Full Speed Into the Future Speed Into the Future<p>​As internal audit functions race to keep up with their organizations' artificial intelligence (AI) initiatives, two studies reveal current trends and where the technology is going.</p><p>AI research and development is picking up speed, notes the <a href="" target="_blank">AI Index 2018 Annual Report</a> (PDF), based on trend data from a variety of studies. Categories of greatest growth include machine learning and probabilistic reasoning, neural networks, and computer vision, according to an analysis of AI research papers. Most papers published in 2017 covered machine learning and probabilistic reasoning.</p><p>In the learning space, one of the biggest trends is language processing, according to a Stanford News Service <a href="" target="_blank">press release</a> about the AI Index. Most information on the internet is text, but AI struggles to learn the intricacies of human languages. Computer scientists are trying to improve AI's comprehension of written languages to "understand that treasure trove of information," says AI Index leader Yoav Shoham, professor of computer science, emeritus, at Stanford University's Human-Centered AI Initiative.</p><p>Shoham explains that AI has learned to solve "narrow" problems such as translating languages and keyword searches. The next step is teaching AI to put different pieces of information together to answer more complex questions.</p><p>In many ways, AI already has mastered some tasks such as identifying images — often better than people can do it, the index states. And AI is learning things much faster. For example, in about one year, the amount of time needed to train an AI network to classify pictures from the ImageNet database dropped from one hour to about 4 minutes.</p><p>Companies are ramping up efforts to exploit AI, as well, the index notes. In the U.S., the number of AI startups has more than doubled since 2015, according to Sand Hill Econometrics. </p><p>McKinsey & Co. notes widespread adoption of AI across industry sectors and business functions worldwide. Telecommunications, travel and logistics, and financial services are leading users of AI for service functions. High-tech and telecommunications exploit it for product development, while retail and telecommunications are the leading AI users for marketing and sales.</p><p>Whether any of these AI trends will benefit people is the focus of a new Pew Research Center study, <a href="" target="_blank">Artificial Intelligence and the Future of Humans</a>. The nearly 1,000 technology pioneers, innovators, business and policy leaders, researchers, and other respondents say networked AI may make people more effective. For example, they say computers could exceed human capabilities for complex decision-making, sophisticated analytics, and speech recognition and language translation. Moreover, smart systems could save time, money, and lives, they say. </p><p>Despite such potential benefits, these experts are concerned about the long-term effects that AI could have "on the essential elements of being human." Concerns include:</p><ul><li>Loss of personal control over people's lives as decision-making in digital life is increasingly performed by AI, with little input or knowledge of how AI works.</li><li>Data abuse and surveillance by systems designed for profit or to exercise power.</li><li>Job loss from AI taking over jobs, which could widen economic divides.</li><li>Dependence on AI that results in people losing cognitive, social, and survival skills.</li><li>Mayhem from AI-based weapons, cybercrime, and information.</li></ul><p> <br> </p><p>"Questions about privacy, speech, the right of assembly, and technological construction of personhood will re-emerge in this new AI context," says Sonia Katyal, co-director of the Berkeley Center for Law and Technology, in the Pew report. These factors may throw beliefs such as equality and opportunity for all into question, she notes.</p><p>Despite such concerns, 63 percent of respondents are hopeful that most people will be better off in 2030. Stanford's Shoham notes that AI is more likely to supplement people with smart technologies and automated processes than to replace their jobs. "Historically, technology has been a net job creator," he says. "It just changes the nature of the jobs." </p>Tim McCollum0
Auditing Blockchain Blockchain<p>​Businesses and government agencies alike are pursuing blockchain’s promise of greater accuracy, trans-parency, and efficiency. Accounting firms are investing more than $3 billion a year on blockchain technology, while IBM predicts that two-thirds of all banks will have blockchain products by 2020. These organizations are attracted to blockchain’s ability to record relevant details of every transaction in a distributed network.</p><p>Like other new technologies, blockchain presents challenges and opportunities for internal auditors. Blockchain carries the typical IT risks such as unauthorized access and threats to confidentiality, but it also could impact traditional audit procedures. Yet, blockchain may enable auditors to be more innovative and efficient. </p><h2>The New Risks</h2><p>As with all new technologies, internal auditors need to assess the internal and external risks to business objectives posed by blockchain. One risk is a “51 per-cent,” or “‘majority rule,” attack. In this attack, a user introduces false data in the blocks to create a fraudulent transaction that most nodes on the blockchain accept as true. Hackers also could target endpoint vulnerabilities where people interact with the blockchain, which is when the data is most susceptible to attack. </p><p>Another risk is individuals in a supply chain who misuse data by manipulating a blockchain’s transparency and traceability features. Legal risks arise from the lack of standards and regulations for monitoring blockchains in diverse legal jurisdictions worldwide. </p><p>Against this backdrop, internal auditors should review whether their clients have established appropriate actions to mitigate risks, including the timelines and staff needed to deploy them. Auditors also should provide assurance on the risks associated with implementing blockchain such as technology interfaces with legacy systems and the adequacy of migration strategies. </p><h2>Testing Systems </h2><p>Unlike traditional databases, blockchain applications maintain data in blocks, also known as a distributed ledger. These blocks are accessible to all users who are permitted to access them. Because a blockchain does not have a master copy of the database controlled by a database administrator, there is no single point of failure in the event of hacking. Instead, the ledger is replicated in many identical databases, each hosted by a different party. Any change carried out in one copy will simultaneously change all the records. </p><p>Notwithstanding blockchain’s security features, internal auditors should ask these questions while testing the system: </p><p></p><ul><li>How does blockchain allow different parties with distributed responsibilities in the network to access the ledgers when there is no central administrator? </li><li>How fast and timely is data available as millions of transactions are written simultaneously? Were availability risks addressed at the design stage?</li><li>How safe are the authorizations that allow users to read and write in the blocks? Are these confidentiality risks? </li><li>How adequate are the cryptography arrangements in place to hide the database in the network to ensure completeness, integrity, and nonrepudiation of data? </li><li>How robust are the validation controls and the roles allocated in view of limitations on reversing the transactions? Once blocks in a chain are secured through hashing, they cannot be reversed. </li><li>How adequate are the arrangements over the audit trail when there is no centralized database?</li><li>How adequate are the controls over the data backup and disaster recovery processes considering there are multiple copies of the blockchain and no single point of failure? Also, what arrangements are in place to recognize the node/ledger that could be used for backups? </li></ul><h2>Impact on Procedures </h2><p>Blockchain has implications for financial statement audit procedures. Because data maintained in blockchains is available in real time, traditional sampling techniques used in financial statements may not be required. Internal auditors can provide assurance by using data analytics to scan the entire database. Additionally, conventional reconciliation and validating tasks may not be necessary because there should not be discrepancies in the financial statements in a shared ledger scenario. </p><p>Indeed, blockchain may render many current risks related to financial statement opinions obsolete. Auditors should be aware of the new risks and their impact on traditional audit procedures. </p><p>One example is the risk of auditing transactions captured in an immutable blockchain. During a financial audit in a blockchain environment, auditors will be able to assess whether the transactions recognized in the financial statements have occurred and relate to the entity. However, in doing so, they might overlook the audit evidence’s relevance, reliability, objectivity, and verifiability. This is because auditors could treat the acceptance of a transaction into a reliable blockchain as sufficient audit evidence. Likewise, blockchain might legitimatize certain off-ledger transactions or incorrectly classify the transactions, providing false assurance. </p><p>Blockchain