Technology

 

 

<h1><a href="https://iaonline.theiia.org/2018/Pages/Partners-in-Protection.aspx">Partners in Protection</a></h1><p>Despite organizations increasing cybersecurity spending by 23 percent last year, successful security breaches rose 27 percent compared to 2016, according to the 2017 Cost of Cyber Crime Study. The joint study by Accenture and the Ponemon Institute is based on interviews with more than 2,100 cybersecurity and IT professionals worldwide. To find out what went wrong, researchers looked at the value organizations gained from nine areas of cybersecurity investment. What they found is that organizations are investing in the wrong areas when it comes to cybersecurity and risk. </p><p>Take perimeter security, for example. Advanced perimeter controls are the highest spending category, yet only fifth in cost savings. Focusing primarily on perimeter security makes even less sense when most companies cannot define their perimeter in the age of the Internet of Things. Research firm Gartner predicts there will be 20 billion internet-connected devices by 2020, up from 6 billion devices in 2014. </p><p>As the attack surface continues to expand, organizations need their cybersecurity and internal audit functions to partner to deploy resources against cyber threats more effectively. Cybersecurity teams and executive management can leverage internal audit’s insight into organizational risks to invest in the areas that provide the greatest protective and efficiency value to the business. To build this relationship, both internal audit and cybersecurity professionals will need to change how they work together to build cybersecurity and risk management strategies and inform executive management.</p><h2>Hiding Flaws</h2><p>Neither cybersecurity professionals nor internal auditors are wholly innocent when it comes to how they work together. Too often, cybersecurity teams are defensive toward internal audit. 
They don’t want to look bad in front of their peers and management, so they try to conceal their flaws from auditors. At best, this produces a strained relationship between internal audit and cybersecurity; at worst, it leaves the business exposed to vulnerabilities that go unreported and unaddressed. </p><p>Executive management needs clear information about the risks so it can make the best decisions on where to spend resources to enable the business to operate securely. Internal auditors can help cybersecurity professionals provide this information by serving as a second pair of eyes that finds security flaws before an attacker exploits them. In addition, a strong relationship with auditors gives the cybersecurity team a broad view of the organization and its risks. Otherwise, the cybersecurity team can lose sight of the organization’s overall risks as it concentrates on protecting the business’ systems and assets. Finally, with its access to executive management and the board of directors, internal audit can communicate the severity of risks and their impact on the business when the cybersecurity team cannot get the appropriate visibility. </p><h2>Ignoring Cybersecurity Plans</h2><p>Internal auditors share the blame, too. Often, auditors are quick to make independent assessments outside of the cybersecurity team’s plans, which can lead to inappropriate prioritization of risks. Consider this example:</p><p>Bill performs an IT security audit of his business. While planning his audit, he researches the generally accepted frameworks, best practices, and the company’s IT security policies. Bill does not consider the cybersecurity team’s roadmap or plans, which show that the team’s No. 1 priority is to shore up the business’ asset management program.</p><p>During the fieldwork, Bill finds that not all systems have the appropriate security agents installed on them. He reports his finding, and a management action plan and remediation date are set. 
Because the company takes internal audit seriously, that action plan takes priority over the cybersecurity team’s roadmap. </p><p>The problem with this scenario is that if the cybersecurity team is forced to concentrate on agent deployment, it can’t shore up its asset management. That perpetuates the agent problem: without an authoritative inventory of hardware and software assets, the team cannot tell which systems are missing an agent, so coverage gaps will keep reappearing no matter how many agents it deploys. Without a clear partnership between internal audit and cybersecurity, the business may overspend and underprotect its assets.</p><p>Internal audit itself stands to benefit from partnering with the cybersecurity team. Cybersecurity professionals can become deep experts in their field and have access to the latest research from security-focused professional associations. They can give auditors a better understanding of current and upcoming threats to the business and how they interplay with other business risks. </p><p>Auditors also can benefit from learning how the tools and strategies the cybersecurity team has deployed work together to build defense in depth. Often, auditors have a single, fixed understanding of how a certain set of controls should be implemented to protect an area of the business. For example, developer access to production historically has been considered a security issue that must be addressed, with clearly defined segregation of duties. However, DevOps and continuous release change management are blurring the lines of traditional segregation-of-duties risks. Today, small, agile teams rapidly create, test, and auto-deploy application code, which would be impossible in a traditional segregation-of-duties-based development life cycle. The underlying risk does not go away; the compensating controls move into the pipeline itself, such as peer review of every change, automated testing, and an audit trail of who deployed what and when. 
Partnering with the cybersecurity team will help auditors understand the risks this new way of working brings to the business.</p><h2>Team Building</h2><p>A successful collaboration between cybersecurity and internal audit requires two essential ingredients: communication and empathy. The two functions should meet at least monthly and, at least quarterly, work through a full agenda focused on risk management, cybersecurity threats, and plans. The other meetings can be less formal, with some emphasis on getting to know people to cultivate empathy.</p><p>Empathy is about walking in someone else’s shoes, and there is no better way to do that than to actually do that person’s job. Cross-training employees can help an organization be successful. Because internal audit and cybersecurity share a concern with risk management, they are a natural fit for job rotations between them. </p><p>Another way to build empathy is to have internal audit and cybersecurity team members pair up to present training sessions at events such as in-house lunch-and-learns and local conferences. Finally, the two teams can partner to perform the organization’s cyber risk assessments.</p><h2>A Symbiotic Relationship</h2><p>Ultimately, the key byproduct of internal audit’s partnership with the cybersecurity team will be to give management and the board a clear understanding of the cyber risks and opportunities the business faces. That information can enable them to make the best decisions about which security tools to invest in and how and where to deploy those resources. This can’t happen without a symbiotic relationship between auditors and cybersecurity professionals. By gaining a deeper view into the organization’s security risks, internal audit can produce a global assessment of cyber risks and leverage its relationships with executive management and the audit committee to drive effective change to protect the organization. </p><p>Cliff Donathan</p>
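<p>The agent-coverage problem in Bill's scenario, as an added example that is not code from the article: coverage can only be measured against an asset inventory, and an agent that has stopped checking in is not coverage. The CMDB and agent-console exports, the hostnames, the record fields, the as-of date and the 7-day staleness window are all constructed assumptions for the illustration.</p>

```python
"""Reconcile an asset inventory against endpoint-agent check-ins.

Added example, not code from the article. Hostnames, record fields, the
as-of date and the 7-day staleness window are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample exports. Naming conventions deliberately differ between
# the CMDB (mixed case, some FQDNs) and the agent console (short names).
INVENTORY = [
    {"hostname": "WEB01.corp.example", "owner": "ecommerce"},
    {"hostname": "web02.corp.example", "owner": "ecommerce"},
    {"hostname": "DB01", "owner": "finance"},
    {"hostname": "hr-app.corp.example", "owner": "hr"},
]
AGENT_CHECKINS = [
    {"hostname": "web01", "last_seen": date(2018, 5, 30)},
    {"hostname": "WEB02", "last_seen": date(2018, 4, 1)},         # installed, silent for weeks
    {"hostname": "db01.corp.example", "last_seen": date(2018, 5, 31)},
    {"hostname": "jumpbox-old", "last_seen": date(2018, 5, 31)},  # no CMDB record at all
]
AS_OF = date(2018, 5, 31)
STALE_AFTER = timedelta(days=7)


def normalize(hostname: str) -> str:
    """Case-fold and drop the DNS suffix so both sources key on the short name."""
    return hostname.strip().lower().split(".")[0]


@dataclass
class Coverage:
    covered: set               # inventoried, agent checked in recently
    stale_agent: set           # inventoried, agent installed but not reporting
    missing_agent: set         # inventoried, no agent ever seen
    unknown_to_inventory: set  # agent reporting from a host the CMDB does not know

    @property
    def coverage_pct(self) -> float:
        """Live agents as a share of inventoried hosts. The denominator is the
        inventory: without one, the console can only count hosts it already
        knows about and the metric says nothing about the gap."""
        inventoried = len(self.covered) + len(self.stale_agent) + len(self.missing_agent)
        return round(100.0 * len(self.covered) / inventoried, 1) if inventoried else 0.0


def reconcile(inventory, checkins, as_of=AS_OF, stale_after=STALE_AFTER) -> Coverage:
    """Join the two exports on normalized hostname and bucket every host."""
    inventoried = {normalize(r["hostname"]) for r in inventory}
    live, stale = set(), set()
    for c in checkins:
        bucket = live if as_of - c["last_seen"] <= stale_after else stale
        bucket.add(normalize(c["hostname"]))
    return Coverage(
        covered=inventoried & live,
        stale_agent=inventoried & stale,
        missing_agent=inventoried - live - stale,
        unknown_to_inventory=(live | stale) - inventoried,
    )


def console_only_view(checkins, as_of=AS_OF, stale_after=STALE_AFTER) -> dict:
    """What the agent console shows on its own: it cannot name any host that
    never had an agent, so it cannot measure how many systems are unprotected."""
    live = sum(1 for c in checkins if as_of - c["last_seen"] <= stale_after)
    return {"agents_reporting": len(checkins), "live": live, "stale": len(checkins) - live}


if __name__ == "__main__":
    result = reconcile(INVENTORY, AGENT_CHECKINS)
    print("console only:", console_only_view(AGENT_CHECKINS))
    print("missing agent:", sorted(result.missing_agent))
    print("stale agent:", sorted(result.stale_agent))
    print("not in inventory:", sorted(result.unknown_to_inventory))
    print("coverage:", result.coverage_pct, "%")
```

<p>On the constructed data the console alone reports four agents, three of them live, and looks healthy; reconciled against the inventory, one inventoried host has no agent at all, one has a stale agent, and one reporting host is unknown to the CMDB. Each of those three buckets is a different finding with a different owner, and none of them is visible until the inventory exists.</p>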
<h1><a href="https://iaonline.theiia.org/2018/Pages/A-Boost-for-Cyber-Resilience.aspx">A Boost for Cyber Resilience</a></h1><p>Large organizations faced twice as many cyberattacks on average last year, an Accenture study notes. Despite their best efforts to ward off ransomware, distributed denial-of-service, and other attacks, organizations experienced an average of 30 breaches, according to the <a href="https://www.accenture.com/us-en/insights/security/2018-state-of-cyber-resilience-index" target="_blank">2018 State of Cyber Resilience</a> study. </p><p>Clearly, organizations need help. They need a framework.</p><p>Last month, the U.S. National Institute of Standards and Technology (NIST) updated its Framework for Improving Critical Infrastructure Cybersecurity. <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf" target="_blank">Version 1.1</a> (PDF) clarifies and enhances the framework, which has been adopted by governments and businesses worldwide. Matt Barrett, program manager for the framework, says the revision "applies to a wide range of technology environments, such as information technology, industrial control systems, and the Internet of Things."</p><h2>What's New</h2><p>One addition to the framework is a section on "Self-assessing Cybersecurity Risk With the Framework" aimed at helping organizations understand and measure cybersecurity risk. The section advises that assessing the effectiveness of cybersecurity investments starts with understanding organizational objectives, how they relate to cybersecurity outcomes, and how those outcomes are implemented and managed. </p><p>The section recommends that organizations take care in how they apply metrics and be able to explain how each measure contributes to the organization's cyber risk management. 
Moreover, it warns against relying "on artificial indicators of current state and progress in improving cybersecurity risk management."</p><p>The revision also expands how the framework can be used to manage cyber risk in the supply chain. Some recent cyberattacks have targeted large organizations by going through their business partners. </p><p>Cyber supply chain risk is now included in the framework's implementation tiers, and the Framework Core now includes a supply chain risk management category. A new section on buying decisions discusses how to use the framework to address the risk associated with purchasing off-the-shelf products and services.</p><p>Other revisions to the framework include updates on user authentication and identity, and on vulnerability disclosure. The framework's terms also have been clarified.</p><p>NIST plans to release a companion to the framework, the Roadmap for Improving Critical Infrastructure Cybersecurity, later this year. That document will cover areas such as development, alignment, and collaboration, which Barrett calls "essential to the framework's success."</p><h2>Faster Responses</h2><p>As the Accenture report findings indicate, the need to strengthen cyber risk management is greater than ever. Still, there are some positive signs. </p><p>The organizations in the study prevented 87 percent of all focused attacks, up from 70 percent in the 2017 report. Accenture defines a focused attack as one with the potential to penetrate network defenses to cause damage or extract high-value assets. </p><p>"Only one in eight focused cyberattacks are getting through, versus one in three last year," says Kelly Bissell, managing director at Accenture Security. Accenture surveyed 4,600 enterprise security professionals from large companies in 15 countries.</p><p>Organizations are also finding security breaches faster. Nearly 90 percent say they detected breaches within one month, compared to 32 percent last year. 
Most (55 percent) found them within one week.</p><p>There's some bad news, as well: Organizations' information security teams are finding only about two-thirds of security breaches themselves. The remainder are found with help from white-hat hackers, peers, and other business and government sources. </p><p>Many respondents say the emergence of new technology tools, including cyber threat analytics, security monitoring, and artificial intelligence, may help them battle threats. "For business leaders who continue to invest in and embrace new technologies," Bissell says, "reaching a sustainable level of cyber resilience could become a reality for many organizations in the next two to three years." </p><p>Tim McCollum</p>
<h1><a href="https://iaonline.theiia.org/2018/Pages/Embrace-Change-or-Become-Obsolete.aspx">Embrace Change or Become Obsolete</a></h1><p>Innovative, disruptive technology represents a key focus for today's organizations. With increasing regularity, we hear about a new technological advancement that will completely change the way businesses, and even internal audit functions, operate. And while some auditors welcome these developments, others shy away from them, often worrying how the technology could affect their work. But we have become accustomed to adapting to the business environment and using it to showcase our value. In fact, adaptation is not just an important part of our work; it is a professional imperative. Internal auditors must embrace and leverage technological innovations, or risk becoming obsolete. </p><p>Neglecting to familiarize ourselves with new technologies impacting organizations will cause us to fall behind and become less relevant to stakeholders. Internal auditors cannot possibly provide meaningful assurance or add value if we don't keep up with the latest developments and factor them into our work. There is no shortage of information available on topics such as artificial intelligence (AI) and blockchain, and there is no excuse for neglecting to research them. Not only do we shortchange our clients by ignoring these areas, but we also cannot make the technologies work for us without first understanding their capabilities and potential applications. </p><p>Ignorance of technological change prevents internal auditors from leveraging innovative tools as multipliers of capacity. While AI will almost certainly eliminate some jobs, the Gartner Research report Predicts 2018: AI and the Future of Work forecasts a net jobs increase due to AI by 2020. Imagine a situation where manual and tedious internal audit tasks are automated, allowing practitioners to focus on driving real value to the organization. 
While this scenario only scratches the surface of what may be possible with AI, it illustrates the powerful, multiplying effect of using the technology. </p><p>Ultimately, neglecting to grasp and absorb technological change is a disservice to ourselves, the organization, and the profession. The IIA has taken a clear stance on professional development through Standard 1230: "Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development." There is no better skill to develop than one that will ensure the future relevancy of our profession. </p><p>For internal auditors to genuinely embrace technology and leverage its potential multiplying effect, we must act without fear to understand the possibilities, keep an open mind, and continually evolve. At the same time, technological advances should never be used to replace our skills; they should augment them. As always, the skills that will set auditors apart in the digital age will be the ability to think critically and communicate clearly. The most successful future audit leaders will be those who can understand and leverage technological change, as well as clearly articulate its potential impact to stakeholders.</p><p>Seth Peterson</p>
<h1><a href="https://iaonline.theiia.org/2018/Pages/Out-of-Step-With-Analytics.aspx">Out of Step With Analytics</a></h1><p>Internal audit departments still are not widely using data analytics and other technology tools that could massively impact the work auditors do and their value to organizations, according to recent reports on the profession.</p><p>These reports warn that failing to adopt such "foundational" tools may make internal audit obsolete and unprepared to address the opportunities and risks associated with technologies such as artificial intelligence (AI) and robotics. Internal audit's failure to use data analytics more extensively also may impact corporate strategy and competitiveness, as company information is not being mined effectively to inform management decision-making.</p><p>Understanding where data resides and uncovering patterns and insights to enhance decision-making is increasingly critical to business success. Additionally, experts say the appropriate use of data and data analytics is equally important for internal audit's effectiveness and value to an organization.</p><p>Yet, reports such as The IIA Audit Executive Center's <a href="https://www.theiia.org/centers/aec/Pages/2018-Pulse-of-Internal-Audit.aspx" target="_blank">2018 North American Pulse of Internal Audit</a> describe many internal audit departments' use of data analytics as developing in maturity, at best. While nearly one in three of the survey's 636 respondents say they use simple analytics techniques extensively, few are automating routine tasks or adopting more advanced techniques. </p><h2>Arrested Development</h2><p>Many internal audit departments are still struggling to develop a formal methodology for integrating data analytics, according to a survey of more than 1,500 chief audit executives by global consulting firm Protiviti. 
Moreover, audit functions are only using analytics tools as "point solutions" on a case-by-case basis, rather than as part of a broader initiative to leverage analytics throughout the audit process. </p><p>Protiviti's <a href="https://www.protiviti.com/US-en/insights/internal-audit-capabilities-and-needs-survey" target="_blank">2018 Internal Audit Capabilities and Needs Survey</a> notes that while two-thirds (66 percent) of internal audit functions that do not currently use data analytics plan to do so as part of the audit process within the next two years, one-third (34 percent) still have no plans to do so. For those departments that are implementing the technology, data analytics "allows internal audit to provide better and more detailed information to inform corporate strategy and for management to leverage business opportunities," says Brian Christensen, executive vice president, global internal audit at Protiviti. </p><p>One barrier to realizing these benefits is a lack of analytics knowledge and skills within the audit function. "CAEs need to focus on increasing the levels of education in their internal audit functions, and more specifically, to move from general plans and discussions about using analytics to actually advancing and integrating analytics, robotic process automation, and other digital initiatives into the audit plan," Christensen says. "Those who fail to integrate these initiatives risk becoming obsolete as their organizations continue to undergo digital transformation at an increasingly rapid pace."</p><p>Protiviti's research also finds that North American internal audit functions have been slower to adopt the technology than their counterparts in other parts of the world. Three-fourths (76 percent) of organizations in Europe and the Asia-Pacific region are using data analytics in the audit process more frequently, compared with only 63 percent of those in North America. 
</p><h2>Evolving, Following, or Observing?</h2><p>Results from PwC's latest <a href="https://www.pwc.com/us/en/services/risk-assurance/2018-state-of-internal-audit-profession-report.html" target="_blank">State of the Internal Audit Profession</a> report paint a more pessimistic picture. Just 18 percent of respondents say their internal audit function currently uses analytics for advanced testing procedures; 38 percent plan to do so within two years. Only 13 percent say internal audit uses analytics to identify risk and determine audit scope and planning, but 30 percent plan to do so within the next two years. A mere 10 percent say internal audit has adopted tools to help with analytic visualization, and 27 percent plan to do so by 2020.</p><p>CAEs are aware of the problem. Most internal audit leaders surveyed (56 percent) say they are concerned that lack of technology adoption will result in diminishing value for their organization. </p><p>In fact, PwC deemed only 14 percent of internal audit functions surveyed as "advanced" in their technology adoption. PwC refers to these functions as "evolvers" (as opposed to "followers," which adopt new technologies at a slower pace, and "observers," which are constrained by lack of budget and technical knowledge). More than 80 percent of evolvers are self-sufficient in their data extraction and use tools and skills for enhanced productivity. </p><p>Furthermore, evolvers are more likely to invest in technology risk management and IT training than their peers. As a result, they are rated more valuable to their organization. For example, twice as many evolvers as their peers report that their organizations' risk management programs respond to innovation very effectively. </p><p>Evolvers are realizing direct value from their adoption of analytics. For instance, they rate high on focusing on their organizations' critical risks and on auditing emerging risks. And tech-savvy audit functions benefit in other ways, too. 
Nearly three-fourths of evolvers excel at recruiting and training the talent they need because they are seen to invest more resources in people and training, compared to 46 percent of followers and 29 percent of observers.  </p><p>Lauren Massey, principal in PwC's internal audit, compliance, and risk management practice, says data analytics has been a topic of discussion in the profession for several decades, yet adoption continues to be slow. As a result, those internal audit departments that fail to take up analytics will be at a disadvantage as new technologies emerge. "If internal audit functions are unable to embrace the benefits that analytics has to offer, or cannot find the resources to train themselves in how to use it," she says, "there will be the constant challenge for internal audit to get up to speed with cutting-edge technologies like robotics and AI quickly."</p><h2>Making Up Ground</h2><p>Despite such warnings, it is not too late for internal audit functions to turn the situation around. Protiviti's report outlines several actions CAEs can take to improve their department's analytics capabilities. </p><p>For departments that are just beginning to use analytics, the easiest way to become familiar with the technology is to start in more familiar areas such as account reconciliations, journal entries, payables, fixed assets, payroll, human resources, and threshold/limit controls. "The internal audit function may find it easier to test data based on information it already knows," Christensen says.</p><p>CAEs also should find champions to lead and support the analytics effort. Protiviti notes that 59 percent of respondents agree that when internal audit shares detailed information about analytics with the audit committee, committee members also are highly interested in the use of audit analytics. 
</p><p>Other ways to increase the use of data analytics tools and techniques include embedding analytics in the audit process and expanding internal audit's access to quality data. Moreover, internal audit should find ways to measure and report to management and other stakeholders the successes directly associated with the technology's use. </p><p>"Internal audit groups that can successfully demonstrate tangible value will build a stronger business case for increased budgets and resources dedicated to a data analytics function, as well as underscore throughout the organization the importance of analytics and, in the process, boost internal audit's reputation internally," the Protiviti report says. </p><p>Neil Hodge</p>
<h1><a href="https://iaonline.theiia.org/2018/Pages/Behind-the-Data.aspx">Behind the Data</a></h1><p>Businesses are having a love affair with data analytics. The potential to unlock secrets hidden in the vast quantities of data generated daily makes the technology almost irresistible. And why not? Tools enabling the organization to uncover data patterns that reveal how to implement efficiencies, make better decisions, increase agility, identify untapped market niches, and appeal more viscerally to customers can be extremely valuable. </p><p>Internal audit is no stranger to using data analytics to fulfill its responsibilities to the organization. But not only does internal audit use data analytics itself, it also is called on to review the business units' use of data analytics. Such audits are performed because of the growing realization that insights are not the only thing hiding in the data; risk lies there as well. And where there is risk, there is a need for internal audit.</p><p>"The same types of questions we would consider for other processes in terms of where things could go wrong apply to data as well," says Judi Gonsalves, senior vice president and manager, Corporate Internal Audit, with Liberty Mutual Insurance Group in Boston. And with ever-growing volumes of data on hand, and further organizational dependency on that data, those questions become more and more important to ask. </p><h2>Assessing the Risks</h2><p>The possibility of things going wrong explains why internal audit should start, if it has not already, reviewing the use of data analytics in the organization. More than 70 percent of chief audit executives (CAEs) surveyed in The IIA Audit Executive Center's 2018 North American Pulse of Internal Audit research indicate that their organization's net residual data analytics risks are "moderate" to "extensive." But what, exactly, are those risks?</p><p>A risk cited by several experts can be summed up in the familiar phrase, "garbage in, garbage out." 
If the data being analyzed is inaccurate, incomplete, unorganized, dated, or siloed, the conclusions drawn from it can hardly serve as the basis for a winning business plan. "We worry most about the completeness and accuracy of the data pulled together and upon which management may rely," notes Katie Shellabarger, CAE with automotive dealer software and digital marketing firm CDK Global in suburban Chicago. "Management may take the information prima facie and not know that the data is wrong."</p><p>Tom Rudenko, CAE with online business directory provider Yelp Inc. in San Francisco, echoes this concern about data quality. "Our audits evaluate the risks around the completeness, accuracy, integrity, and security of data," Rudenko says. "For example, if a data warehouse is part of the data analytics process, we look at risks and controls around the entire path of the data: the sources of the raw data, the methods and technology around transferring the data to the warehouse, the controls over the warehouse, and the transfer to the end user." Rudenko explains that, in this example, if there are errors or problems with the data at any point along this path, then the end result may be flawed and any decisions or conclusions relying on this data may also be flawed. "If there are any weak links along the journey to the end user, then the entire chain may break," he adds. </p><p>Alternatively, the data may be sound, but the algorithms used to analyze it flawed. They may contain an ancillary function, such as an edit check, that is doing something other than its intended purpose, without the business unit being aware. This anomaly may not influence the result. But then again, it might. </p><p>In addition, questions should be asked about the data collection process itself. Was it ethical? Is the data being used for the purpose for which it was collected? 
Was it collected in a way to provide objective results or to prove a point?</p><p>"We have to be careful of bias in how we, as auditors, test," says Charles Windeknecht, vice president of Internal Audit with Atlas Air Worldwide in Purchase, N.Y. "We cannot let our initial impressions drive our subsequent actions. If we are unduly influenced by an early fact, we may go down an incorrect path, getting a result that appears accurate while not realizing we are unintentionally overlooking other data."</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<p><strong>Getting Started </strong></p><p>CAEs and internal auditors just beginning to audit the organization's use of data analytics may welcome some words of wisdom to ensure favorable results. The experts offer several suggestions:</p><ul><li>Consider the advantages and drawbacks to building analytics capability in the existing team versus acquiring talent.<br></li><li>Engage with management, especially in the planning process. "If they are not involved, the process may get started, but it is less likely to be sustainable," Rudenko says. <br></li><li>Start small. Understand the process and break it into manageable, auditable parts. <br></li><li>Have realistic expectations. While the internal audit function may hope to spring from level 1 to level 4 with regard to its ability to use data analytics effectively in the audit process, the reality is that it takes a lot of effort just to go to level 2. The level of internal audit's understanding and capacity to use data analytics does influence how to effectively audit a control process with heavy reliance on similar routines.<br></li><li>Take the time to work through the false positives that are likely to arise during the initial execution of the audit testing routines. <br></li><li>Look for a win. 
"Start by auditing candidates, or processes, where you are likely to gain success," Windeknecht advises, "then build on that success."<br></li><li>Look to local IIA chapters for shared experience/expertise and libraries of data analytics routines and audits of data-analytics-driven control processes. Some have formed discussion groups specific to data analytics.<br></li><li>Have the end game in mind. "Know who is relying on the data and what they are using it for," counsels Robert Berry, executive director of Internal Audit at the University of South Alabama.<br></li></ul></td></tr></tbody></table><p>Other risks related to data analytics are many and varied. The more data the organization has, the more incentive it may provide malicious actors to hack into it, thus compromising security and privacy. In addition, change management techniques and monitoring/maintenance of who has access to the data are causes for internal audit attention. </p><h2>Proven Methodologies</h2><p>When faced with a diverse and complex range of risks, tried and tested audit approaches often yield the best results. Take, for example, the timing of data analytics-related audits. Windeknecht indicates that his team's audits are generally driven by the annual plan, which is updated quarterly. "However, if there's a process that's identified as risk-driven, such as analytics, we will audit that process and test those controls as an addition or replacement to the formal plan." </p><p>Often, the timing of data analytics reviews depends on the nature of the data. "If the data is critical to the production of our financial statements, then it gets reviewed as part of the ongoing Sarbanes-Oxley process," Rudenko says. "If the data relates to operational, technical, or regulatory risks, the frequency of our reviews is factored into our audit planning process."</p><p>But scheduling is not the only area where established practices can prove beneficial to review of analytics use. 
The techniques used to conduct the audit can be relatively standard as well. For example, Robert Berry, executive director of Internal Audit at the University of South Alabama in Mobile, asks the department he is auditing what reports it generates. "Depending on the source of the data and how it is used, we may need to look at it, because management may be making critical decisions based on it," he says. Berry's team relies on a structured approach to audit the data analytics process and reuses approaches that have worked well in one department for other departments.</p><p>A traditional approach also applies to the controls recommended to address any findings: input controls (the data's completeness, accuracy, and reliability), processing controls (reconciliation of the changes made to normalize or filter the data, so that every record dropped or altered is accounted for), and output controls (accuracy of the output, given the inputs and processing). Consider, for example, the data warehouse that supports data analytics. It has teams of personnel dedicated to operating and maintaining it, and features pipelines from the sources of data to the warehouse and from the warehouse to the end users. In this scenario, Rudenko suggests assessing whether or not:</p><ul><li>Personnel have the necessary expertise to ensure the completeness, accuracy, integrity, and security of the data.<br></li><li>Processes and controls surrounding the use and security of data are clearly documented and communicated.<br></li><li>Appropriate and relevant access and change management controls are in place and tested for design and operating effectiveness.<br></li><li>Changes to the control environment and supporting databases are tracked and monitored.<br></li><li>The analyses are supported by built-in quality and effectiveness checks to ensure they (and the data) mirror the changes and evolution of the business. </li></ul><p>Personnel-related controls are critical in relation to data analytics, particularly management oversight and user education. 
Shellabarger points out that if users have flexibility to create their own reports/analysis, they need to know how to use the tools correctly and how to evaluate the inputs and outputs. "Essentially, they need to be able to address the completeness and accuracy issues related to using data and tools," she says.  </p><h2>The Finer Points</h2><p>While proven methodologies may come into play throughout the process of auditing the business units' data analytics use, that does not mean such audits do not present their own unique challenges. As with every audit, there are subtleties that must be recognized, understood, and resolved. </p><p>For example, Windeknecht points out that even the apparently basic exercise of identifying data analytics is far from straightforward. "What do we define as data analytics?" he asks rhetorically. "Business units are doing analyses in different shapes and forms, using different algorithms and basing their analyses on different assumptions." Risks can arise when the internal auditor or the business unit itself incompletely or incorrectly understands or agrees on such foundational issues. "Are the assumptions still valid?" he continues. "How do you perform integrity checks? When was the most recent review of the algorithm? How does one data event influence subsequent activity?"</p><p>Internal auditors make a big mistake if they do not validate key assumptions with facts (i.e., confirmation of key data points and the underlying assumptions) before continuing with testing. "I've seen audit teams reach completely inaccurate conclusions because they went down the wrong path early in testing," Windeknecht says. "The root cause for the error was not sufficiently validating assumptions and initial results. The issue is a huge hit to the integrity of the testing and audit process. The issue is not one you want to confront during the reporting phase of the audit." </p><p>Berry points to challenges even in knowing exactly what to audit. 
He explains, "On a micro level, when you look at a specific department, you have to understand the objectives of the deliverables/reports, the sources of the data, and the distribution of the data." It is important to review the process undertaken to produce reports: how the data changes through the cycle and how the changes are accounted for. He advises framing the audit around "reconciling base data to final output." </p><p>On a macro level, it is important to prioritize. "Every department has data it is analyzing and using to produce a result, every department has goals and objectives, and every department has to report on how it performs against those goals," Berry says. "You have to work with the departments to identify reports used in management's decision-making process. That will help you know which activities to review and why."</p><p>And, finally, even the most thorough, meticulous audit will fail if its findings cannot be explained in a way that resonates with the business unit that has been audited. Internal auditors must consider the learning modalities of their audit clients when discussing the findings; people hear, see, and experience things differently. While the natural inclination may be to simply hand over a written, text-heavy report, it may be more effective to use visually appealing, concise images in support of the text. A verbal presentation — in support of the written report — that includes concrete examples of the findings or the risks that may accompany the findings is also likely to make a more lasting impression. This gives clients multiple ways to absorb and understand the recommendations, based on the way they process information.</p><h2>Mind the Details </h2><p>The old saying that "the devil is in the details" is particularly apt for reviewing data analytics. And, as with many aspects of internal auditing, a dose of healthy skepticism is helpful. 
Says Gonsalves: "We cannot assume that just because information comes out of a system, it is automatically correct." </p><p>Jane Seago</p>
<h1><a href="https://iaonline.theiia.org/2018/Pages/Why-IT-Projects-Fail.aspx">Why IT Projects Fail</a></h1><p>Technology plays a vital role in any organization's strategic initiatives, yet every year countless initiatives fail to deliver value. Take Cover Oregon, a $305 million health insurance exchange website intended to help people find, and sign up for, health coverage. When it failed in 2014, the state resorted to paper forms and hired hundreds of workers to enroll people manually. </p><p>Such failure is not limited to business applications. Today, a new car has more lines of code than Microsoft Office, and project failure can lead to death or, in the case of Volkswagen, fraud. The company's diesel emissions scandal has cost it $30 billion.</p><p>Over the past two decades, about 70 percent of IT projects have failed, according to the Standish Group, a Boston-based firm that researches software development project performance. Some of these projects are canceled and never used, while others fall short of achieving the original business intent. Despite this high failure rate, some organizations have found ways to deliver more projects on time, on budget, and with better outcomes. The Project Management Institute's (PMI's) 2018 Pulse of the Profession report calls these organizations <em>champions</em> because of their 92 percent average success rate. Internal auditors can learn from both the failures and successes of these organizations.</p><h2>Governance</h2><p>Governance is about making good decisions. Many organizations have an IT governance function, which provides a formal structure for aligning IT strategy with business strategy. The <em>International Standards for the Professional Practice of Internal Auditing</em> requires internal auditors to make sure IT governance sustains and supports the organization's strategies and objectives (Standard 2110: Governance). IT governance should address the progress and decision-making of projects. 
At Volkswagen, governance failed at the highest levels, while there was no single point of authority overseeing its development at Cover Oregon. These findings resonate with PMI research reports that show that an actively engaged executive sponsor is a leading factor in project success. </p><p><strong>Measuring Progress</strong> Projects do not fail overnight, but employees often do not accurately report project status information or speak up when they see problems, a Spring 2014 <em>MIT Sloan Management Review</em> article asserts. According to "The Pitfalls of Project Status Reporting," when employees see negative outcomes for others who have delivered bad news, they may fear that executives will "shoot the messenger." Such was the case at Volkswagen. Rather than telling management that they could not meet the emission standards, the engineers modified the software to manipulate the results, according to a whistleblower's account.</p><p>Successful organizations do not hide problems. They have a culture that encourages people to bring problems into the open where they are solved quickly. Internal auditors should assess the culture around project reporting to ensure it is transparent and honest.</p><p><strong>Decisions</strong> A $10 million IT project will have approximately 15,000 decisions, the Standish Group estimates. With each bad decision, the odds of success diminish. Yet, the most critical decision is whether to start the project at all. For Cover Oregon, this first decision could have changed the outcome of the project. The organization opted to develop a web application from scratch when an existing solution was available. </p><p>Internal auditors should review the criteria organizations use for evaluating, selecting, prioritizing, and funding IT investments. Decision-makers need an accurate picture of the resources needed for each proposed project, but estimating these resources is difficult. People tend to be overly optimistic. 
This is known as the planning fallacy, which can lead to time overruns, cost overruns, and benefit shortfalls. </p><p>Internal auditors should counteract the planning fallacy with a stress test. Research from Bent Flyvbjerg and Alexander Budzier, published in the September 2011 <em>Harvard Business Review</em>, found that one in six of the nearly 1,500 IT projects they studied had a 200 percent cost overrun and almost 70 percent had a schedule overrun. Based on this data, they devised a stress test. An organization should proceed with a large IT project only if it can absorb a budget overrun of 400 percent and is comfortable only achieving 25 percent to 50 percent of the projected benefits. </p><h2>Complexity</h2><p>Organizations also should consider ways to reduce the project's complexity. Technology is rarely the cause of project failure. It is the complexity of other factors that leads to failure. When planning any change initiative, the organization needs to consider the impact the project may have on the existing organizational culture, the training resources needed, the effect of new regulations, changes to the business environment, the effort to change business processes, and how the organization will manage vendor relationships. </p><p>Often, these factors fall prey to the planning fallacy, which can quickly increase the complexity of a large IT project and reduce the chances of meeting the original business intent. An example is the 2013 U.K. National Health Service System, which overran costs by £11 billion ($15.3 billion) and was delivered nine years late. The complexity resulting from using four vendors and numerous specification changes led to failure.</p><p>The most effective way to reduce complexity is to limit the size of the project, the Standish Group advises. Based on evaluating more than 50,000 IT projects, the firm's researchers found that a small project, consisting of six team members and completed in six months or less, works best. 
The firm recommends turning large projects into a series of small ones, which can dramatically increase the chances of success. </p><p>Research from the Boston Consulting Group aligns with these findings. The firm has developed an online tool called DICE that internal auditors and organizations can use to assess the readiness of a project based on four elements:</p><ul><li><em>Duration</em>, or the interval between the project's major "learning milestones" if it lasts six months or longer.<br></li><li>Performance <em>integrity</em> of the project team. This element encompasses both the overall skills and traits of the team, and how the team has been configured.<br></li><li><em>Commitment</em> to change shown by the senior management and the people actually undergoing the change. <br></li><li>Additional local <em>effort</em>, above normal working requirements, that is required during implementation from those undergoing the change, as opposed to the project team.<br></li></ul><h2>Lessons Learned</h2><p>Although lessons learned are an important part of the project management life cycle, they often are the most ignored part of a project. Organizations with poor success rates do not have a good process for identifying and applying lessons to new projects. Many organizations have not established a repository for sharing knowledge across the business. As a result, valuable knowledge can be lost or forgotten and projects continue to fail for the same reasons. Internal auditors can review whether the organization has a culture of learning from mistakes and how it shares and applies that knowledge to future projects. </p><h2>Improving Success Chances</h2><p>Despite the high risk of IT project failure, internal auditors can help their organization beat the odds by reviewing the governance, complexity, and lessons learned from projects. 
Specifically, they should evaluate the risks related to large technology projects and perform health checks during key project milestones defined in the project plan. Moreover, they should benchmark the organization's current project success rate against the PMI Pulse of the Profession. A future of more successful technology initiatives starts with improved controls today.</p><p>Sam Khan</p>
<h1><a href="https://iaonline.theiia.org/blogs/chambers/2018/Pages/What-Happens-When-Internal-Audit-Is-Ignored-Ask-Atlanta.aspx">What Happens When Internal Audit Is Ignored? Ask Atlanta</a></h1><p>Last summer, internal auditors for the city of Atlanta warned officials that their IT systems could be easily compromised if they weren't fixed immediately. The audit report minced no words, calling out the lack of resources (tools and people) available to address the "thousands of vulnerabilities" and characterizing the situation as a "significant level of preventable risk exposure," according to media reports.</p><p>The city apparently began to implement certain security measures, but it was a classic case of too little, too late. A ransomware attack — essentially digital extortion — crippled the city's computer network and took many departments nearly into the dark ages of pen and paper. The breach even shut down Wi-Fi service at Atlanta International Airport. Fortunately, critical services such as those supporting emergency responders (and flights at the nation's busiest airport) were not affected.  </p><p>It was a textbook example of a ransomware attack. After years of such breaches around the globe, the city's response to internal auditors' dire warnings should have been textbook, as well. It clearly was not. </p><p>What happened? Why did Atlanta, even with ample warning, fail to implement recommended controls to harden its systems?</p><p>While the reasons are undoubtedly numerous and complex, everything points to an override of the three-lines-of-defense risk management model. The model requires management, the first line of defense, to own and manage risks by maintaining and executing effective internal controls — including corrective actions that internal audit identifies to address process and control deficiencies.</p><p>The second line encompasses risk and compliance functions. 
These vary according to industry, affecting the nature of their exact responsibilities. In general, however, they support the first line by helping build or monitor the first line's controls.</p><p>The third line, as we know, is internal audit, which provides the governing body and senior management with comprehensive assurance on the effectiveness of governance, risk management, and internal controls, including recommendations for addressing vulnerabilities. It is an effective model, but only when all three lines play their part, and management listens to the third line.</p><p>In Atlanta's case, management failed in its responsibility to promptly address the recommendations made by internal audit, rendering the model ineffective. Granted, internal audit may sometimes contribute to the difficulty of management's role by failing to communicate the value or importance of a recommendation, prioritize reports according to the most critical risks, or gain management's buy-in early in the process. </p><p>But that's why we in the internal audit profession must do what is necessary to make it easy — nearly unavoidable — for management to understand the magnitude of such risks, acknowledge our recommendations, and set them in motion.</p><p>An organization's ability to act on what it knows becomes even more important as the frequency and impact of cyberattacks continue to rise. Just last week, we learned that a data breach of Under Armour's MyFitnessPal app compromised potentially 150 million accounts. Phishing emails are widely recognized as a common delivery vehicle for viruses, yet some companies fail to educate employees on what to look for and how to respond to a suspicious message.</p><p>Many companies know that hackers incessantly find and exploit software vulnerabilities, for which the software's developers issue patches as soon as each new "crack" is discovered. Still, patches often go unapplied. 
Passwords, too, are known to be an open door to data breaches (according to Verizon's <a href="http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/">2017 Data Breach Investigations Report</a>, 80 percent of hacking-related breaches leveraged stolen, weak, or guessable passwords), yet some organizations fail to establish a policy requiring strong passwords, changed frequently. </p><p>It is easy to assume that hacking is something that happens to someone else ("We are too small to attract the attention of hackers." "We don't have any information worth stealing."), but that is classic "head in the sand" thinking. Virtually any organization that has data is at risk, which means every organization is at risk, short of one on a small, isolated island that has found a way to stay off the grid.</p><p>Less than a year ago, following an even bigger cyberattack that hit computer networks worldwide, I penned a blog post titled "<a href="/blogs/chambers/2017/Pages/Does-Your-Organization’s-Cyber-Culture-Make-You-Wannaaudit.aspx">Does Your Organization's Cyber Culture Make You #Wannaaudit?</a>" I wrote: "It is unfathomable to me that such attacks continue to succeed." These days, the prospect of a cyberattack should be continuously on our radar and internal audit's recommendations when vulnerabilities are found should be heard and given immediate attention.</p><p>As Atlanta's employees labor to rectify a bad situation, the least we can do is take some lessons from their experience:</p><ol><li>Institute a defense-in-depth model in your organization. Ensure that everyone knows their responsibilities and adheres to them.<br></li><li>Secure expertise or hire good people for the internal audit and information security teams and respond promptly to their concerns and their recommended mitigation actions.<br></li><li>Apply foundational security measures, such as patching, password hardening, data encryption, and multifactor authentication.<br></li><li>Teach employees how to recognize and respond to hacking attempts.<br></li></ol><p>Organizations face enough risks for which they have no warning or defense mechanisms. Cybercrime need not be one of them.</p><p>As always, I look forward to your comments.</p><p>Richard Chambers</p>
<h1><a href="https://iaonline.theiia.org/2018/Pages/Cyber-Guidance-Overload.aspx">Cyber Guidance Overload</a></h1><p>In addressing cyber risks, internal audit departments need to leverage industry frameworks to perform audits in line with current practices. However, the constant release of new cybersecurity frameworks and guidance makes it difficult for auditors to keep up with developments and ensure they are auditing against the latest frameworks. </p><p>Although cybersecurity has become a top risk for boards of directors and audit committees, organizations worldwide do not follow a common comprehensive framework. Instead, guidance organizations such as the Committee on Payments and Market Infrastructures (CPMI), International Organization for Standardization, U.S. Federal Financial Institutions Examination Council (FFIEC), and U.S. National Institute of Standards and Technology (NIST) have released separate cybersecurity frameworks. </p><p>These frameworks contain many of the same concepts. Some frameworks go beyond those basics to detail maturity levels that organizations can measure themselves against to see whether they are meeting the framework's target cybersecurity objectives. By evaluating each framework and selecting the one that best fits the organization's strategic vision, culture, and security posture, internal audit departments can assess the right risks and provide effective assurance on their organization's state of cybersecurity.</p><h2>Which Framework? </h2><p>One of the first steps during a cybersecurity audit is determining which framework to use and the level of granularity internal audit is willing to go to within the framework. For example, each framework has high-level domains that consist of several lower-level components, requirements, or assessment factors. The level of granularity internal audit chooses should depend on factors such as the organization's risk tolerance and regulatory expectations. 
</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>Sample Cybersecurity Frameworks</strong><br></p><p><a href="/2018/Documents/FFIEC-Cybersecurity-Assessment-Summary.pdf" target="_blank">Click here</a> to view how the FFIEC Cybersecurity Assessment can be used to measure cybersecurity maturity.</p><p><a href="/2018/Documents/NIST-Cybersecurity-Categories.pdf" target="_blank">Click here</a> to view how the NIST Cybersecurity Framework can be used to measure cybersecurity maturity.</p></td></tr></tbody></table><p>Before selecting a framework, internal audit must determine whether it wants to give management a checklist of compliance results or it wants to present a report on the maturity of management's processes. Similar to a compliance audit, internal audit can use frameworks such as the one issued by the CPMI to determine whether the organization's cybersecurity measures meet the framework's requirements. On the other hand, frameworks issued by the FFIEC and NIST have maturity levels or benchmarks that need to be assessed more judgmentally (see "Sample Cybersecurity Frameworks," right). These frameworks reflect a progression from informal responses to innovative responses to determine how well risk-informed decisions are being managed. The decision to report on compliance or maturity will drive the overall cybersecurity audit plan. </p><p>In assessing the various frameworks, internal audit should use a risk-based approach to determine its audit scope. Not every requirement or assessment factor may be applicable for the organization. Current risk management practices, the threat landscape, legal and regulatory requirements, and organizational challenges should play a part in internal audit's assessment. 
However, when building its audit plan and scope, internal audit should ensure anything that is out of scope is documented so the department can justify its approach to senior management and other stakeholders. This practice will help certify that audit coverage is complete and right for the organization. </p><h2>Applying the Framework</h2><p>The framework internal audit selects will provide the guidance necessary to ask management the appropriate questions. It also can lead to greater understanding of how IT security teams are managing technology risks, including risks from new technologies. </p><p>Conducting walkthroughs with the IT and security functions' management will help auditors understand the controls that mitigate the organization's risks. Mapping these controls to the cybersecurity framework can ensure internal audit coverage is complete and considers the various locations, tools, and centralized vs. decentralized processes. Once internal audit has identified the organization's cybersecurity controls, the mapping exercise will document that the audit scope is complete and thorough. It also can provide evidence that internal audit understands the organization's security environment. </p><p>The next step is establishing internal audit's testing strategies. An inherent risk within every audit is that tests will not identify the material issues that may exist in the control environment. To mitigate this risk, auditors should ensure the test objectives detailed in the industry framework are tied into their audit program. If internal audit is leveraging a framework that has specific requirements, it can develop testing strategies to ascertain whether the current controls are meeting these requirements. 
If the purpose of the audit is to assess the organization's level of cybersecurity maturity, testing strategies will need to incorporate the framework's various maturity components to determine the measurability and repeatability of the key controls. </p><p>The good news is the current cybersecurity frameworks have the necessary details to help drive these assessments. In certain instances, internal auditors will need to judge whether the correct ratings are being reported. In an organization with strict risk and control requirements, management may find it more meaningful for internal audit to assess the maturity level of the security organization and identify any potential security gaps. This can determine whether the organization is meeting its cybersecurity goals. </p><p>Organizations that have recently implemented a more formal security department can use a framework that has specific requirements to develop a benchmark for the new function. This benchmark can help the organization begin meeting the baseline maturities of the other frameworks before internal audit performs a detailed maturity assessment.</p><h2>Validating Cyber Controls</h2><p>Basing their internal audit work on a cybersecurity framework can enable internal auditors to understand their organization's security landscape and validate that appropriate controls are in place to protect the organization. Moreover, it can enable regulators to leverage internal audit's knowledge and workpapers in assessing whether the organization complies with cybersecurity regulations.</p><p>After reviewing different frameworks, internal auditors can identify new cybersecurity requirements and explain in detailed steps how the organization can reach a higher level of cybersecurity maturity. 
Additionally, by performing an extensive cybersecurity review, auditors can have more meaningful conversations with senior management in the audit, information security, and IT functions to address cybersecurity risks and controls.</p><p>Daniel Pokidaylo</p>
<h1><a href="https://iaonline.theiia.org/blogs/chambers/2018/Pages/Internal-Auditors-More-Than-Cybersecurity-Police.aspx">Internal Auditors: More Than Cybersecurity Police</a></h1><p>New guidance announced by the U.S. Securities and Exchange Commission last week is raising the bar on how publicly traded companies report on their handling of one of the top challenges facing every organization — cybersecurity.</p><p>The new cyber-risk guidance, an evolution of guidance first released by the regulator in 2011, boosts reporting requirements in various ways, from disclosures about board involvement in cyber-risk oversight to enhancing internal reporting procedures that more effectively determine when cyber issues rise to the level of materiality and, therefore, should be reported publicly. The new guidelines inevitably will create new compliance challenges and, with that, additional need for internal audit to provide assurance on those compliance efforts.</p><p>The new U.S. rules, along with the upcoming deadline to meet strict European Union guidelines on data protection, are high-profile examples of where internal audit can provide important assurance on information technology (IT). </p><p>But it is important, indeed crucial, for organizations to understand that management of cyber risks and data protection are only part of the overall IT governance picture and that internal audit can and should play a larger role than simply acting as the cybersecurity police.</p><p>A recently published IIA <a href="https://global.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG17.aspx">Global Technology Audit Guide (GTAG)</a> provides direction and insight on internal audit's approach to auditing IT governance. 
The GTAG's executive summary captures the benefits of strong IT governance and describes how proper IT governance can help organizations achieve their goals.</p><p>From the GTAG executive summary:</p><p><span class="ms-rteStyle-BQ">"Effective IT governance contributes to control efficiency and effectiveness, and allows the organization's investment in IT to realize both financial and nonfinancial benefits. Often when controls are poorly designed or deficient, a root cause is weak or ineffective IT governance." </span></p><p>The benefits of effective IT governance are significant. In addition to aligning IT strategies with organizational objectives, it helps identify and properly manage risks; optimizes IT investments to deliver value; defines, measures, and reports on IT performance using meaningful metrics; and helps manage IT resources.</p><p>Sound IT governance helps organizations address IT challenges, such as the growing complexity of IT environments, growing use of data to make business decisions, and, as previously discussed, the growing number of laws and regulations associated with the threat of cyberattacks.</p><p>As with all governance issues, internal audit is uniquely positioned to give management and the board a clear-eyed assessment on the effectiveness and efficiency of the processes and structures that make up IT governance.</p><p>The GTAG provides valuable insights on how responsibilities of multiple governance structures within the organization can overlap. For example, corporate governance oversees conformance processes and is involved in compliance, while business governance oversees performance processes.</p><p>The key is for internal audit to examine — and to help management and the board understand — the interplay among all three governance structures and not view IT governance as somehow separate and apart. 
A key message from the GTAG captures this well:</p><p><span class="ms-rteStyle-BQ">"Alignment of organizational objectives and IT is more about governance and less about technology. Governance assures alternatives are evaluated, execution is appropriately directed, and risk and performance are monitored."</span></p><p>The GTAG provides internal auditors the tools and techniques to build work programs and perform engagements involving IT governance. These include a step-by-step description of engagement planning, from understanding the context and purpose of the engagement to reporting results. Additionally, five appendices provide related IIA standards and guidance, a glossary of key terms, a sample internal controls questionnaire, a risk and controls matrix, and a list of additional resources.</p><p>It is important to emphasize that having a well-developed IT governance audit program in place will help integrate IT into the overall governance strategy and take the mystery out of IT, which often contributes to poor IT controls. It also will help position organizations to respond quickly and efficiently to changes in regulations or IT-related risks.</p><p>The current scramble to meet upcoming European Union rules on data protection suggests that not enough organizations are taking a comprehensive approach to IT governance. Indeed, those troubles were clearly reflected in an August survey by DocsCorp, reported in <a href="https://www.docscorp.com/media/multimedia/infographics/gdpr-survey-results-emea/">The Current State of GDPR Readiness</a>. The survey found 43 percent of respondents from Europe and the United Kingdom identified financial penalties for noncompliance as their biggest concern with the new rules. 
In Canada and the United States, the survey found 73 percent of respondents had yet to start preparing for the new rules and 54 percent were unaware of the May 25 compliance deadline.</p><p>I encourage every chief audit executive to download and review the new GTAG and discuss IT governance with their management and boards. Providing an accurate and unbiased assessment of how IT operates within the organization is another example of where internal audit can add value and help organizations achieve their goals.</p><p>As always, I look forward to your comments.</p><p>Richard Chambers</p>
The Runaway Threat of Identity Fraud
https://iaonline.theiia.org/2018/Pages/The-Runaway-Threat-of-Identity-Fraud.aspx
<p>Just a reminder: The European Union's Global Data Protection Regulation (GDPR) takes effect on May 25. The new regulation enacts strict rules requiring organizations to protect consumer data, and it applies to any organization worldwide that gathers data on EU consumers. The aim is to protect the privacy of consumers and to combat identity theft and fraud.</p>
<p>Now here's another reminder: Identity fraud is getting worse. In the U.S., 16.7 million consumers were victims of identity fraud in 2017, up 8 percent from 2016, according to Javelin Strategy &amp; Research's <a href="https://www.javelinstrategy.com/coverage-area/2018-identity-fraud-fraud-enters-new-era-complexity" target="_blank">2018 Identity Fraud Study</a>. That's one out of every 15 U.S. consumers. Javelin surveyed 5,000 U.S. adults for the study.</p>
<p>What's the bottom line for internal auditors and their organizations? It's time to get serious about protecting consumer data.</p>
<p>"2017 was a runaway year for fraudsters, and with the amount of valid information they have on consumers, their attacks are just getting more complex," says Al Pascual, senior vice president and research director at San Francisco-based Javelin.</p>
<p>The Javelin report makes a distinction between identity theft and identity fraud. Identity theft is unauthorized access to personal information, such as through a data breach. Identity fraud happens when that personal information is used for financial gain.</p>
<h2>A New Target</h2>
<p>The nature of identity theft and fraud shifted in 2017, the report notes. For the first time, more Social Security numbers were stolen than credit card numbers. Last year's massive Equifax hack was the most glaring example. Those Social Security numbers make it easy for criminals to open accounts in a victim's name or to take over the victim's existing accounts.</p>
<p>Javelin says account takeover was one of two drivers of identity fraud last year, along with existing noncard fraud. Account takeover tripled, with $5.1 billion in losses, a 120 percent increase over 2016. This type of fraud is particularly costly for consumers, who spend on average $290 and 16 hours to resolve incidents.</p>
<p>Small wonder then that consumers "shift the perceived responsibility for preventing fraud from themselves to other entities, such as their financial institution or the companies storing their data," as Javelin's press release notes. Respondents rate security breaches at companies as the top identity-related threat, with 63 percent saying they are "very" or "extremely" concerned about such incidents. Nearly two-thirds of victims say breach notifications don't protect them and are just a way for organizations to avoid legal trouble.</p>
<h2>Going Online</h2>
<p>Another trend is that identity fraud has moved online in response to the introduction of EMV chip cards in the U.S. Credit and bank cards with these chips make it harder for fraudsters to use stolen cards in person, but stolen card details still can be used online, where many people shop. Indeed, card-not-present fraud is 81 percent more likely than point-of-sale fraud, Javelin reports.</p>
<p>These frauds are becoming more sophisticated, too, according to Javelin. For example, fraudsters opened intermediary accounts in the names of 1.5 million victims of existing card frauds. Such accounts include email payment services such as PayPal or accounts with online merchants.</p>
<h2>Protecting Consumers</h2>
<p>Javelin's recommendations for preventing identity fraud focus more on what consumers can do to protect themselves, including:</p>
<ul><li>Using two-factor authentication.</li><li>Securing devices.</li><li>Putting a security freeze on credit reports to prevent accounts from being opened.</li><li>Signing up for account alerts.</li><li>Setting controls to prevent unauthorized online transactions.</li></ul>
<p>Such vigilance can help, but consumers expect financial institutions, retailers, and others they do business with to protect their information. Now they have a powerful ally in the GDPR, which puts responsibility squarely on businesses.</p>
<p>The GDPR requires organizations to provide a reasonable level of protection for personal data and mandates that they notify data protection authorities within 72 hours when consumer records have been breached. Compare that with some recent U.S. breaches in which several weeks passed between when the incident was discovered and the time when the organization disclosed it.</p>
<p>GDPR regulators can harshly punish organizations that don't comply. Fines can run up to 4 percent of an organization's annual turnover up to €20 million ($24.6 million). If protecting customers' personal data isn't a priority in itself, the potential financial penalties should raise the stakes for organizations.</p>
Tim McCollum
