Budgeting for Analytics<p>Data analytics tools are nearly ubiquitous in today’s high-performance audit functions, with most either developing their analytics capabilities or expanding their use. And while the technology offers significant capabilities for audit enhancement, its value hinges on the users’ ability to put analytics tools into practice and effectively plan analytics engagements. Accordingly, one of the most important steps in implementing a data analytics program is estimating the level of effort required. <br></p><p>Determining the right level of effort for data analytics on each engagement can be difficult, and the consequences of getting it wrong are immediate, including flawed analytics strategies and testing outlines. Some audit shops systematically set aside a given percentage of the engagement budget for data analytics. This approach is suitable for repeated audits or when the audit department has observed resource usage trends over several years. But because the objectives and scope of some engagements are unique, requiring specific sets of testing hypotheses and data sources, a systematic and sustainable mechanism for determining level of effort is needed to arrive at a reasonable and justifiable budget for data analytics.<br></p><p>At the author’s organization, tackling analytics budgeting involved three main steps: obtaining audit leadership support for analytics, crafting and following a methodology for determining analytics effort, and considering several critical success factors. Although the audit universe varies from one setting to the next, and no methodology provides a one-size-fits-all approach, focusing on these three areas can provide a helpful foundation for those looking to enhance their analytics efforts. 
<br></p><h2>Leadership Support  </h2><p>Obtaining internal audit leadership support is critical, as it sets the tone at the top for the effort and helps ensure a strong commitment to the use of data analytics on engagements. The chief audit executive (CAE) ideally should indicate his or her support for analytics use before the start of the annual risk assessment and audit plan development process. When communicating to staff, the CAE needs to explain the data analytics strategy and stress the need to allocate sufficient staff time at the engagement level. The CAE’s open support will also reinforce budget accountability and trigger awareness and staff buy-in for the analytics budgeting process. <br></p><h2>Estimate Level of Effort </h2><p>To determine level of effort, the auditors and data analytics team can begin by using a flagging system to identify potential candidates for data analytics. The list of flagged engagements can then be used to prioritize analytics work for effort estimation. The analytics team should also adopt a methodology to assess the likelihood and intensity of data analytics activities, as well as develop a level-of-effort matrix.<br></p><p><strong>Identify Potential Candidates</strong> During audit plan development, internal audit managers should encourage their staff members to be mindful of analytics needs and to flag potential candidates for application of the technology. Because they know the organization’s business processes, auditors should be at the forefront of identifying engagements that may require the use of analytics and determining how it can be best deployed to support audit results. They should also consider challenges that may be encountered on each engagement. Basic questions that auditors can ask themselves include:<br></p><ul><li>Can the audit team use data to support potential findings?</li><li>Is the entity under consideration for review being monitored through the use of key performance indicators (KPIs)? What are those KPIs? 
What are the underlying data? </li><li>What are the quick data analytics wins if the audit/review were to be conducted? </li><li>Considering the objectives and scope of the engagement, what are the two or three broad testing hypotheses that can be formulated?</li><li>Are the data needed internal or external to the organization?</li><li>Does access to the data needed require additional effort and approval? </li></ul><p>For experienced, data-savvy auditors, brainstorming sessions can be a useful tool for high-level consideration of potential data needs and sources. The exercise can also facilitate development of detailed testing hypotheses and help define testing limitations. Early identification of the data needed and the sources of that data can help shape data access negotiations with the IT team or the data owners.<br><br><strong>Assess Likelihood</strong> Once flagging is complete, the auditors and data analytics team can assess the likelihood of analytics activity for each engagement. A three-tiered assessment system can be applied: <br></p><ul><li>None. The engagement will not involve any data analytics activities, as its focus, objectives, and scope suggest that analytics will not be required. Reviews of process design or frameworks may fall into this category. </li><li>Likely. The engagement may involve some data analytics activities. The analytics and audit teams anticipate that analytics work will be carried out; they have identified broad preliminary objectives and scope but cannot confirm them before the start of the engagement.</li><li>Certain. The analytics and audit teams have determined the need for analytics, and the objectives and scope of the engagement provide strong indication that analytics work will be carried out. The auditors have identified a preliminary data analytics scope and comprehensive testing hypotheses. <br></li></ul><p>Some gray areas might appear, as likelihood assessments are not always clear-cut. 