may require internal auditors to allocate more resources to obtain assurance on the adequacy of controls in recording transactions. Moreover, auditors will continue to focus on issues related to other nonautomated key activities such as governance, risk management, monitoring, reporting, and evaluation. Indeed, value-for-money audits and other types of audits may grow as organizations seek to evaluate the costs and benefits associated with blockchain applications. </p><h2>Opportunities for Audit</h2><p>Blockchain may not completely redefine the rules of internal auditing, but it could provide new opportunities. First, auditors could lobby their clients to involve them during system development either as observers or advisors. This would help auditors understand the nuances of the blockchain operating environment from its inception, including its implementation challenges. Moreover, auditors may be able to suggest and determine the terms of reference for developing appropriate audit modules in blockchain-based systems. </p><p>Second, blockchain may encourage audit management to streamline and reorient its staff, while building the department’s capacity to provide quality services to clients. Staff members will need to be able to work with a range of new technologies. Conversely, by automating some tasks, internal audit functions may not need as many auditors as before. </p><p>Third, artificial intelligence may enable auditors to quickly process, extract, and identify risks up front using publicly available blockchain ledgers. This ability may make the audits more cost-effective. Also, auditors could use data mining to identify the highest risks such as frauds, resulting in more relevant audits.</p><h2>Built to Thrive</h2><p>As blockchain changes the way business is conducted globally, it presents an opportunity for internal auditors to migrate to a challenging, new operating environment. To get there, internal audit must evolve its procedures while staying focused on the risks that matter most to the organization. By monitoring blockchain developments, auditors can help the business thrive in the future.<br></p>Israel Sadu1
Assurance in the Privacy Regulatory Age in the Privacy Regulatory Age<p>​Public outcry about the growing severity of data breaches has led to enhanced regulations around the world to protect consumers' personal information. The most prominent of these data privacy regulations is the European Union's (EU's) General Data Protection Regulation (GDPR). Other regulations, like California's Consumer Privacy Act of 2018, are modelled after GDPR.</p><p>These data privacy laws can increase compliance risk for organizations and disrupt business operations. Besides businesses that reside within the EU borders, GDPR applies to non-EU organizations that do business with EU residents<strong><em>. </em></strong>Organizations in violation of GDPR may face increased fines and penalties of $20 million or 4 percent of annual worldwide revenue, whichever is greater, for each incident. The law shortens the interval for notifying victims of a breach to within 72 hours after discovery. </p><p>Additionally, data privacy regulations such as GDPR prescribe requirements such as having written information security programs, policies and procedures, and compliance with a security program. New regulations also could impact organizations' long-term planning by forcing them to change current or future business approaches. Opportunities abound for internal audit to add value to ensure the organization complies with data privacy regulations.</p><h2>Breach Management </h2><p>With only 72 hours to notify victims after a data breach is discovered, organizations subject to GDPR need an established and tested incident response plan to ensure notifications occur succinctly and timely. The plan should ensure all third-party contractual data breach notifications are aligned. In auditing the plan, internal audit should:</p><ul><li>Review the current incident response plan and policy to ensure it contains GDPR's 72-hour notification provision. </li><li>Observe or participate in periodic tests of the incident response plan to ensure people are aware of their roles and that notification will occur timely. Also, interview participants to validate the plan and role awareness. </li><li>Review third-party contracts to ensure they outline breach notification timelines that will allow the organization to report a breach, if applicable, within the 72-hour requirement. </li><li>Validate that third-party reporting is incorporated into the incident response plan and testing. </li></ul><h2>Choice of Consent </h2><p>GDPR allows EU residents to choose whether and how organizations can use their personal data. The organization's legal team should provide guidance about when consents must occur. This requires the organization to document and maintain consents. Internal audit should:</p><ul><li>Perform a walk-through of the process to review for any potential control improvements or efficiency opportunities. </li><li>Test the consent process by entering a consent to see whether the system has logged and retained it. </li><li>Obtain customer records sent to third-party vendors and compare them to the consent-tracking system to validate that consumers consented to having their records sent to the third party. </li><li>Review audit trails to ensure they cannot be altered. </li></ul><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>​GDPR Opportunities</strong><br></p><p>An August <em>Internal Auditor</em> article, <a href="/2018/Pages/GDPR-and-Internal-Audit.aspx"> <span class="ms-rteForeColor-9">"GDPR and Internal Audit,"</span></a> discusses the main aspects of GDPR compliance. Author Jan Hertzberg advises internal auditors to include independent assessments and compliance testing in their audit plans. Hertzberg says these activities can raise executive and board awareness of GDPR noncompliance by highlighting poorly designed or missing controls. Moreover, they can identify opportunities to audit common processes across departments.<br></p></td></tr></tbody></table><h2>Limitations </h2><p>Under GDPR, organizations must not retain customer data longer than required for its intended purpose. Data is either stored online or backed up. Backups can be performed online or offline on removable media such as tapes. As a best practice, the organization's retention policies should document the time period in which it retains customer data and comply with respective data privacy regulations. </p><p>Data removal should be documented and tracked to show compliance. Removing data from online sources can be done easily using a database query. Removing data from offline storage can be a more tedious process, depending on the backup model used and rotation plan. </p><p>For tape storage, this may require removing the record from full and incremental backups, including those for data file restoration and full disk backup for disaster recovery planning. Additionally, retaining a large number of previous backups could lead to a somewhat cumbersome process in which the organization would need to recall and remove each record on each tape.</p><p>In reviewing data retention practices, internal audit should: </p><ul><li>Perform a walk-through of the process to look for potential control improvements or efficiency opportunities. </li><li>Select a sample from the tracking system of deleted customer records and query the production system and active online backups to validate that the customer records were removed. </li><li>Select a sample of offline tape backups and review whether the customer records were removed. </li><li>Compare data retention policy requirements to the tracking system to ensure data was removed as stipulated.  </li><li>Validate whether the current data retention policy complies with associated data regulations.</li></ul><h2>Third-party Vendor Management </h2><p>GDPR requires organizations to gather third-party guarantees for compliance along with proof of compliance. These guarantees usually are included in contractual provisions along with provisions for overall vendor monitoring and oversight processes. Steps internal audit should take include:</p><ul><li>Performing a walk-through of the process to discover potential control improvements or efficiency opportunities. </li><li>Reviewing a sample of third-party contracts to validate whether GDPR contract provisions exist. Also note any other contract provisions that allow for monitoring of the vendor's control environment. Such provisions could include the right to audit, third-party assessments, or other service-level reporting that demonstrates compliance. </li><li>Testing a sample of contractual requirements to ensure there is supporting evidence of monitoring activities. </li><li>Participating in the organization's testing of the third-party vendor's controls, if there is a right to audit. Note this could be an opportunity for internal audit to add value by performing select GDPR third-party vendor audits. </li></ul><h2>Privacy Policy</h2><p>An organization's online privacy policy should note customers' rights and align with associated privacy regulations. Examples include the customers' rights to know how their data is used, request removal, and correct their data. Additionally, the privacy policy may include types of security practices the organization may use such as encryption. </p><p>Overall, internal audit's assurance activities should align with the respective online data privacy policies. These assurance activities may include:</p><ul><li>Conducting a walk-through of processes used to provide customers stated rights for any potential control improvements or efficiency opportunities.