</p><p>Too many commentators want internal audit to identify and assess emerging risks, such as IoT.</p><p>I strongly disagree. That is management's role, not internal audit's.</p><p>Internal audit can assist by ensuring management has sound practices for identifying, assessing, and addressing risks — both emerging risks and existing risks where the level changes.</p><p>Do you agree?</p><p><span class="ms-rteStyle-Quote">Norman Marks</span></p>
Do You Have Data Fever?<p>A new internal auditor receives his latest assignment. His manager asks, “How are you going to approach the review of this area?” The auditor responds, “I want to test this, and I want to test that, and I want to test the other thing.” The manager asks why the auditor wants to perform those tests. Excitedly, the auditor answers, “Because that’s where all the information is.”<br></p><p>This scenario illustrates a common mistake made by new auditors — seeking to jump in without considering the risks, the processes, the criteria, or even the audit objective. The auditor recognizes a testable area and says, “I am doing an audit of this department and I know they have expense reports, so I will test the expense reports.”<br></p><p>Of course, those of us with years of experience and knowledge would never fall into that trap, right? Not so fast.<br></p><p>We live in a world where systems hold more information than anyone can possibly fathom. We are awash in data — big, large, super-sized, venti. And data analytics has become a buzzword that draws auditors like fraudsters to inadequate controls. When auditors see that glorious richness of data, they fall back into that rookie mind-set: “I don’t know what I want or what I’m trying to prove or what I’m going to do with it, but I want everything you’ve got.”<br></p><p>At one time or another we’ve all caught it — data fever: The desire for more and more information without considering what that data is. We turn the fire hose on full force and what we intended to be a thirst-quenching sip of real information turns into a suffocating flood of meaningless facts, figures, and folderol. <br></p><p>More is not always better. The rules for gathering data are the same as for any audit test. First determine what you want to accomplish with the audit. Then articulate what you want to do with the data, coordinating that understanding with the already-identified risks. 
<br></p><p>It all begins by understanding what the data represents and what it might say. Before even thinking about asking for the data, auditors should talk with the data owners to understand what is available, how it is used, and how it relates to the processes under review. Then, and only then, should auditors begin to think about what data may be needed.<br></p><p>The promise of data analytics is to assist in performing audit work more efficiently. It also represents an opportunity for internal audit to provide real value by showing the organization how all that data can be helpful to everyone. But that cannot be accomplished by just gathering every scrap of data available. Just as you would stop a new auditor from barging forward with unfocused and potentially meaningless testing, stop yourself when asking for a data dump and determine what you are really trying to accomplish. <br></p><p><span class="ms-rteStyle-Quote">Mike Jacka</span></p>
Reporting on Cyber Threats<p>Cybersecurity is at the forefront of most organizations' risk discussions, especially at the audit committee and senior executive levels. However, internal audit reporting may not reflect current cyber threats. It is time for auditors to consider revising the evaluation criteria they use to determine whether an IT finding is reportable.</p><p style="text-align:left;">Raising IT risk concerns may clash with the audit committee's threshold for materiality. For example, data breaches often involve reputation risks more so than financial risks. This is the existential question with cybersecurity: what is costly versus what makes the organization look bad. Overall, internal audit should consider whether outdated reporting criteria have created an expectation gap between what the audit committee expects to be reported and what internal audit considers worth reporting.</p><h2>The Current State of Reporting</h2><p>CAEs use multiple criteria to determine whether a finding is reportable to the audit committee and senior executive levels. In a survey of 163 CAEs conducted in July by The IIA's Audit Executive Center, 81 percent say their reporting criteria do not differ among different types of audits, such as fraud, compliance, and IT. </p><p>The survey reveals minimal differences in criteria used to report to the audit committee and senior management. Forty percent of respondents use a combination of criteria or additional criteria, including all internal control weaknesses, judgment, and risks to the organization, to determine what to report to senior executives. That percentage rises to 45 percent who use those criteria as a basis for reporting to the audit committee. Thirty-nine percent use pervasive internal control weakness as their criteria for reporting to both reporting levels. 
Overall, just 7 percent consider dollar threshold a reporting indicator for both senior executives and audit committees. </p><p style="text-align:justify;"> <img src="/2016/PublishingImages/gen-report-exec.jpg" alt="" style="margin:5px;width:425px;height:317px;" /> <em>Source: IIA Audit Executive Center</em><br> </p><p style="text-align:justify;"> <img src="/2016/PublishingImages/Gen-report-ac.jpg" alt="" style="margin:5px;width:425px;height:323px;" /> <em>Source: IIA Audit Executive Center</em><br></p><p>When asked about specific IT findings, CAEs overwhelmingly focus on whether the findings affect more than one business segment or department, or have an organizationwide impact (49 percent to senior executives and 51 percent to audit committees). Additionally, 42 percent use a combination of criteria that includes other factors such as business and reputational impact in determining which issues to report to senior executives and the audit committee. Only 5 percent of respondents consider dollar threshold a reporting criterion for either level.</p><p style="text-align:justify;"> <img src="/2016/PublishingImages/IT-report-exec.jpg" alt="" style="margin:5px;width:425px;height:329px;" /> <em>Source: IIA Audit Executive Center</em><br></p><p style="text-align:justify;"> <img src="/2016/PublishingImages/IT-report-ac.jpg" alt="" style="margin:5px;width:425px;height:339px;" /> <em>Source: IIA Audit Executive Center</em><br></p><h2>Are the Criteria Still Appropriate?</h2><table width="100%" cellspacing="0" class="ms-rteTable-0"><tbody><tr class="ms-rteTableEvenRow-0" style="text-align:center;"><td class="ms-rteTableEvenCol-0" colspan="2" style="width:50%;"><strong>Audit Committee and Senior Executive <br>Reportable IT Findings</strong></td></tr><tr class="ms-rteTableOddRow-0"><td class="ms-rteTableEvenCol-0"><strong>Reportable</strong> </td><td class="ms-rteTableOddCol-0"><strong>Not Reportable</strong> </td></tr><tr 
class="ms-rteTableEvenRow-0"><td class="ms-rteTableEvenCol-0">User account activation process findings that impact the organization's ability to appropriately assign user access.</td><td class="ms-rteTableOddCol-0">User access typically is assigned appropriately, but a current audit noted a couple of users whose access was assigned incorrectly. </td></tr><tr class="ms-rteTableOddRow-0"><td class="ms-rteTableEvenCol-0">User account deactivation process findings that impact the organization's ability to disable user access in a timely manner upon termination. </td><td class="ms-rteTableOddCol-0">User account deactivation process works correctly, but a current audit noted one or two contractors or employees whose access was not disabled in a timely manner. </td></tr><tr class="ms-rteTableEvenRow-0"><td class="ms-rteTableEvenCol-0">User transfer process findings where access is not removed when employees transfer to other departments.</td><td class="ms-rteTableOddCol-0">User access is typically adjusted upon transfer, but a current audit identified one or two users whose access was not adjusted. </td></tr><tr class="ms-rteTableOddRow-0"><td class="ms-rteTableEvenCol-0">Patching process findings where patching does not occur in a timely manner organizationwide. </td><td class="ms-rteTableOddCol-0">Most servers are patched in a timely manner except for a few. </td></tr><tr class="ms-rteTableEvenRow-0"><td class="ms-rteTableEvenCol-0">Two-factor authentication findings where the authentication system has organizationwide issues (i.e., does not work all the time). </td><td class="ms-rteTableOddCol-0">Most servers have two-factor authentication enabled for interactive login, but one or two do not. </td></tr></tbody></table><p>Although organizationwide impact is the criterion survey respondents consider most impactful in deciding to report IT findings, this may cause internal audit to not report seemingly lesser findings that could potentially be big cyber threats. 
Findings such as having one or two untimely user account terminations or users who have been assigned incorrect access would most likely not be considered reportable under current generally used criteria (see "Audit Committee and Senior Executive Reportable IT Findings" at right). </p><p>Yet, these are similar to the causes of some of the largest data breaches reported to the <a href="" target="_blank">Identity Theft Resource Center</a> both this year and historically. These include:</p><ul><li>Stolen third-party or employee credentials.</li><li>Stolen mobile device.</li><li>Unsecure wireless network.</li><li>Two-factor authentication disabled on a few servers.</li></ul><p>These data breach trends suggest the current reportable criteria may not reflect cyber threat reality. Although only a few items, or even one item, could be found during an audit, such items may open the door for a hacker or general user to allow data theft to occur. In the world of cybersecurity, the small details matter. Failing to perform an appropriate activity for a single user or server could have an organizationwide impact.</p><p>Questions to consider include:</p><ul><li>In today's world of cyber threats, are the criteria used to decide when to report an IT finding to the audit committee and senior executives still relevant?  </li><li>Should the criteria be revised so that other IT findings currently deemed to be lesser risk would be considered reportable?</li><li>Are the board or senior executives sufficiently educated about cybersecurity to understand the impact of such findings?</li></ul><h2>Modifying Expectations</h2><p> <a href="" target="_blank">Internal Audit's Role in Cyber Preparedness</a>, a 2015 white paper from The IIA's Internal Audit Foundation, discusses the importance of taking a holistic approach to an organization's cybersecurity practices and how internal audit can assist in this endeavor. 
The white paper cites a <a href="">National Association of Corporate Directors (NACD) publication</a> in which 87 percent of respondents to the 2013-2014 NACD Public Company Governance Survey reported their board's understanding of IT risk needs improvement. The IIA white paper says boards could gain access to cybersecurity expertise by adding members with technology industry expertise. Other suggestions include:</p><ul><li>Scheduling "deep dive" briefings from third-party experts, including specialist cybersecurity firms, government agencies, and industry associations.</li><li>Leveraging the board's existing independent advisers, such as external auditors and outside counsel, who will have a multiclient and industrywide perspective on cyberrisk trends.</li><li>Participating in relevant director education programs, whether provided in-house or externally.</li></ul><p>As boards increase their cyber awareness, internal audit is complementing this awareness by becoming more technology-savvy and providing services to the organization such as helping the board understand IT risks and the impact of new technology initiatives. Becoming more adept at using technology is helping internal audit provide such services, according to a recent Protiviti Report, <a href="" target="_blank">Internal Auditing Around the World</a>. </p><table width="100%" cellspacing="0" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> <p> <strong>Summary and Analyses of Findings That Did Not Meet the Required Reporting Threshold</strong></p><p>Fifteen users with excess or incorrect access were noted among seven audits. Upon evaluating these overall, internal auditors noted an increased trend of failure by the business owners to ensure an adequate access review is performed periodically. 
Further follow-up revealed that five of the seven business owners were relatively new to the company and had not received the appropriate training. As management is aware, excess or incorrect access rights increase the organization's cyber threat level.</p><p>Untimely disabling of a user's application account occurred in eight out of 10 audits. While none of these incidents met the reporting criteria on its own, internal audit noted an upward trend in untimely removal of user access. It is interesting to note that five of the eight users were contractors for whom the business areas did not provide prompt notification of the need to disable their access. Management is now considering alternatives to manage contractor access. </p></td></tr></tbody></table><p>This growing cyber awareness creates an opportunity for internal audit to report on IT findings that were once considered lower risk and less impactful organizationwide. Similar to the common experience of external auditors reporting various material or immaterial individual financial adjustments, reporting on these IT events can further educate the board and senior executives on cyberrisks. </p><h2>Reporting Alternatives</h2><p>In the world where a single IT event now can cause an organizationwide threat, internal audit needs to engage audit committees and senior executives in discussions about single detailed events and their impacts. Yet, it takes time for perspectives to change and education to occur. In the meantime, there are alternatives auditors can use to retain the current reporting criteria and further emphasize these singular IT findings, including:</p><ul><li>Modifying the reporting narrative of each audit that is distributed to the audit committees and senior executives, including elaborating on the cyber threats encompassed by the audit. 
Alternatively, during the audit committee presentation, auditors can spend a few moments discussing the cyber threats detailed in the audit.</li><li>Educating senior executives and audit committees on the finer cyber threat details.</li><li>Maintaining the current reporting criteria and providing an annual summarized report noting the major themes from all unreported IT issues identified (for an example, see "Summary and Analyses of Findings That Did Not Meet the Required Reporting Threshold" at right).</li></ul><p>Although revising reporting criteria to better reflect the current cyberrisk environment should occur, suddenly changing long-established reporting practices may not be the best solution. Using the suggested reporting alternatives and easing into new criteria will allow time for the audit committee and senior executives to adjust their perspectives. Moreover, a gradual shift will allow for additional training and understanding that a single IT finding could do as much harm as a pervasive IT finding. </p>James Reinhard
Analytics-driven Audits<p>Data continues to be captured and processed at phenomenal rates. In fact, Computer Sciences Corp. predicts that by 2020, data production will be 44 times greater than it was in 2009. With so much data being generated, there is a need to connect the dots and get meaningful information from it. An audit that is intuition-based and uses a selection of random samples may not be that effective in the changing business landscape. With so many automated processes, the way internal audit departments conduct audits also needs to be automated. <br></p><p>An analytics-based approach to audit makes it possible to review large data sets and get meaningful insights into internal control processes, including probable vulnerabilities in meeting the overall assurance objectives. The use of analytics can increase audit efficiency and lead to a deeper understanding of the business, risk assessment, and real-time monitoring. Data analysis can be applied to areas such as audit planning, sample selection, risk assessment, control testing, and identifying red flags.<br></p><h2>Data Types and Storage</h2><p>Before embracing data analytics, it is important to understand the types of data being generated. The analytics methods and tools used will depend on the type of data and the manner in which the data is generated and stored. <br></p><p>Qualitative data is a categorical measurement expressed with a natural language description. In statistics, it is often used interchangeably with categorical data (e.g., favorite color = “blue” or height = “tall”). Data are classified as nominal if there is no natural order between the categories (e.g., eye color), or ordinal if an ordering exists (e.g., exam results).<br></p><p>Quantitative or numerical data are counts or measurements. 
The data are said to be discrete if the measurements are integers (e.g., number of people in a household) and continuous if the measurements can take on any value, usually within some range (e.g., weight). Quantities whose values differ from one observation to another are called variables (e.g., the height and shoe size of every person are different).<br></p><p>Generated data is stored in data warehouses in different formats. Structured data is information, usually displayed in columns and rows, that can easily be ordered and processed. This could be visualized as a perfectly organized filing cabinet where everything is identified, labeled, and easy to access. Unstructured data has no identifiable internal structure. Types of unstructured data include word processing files, PDF files, digital images, video, audio, and social media posts.<br></p><h2>Data Analytics</h2><p><img src="/2016/PublishingImages/B2B_Aug%2716_chart.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Data analytics is the process of generating insights from operational, financial, and other forms of electronic data, internal or external to the organization, and communicating the exceptions and outliers it finds. Exceptions are deviations from a defined criterion, whether that criterion is internal or external to the organization. Outliers are data or records that are statistically inconsistent with the population to which they belong; no rule has been broken, but the record does not look like its peers. Analytics relies on the simultaneous application of statistics, computer programming, and operations research to quantify performance. <br></p><p>Data analytics tools and techniques assist in transforming and improving audit approaches in terms of providing insights, predicting outcomes, optimizing sampling decisions, extending audit coverage, and highlighting key deficiencies. Analytics embeds data visualization to effectively communicate insight.<br>Analytics is not just about technology. 
It refers to the use of certain technologies, skill sets, and processes for the exploration, evaluation, and investigation of data generated during business operations (see “The Process of Data Analytics” at right). </p><h2>Analytical Techniques</h2><p>Analytical techniques can be used for risk assessment and control testing in various areas. It is important to link the business understanding, processes, and regulations and correlate them with the data available to identify exceptions or outliers. There are four analytical stages.  <br></p><p>Descriptive analytics identifies events that occurred in the past, while diagnostic analytics looks for reasons past events occurred. Predictive analytics predicts future outcomes based on past events, and prescriptive analytics provides a feasible line of action. Auditors need to gradually move from identifying what went wrong to forecasting what may go wrong. The shift from descriptive to predictive and then to prescriptive analytics requires the application of business insights with analytical techniques supported by technology advancements.<br></p><h2>Analytics Software</h2><p>Some of the numerous tools available for carrying out data analytics require coding or scripting and may not be as user-friendly compared to tools with an easy-to-use graphical user interface. Questions that can help determine which tool to invest in include: What problem needs to be solved? What are the net costs for learning a new tool? What are the other available tools and how do these relate to commonly used tools?<br></p><h2>Changed Business Environment</h2><p>Considering the ever-increasing nature of digitization, it is inevitable that internal auditors change their approach to executing audits. Traditional methods of vouching and verification may need to be reviewed to bring them in line with the changed business environment. 
Considering increased expectations from stakeholders and the need to look deeper into business transactions, embedding analytics in audit is unavoidable. The proliferation of new forms of data and evolving concepts of analytics-driven audits means internal auditors can gain deeper insights into the business. <br></p>Neha Pansari
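The exception and outlier distinction above, applied to the kind of user-access findings the preceding article discusses (untimely account terminations and excess or incorrect access), as an added example that is not part of either article or its author's work. The two-day removal SLA, the role-to-entitlement matrix, the account extract, the review date and the 3.5 modified z-score cutoff are all assumptions constructed for the illustration:

```python
"""Audit analytics over a user-access extract: exceptions vs. outliers.

Exceptions break a defined criterion (rule-based):
  1. a terminated user's account is still enabled, or was disabled later than the SLA;
  2. a user holds an entitlement that the role matrix does not authorise.
Outliers are inconsistent with the population (statistics-based):
  3. a user's entitlement count is far from everyone else's (modified z-score).
All data below is constructed for the example.
"""
from datetime import date
from statistics import mean, median

SLA_DAYS = 2              # assumption: access removed within 2 days of termination
OUTLIER_CUTOFF = 3.5      # assumption: Iglewicz-Hoaglin modified z-score threshold
AS_OF = date(2016, 7, 1)  # assumed review date, used for accounts never disabled

# Assumed role-to-entitlement matrix ("who should have what").
ROLE_MATRIX = {
    "ap_clerk":   {"erp.invoice.read", "erp.invoice.create"},
    "ap_manager": {"erp.invoice.read", "erp.invoice.create", "erp.invoice.approve"},
    "contractor": {"erp.invoice.read"},
    "dba": {"erp.invoice.read"} | {f"erp.db.{p}" for p in
            ("admin", "backup", "restore", "grant", "audit", "schema", "tune", "export")},
}


def account(user, role, ents, status="enabled", terminated=None, disabled=None):
    return {"user": user, "role": role, "entitlements": set(ents),
            "status": status, "terminated": terminated, "disabled": disabled}


# Constructed access extract, shaped like an IAM or ERP user export.
ACCOUNTS = [
    account("alice", "ap_clerk", ROLE_MATRIX["ap_clerk"]),
    account("bob", "ap_clerk", ROLE_MATRIX["ap_clerk"] | {"erp.invoice.approve"}),  # excess
    account("carol", "contractor", ROLE_MATRIX["contractor"],
            terminated=date(2016, 6, 1)),                               # left, never disabled
    account("dave", "contractor", ROLE_MATRIX["contractor"], status="disabled",
            terminated=date(2016, 6, 3), disabled=date(2016, 6, 20)),   # disabled 17 days later
    account("erin", "ap_manager", ROLE_MATRIX["ap_manager"], status="disabled",
            terminated=date(2016, 5, 2), disabled=date(2016, 5, 3)),    # timely
    account("frank", "dba", ROLE_MATRIX["dba"]),                        # authorised but unusual
    account("grace", "ap_clerk", ROLE_MATRIX["ap_clerk"]),
    account("heidi", "ap_clerk", ROLE_MATRIX["ap_clerk"]),
]


def untimely_terminations(accounts, as_of=AS_OF, sla_days=SLA_DAYS):
    """Exception 1: {user: days beyond SLA}; still-enabled accounts count up to as_of."""
    findings = {}
    for a in accounts:
        if a["terminated"] is None:
            continue
        end = a["disabled"] if a["status"] == "disabled" and a["disabled"] else as_of
        late = (end - a["terminated"]).days - sla_days
        if late > 0:
            findings[a["user"]] = late
    return findings


def excess_access(accounts, matrix=ROLE_MATRIX):
    """Exception 2: {user: entitlements the user's role does not authorise}."""
    findings = {}
    for a in accounts:
        extra = a["entitlements"] - matrix[a["role"]]
        if extra:
            findings[a["user"]] = extra
    return findings


def entitlement_outliers(accounts, cutoff=OUTLIER_CUTOFF):
    """Outlier: {user: modified z-score} for entitlement counts far from the population.
    Median and MAD are used instead of mean and stdev so one extreme account
    cannot inflate the spread and thereby hide itself."""
    counts = {a["user"]: len(a["entitlements"]) for a in accounts}
    med = median(counts.values())
    mad = median(abs(c - med) for c in counts.values())
    if mad:
        scale = mad / 0.6745
    else:  # most counts identical: fall back to mean absolute deviation
        mean_ad = mean(abs(c - med) for c in counts.values())
        if not mean_ad:
            return {}
        scale = 1.2533 * mean_ad
    scores = {u: round((c - med) / scale, 2) for u, c in counts.items()}
    return {u: s for u, s in scores.items() if abs(s) > cutoff}


def run_review(accounts=ACCOUNTS, as_of=AS_OF):
    """Run all three tests; exceptions and outliers are reported separately."""
    return {
        "untimely_terminations": untimely_terminations(accounts, as_of),
        "excess_access": excess_access(accounts),
        "entitlement_outliers": entitlement_outliers(accounts),
    }


if __name__ == "__main__":
    for test, hits in run_review().items():
        print(f"{test}: {hits}")
```

On the constructed extract the two exception rules return the findings the earlier article's summary box describes (a contractor never disabled, another disabled well past the SLA, a clerk holding approval rights), while the outlier rule surfaces the DBA whose nine entitlements are all authorised but far from the population; that account is not a control failure, it is where an auditor would look next.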
The Mind of a Credit Card Hacker<p>One of the biggest credit card fraud rings was a collaboration between Miami hacker Albert Gonzalez and hackers in Russia. The ring used SQL injection to steal more than 90 million credit and debit card numbers from retailers such as Barnes & Noble, BJ’s Wholesale Club, Boston Market, OfficeMax, and TJX — the parent company of Marshalls and T.J. Maxx. Gonzalez and his crew were active for two years, and he was known to brag that he had to count hundreds of thousands of dollars by hand when his money-counting machine broke.<br></p><p>Gonzalez got greedy, and his flashy lifestyle caught the attention of law enforcement officials. In 2010, a U.S. federal District Court sentenced him to 20 years in a federal prison and fined him US$25,000.<br></p><p>Smart hackers keep a low profile and cover their tracks so they can continue the cycle. With the right campaign, they can obtain thousands of credit card numbers and sell them for millions of dollars. To help defend their organizations, internal auditors need to know why hackers target the business’ credit card information, how they can steal it, and what happens after the data is stolen. That means learning to think like a hacker. <br></p><h2>First, They Need a Vector</h2><p>A vector is a network, email, application, or host that delivers a malicious payload to the user. To gain entry to an organization’s systems, hackers use tools, programming experience, and social engineering skills to target a user’s computer or convince that person to voluntarily give them information or access. The vector they choose determines the steps they need to steal an organization’s data. <br></p><p>Phishing is one of the more common methods. Hackers send emails to unsuspecting victims and convince them that they need to enter private information on a fraudulent website form. 
For example, the hacker uses PayPal’s logo and a similar domain name to trick users into typing their PayPal user name and password. Internet usage policies should instruct employees to always type the name of the official website in a browser instead of clicking random links embedded in an email.<br>A recent variation on phishing attacks is to send employees emails claiming to be from their organization’s CEO and directing them to complete a transaction. <br></p><h2>Collect the Stolen Data</h2><p>Attackers use previously unseen malware, often called zero-day malware, to gain access to a computer. Because antivirus vendors have not yet seen a sample, signature-based antivirus does not recognize it, which gives the hacker a window in which to collect data and transfer it to his or her own server before detection.<br></p><p>Speed is also essential for hackers who use phishing emails. As soon as email recipients detect that the email and site are fraudulent, it’s only a matter of time before the emails are blocked and the host terminates the hacker’s account. The hacker needs to collect the data from the server and transfer it to a safe location.<br>During the data collection stage, hackers also need to cover their tracks. They can do this by using a different host for the next vector, changing malware signatures, and setting up new anonymous email accounts. <br></p><h2>Verify the Cards Are Valid</h2><p>This step is the most crucial and risky. The hacker needs to verify the cards are valid. The hacker can do this by creating accounts at websites that sell low-priced items and don’t have as much security regarding billing and shipping addresses. A list of these sites can be found through a criminal network or a search engine. The hacker makes small purchases from these online stores to verify the card is still valid and the original cardholder isn’t paying attention to purchases on it. 
<br></p><p>Consumers who check their debit and credit card activity frequently can detect these transactions quickly before the charges finalize. Moreover, many financial institutions have fraud detection that automatically flags a card for suspicious transactions. These card numbers won’t work, which reduces the hacker’s credibility and trustworthiness with buyers. <br></p><p>Because the hacker’s purchases are small amounts, they can more easily slip through detection. For example, the attacker might charge US$5 on a card and wait a few days. If the charges go through and the product is shipped, he or she can make larger charges or sell the card number on the black market.<br></p><h2>Create Fake Cards </h2><p>For US$100, hackers can create fake credit cards. The number printed on the front of the card is usually fake, but the card number on the magnetic strip is one of the stolen numbers. The attacker also can sell these physical cards, but it’s much more work to send the cards to a buyer.  <br></p><h2>How Auditors Can Respond</h2><p>By understanding the way hackers work, internal auditors can gain better insight into ways to protect the personal data their organization has stored. Here are recommendations auditors can provide to help their organizations shore up their defenses.<br><br><strong>System Requirements</strong> Auditors should advise the IT department or process owners to install and maintain a firewall configuration that is capable of protecting cardholder data. The organization should encrypt transmission of cardholder data across open, public networks, including wireless networks. Also, the organization should use up-to-date antivirus software and ensure that all antivirus mechanisms are current, actively running, and capable of generating audit logs. In addition, it should monitor all access to network resources and cardholder data, and test security systems and processes regularly. 
<br><br><strong>Access Control</strong> Internal auditors should advise the IT department to limit access to computing resources and cardholder information only to those individuals whose jobs require it. The organization should physically secure all paper and electronic media that contain cardholder data, including computers, networking and communications hardware, paper receipts, reports, and faxes. Moreover, it should use appropriate facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data.<br></p><h2>Becoming a Harder Target</h2><p>As their organization’s third line of defense, internal audit’s assurance and advisory services can be vital to protecting the business from today’s hackers. Auditors should review the organization’s security measures and related controls at least annually, and preferably more frequently, as risks evolve. They also can advise their organizations about ways to strengthen those measures and be better prepared to respond to an incident. With organized hackers targeting organizations from all sides, such actions can help make the difference between becoming a harder target for attackers and suffering a heavy loss from a data breach.    <br></p>Sharif A. Nogod
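The SQL injection the article opens with, reduced to its mechanism, as an added example that is neither from the article nor from any of the named retailers' code. A customer lookup that splices the request parameter into the SQL text is shown next to the same lookup with a bound parameter; the SQLite database, the table and the card numbers (the brands' published test numbers, not real cards) are constructed for the illustration:

```python
"""SQL injection in miniature: a lookup that splices untrusted input into SQL,
the same lookup with a bound parameter, and the payload that separates them.
The in-memory database and its rows are constructed test data."""
import sqlite3


def make_db():
    """In-memory table of cardholder rows (constructed test data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, pan TEXT)")
    conn.executemany("INSERT INTO customers (email, pan) VALUES (?, ?)", [
        ("alice@example.com", "4111111111111111"),
        ("bob@example.com", "5555555555554444"),
        ("carol@example.com", "378282246310005"),
    ])
    return conn


def lookup_vulnerable(conn, email):
    """VULNERABLE: the input becomes part of the SQL text, so a quote in it
    ends the string literal and whatever follows is executed as SQL."""
    sql = "SELECT email, pan FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """HARDENED: the input is bound as a value; it cannot change the query's
    structure whatever characters it contains."""
    return conn.execute(
        "SELECT email, pan FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Classic tautology payload: closes the literal and makes the WHERE always true,
# so the vulnerable query returns every row in the table.
DUMP_PAYLOAD = "' OR '1'='1"


def compare(email):
    """Rows each lookup returns for the same input (vulnerable vs. hardened)."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, email),
        "parameterized": lookup_parameterized(conn, email),
    }


if __name__ == "__main__":
    for name, rows in compare(DUMP_PAYLOAD).items():
        print(f"{name}: {len(rows)} row(s) for payload {DUMP_PAYLOAD!r}")
```

Parameterization closes the injection itself; the article's other recommendations limit what a successful injection could have reached, in particular a database account that can only read the columns the application needs and a data model that does not keep full card numbers in the first place.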
IT and the Integrated Audit<h2>How do you define integrated audit from an IT perspective?<br></h2> <p> <strong>KIM</strong> An integrated audit considers IT, financial, and operational controls holistically. While a traditional audit focuses on financial, operational, or IT aspects only, an integrated audit takes a more global approach. From an IT perspective, an integrated audit provides assurance that IT controls are effective and efficient to support the business process. This approach acknowledges that IT, financial, and operational controls are mutually dependent.<br><strong>JENKINS</strong> There are few strategic initiatives in organizations that don’t include an IT component. Our world has turned into an online world, with technology playing a role in everything we touch. The integrated audit is a more holistic approach, focused on the organization’s top risks. Internal audit won’t be able to present a complete picture of the organization’s risks without considering the technologies associated with them. <br></p><h2>What is your organization’s approach to integrated audits?</h2><p> <strong style="line-height:19.2px;"><img src="/2016/PublishingImages/pamela-jenkins.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />JENKINS</strong> Fossil is a global organization with retail, distribution, wholesale, and manufacturing facilities in many countries. Internal audit aligns its audit plan with the company’s top global risks. Our audit department has limited resources and IT auditors. We work efficiently and leverage our resources to ensure we address the top risks for the company. Our IT auditor is a part of every audit we perform. Over the last few months, we have begun socializing with the company a more integrated audit approach. We have the full support of the audit committee and top management. 
As we hire, we look for integrated auditors who can look at a business process, pick out where the risks are, and identify if there are any technology-related red flags. <br> <strong style="line-height:19.2px;">KIM</strong> Integrated audits are the rule rather than exception in my organization. Organizations rely heavily on IT to perform their work. To understand an audit client’s internal controls over a business process requires an understanding of the effectiveness and adequacy of IT controls. All of our staff auditors are trained to perform basic IT audits. However, for audits that are highly technical, we have a team of IT specialists with advanced IT skills. This provides us a cost-effective way to keep up with the rapid changes in technology, as well as deal with the difficulty of recruiting and retaining IT audit professionals, which can be a challenge in the current environment. <br></p><h2>What value does a successful integrated audit approach bring to the organization?</h2><p> <strong style="line-height:19.2px;"><img src="/2016/PublishingImages/Tina-Kim.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />KIM</strong>​ Integrated auditing promotes the principle of risk-based auditing. The business environment is increasingly complex, and businesses and governments are confronting a wide range of risks. Integrated auditing allows audit functions to consider and evaluate risk globally and focus audit efforts on the highest impact areas. More importantly, it increases the relevance of internal auditors’ work by providing better value to stakeholders. Study after study has shown that stakeholders are expecting more from internal audit functions, including those already receiving significant value. 
By helping to break down silos and increase transparency, integrated auditing provides management with increased insight on how various types of risks impact their business processes and gives auditors more exposure to different aspects of an organization’s operation, increasing their effectiveness. <br> <strong style="line-height:19.2px;">JENKINS</strong> Without an integrated audit approach, the audit results are not covering the full business process/potential risk. To ensure the largest risks of the company are addressed, the audit process needs to include IT. An integrated audit enables auditors to look at an issue holistically and identify the entire risk, not just a piece of it.​</p><h2>What IT skills and knowledge do internal auditors need to communicate with IT professionals?</h2><p> <strong style="line-height:19.2px;">JENKINS</strong> I think it goes both ways. Yes, audit professionals need to have comprehensive knowledge of IT to effectively identify risk and communicate with IT departments, but IT auditors also need to have more than just IT experience. They need to be able to see the forest for the trees, and communicate from a business perspective. It is important for the IT audit professional to have good business acumen to enable an understanding of the business process/risk and its relationship to the IT components. IT auditors need to bridge the gap between being highly technical and being able to speak in basic business terms. <br> <strong><strong style="line-height:19.2px;">KIM</strong>​</strong> Having an education background in computer science or a related field is a big plus. However, a genuine interest and desire to understand technology, coupled with the ability to quickly grasp new trends and understand new technologies, is just as critical. Moreover, as with all audit positions, not only are technical skills important, but communication and other soft skills are also vital. 
To be effective, internal auditors need to speak the language of their stakeholders. <br></p><h2>What types of IT-related audits should internal audit be able to perform without IT audit expertise?</h2><p> <strong><strong style="line-height:19.2px;">KIM</strong></strong> The IT audit universe represents a continuum of audit activities that run the gamut from basic to intermediate to highly technical and complex. Most internal auditors with training both in the classroom and on the job can generally progress to a level that enables them to perform a basic IT audit. In fact, one of the benefits of the integrated audit approach is that audit staff members work on a single team alongside auditors with more IT audit experience. This provides audit staff with increased exposure and experience in IT audit. That said, the continuum of IT audit activities progressively requires increasingly specialized IT skills. It is generally not cost-effective to train the entire audit team in these higher-order areas. In these instances, the use of specialists should be considered. <br> <strong style="line-height:19.2px;">JENKINS</strong> Internal audit should be able to perform any broad audit with IT components. Even if the auditor is not a certified IT auditor, he or she needs to have a good understanding of where the IT risks are and be able to identify the red flags. Most audit departments do not have the bandwidth to have several auditors with deep technical skills. This is where being a part of The IIA is very helpful, because the auditors can go to The Institute for thought leadership, resources, and benchmarking to help on certain projects. We take advantage of cosourcing. 
These cosourcing arrangements are ideal for larger and highly technical projects that require a deeper dive into IT.<br></p><h2>What types of IT-related audits should only be performed by IT audit specialists?</h2><p> <strong style="line-height:19.2px;">JENKINS</strong> Most audits will have an integrated approach. However, some projects may be just IT focused. It’s important to be able to connect the dots back to the business side. We had our IT auditor document the organization’s global IT footprint so we understand the systems in entirety and where and how they connect. We then identified where we need to drill deeper. Some of those projects may require cosourcing. <br> <strong style="line-height:19.2px;">KIM</strong> The internal audit standards require that auditors have the knowledge, skills, and other competencies to perform their individual responsibilities. In the context of IT audits, these standards are uniquely challenging in that technology is constantly evolving, and, due to the costs involved, not all audit staff receive the specialized training required to keep pace. Therefore, for highly technical and complex audits involving areas such as network infrastructure or emerging technology, it is better to rely on an IT audit specialist who possesses the knowledge level and skills to meet the audit needs. <br>That said, recruiting and retaining such specialists is perhaps one of the greatest challenges facing audit functions that want to adopt integrated auditing. When internal resources are not available, alternatives to be considered include guest auditors or cosourcing. While the difficulties can appear daunting, the benefits in increasing risk coverage and creating efficiencies within the audit team are well worth the effort. </p>
Cyber Resilience<p>Despite banks spending billions of dollars to protect themselves against cyberattacks, financial regulators remain unimpressed. Mary Jo White, chair of the U.S. Securities and Exchange Commission, told the press in May that cybersecurity was the biggest risk facing the financial system, but banks’ “policies and procedures are not tailored to their particular risks.” Regulators in Europe also want action. Chairman of the European Banking Authority Andrea Enria — again in May — urged national regulators to stress test European financial institutions to see how vulnerable they were to hackers. If they fail, he said, they should be forced to hold more capital. <br></p><p>And as if that were not enough, SWIFT, the interbank financial messaging network that carries instructions for more than US$6 trillion in transfers every day, has unveiled a customer security program that includes plans to audit its 11,000 member institutions to check that their security is fit for purpose. “We will look into if and how customers’ compliance to these baselines can be made transparent to, and enforced by, counterparties, regulators, and ourselves,” SWIFT said. Members will have to share more information and tighten the security of their systems.<br></p><p>The pressure to strengthen IT platforms and applications has come in the continuing wake of high-profile cyber failures. Three of SWIFT’s members, for example, have been hacked in the past seven months — including the Bangladesh central bank. Hackers obtained the bank’s SWIFT credentials and used them to transfer US$81 million from its accounts at the U.S. Federal Reserve.<br></p><p>It’s not just banks at risk, either. According to recent data released by the U.K. government, two-thirds of big U.K. businesses have been hit by a cyberattack in the past year. Most of the attacks involved viruses, spyware, or malware, the Cyber Security Breaches Survey said in May. 
It found that one in four large firms said they were breached once a month — sometimes more — and that attacks could cost millions of pounds to rectify. The volume, frequency, and sophistication of attacks are a game changer. <br></p><h2>Not If, But When   </h2><p>Many organizations are now working on the assumption that a cyber breach is inevitable and that they need to have rapid and effective response mechanisms in place to minimize damage. Internal audit departments are being called upon to help — providing everything from improved diagnostics to help locate where, when, and how a breach has occurred, to assistance with the very effectiveness of a business’ cyber breach response team.<br></p><p>“People now have to be in a posture that assumes you have been breached, rather than saying that you are never going to be breached,” Kelly Barrett, senior vice president of Home Services and former vice president of internal audit and corporate compliance at the Atlanta-based retailer The Home Depot, says. “That mindset changes the way you structure your security program.”<br></p><p>Barrett knows through painful experience what a data breach is like. She says no matter how much money a company spends on its defenses, hackers are likely to get ahead of the game through new techniques, or by attacking the most vulnerable part of the business or its supply chain. In addition to beefing up external defenses, Barrett advises organizations to think about what software can be used to pick up behavioral anomalies, such as employees logging into systems at unusual times or unexpected places, within the business, too. While such tools are sophisticated enough to run from day one, they improve over time as the IT team learns how the business works and eradicates any false positives the system may throw at them.<br></p><p>“The key point is that you are now assuming somebody may be looking at things, or using them, inappropriately,” she says. 
“And so the tools you use need to be much more proactive in looking for those unusual patterns.”<br></p><h2>Collaboration</h2><p>Home Depot’s audit team has been working with the chief information security officer (CISO) to think through the design of such programs, understand how the tools work, and ensure that they are actually controlling what the business intends them to control. Internal audit wants to know that the company is getting the full benefit from the technology it has invested in and that those people reviewing the outputs are accountable. That has also brought about a change in how audit operates in this area.<br></p><p>“Internal audit partners very closely with the CISO,” Barrett says. “They’re not sitting back and waiting to do an audit after the fact. They’re actually helping them look at the tools.” <br></p><p>Barrett realizes that some may question internal audit’s ability to remain independent, but she is clear that as long as internal audit is not implementing controls, that can be achieved. What is powerful about the partnership, she says, is its ability to bring together security experts with auditors who have an equally strong grasp on controls in a way that is proactive. In fact, Barrett is the chair of the company’s data security and policy governance committee, which helps her — and the organization — achieve a helicopter view of the security procedures across the business. “That helps us make sure all the different pieces are being considered, and we are thoughtful about what the response is,” she says. <br></p><p>In the U.S., at least, some of the impetus for smarter working and multidisciplinary cyber defense and reaction programs has come from the board as much as from those working within organizations. If there has not been a revolution that has catapulted cyberrisk to the top of the risk agenda exactly, there has been steady evolution, says Gary Pollack, senior vice president, Assurance Services Leader, American Express Co. 
in New York.<br></p><p>“Three to five years ago, IT risk professionals may not have been given as much time on the agenda as they are today,” he says. “We are clearly seeing an uptake in time allotment in audit and risk committees dedicated to information security and overall IT risk. It’s given us a seat at the table.”</p><p>Pollack says, eventually, regulators are likely to mandate specialist IT skills on boards and risk committees. He says he has seen an increase of IT skills in people occupying these positions and expects that to increase as organizations continue to enhance their risk management practices.<br></p><p>For now, what is important for Pollack, as with many CAEs, is that customer trust in data protection is given top priority in the way that businesses respond to cyberattacks. “We have been aware for quite some time of the need not only to have a preventive strategy, but also a detective strategy,” he says. “There is a real need to consider a well-balanced approach to prevention and detection, as well as response mechanisms.”<br></p><p>Pollack says his organization has a dedicated team and protocols in place to respond to breach incidents, ranging from how to communicate and escalate to how to react in a timely way to threats and attacks. From an internal audit perspective, that means Pollack’s team puts equal weight on auditing the preventive and detective parts of breach management controls, protocols, and escalation mechanisms. Audit also participates as an observer during test scenarios aimed at finding weaknesses in those systems before a breach occurs.<br></p><p>“Audit generally acts as an observer during test scenarios and as a reviewer of the results and action items,” he says. Audit then follows up on any actions that have been agreed on to make sure management deals with them. It also flags any gaps in defenses or reaction procedures and makes sure management fixes them.   
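The behavioural anomaly detection Barrett describes (employees logging in at unusual times or from unexpected places) and the detective strategy Pollack describes, as an added example rather than either company's tooling. It builds a per-user baseline of login hours and source countries from a history window, then flags new logins that fall outside it; the history, the scored logins, the five-login minimum baseline and the one-hour slack are assumptions constructed for the illustration:

```python
"""A minimal behavioural baseline for logins: learn, per user, the hours and
countries seen in a history window, then flag new logins that fall outside it.
The history, the logins, the minimum baseline size and the one-hour slack are
all assumptions made for this example."""
from collections import defaultdict
from datetime import datetime

MIN_HISTORY = 5   # assumption: fewer observed logins than this -> baseline not trusted yet
HOUR_SLACK = 1    # assumption: an hour adjacent to an observed hour is still "normal"

# Constructed history of (user, UTC timestamp, source country) for the baseline.
HISTORY = [
    ("alice", "2016-06-01T08:05:00Z", "US"), ("alice", "2016-06-02T08:50:00Z", "US"),
    ("alice", "2016-06-03T09:10:00Z", "US"), ("alice", "2016-06-06T08:20:00Z", "US"),
    ("alice", "2016-06-07T17:30:00Z", "US"), ("alice", "2016-06-08T09:45:00Z", "US"),
    ("bob", "2016-06-01T10:00:00Z", "US"), ("bob", "2016-06-02T10:15:00Z", "US"),
    ("bob", "2016-06-03T09:55:00Z", "US"),
]

# Constructed logins to score against that baseline.
LOGINS = [
    ("alice", "2016-07-01T08:30:00Z", "US"),   # normal
    ("alice", "2016-07-01T03:15:00Z", "US"),   # unusual hour
    ("bob", "2016-07-01T10:00:00Z", "US"),     # too little history to judge
    ("alice", "2016-07-02T09:00:00Z", "RO"),   # unexpected place
    ("alice", "2016-07-01T18:00:00Z", "US"),   # 18:00 is within slack of 17:00 -> normal
]


def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour


def build_baseline(history):
    """Per-user profile: observed login hours (UTC), countries, and sample size."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "n": 0})
    for user, ts, country in history:
        profile = base[user]
        profile["hours"].add(_hour(ts))
        profile["countries"].add(country)
        profile["n"] += 1
    return dict(base)


def _hour_is_usual(hour, hours, slack):
    """Circular distance on the 24-hour clock, so 23:00 and 00:00 are neighbours."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= slack for h in hours)


def score_logins(baseline, logins, min_history=MIN_HISTORY, hour_slack=HOUR_SLACK):
    """One finding per login that breaks its user's baseline.

    Severity 'alert' is a real deviation; 'review' means the baseline is too thin
    to decide, which is where most false positives of a new deployment live."""
    findings = []
    for user, ts, country in logins:
        profile = baseline.get(user)
        if profile is None or profile["n"] < min_history:
            findings.append({"user": user, "ts": ts, "severity": "review",
                             "reasons": ["insufficient baseline"]})
            continue
        reasons = []
        if country not in profile["countries"]:
            reasons.append(f"new country {country}")
        if not _hour_is_usual(_hour(ts), profile["hours"], hour_slack):
            reasons.append(f"unusual hour {_hour(ts):02d}:00Z")
        if reasons:
            findings.append({"user": user, "ts": ts, "severity": "alert",
                             "reasons": reasons})
    return findings


def run(history=HISTORY, logins=LOGINS):
    return score_logins(build_baseline(history), logins)


if __name__ == "__main__":
    for f in run():
        print(f["severity"], f["user"], f["ts"], "; ".join(f["reasons"]))
```

The slack and minimum-history parameters are the knobs Barrett's remark about eradicating false positives points at: a team that keeps widening the slack until nothing fires has tuned the detector away, so each change to them should itself be a reviewed control, which is where the audit partnership with the CISO described above fits.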
<br></p><h2>Breach Response</h2><p>Auditors agree that having an appropriate response plan in place for a breach is critical — one that has been tested and retested before the event arises. While it would be rare for internal audit to take charge of such a team, it has a critical role to play, says Nigel Lewis, an independent audit consultant and trainer.<br></p><p>“From an audit point of view, the main thing is that we get assurance that someone will take charge of the incident response team and that there is an incident response plan linked with the business’ recovery plans,” he says. The size of the team depends on the nature of the organization, he says, but even large businesses would typically appoint only 10-15 people to it, split roughly two to one between IT experts and business executives. In an incident, those team members would call on their own teams to implement any remedial action needed.<br></p><p>“Part of the incident response will be pages and pages of plans detailing who does what and what the key activities are,” he says. “Auditing that process is important.” But what should it comprise? Lewis says auditors can cut through the complexity by dividing the process into three parts: reaction time, decision-making, and action.<br></p><p>Although more than eight in 10 breaches are detected within 24 hours, according to the latest U.K. government statistics, some breaches take months to detect. In 2013, for example, <em>The Wall Street Journal </em>said Chinese hackers had infiltrated its systems for four months without detection. That does not mean swift action isn’t important once a hack is detected. The business needs to do a quick impact analysis to establish what type of breach the team is dealing with. Fraud, breaches of confidential data, denial of service, theft of intellectual property, and ransoms — the business needs a plan for each, with specified response times.
A denial of service attack, for example, is likely to need a faster technical reply than, say, a ransom demand. “You must know how quickly you can respond to each area and be able to test it,” Lewis says.<br></p><p>Many of the decisions a business might need to make can be pre-planned, too. And it is vital to know what the impact of those decisions is likely to be on the organization’s operations, staff, customers, regulators, and the media. Then it is time to put those decisions into action. Deciding which systems to close down and for how long is never easy, but being prepared makes it less likely the breach will turn into an all-out disaster.<br></p><p>“For all of this to work well, you need a good team, convened quickly, and comprising the right experts,” he says. Bringing in external support can be important, and keeping people up-to-date with the latest attack methods and breaches is essential.<br></p><p>If that sounds straightforward, it might be puzzling to know that 37 percent of firms have no cyber response plan, according to PricewaterhouseCoopers’ (PwC’s) 2016 Global Economic Crime Survey. That is because while businesses feel they have response systems in place, those systems tend to be structured to deal with classic threats such as flooding or power outages, says James Rashleigh, a cybersecurity director at PwC. “While they think they’re prepared, they suddenly find out when they suffer a cyber breach that they’re dealing with something very different.” Businesses that have not nominated a specific leader for the response team, or that have someone from the IT team in charge, are not likely to cope well, as the issues are too wide-ranging. For example, breaches affecting customers may be subject to litigation, and piecing together what happened from a legal perspective is complex.<br></p><h2>Cyber Governance</h2><p>Organizations that do not yet have a sound response team in place could do worse than go back to basics.
“Cyberrisk is about protecting the customer,” says Liz Sandwith, a former Chartered Institute of Internal Auditors (IIA–U.K. and Ireland) president, and now chief professional practice adviser at the institute. “So we do all sorts of really great audits in the business space, but this goes beyond that into the real world of our customer base.”<br></p><p>That makes cyberrisk a business issue rather than a technical IT issue, although she is not convinced that many auditors in the U.K. have actually grasped what this distinction means. Behind every IT risk is a business risk, and it is the significance of the latter that can be overlooked when focusing solely on technical fixes and controls. In Sandwith’s view, auditors should decline to engage solely with IT technicians and insist that people from the business also are involved so the significance of the issue to the business is understood and controlled. While those getting a better grip on the issue might do a thorough risk assessment of the threats their organizations face, she says they also need to consider the board’s risk appetite.<br></p><p>“Internal audit has to make the board and the audit committee aware that it’s not just one of those risks where we do our work and make sure it won’t happen,” she says. “Cyber is a risk that is always going to be a risk.”<br></p><p>She says there is an opportunity for risk management and internal audit to work better together by focusing on the business risks from a resilience perspective. That involves members of the audit team really understanding IT risk from a technical and controls perspective and working with risk management to provide intelligent assurance around its controls. She says working across all lines of defense — management, risk, and audit — is critical if a business is to detect and respond effectively to cyberattacks, as no one function has the skills and scope to do it alone. But audit must be a leader in the process. 
“There is a real risk that without the right skills and knowledge, internal audit could provide false assurance — naïve assurance — to the board and the audit committee,” she says.<br></p><p>In addition, Sandwith urges auditors to help establish an effective governance structure around cyberrisk, with defined risk appetite statements pertaining to each threat. Auditors can help ensure the business has information security, risk management, social media, and system access policies that are well-formulated and disseminated across the organization. Finally, she says, the CAE must keep the board engaged with cyberrisk as a living issue.<br></p><p>“Let’s not talk technical at board meetings,” she says. “This is about the impact on customers, reputation, profits, and share price — as well as potential sanctions for getting it wrong. That’s what gets the attention of the board.” And it gets the attention of the regulators and the public alike. As society gets used to the idea that breaches are an inevitable part of online life, competitive advantage will fall to those who respond best. <br></p>Arthur Piper
Driving Innovation<h2>You deploy first-of-a-kind technology to improve the quality of life for county residents. How do you balance innovation with managing risk?</h2><p>We apply three criteria to all of our projects. First, it has to be a concept or technology that we can test out in a lean, iterative manner. This helps minimize risk and limit up-front investment. Second, it has to have the potential to scale up. We get a lot of ideas that are too far-fetched. Finally, it has to be somewhat experimental. If we only went after the safe bets, we’d never be innovative.<br></p><h2>How are the challenges and opportunities associated with the Internet of Things (IoT) different from the way you’ve addressed previous technologies?</h2><p>Some new ideas and technologies can be tested in a bubble. IoT is different. It will literally change every aspect of the way we deliver services and govern. Because of that, it’s going to take a comprehensive, strategic approach. It turns our buses into roving data collectors. It eliminates entire labor categories. It changes the way we deploy first responders. So it has to be something we look at from a systems perspective so that we understand the ripple effects of each mini-revolution IoT sets off in each department.</p><h2>How does your organization decide which innovations to adopt?</h2><p>I’m lucky to have a county executive with a leadership style that empowers his team. So many of the day-to-day decisions fall to me. However, I couldn’t do what I do without a lot of partners and support from my team in the executive’s office. With their input and support we choose what ideas should make it into the pipeline.</p><h2>What does your office do to make sure IoT is developed and deployed securely?</h2><p>Partner, partner, partner. We can’t do this on our own nor can we figure it out on our own. No local government can. So we’re working with federal agencies like the U.S. 
National Institute of Standards and Technology and the National Science Foundation; corporate partners like AT&amp;T, Microsoft, and local start-ups; and other communities through initiatives like the Global Cities Team Challenge. Only by looking outward will we figure out the best way to safely and securely deploy public-sector IoT solutions internally.</p>Staff
Editor's Note: What the Future Holds<p>Technology is evolving at a breathtaking pace. Just in the past 10 years, we’ve seen dramatic advancements in the areas of mobile computing, wireless connectivity, cloud technology, big data, and even artificial intelligence. It’s altered the way we communicate, how we purchase goods and services, and the way we do business. But where is all this heading, and what impact will it have? What changes will we see in the next 10 years? <br></p><p>Bruce Schneier, chief technology officer at Resilient, an IBM company, says in a recent <em>Forbes</em> article that we’re moving toward what he calls the World-sized Web (WSW). This massive interconnected system, he says, will have two main components: sensors and actuators. The sensors will collect data, leveraging the multitude of devices connected to the web, and the actuators will affect our environment by carrying out actions. The WSW’s “brains” will reside in the cloud, comprising some form of artificial intelligence. According to Schneier, the system will essentially be a “benign robot.”<br></p><p>That’s a heady concept, but perhaps not so far-fetched. In fact, the foundational components of Schneier’s robot — the Internet of Things (IoT) and cloud computing — are very much a reality for today’s organizations. As author Jane Seago explains in <a href="/2016/Pages/A-World-of-Connections.aspx">“A World of Connections,”</a> the impact of IoT on businesses is already well underway, and it’s an area that calls for close monitoring by internal auditors. She points to the abundance of connections that comprise IoT as a source of both potential benefits and great risk — working with management on both fronts, she says, will be key to auditors’ involvement in the organization’s IoT efforts. 
<br></p><p>Cloud computing, the decision-making center in Schneier’s WSW model, is the subject of <a href="/2016/Pages/Auditing-the-Cloud.aspx">“Auditing the Cloud.”</a> “With cloud computing becoming mainstream,” the authors say, “internal auditors need to devise new ways of pinpointing the risks these services pose and verifying the security ... of critical data housed by an outside provider.” They examine the many challenges presented by cloud platforms and outline key areas auditors should consider in their assessments.<br></p><p>Most likely, the risks and challenges associated with cloud computing, as well as IoT and other emerging technologies, will only continue to grow in the coming years. And while the shifts thus far may be substantial, and their implications for organizations vast, what’s to come may be truly seismic. Schneier says the impending technology will be increasingly powerful and eventually capable of autonomy. Acting on behalf of users, it will help maximize profits but also “empower criminals and hackers.”<br></p><p>Regardless of whether this prediction ultimately comes to pass, it’s a reminder of the need to constantly look ahead and consider how emerging technology may impact the organization. To paraphrase Schneier, whatever all of this means, we don’t want it to take us by surprise. </p>David Salierno