For example, at the time of audit plan development, the audit staff might not have enough information to decide whether or not data analytics activities will be carried out for some engagements. Or, the team may determine that analytics objectives and scope will be defined during engagement planning. Engagements with these characteristics should be noted, and a contingent budget should be set aside to cover them should the need for analytics work arise.<br></p><p>In other circumstances, the delineation between Likely and Certain might not be sharply defined. When this occurs, a hybrid assessment can be used, such as None/Certain, None/Likely, or simply Yes/No.</p><p><strong>Estimate Intensity</strong> Analytics intensity measures the degree to which analytics activities will be carried out in the selected engagements. The level of intensity can be measured using a low-medium-high scale: <br></p><ul><li>Low: Basic analysis is expected to be performed, and analytics resource usage is estimated to be low. The analysis may include profiling and pattern identification, as well as stratification, gap analysis, and calculation of statistical parameters to identify outliers. Factors to consider when assessing the intensity as Low may include whether there are few data sources and whether the data are readily available.<br></li><li>Medium: Data analytics activities include profiling and pattern identification, stratification, gap analysis, efficiency measurement, benchmarking, and calculation of statistical parameters to identify outliers. 
Factors to consider when assessing the intensity as Medium may include whether the data needed are external to the organization, whether the analytics team will need to make additional effort to gather the internal data needed, and whether the analytics team anticipates joining several data sources from different systems to identify inappropriate matching values.<br></li><li>High: The engagement is considered to be heavily data-driven, or analytics is the core of the review. Analytics activities include profiling and pattern identification, stratification, gap analysis, efficiency measurement, benchmarking, data sequencing, and calculation of statistical parameters to identify outliers. Additionally, the analytics and audit teams are expected to develop complex analyses and hypotheses. Factors to consider when assessing the intensity as High may include whether any of the data needed are external to the organization and whether the analytics team will need to make additional effort to gather the internal data needed.<br></li></ul><p><strong>Develop a Matrix</strong> Using the likelihood and intensity data gathered, the analytics and internal audit teams can create a level-of-effort matrix to help determine analytics budget estimates. The matrix should capture the thought process for assessing the level of data analytics activities.<br></p><p><img class="ms-rteiaPosition-2" src="/2015/PublishingImages/Pinga-level-of-effort-matrix.jpg" alt="Level-of-effort Matrix" style="margin:5px;width:576px;" />“Level-of-effort Matrix” at right depicts an example matrix, showing the extent of data analytics activities at the engagement level. The dark tan color indicates that heavy analytics activities will be carried out in the engagements that fall into that category. 
For example, Engagement E2, with a likelihood of Certain and High intensity, will receive the highest percentage of the engagement’s total budget — say, 50 percent. Engagement E1, in which likelihood and intensity are assessed as Likely and Low, respectively, will receive a percentage significantly lower than that of Engagement E2 — perhaps 10 percent. Engagements with likelihood assessed as None will receive no budget allocation for analytics activities. The analytics team should set percentages using professional judgment, taking into consideration trends observed in the past. <br></p><h2>Key Success Factors </h2><p>To ensure an adequate level-of-effort estimation, the analytics team should view the budgeting exercise as a dynamic, multidimensional activity that takes into account some additional elements. Specifically, success factors for the continuous improvement of the data analytics level of effort include validation of the analytics budget, adoption of a mechanism for funding the budget, and variance measurement.<br><br><strong>Validation Process</strong> Although analytics level-of-effort estimation is primarily the analytics team’s responsibility, team members should work closely with internal audit. During level-of-effort formulation, the analytics team should ensure critical inputs are considered, including minutes of relevant audit staff brainstorming sessions, audit clients’ feedback on the proposed audit plan, and, if available, analytics usage trends observed during prior years.<br></p><p>The analytics team should constantly seek feedback from internal audit staff and management to ensure the assumptions and measurement indicators are well-understood. 
After applying the matrix, the team should conduct validation meetings with stakeholders, which may result in changes to the level of effort for each engagement.<br></p><p>The analytics team should record both calculated and adjusted levels of effort and document significant changes. This documentation is critical, as it can help refine the criteria for assessing likelihood and intensity of data analytics activities for subsequent years.</p><p><strong>Funding Mechanism</strong> Because data analytics can increase engagement efficiency, support for a specific analytics budget should be clearly communicated across the entire audit department. Before sharing the finalized budget, however, the department must first decide whether to increase the original budget for the engagement by the analytics budget or to make the analytics budget part of the original engagement budget. “Data Analytics Budget Funding” below depicts each of these scenarios.<br></p><p><img src="/2015/PublishingImages/Pinga-data-analytics-budget-funding.jpg" alt="Data Analytics Budget Funding" style="margin:5px;" />In Scenario 2, the general budget of Engagement E2 is increased by 20 days, which corresponds to the data analytics level of effort. This scenario suggests that the analytics budget comes out of a central contingency envelope. By nature, this practice may cancel out any efficiency gains achieved through the analytics work. <br>In Scenario 1, Engagement E1 has an unchanged general budget. This scenario reflects the notion of “doing more with less” on an individual engagement. Moreover, it creates a strong sense of accountability among the data analytics and audit teams. </p><p><strong>Variance Measurement</strong> After each engagement or at year-end, the analytics team should compare the initial or adjusted budget with the actual days spent. Any variances observed can help gauge the quality of level-of-effort matrix estimates. 