</li><li>Testing to ensure processes for each stated security requirement are appropriate. For example, if the security policy mandates that customer data be encrypted, then internal audit testing would include validating that the data is encrypted both online and offline (backups). In addition, internal audit would observe and test the security controls of the encryption keys.</li></ul><h2>Cross-border Data Transfers </h2><p>Cross-border data transfer regulations may prohibit data transfers or require specific data protections. Many governments are implementing cooperative agreements to permit data transfer while still appropriately protecting individual privacy. Two examples of cross-border data transfer agreements are the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules System and the Privacy Shield negotiated between the EU and U.S. </p><p>Organizations should remain abreast of current developments to ensure compliance with data transfer requirements. Internal audit must understand the requirements of these intergovernmental agreements and ensure compliance with each requirement. </p><h2>Policy and Procedure Management </h2><p>Formal policies and procedures are the heart of any security or data privacy program. Effective policies and procedures receive enterprisewide buy-in. </p><p>As a best practice, annual acknowledgement and training ensures policies and procedures are communicated and understood. Internal audit assurance activities should focus on ensuring compliance with these policies and procedures and determining whether there are appropriate processes to maintain them. </p><h2>Data Management </h2><p>Knowing what data is collected, its location, and how it is used is paramount to ensuring data privacy compliance. This includes understanding what specific data is transferred to third parties and how they use the data. </p><p>Organizations usually have a data policy that categorizes types of data and provides guidance on the manner in which each type of data should be secured. They should formally define a data management program to ensure they maintain a data inventory and comply with existing policies and procedures. Internal audit tests should include:</p><ul><li>Performing a walk-through of processes to manage data for any potential control improvements or efficiency opportunities.</li><li>Testing to ensure the organization adheres to data retention requirements. </li><li>Testing to ensure appropriate security is in place as stated in the organization's data policy.</li><li>Testing to ensure data inventory is maintained.  </li><li>Assessing management's formal risk assessment processes.</li></ul><h2>Ensuring Sound Security</h2><p>Internal audit should remain abreast of current data privacy requirements that affect the organization. This includes serving as consultants for management to implement appropriate compliance measures and posting audit assurance activities. </p><p>The annual audit planning efforts should include audits that will allow validation of current data privacy compliance. This is especially necessary with organizations facing the risk of increased fines and penalties as well as a heightened potential for lawsuits by victims of data breaches. In this environment, internal audit can help ensure the organization has sound and prudent security practices. <br></p>James Reinhard0
The Rise of Automation Rise of Automation<p>​The "big" in big data hardly seems adequate to describe the scope of today's digital information. Each day, the world produces 2.5 quintillion bytes of new data, according to a 2016 IBM Marketing Cloud report. In fact, 90 percent of data created over the history of the human race was generated in the past two years alone, the report says. </p><p>Increasingly, competitive advantage is driven by organizations' ability to access, collect, synthesize, analyze, and exploit insights from that data. But the scope of this undertaking swamps traditional practices and capabilities. Tackling it effectively requires mastering emerging technologies, such as artificial intelligence (AI) and robotic process automation (RPA).</p><p>For internal auditors, these technologies present a challenge and an opportunity. The challenge? How can they help their businesses understand, codify, and develop appropriate controls around the new risks presented by RPA, AI, and other technologies? The opportunity? Where, within the internal audit function itself, can these tools be leveraged to provide deeper insights with greater efficiency?</p><h2>Emerging Technology Risk</h2><p>AI and RPA have great potential to increase efficiency, but they also can help reduce organizational risk. Processes handled by these technologies are performed quickly and with absolute consistency; humans make mistakes or skip steps, robots do not. But that speed and consistency carries its own risk. If a faulty algorithm exists, if the tools access incorrect or incomplete data, if someone tampers with the process, or if RPA does not adjust to changing business or economic conditions, then the organization's automated processes can magnify human errors. Consequently, significant follow-up work may be required to unwind the errors.</p><p>Internal auditors should ask several questions when assessing risks associated with emerging technologies:</p><p></p><ul><li>Has the organization established programs to take advantage of these technologies? Are foundational programs in place, such as data management and governance, as well as user-access controls? </li><li>Who is responsible for determining whether and how such tools can access the organization's data? Has clear accountability been established? Are appropriate safeguards in place?</li><li>Has the organization implemented appropriate development and deployment controls, addressing issues such as how and when new processes are tested and updated? </li><li>Who is accountable for ensuring that use of the technologies complies with corporate policies, as well as applicable laws and regulations?</li><li>Are these processes being considered holistically to address change management, human resources, and other related concerns?</li></ul><p><br></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>​AI and RPA Defined</strong></p><p>Definitions of AI vary. The <em>English Oxford Living Dictionary</em> defines it broadly as: “The theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages.” RPA, on the other hand, involves the use of software with AI and machine learning capabilities to handle high-volume, repeatable tasks that previously required humans to perform. These tasks can include queries, calculations, and maintenance of records and transactions. </p><p>Consider the challenge of wading through potentially thousands of contracts that may contain embedded leases, in an effort to comply with the Financial Accounting Standards Board’s new lease accounting rules. Organizations currently use AI technologies such as text recognition and natural language processing to scan contracts for language that indicates an embedded lease may exist, and to flag those contracts for review. RPA is often coupled with this process to route flagged contracts to appropriate parties, ensuring decisions on embedded leases are made timely. Subsequently, RPA is also often used to follow up on, and to confirm, a decision has been made on those contracts. Beyond this narrow example, a variety of studies indicate that as much as 45 percent of the work performed in businesses every day could eventually be replaced by RPA.</p></td></tr></tbody></table><p>Additionally, internal auditors should determine what the organization is doing to ensure effective governance of its technology (see also <a href="/2018/Pages/A-New-Age-of-IT-Governance-Risk.aspx">"A New Age of IT Governance Risk"</a>). Audit leaders need to work with organizational leadership to help develop an appropriate governance strategy for managing these technologies — and also to help unlock their potential. Internal auditing should be involved as part of the design or launch process so key risk indicators can be identified and appropriate controls embedded. This approach is far more effective than trying to append controls as an afterthought. Audit leadership can aid the chief technology officer and chief information officer in the development of a strong governance plan. Numerous available frameworks, such as COBIT and ITIL, can serve as guides. Also, guidance from the chief legal counsel and compliance department may provide additional support. The governance structure or plan over technology should be periodically reviewed for modifications that may be needed. </p><h2>Three Lines of Defense </h2><p>One of the challenges of today's rapidly changing business technology involves working effectively across the first and second lines of defense, while maintaining internal audit objectivity. The traditional audit approach incorporated relatively static, periodic risk assessments and statistical sampling of data from past transactions to identify control issues. Auditors often identified issues months or more after they arose, making remediation untimely and allowing losses or other issues to compound. With today's tools, internal audit functions can test most or even all transactional data and can do so in close to real time. </p><p>The acceleration toward real-time auditing and the associated need to help identify and manage risks around emerging technologies means that internal auditors find themselves working more closely and more often with those in the first and second lines of defense. One of the benefits of real-time auditing involves pushing risk management down to the first line of defense wherever possible. Internal audit can play a key role in investigating how AI and RPA can be used to augment, and in many cases replace, current manual transaction testing and other risk-testing processes. Automating control testing through the use of RPA can enable organizations to spot anomalies earlier.</p><p>An organization's risk posture can be greatly improved by helping management understand the best uses of these tools and by working to deploy them in real time. The technology can help identify control deficiencies much sooner, enable testing of entire populations, and correct deficiencies immediately upon identification. As the third line of defense, however, internal audit needs to maintain its independence. Internal auditors may assist the first and second lines in establishing the use of these technologies by providing advice, but they must also ensure audit independence remains adequate to provide the additional layer of review. </p><h2>Leveraging the Technology </h2><p>When examining RPA and AI, internal audit shouldn't limit its focus to the business's use of these technologies. The audit function itself offers ample opportunities to leverage RPA and AI to achieve efficiencies and improve results. Auditors should consider several potential applications:</p><p>Controls testing is a vital but time-consuming internal audit function, requiring consistent, repetitive application to be effective — just the sort of process that is ideally suited for RPA. In some cases, controls or testing processes will need to be modified to allow for RPA, but once it is in place, automation can produce accurate, consistent, and timely results. For example, ensuring the usefulness of data consumed from multiple sources historically would often require someone from the audit team to spend significant time stitching the data together. Today an RPA automation can quickly replicate all of those tasks with a higher level of accuracy.</p><p>Internal audit work requires a significant amount of routine, repetitive communication. For example, auditors often need to request information and then follow up on those requests, many of which are triggered by specific due dates. These processes offer key opportunities for automation. </p><p>Scorecard population, audit committee reporting, and other predictable documentation demands often can be fully or partially automated. Dashboards can be fully automated for management and the board of directors. Using RPA with a visualization tool can enable automated generation of dashboard information for these key stakeholder groups. </p><p>The specific opportunities to apply emerging technology to the internal audit function will, of course, be partly determined by the circumstances of each organization. By seizing those opportunities where they exist, audit leaders can free up their professionals to focus on the critical thinking necessary to provide real strategic insights for the business. </p><p>Delivering those insights and managing the risks of emerging technologies also requires expanded skills — internal audit leaders should keep those needs in mind as they hire and train staff. Although technology can fuel significant improvements and efficiencies, deploying the right people, skills, and approach ultimately enables the technology to work as intended. Of course, a solid accounting and audit background remains vital, but more and more skills around data science and IT must be part of the internal audit group. And the central mission of internal auditing — to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight — remains the same. But tools like AI and RPA require auditors to possess broader technological skills, strong data management capabilities, and familiarity with mathematics — such as linear algebra and statistics, which drive algorithm development. A background in coding also can be valuable. </p><p>Hiring professionals with these skills and training those already in the internal audit function is essential. Not only will it position the audit team to best understand and address emerging technology risk, but audit functions considered leaders in these areas may be seen as more attractive to top talent.</p><h2>Partners in Transformation</h2><p>The emergence of AI, RPA, and similar technologies is much like that of spreadsheet applications in the mid-1980s. Spreadsheets at that time were innovative and useful, but not yet widely adopted. Within 10 years, they became ubiquitous and revolutionized work, not only within internal audit but across the business world. </p><p>Likewise, AI and RPA are transforming businesses and their internal audit functions. And while the new technologies present new risks, these risks can be managed. The greater risk is failing to capitalize on the power and utility AI and RPA tools offer. Effectively managing emerging technology risks while also leveraging these tools are key challenges for today's internal audit leaders. By doing so, however, they can become true strategic partners in their organization's success. </p><p></p>Michael Rose1
Editor's Note: The Smart, Small Internal Audit Function,-Small-Internal-Audit-Function.aspxEditor's Note: The Smart, Small Internal Audit Function<p>​At an IIA Audit Executive Center CAE roundtable discussion early this year, some participants shook their heads when asked what it would take to make their audit functions more innovative. Participants said they didn’t have the resources to even consider innovating. However, Jim Pelletier, IIA vice president of Professional Standards and Knowledge and <a href="/blogs/Jim-Pelletier">’s innovation blogger</a>, told them they should not consider lack of resources a roadblock to innovating, as it only takes one person to think differently and challenge the status quo.</p><p>Approximately one-fourth of North American IIA members are full-time employees of small (one- to five-person) audit functions, according to The IIA’s 2018 Member Needs Survey. In this month’s cover story, <a href="/2018/Pages/Small-but-Tech-Savvy.aspx">“Small but Tech Savvy,”</a> CAEs of small functions discuss how they are using technology creatively, efficiently, and cost effectively. “Through innovative techniques and keen attention to stakeholder needs, many small audit functions are making the most of the technology tools at their disposal,” author Arthur Piper writes.  </p><p>Innovation and flexibility go hand in hand. “With limited resources comes limited time, but small audit functions must maintain flexibility when events occur that are outside the scope of the audit plan,” writes Justin Stroud, who was brought in as Western Reserve Group’s one-person audit department nearly four years ago (see <a href="/2018/Pages/Starting-Small.aspx">“Governance Perspectives”</a>). “Having laser focus and a detailed game plan can help squeeze in work that can add value to the organization.”</p><p>And small audit departments have been known to do great things! In this month’s <a href="/2018/Pages/A-Case-of-Misplaced-Trust.aspx">“Fraud Findings,”</a> read how a lone internal auditor worked with a forensic investigator to uncover a nearly $4 million embezzlement — no small feat. </p><p>So, here’s to the small but mighty audit function, the men and women who work tirelessly to enhance and protect organizational value. These small teams are succeeding through agility and innovation. </p>Anne Millage0
Small But Tech Savvy But Tech Savvy<p>​ Technologies such as artificial intelligence (AI) and robotic process automation (RPA) seem a sure way of revolutionizing the value that internal auditors can add to their organizations. But for auditors working in small departments, the budgets to implement such programs are often out of reach. </p><p>Does that mean the days of the small audit function are numbered? Will businesses outsource their audit departments to more technologically enabled consultants to enhance returns on their audit investment? Anecdotally, that seems unlikely — the small audit approach is thriving. Its practitioners are vigorous innovators often working within tight budgets. Squeezing every dollar out of their IT programs is critical, so team members use each application to its maximum capacity. There has to be a rock-solid business case for investing both time and money into new audit technologies — and, if there is, audit committees are supportive. Through innovative techniques and keen attention to stakeholder needs, many small audit functions are making the most of the technology tools at their disposal. </p><h2>Tailored Innovation</h2><p>“Small audit shops generally innovate within tight constraints,” says Ross Wescott, principal at consultancy Wescott & Associates in Portland, Ore. “They do so by using what they have differently and, if necessary, bringing some new processes to the table. Every new audit innovation should add value to the business while enhancing the audit process itself.” </p><p>Wescott says innovation is a mindset that all auditors would do well to adopt — in both small and large teams. Giving themselves permission to innovate is often the biggest step internal auditors need to take — as well as accepting that some initiatives will fail. To be effective, innovation needs to be closely tied to both the needs of the business and to the technological environment the auditor is working in.