Low variances may indicate that the empirical assessment was effective, whereas high variances might indicate that the criteria for assessing effort need refinement. When budget overruns occur, the analytics team should consider two important factors: <br></p><ul><li>Experience Level. If the data analytics team is too inexperienced, substantial deviations from the initial budget can be expected. But as the team gains more experience, deviations caused by this factor should decrease.</li><li>Analytics Process Maturity. In the early years of data analytics use, level of effort can be significant. Factors that may contribute to budget overruns include absence of a strong partnership with data owners or the IT department, absence of a clear process for identifying the data needed, poor quality assurance surrounding the data analytics activities, absence of a robust infrastructure that supports the analytics team’s work, and poor quality of interactions between the analytics and audit teams. </li></ul><h2>Benefits and Bottom Line </h2><p>Upfront identification of engagements that lend themselves to data analytics is critical, and it can yield several benefits. First, not only does it help determine the level of effort required, but it also provides a high-level indication of the types of data needed for those engagements. That way, the data analytics team can engage the IT function or the data owners early enough to avoid the bottlenecks of late requests. Additionally, it can have a direct impact on the CAE’s decision-making process by identifying the analytics skills needed as well as isolating areas where co-sourcing would be cost-effective.<br></p><p>Estimating data analytics level of effort for each engagement within the audit plan can be challenging, even daunting, especially if the assessment is performed during audit plan development. 
And while the matrix system yields a considerable amount of useful data for decision-making, professional judgment ultimately should be the cornerstone of the entire process. An auditor’s knowledge and experience should guide decision-making, using the level-of-effort methodology as a means of informing and supporting conclusions. <br></p>Rigobert Pinga Pinga
Big Data Risk and Opportunity<p>To an internal auditor, just the term big data can elicit a sinking feeling. The challenges associated with the volume, complexity, and variety of big data can be overwhelming. The good news is, with a solid action plan, internal auditors can do more than just mitigate the risks associated with big data. Internal audit also can help exploit big data to identify and mitigate existing risks.<br></p><p>Big data is the collection of data sets that are so large and complex that they are difficult to process using conventional database tools. Big data comes in two flavors: structured data (e.g., data in spreadsheets and databases) and unstructured data (e.g., social media posts, emails, audio, video, and GPS data). And, of course, big data can have multiple sources. Typically, working with big data requires new technologies to identify usable business insights, trends, and correlations, often in real time.<br></p><p>Businesses are using big data not only to boost performance, but also to reduce risks and prevent loss. From a risk management perspective, companies can identify risks and create value by using big data in three areas: business opportunities and risks, IT governance, and internal audit opportunities and risks.<br></p><p>First, business opportunities result from the fact that companies have valuable data but often don’t know how to use it to gain actionable insights. Rules creation and testing, personalization of product offerings, using social media to spot consumer trends, and the ability to make data-driven business decisions all represent significant big data opportunities.<br></p><p>But these opportunities come with risk. For example, how does a company store personally identifiable information, and who owns it? How does it address regulatory issues and privacy breaches? What about increased exposure to reputation risk? 
And how should data retention, such as timing of disposals, be managed?<br></p><p>Big data considerations in the area of IT governance tend to focus on data-center management, specifically capacity planning and monitoring because of the massive replication of data at the software level and the need to measure performance. Of course, IT security is a tremendous concern, as are access control, penetration testing, and the quality of systems testing and processes.<br></p><p>Finally, internal audit opportunities and risks are centered around the security and compliance related to big data implementation, with issues such as ownership of data, authority to access, and secure access as priorities. Also, auditors exploit big data in the areas of continuous controls monitoring, access to nontraditional data sets, and regulatory compliance.<br></p><p>An organization’s plan for addressing these three areas will vary according to its industry, goals, and challenges. However, there is a high-level, phased-action-plan approach any enterprise can customize:<br></p><ul><li>Phase 1: Identify where data resides in the organization and the roles and responsibilities related to it.</li><li>Phase 2: Define goals and priorities.</li><li>Phase 3: Assess critical data issues.</li><li>Phase 4: Identify key risk indicators (KRIs).</li><li>Phase 5: Identify opportunities to add value.</li></ul><p>By applying these phases to each of the three identified areas, internal auditors and risk management professionals can identify and mitigate big data risks and seize any opportunities.<br></p><p>An action plan for addressing IT governance, for example, should focus on the implementation team’s responsibilities in phase 1, including security, capacity planning, code writing, pinpointing the owner of specifications, and identifying internal audit’s role in the project. Phase 2 priorities should include improving system performance and test processes to reduce spurious output. 