</p><p>“You would perhaps be surprised, but most IT shops and companies are not very technologically advanced — that is, they are not on the leading edge of technological innovation.” Wescott says. “In the majority of companies, IT lags behind the business’ strategy. The success of an auditor’s IT processes depends on how well they fit their clients’ own infrastructure.”</p><h2>Best Fit</h2><p>That does not mean audit functions in all highly digitalized businesses need to adopt the latest technology trends. Wendy Cooper arrived at the U.K. FTSE 250-listed company Sanne Group plc, London, in January as its internal audit director. Sanne Group is investing in internal audit by developing best practices and growing the team from three members to six. But Cooper is not investing heavily in the latest audit technology.</p><p>Cooper says Microsoft Office products such as templates in Word and Excel are adequate tools for most small internal audit functions. The former she uses for planning and drafting reports; the latter for the audit team’s risk and control matrix work and for tracking management actions on the team’s recommendations. Having worked at the global Lloyds Banking Group, she has used custom audit tools and understands they can be useful in coordinating the work of dozens of audit teams in multiple locations. But she thinks it is overkill for a small team — not least because it requires hours of audit time to keep them up to date. </p><p>In addition to her chosen tools, Cooper uses the business’ IT systems to download data and select samples to be audited. Those systems may be off-the-shelf packages or custom in-house IT systems. Both depend on people within the business helping the audit team.</p><p>“You have to build up good relationships and remain independent at the same time,” she says. That can mean audit staff sitting with the IT expert when requesting data and being there when it is collated. The approach has worked well for Cooper, and she is establishing links with the best people in the business with such IT knowledge.</p><p>She expects all internal audit staff members to be able to test IT controls and to be tech savvy. But for specialist reviews, such as on cyber risk, and for auditing complex financial applications, Cooper has built a co-sourcing relationship with a consulting firm. She says that if the need for specific IT audit skills increases, she would consider adding a more specialized IT auditor to the team.</p><h2>Auditing With Purpose</h2><p>David Givans is the one-person audit function at Deschutes County Administration in Bend, Ore. The county’s data is spread across the organization, usually in discreet silos, and like Cooper, he has to work with business managers to access and analyze data from disparate programs. He says auditors in small functions need to have a “very strong charter” to ensure they have the authority to access the data they need. </p><p>As county internal auditor, he deals with a wide range of government departments. In 2018, internal audits have included, for example, a health report on the inmates of the county’s jails, a controls audit over $10 million of revenue from solid waste disposal franchises, and a follow-up report on its recommendations to the Fairs and Expo team at the county. </p><p>Givans uses a mix of data mining tools and Excel to perform his audits, but understanding what he wants the technology to do is paramount. “I don’t let the technology drive what I want to do,” he says. “I have a personal passion for data and analysis, and I’ve been pretty resourceful with the data mining tools I have. But it has to be used for a purpose. I want it to help me tell a compelling story in my audit reports.” </p><p>He has recently been adding infographics to help him synthesize the data and bolster the arguments that he needs to make. Using such tools is not only an effective way to communicate his findings, but it underlines to the audit committee and to management the benefit those audit technologies provide. In fact, some of the county’s departments are keen to use Givans’ analytics tools. “That’s the perfect outcome,” he says.</p><h2>Knowledge and Maturity</h2><p>Auditors need to know their tools inside and out to be able to focus on the questions they want to ask. “The challenge in applying a technology tool is to get to a point where you can do critical thinking with it,” Givans says. Training courses are effective for learning the nuts and bolts of specific systems, but often do not address how to use those programs in the auditor’s own environment. “A tool can help you ask questions you feel need addressing, but you must understand how it can be used to come up with an answer for your organization,” he says.</p><p>Using a limited number of audit applications can be a virtue. Taking a deeper dive into existing technologies can prove more effective than adding new software programs, which often have a steep learning curve associated with them, Givans says. “If you have a week’s training course on a software package, you need to use that knowledge — otherwise, you will lose it,” he adds. Givans aims to apply the tools he has on every audit so they provide maximum value to both the audit function and the administration.</p><p>But how do small functions know whether they are keeping pace with how they should be using technology? It is not easy, says Grant Houle, director of audit at the Mohegan Tribe, which owns Mohegan Gaming and Entertainment in Connecticut. Houle’s seven-person audit team serves the central office in the state. He describes the audit tools that it uses as being “well along the maturity scale” because of the continuous resources and commitment the team has dedicated to its model. “You have to put the time and resources into the tools you have chosen to make sure you get the objectives you defined when you decided to increase your IT capabilities,” he says. </p><p>The team is heavily involved in using data analytics and the automation of internal audit processes, such as workpapers, time keeping, and risk ranking. As is typical for a smaller function, it has not dipped its toe in the water with more experimental technologies, such as AI. Houle prefers not to. When he meets other audit executives who have invested in such technologies, he often discovers that they are underused if the company has made the financial investment but has underestimated the time commitment to see it through. Even electronic workpaper solutions, which have been around for decades, will be little more than repositories if the time is not invested in the core process and behavior changes to get value from the technology.</p><p>Keeping the team’s capability mature is a “work in progress,” he says, because the business is expanding rapidly. Mohegan Gaming and Entertainment has centers in Pennsylvania, Washington state, Louisiana, and New Jersey; a second flagship property under development in Seoul, South Korea; and a new development it is adding next year in Niagara, Ontario. Houle assesses the maturity and fitness of any audit capabilities and tools at each of the new properties that comes on board. That can mean either setting up audit from scratch, or enhancing existing tools, if needed. So far, there are three additional auditors based outside of Connecticut in the wider team — but that is likely to grow.</p><h2>Second-line Partnerships </h2><p>Houle has been innovating his audit capability by finding ways to work with the second line of defense. Although his team has done whole population testing with its analytics software, a key focus that has paid dividends recently is continuous monitoring with automated processes. Under the group’s loyalty scheme, players can earn points. On the gaming tables, the way patrons earn these points has a manual side to it — handling playing cards and tracking play for the purposes of earning points. But a lot of data is also collected from real time play, such as from security cameras. The audit team extracts the tracking data files and the scripts they have developed analyzes them for what may be considered red flag incidents on the tables and passes the results of that analysis on to the second line of defense surveillance group. The surveillance team then corroborates the red flag incidents with visual evidence to assess whether there has been genuine gaming errors or potential fraud. </p><p>“Our job is to make sure we focus on the most valuable red flag incidents, because the surveillance team needs to physically watch the video material in real time for each one — and there may be 200 in a single day,” Houle says. He estimates the continuous monitoring software cost as only about 10 percent of the total project budget — the rest is allocated to the time his team has spent in making sure they get the appropriate value from the objectives they have set.</p><p>With such a success under his belt, Houle is seeking to take the model his team developed on the gaming tables and to innovate audit processes in other parts of the business. Moreover, like Cooper, he is continually keeping abreast of developments in the organization itself to understand if those systems can be better exploited by the audit team.</p><p>“I don’t just want to see what is happening on the shop floor,” he says. “I want to be plugged in earlier than that — where are we transitioning to the cloud, for instance, and what does that mean for us?” For example, so-called stadium gaming is becoming popular. A physical dealer remains present, but up to 70 people can play the game and place bets via live video links to the internet. Houle says the process is less risky for the casino because, for example, the risk of marking cards or stealing chips is minimal. On the other hand, IT security risks may increase. Houle makes sure he is at those early meetings to understand the new processes and how his team may be able to help. </p><h2>Business Culture</h2><p>Michael Levy is the director of internal audit for Student Transportation in Wall, N.J., a multinational school bus contractor. While keeping a close eye on changing processes at his company, his team of five uses a variety of tools including data analytics, visualization, project management tools, cloud document repositories, and collaboration tools. “It is great to have the ability to use data visualization and analytics, but we as a profession need to make sure we are speaking to our audience and using their language,” he says. “Depending on the project, it sometimes can be better to have those tools used in the background — otherwise you can alienate people.” In addition, he says audit teams need to consider organizational maturity levels to ensure that they do not too far exceed the cultural norms of their organizations. “If we get too far ahead, that could be perceived as a negative,” he says. “We want to be sure as auditors that we do not head down a path that the organization will not perceive value from.”</p><p>Although he expects all team members to be conversant with data analytics — someone should be the champion — Levy says that interpersonal skills are also critical for success. “To be successful, we have to be professionals who can facilitate change in the organization and not just manipulate data,” he explains. “That requires relationship building and social skills.” Daily interaction with management helps his team members keep their fingers on the pulse of the organization and be proactive in delivering meaningful change, which data analytics can often help do.</p><p>He says he values the efficiencies that the effective use of audit technologies can bring. Automating workpapers, for example, and the process for sending out audit requests has saved his team many hours. However, when he is attending conferences and networking events, he is on a constant lookout for how to use both new and existing tools more intelligently and strategically.</p><h2>Practical Tools</h2><p>As technologies such as AI and RPA become mainstream, small audit functions will most likely use them where the business case is strongest. Audit committees and management are likely to support those efforts because returns will be demonstrable. As Levy notes: “There is no point in over-engineering something that doesn’t need it. That being said, if we can make recommendations to automate business processes, or parts of the audit, that is an intelligent and efficient way of using our resources.” There are lessons for all on how small functions maximize the return on investment from audit technologies. </p>Arthur Piper1
Mining for Process Gold for Process Gold<p>​Internal auditors need to accurately understand the underlying business processes within their audit scope. Audit objectives often require auditors to identify deviations from the designed process, determine the potential for automation, and uncover internal control weaknesses.</p><p>Traditional methods of reviewing processes — screening narratives, process flowcharts, interviews and walkthroughs with process owners, and rule-based data analytics — have limitations. An effective supplement is to use process mining to reconstruct real processes based on digital traces from information systems to obtain a clear and objective picture of how the processes actually work.</p><h2>How Process Mining Works</h2><p>Process mining is based on uncovering digital traces of business process activities. Essential for process mining is an event log that comprises a case ID, activities, and a time stamp. The time stamp brings the activities into chronological order and helps auditors visualize how process instances actually occurred. It makes deviations from the designed process obvious.</p><p>The three types of process-mining methods are:</p><ul><li> <em>Process Discovery</em> — extracting a process model based on an event log.</li><li> <em>Conformance Checking</em> — comparing the actual process as recorded in a log with the designed process to identify deviations from the designed process and vice versa.</li><li> <em>Enhancement</em> — improving an existing process model using information extracted from an event log.</li></ul><p> <br> </p><p>Applying process mining can increase internal audit's objectivity and efficiency. It increases objectivity by using digital traces from information systems, while efficiency comes from extracting the corresponding event log from those systems. </p><p>When this happens, internal audit can gain a clear picture of the actual process at the beginning of the audit. That can enable auditors to address their risk-based questions more efficiently. Moreover, auditors can conduct fewer interviews with audit clients about the process design and the actual process, saving clients time.</p><p>Another advantage is the process visualization, itself, which provides a basis for discussion between internal audit and clients. Additionally, similar to using data analytics, process mining allows internal auditors to analyze the full population of transactions using available digital traces. This enables auditors to provide a higher level of assurance and recommend specific actions.</p><p>Despite its advantages, process mining is not suitable for every purpose. One significant limitation is cases, activities, and attributes that do not leave a digital trace. Moreover, internal auditors may encounter unbreachable data discontinuity characterized by unstructured data sets that cannot be linked. </p><p>In addition, auditors may have a false expectation that process mining can solve every problem. For example, process mining is not the right tool for detecting duplicate payments not yet returned. Using rule-based data analytics would be more effective.</p><h2>Different Applications</h2><p>Process mining can be applied everywhere in which digital traces can be transformed structurally while complying with legal requirements. One common use is examining the transactional flow of the purchase-to-pay and order-to-cash processes. </p><p>Beyond transactional flows, internal auditors can use process mining to review how master data quality can be improved. Reviews of customer, material, pricing, and vendor master data have resulted in reducing changes due to inaccurately entered master data, harmonization of responsibilities, and an increased automation rate.</p><p>Recurring processes with high transaction volumes serve as a basis for internal auditors to start using process mining. Process mining can pay off especially when internal audit has a limited understanding of the actual process and the process' inherent risks are not covered yet by rule-based data analytics. In such cases, process mining can help auditors raise new questions about potential deviations from the designed process. </p><h2>Avoiding Mistakes</h2><p>Internal audit departments often make several mistakes when they begin to use process mining. Some of these involve their approach to process-mining technology.</p><p> <strong>Lack of a Systematic Concept</strong> A process-mining application does not help if the department does not first have a systematic concept in place. A systematic concept is marked by different cornerstones, including establishing objectives for using process mining (analysis vs. continuous monitoring), defining responsibilities, building competencies within the organization, and maintaining the application on the existing infrastructure. </p><p> <strong>Reliance on Plug and Play Solutions </strong>Caution is needed with plug and play solutions, which often are too generic. Such solutions, which are designated to run with no or very limited upfront implementation efforts, may produce a high number of false positives. Internal audit should not underestimate the organization's specific requirements and special conditions with regard to activities and attributes. </p><p> <strong>Department-specific Business Cases </strong>Internal audit is not the only department that can benefit from process mining. Other departments can use it to execute primary and secondary process activities. Creating an organizationwide business case for process mining is more effective than developing separate plans for each department. </p><p> <strong>Using Process Mining to Replace Rule-based Data Analytics</strong> Process mining can supplement rule-based data analytics, but it cannot replace it. Rule-based data analytics can detect relevant documents that usually are not linked to each other structurally.</p><p> <strong>Overestimating the Conformance Feature </strong>To apply the conformance feature of a process-mining application, a detailed model of the designed process is needed. This model must extend to the granularity of activities and differentiation of process variants. Without this granularity, organizations may have a high number of false positives.</p><p> <strong>Considering the Visualization to Be the Final Step</strong> With the visualization in hand, process mining really is about to start — not to end. The visualization, itself, is of limited value. Internal audit must address a host of questions: Which false positives can be excluded? Are the identified deviations really disadvantageous to the organization? What are the root causes for the identified deviations? Which specific measures can be taken to address any shortcomings? </p><p> </p><p>Internal audit should address these and other potential mistakes proactively. To raise prospects for success, auditors should include all points at the beginning in a systematic and structured roadmap.</p><h2>A Smarter Event Log</h2><p>Creating a smart event log provides a basis for value-added process analysis. The quality of event logs can differ significantly from each other. There are different quality attributes such as the number of activities, number of attributes, and accuracy and selectivity of activities. Without these attributes, and especially without company-specific attributes, the prospect of success is decreased dramatically. </p><p>Moreover, activities such as "change purchase order" often are too generic. The audit objective may need to be more specific to focus on only selected types of changes that are of interest and require differentiation. </p><p>Over time, quality attribute requirements change. For example, the attribute "Differentiation between human being and machine (manual vs. automated)" requires more than just differentiating by the type of user. Transactions recorded by mass uploads and use of robotic process automation applications need to be differentiated from actual manual activities to make valid conclusions and to take the right actions.</p><h2>Making a Difference</h2><p>Process mining serves as a supplementary, data-based instrument for internal audit's toolkit — it does not add value by itself. Creating a smart event log and analyzing the visualization requires creativity and logical reasoning. This makes process mining interesting and attractive: Internal auditors can personally make a difference.</p>Justin Pawlowski0
Data at Risk at Risk<p></p> <p>In the age of social media, cloud storage, and the Internet of Things, protecting one’s data has become more and more difficult. Although these technologies create valuable conveniences in people’s everyday lives, they also leave a digital footprint of our identities. With each click or swipe, we voluntarily expose our personally identifiable information and increase the risk of sensitive information loss, or wors​e, identify theft.</p><p> These same risks, of course, exist for the organizations we serve in the form of data theft, unauthorized access to systems, network attacks or intrusions, and misuse of services, information, or assets. Unfortunately, many organizations overlook these risks when performing IT assessments and remain complacent rather than taking proactive steps to protect their sensitive information. As such, internal auditors must ensure an incident management program exists as a portion of the organization’s overall information security strategy. </p><p>Effective incident management assigns personnel responsibility; details and defines requirements for identifying, investigating, and documenting an incident; and establishes escalation triggers and notification procedures. An incomplete process could hinder timely investigation into a potentially damaging incident and diminish an organization’s resilience in the wake of a threat. Accordingly, internal auditors should verify that incident management policies clearly define who needs to be notified when an incident occurs, based on the incident classification and the affected business units and systems. </p><p>The methodology should also include procedures for the collection of data, prioritization of incidents by risk severity, and preservation of compromised systems. Insufficient or incomplete procedures in these areas could exclude critical forensic data and impact the organization’s ability to recover quickly from an incident. Therefore, an effective incident management infrastructure should also follow industry standards for collection, preservation, analysis, and reporting of forensic evidence. Specifically, internal auditors should encourage organizations to use products and services that meet legal rules of evidence, such as those validated by the U.S. National Institute of Standards and Technology, the CERT Coordination Center at Carnegie Mellon University’s Software Engineering Institute, or the SANS Institute.</p><p>With more digital and technological vulnerabilities facing organizations than ever, internal auditors should ensure adequate security, privacy, and safeguards of customer and company data, while adapting to ever-changing advances in technology. As the world continues to become more interconnected in both our personal and professional lives, have we conditioned ourselves to accept that our data and personal information are no longer our own? Are internal auditors doing enough to adapt to this reality and protect ourselves and our organizations against the inherent vulnerabilities associated with the digital age? If not, now is the time to act. </p>Robin Brown1
When the SEC Speaks About Cybersecurity, We'd All Better Listen the SEC Speaks About Cybersecurity, We'd All Better Listen<p>​<img src="/2018/PublishingImages/Cyber%20padlock.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />I often find myself talking with reporters about internal audit's role regarding risks, particularly cybersecurity. Recently, a rep​orter asked me about a new U.S. Securities and Exchange Commission (SEC) investigative report, <a href="">"Cyber-Related Frauds Perpetrated Against Public Companies."</a> The report describes investigations at nine publicly traded companies that were victims of cyber fraud.</p><p>In each case studied by the SEC, employees were tricked into sending large sums to bank accounts controlled by fraudsters. Some of the scams continued for months, and often they were detected only after intervention by law enforcement or other outside parties. The nine companies wired a total of nearly $100 million to the criminals, most of which was unrecoverable, according to the SEC.</p><p>As a result of its investigation, the SEC cautioned public companies to consider cyber threats when implementing internal accounting controls. It's good advice. But as internal auditors, we know that cybersecurity preparedness is not just an issue when implementing accounting controls. It is a vitally important facet of risk management every day, in every part of the organizations we serve.</p><p>Initiatives such as October's National Cybersecurity Awareness Month have made important inroads to improving awareness of cyber threats, but there is a big difference between cybersecurity awareness and cybersecurity preparedness. At many of our organizations, there are gaping holes in our preparedness. For example, more than 90 percent of participants in the <em><a href="">2018 North American Pulse of Internal Audit</a> </em>survey from The IIA's Audit Executive Center said their organization had a business continuity plan, but when it came to cyberattacks, many of those plans offered little more than a false sense of security. Only a quarter of survey participants said their plans provided clear, specific procedures for responding to a cyberattack, and 17 percent of respondents reported that their continuity plans did not include any procedures for a response.</p><p>As internal auditors, we recognize the importance of the preventive and detective controls that help protect our organizations from cyberattacks. But sooner or later, those controls will fail. Even the most carefully crafted controls break down occasionally, and there's a strong consensus among experts that it is a matter of when, not if, our organizations will undergo a successful attack. Prevention and detection are important, but we also need to help ensure that, after an attack, our organizations can recover efficiently, effectively, and rapidly. </p><p>Cyber resilience takes into account the organization's ability to operate during an attack, and to adapt and recover after the attack. It enables our companies to deliver intended outcomes despite adverse cyber events. But making the transition from cybersecurity to true cyber resilience won't be easy. Culture changes are never easy, and changes that bring together the areas of information security, business continuity, and resilience are especially daunting. That's why cyber resilience is an "all hands on deck" issue that deserves the attention of all three lines of defense. </p><p>At some companies, there is​ a view that cybersecurity issues should reside in the domain of IT and security experts, with internal audit providing little more than support. But part of internal audit's scope must be to assess the organization's cyber culture and help build one that is cyber-savvy. According to The IIA's <a href="">Global Technology Audit Guide (GTAG) "Assessing Cybersecurity Risk</a>," internal audit plays a crucial role in assessing an organization's cybersecurity risks by considering:</p><ul><li>Who has access to the organization's most valuable information?</li><li>Which assets are the likeliest targets for cyberattacks?<br></li><li>Which systems would cause the most significant disruption if compromised?</li><li>Which data, if obtained by unauthorized parties, would cause financial or competitive loss, legal ramifications, or reputational damage to the organization?</li><li>Is management prepared to react timely if a cybersecurity incident occurs?<br><br></li></ul><p>Cybersecurity risks are relentlessly increasing, and the potential consequences extend far beyond the realm of IT. According to a <a href="">report by the Council of Economic Advisors</a>, malicious cyber activity cost the U.S. economy $57 billion to $109 billion in 2016 alone. The reputational risks may be even higher than the financial risks. In the words of Societe Generale Global Chief Information Security Officer Stéphane Nappo, "It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it."</p><p>The IIA's <em>International Standards for the Professional Practice of Internal </em> <em>Auditing ​</em>require that <a href="">chief audit executives report periodically to senior management and the board regarding significant risk and control issues</a>. The frequency and content of those reports should depend on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management and/or the board. If you, like most internal auditors, work at an organization that does not have clear, specific procedures for responding to and recovering from cyberattacks, it may be time to increase the frequency and content of communications regarding cyber threats and their potential consequences. The risks are too high to ignore.</p><p>The recent SEC report should serve as yet another reminder of internal controls regarding cybersecurity. This ever-present risk should always be on our radar, but when the SEC speaks, we should double down on our cybersecurity coverage.</p><p>I look forward to your thoughts on this important subject.<br></p>Richard Chambers0
Five Trends Shaping Digital Transformation Trends Shaping Digital Transformation<p></p> <p>Digital transformation is driving change along two fronts. Organizations are using intelligent systems to solve business problems and reduce costs, yet operational complexity is increasing. Moreover, that complexity is a design problem of those systems — organizations need to focus on how people use technology. </p><p>In the face of these two factors, internal audit can help their organization retool internal controls and streamline business processes to focus on strategic risks wrought by digital transformation. Many audit leaders are preparing for transformation with strategic hires in data management and analytics to leverage talent across an expanding portfolio of risk. Meanwhile, new regulatory technology tools enable internal audit to set up analytics programs quickly. As internal audit’s role continues to grow, these audit tools will need to evolve to keep pace. </p><p>Five technology trends are set to disrupt how internal audit confronts its risk mandates in an age of transformation: audit analytics, robotics, next-generation cloud computing, cybersecurity, and performance optimization. Internal audit will need to leverage these trends to provide leadership and assurance in the emerging digital economy. </p><h2>Audit Analytics</h2><p>Proving insights from data is internal audit’s new value proposition. Auditors are leveraging analytic platforms to provide insights into control performance trends in near-real time. Trends emerging in audit automation include analysis and replacement of rules-based engines with intelligent systems, audit process automation, continuous monitoring, and a focus on deep-data analytics and visualization for better decision-making.</p><p>Ideally, analytic platforms reduce the frequency of false positives in data for a more nuanced look at risks than is possible with point-in-time sampling. Analytics engines work well for routine data sets that are well-defined — such as system user-access controls, accounting functions, and process controls — but more advanced systems are needed for complex risks.</p><h2>Robotics</h2><p>Robotics is another way of describing machine learning and artificial intelligence. These smart systems are either completely autonomous or user-directed with inputs from specific data sets to facilitate machines learning routine tasks. This technology already is used in many industries to achieve business efficiencies and provide expert guidance from zettabytes of data. </p><p>The obvious advantage of using these tools is they can run behind the scenes to alert auditors to changes in the control environment. The opportunities to automate and refine internal controls may be endless, with advances in robotics and machine learning making organizations more responsive to change. A July 16 Forbes article notes, “Auditors can use cognitive technology to redesign their work so they can conduct analyses of structured and unstructured data in ways not possible just a few years ago.”</p><h2>Cloud Computing</h2><p>Although many businesses are reluctant to move data to third-party providers, cloud computing is accelerating. IT research firm IDC projects global public cloud spending will continue at a 19 percent compound annual growth rate through 2020.</p><p>Organizations facing competing mandates, such as data security and cost reductions, have leveraged a suite of cloud services to support these demands. Cloud computing will require internal audit to develop a portfolio of internal controls and distributed controls that function along parallel lines, as well as define a distributed control environment. Distributed controls are virtual in nature and designed specifically for third-party vendors such as cloud and ecommerce providers. </p><p>Internal auditors must prepare for a future where data is decentralized among service providers on platforms independent of internal controls within the organization. This paradigm creates a new risk exposure called “robust yet fragile.” Outsourcing increases scale, making organizations more robust for growth yet more fragile to single points of failure. Reliance on a distributed network of third-party providers creates fragility from each relationship. Contractual and service-level agreements are insufficient backstops. Understanding these new points of fragility will require new assurance models.</p><h2>Information Security </h2><p>Managing risks in a distributed data environment becomes even more complex for asymmetric risks such as information security. Cybersecurity is no longer a compliance exercise to ensure that policies and procedures are followed. Internal auditors must become conversant in the greatest vulnerability in cyber risk — the human element. </p><p>Vulnerabilities in complex systems exceed simple solutions, and technology alone is not enough. People trust technology, but cybercriminals can easily exploit that trust. As the digital economy expands into trillions of connected networks and devices, internal audit must assess cyberattack vulnerabilities created by unauthorized cloud services and even employee accounts with third-party providers. </p><p>Internal auditors must anticipate how digital profiles created in cyberspace result in new vulnerabilities within the organization. This requires a boundaryless security program that educates employees about how their behavior on the internet leads to vulnerabilities inside the organization. For example, dormant personal internet account credentials can be used to socially engineer access to sensitive enterprise systems. Security programs that reward good behavior and reduce complexity serve as better incentives than blanket punitive responses.</p><p>The human-machine interaction is not a new risk. Researchers have identified this interaction as the main cause of the cyber paradox in which cyber risks continue to rise faster than investments in cybersecurity. The human-machine interaction risk is a design problem that ignores human behavior. Basic cybersecurity training has raised awareness but isn’t a solution. The problem requires a broader awareness of digital habits that inadvertently lead to unexpected internal vulnerabilities. Internal audit must take a broader view of the control environment that extends to behavioral factors. </p><h2>Performance Optimization</h2><p>Performance optimization is a process that considers user behavior, technology interface, and situational awareness. Situational awareness is the product of sense-making, comprehension, and response. Examples of performance optimization include contract automation, audit analytics, risk assessments, financial reporting, and chatbots.</p><p>To optimize performance, organizations should: </p><ul><li>Clearly define the best achievable outcomes. <br></li><li>Measure progress in incremental steps. <br></li><li>Use controlled experiments to reduce risk.<br></li><li>Anticipate and learn from failure.<br></li></ul><p>Internal audit should partner with business owners to establish use-cases for performance optimization that increases efficiency and productivity, reduces risk and uncertainty, and addresses complexity. </p><h2>A Path Toward Audit Leadership</h2><p>The era of digital transformation is an exciting time for internal audit to build on the three lines of defense to become a more proactive leader by advising on strategic business performance. Although some internal audit functions have already adopted some of these approaches, it is not too late to catch up and surpass early adopters. Audit analytics is an obvious place to start for some organizations, while organizations that are further along may be adopting more advanced technologies. </p><p>The digital economy presents new opportunities for internal audit to create new assurance models. Audit priorities that align with organizational objectives and reduce risk are a powerful combination. Lastly, automation is a powerful tool, but auditors should never underestimate its impact on the people who have to use it. ​</p>James Bone1

  • IIA Sawyer_Feb 2019_Premium 1
  • IIA AEC_Feb 2019_Premium 2
  • IIA Quality_Feb 2019_Premium 3