Assessing available data and performing various types of testing of data sets are crucial in phase 3. In phase 4, the KRIs should be identified by addressing trending information on usage and service quality, completeness and accuracy of data, and disaster recovery capabilities. Finally, the focus in phase 5 should be on speed, indexing, and assessing storage and cloud options (private or on-premises storage versus public or hybrid cloud) to create efficiencies.<br></p><p>The five phases often overlap and might not occur in sequence. In addition, both risk management professionals and senior management have specific tasks they must accomplish during each phase to make the plan work.<br></p><p>The bottom line: Auditors, risk managers, and compliance officers must work with senior management to understand and embrace big data to help identify and mitigate risks. Plus, they should take advantage of the opportunities big data offers to improve their own effectiveness. By covering risks and opportunities, they can help organizations analyze and understand big data’s potential from both a compliance perspective and a strategic and operational improvement stance. <br> <span class="ms-rteiaStyle-authorbio">Rob Blanchard, CISA, is a senior manager with Crowe Horwath LLP in Columbus, Ohio. <br> Kevin O’Sullivan, CISA, is a principal with Crowe Horwath LLP in New York.</span><br></p>Rob Blanchard
Shutting the Door on Social Engineering<p>A busy senior executive walks into her office on Monday morning and begins to review her email. About halfway through, she sees this message: <br><br><strong>To: All employees </strong><br><strong>From: HR and IT department</strong><br><em>The IT department has contracted with XYZ Consulting to test and enhance the performance of our network. In doing so, we ask that you sign into the link below and run a few tests. XYZ has asked us to get as many people as possible to perform the tests to get a true reading of our network speed. Your help is greatly appreciated. Link here: </em><br><br>The executive finds it odd that she was not informed about this project and calls the IT department to find out more. She is stunned to learn that not only did IT not sanction any network testing, but that this is a phishing email and more than 100 employees had clicked the link and signed in with their network credentials before IT could stop it. <br></p><p>This scenario is a good example of social engineering in today’s highly connected business environment. Wikipedia describes it well: “Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.” <br>Chief audit executives (CAEs) have an interest in knowing how the information security department addresses social engineering, primarily because it is used to perpetrate fraud. Additionally, internal audit should proactively help detect how these techniques play out in the organization and help deter them.<br></p><h2>How It Works</h2><p>Social engineering usually targets communications systems. The most common method is to send a phishing email that asks the user to click on a link. This link is set up by the perpetrator to request the user’s network ID and password, thus obtaining the credentials needed to access the company’s systems and data. 
The scammer then uses those credentials to sign onto the system as an apparently legitimate user, access confidential information, and download it to sell or to perpetrate fraud. <br></p><p>Some social engineering approaches are elaborate. One variation is to have the link execute a piece of malware that compromises the user’s machine. Another variation is to offer an incentive to entice the user to click on the link, such as money or scheduling a package delivery. Still another technique is for the sender to claim to be acting under the direction of the IT department or a senior executive. Some scams play on a user’s personal situation or sympathetic side, such as a compassionate plea about a sick child or parent, to trick the user into clicking on a link or visiting a fraudulent website. Some of the nastiest scams, particularly in the banking industry, send phishing emails purporting to be from the organization that tell its customers they need to refresh or verify their credentials or their accounts will be closed.   <br></p><p>Although the email system is the main target, scammers can use the telephone system, as well. For example, a scammer can call claiming to be a customer who has lost his or her credentials to access an account. Or callers might say they need to access their financial account immediately and don’t have time to verify their personally identifiable information. Another technique is to call an employee claiming to be a consultant working on the system who needs the employee’s credentials to fix something.  <br></p><h2>What Internal Audit Can Do</h2><p>Addressing social engineering is not a task internal audit can tackle on its own. But there are things auditors can do to help the information security department protect the organization. 
<br><br><strong>Testing</strong> Performing a social engineering audit in conjunction with the information security department is one of the most effective and eye-opening things internal audit can do to discover whether the organization has a large-scale awareness issue. A good social engineering test consists of:<br></p><ul><li>Craft a phishing email similar to those used in common phishing scenarios.</li><li>Work with IT to set up a fake Web address to which the link is directed.</li><li>At the website, ask for sign-in credentials, but record only that credentials were entered; never store the submitted passwords themselves. </li><li>Send the email to employees and monitor who clicks on the link and enters their credentials.</li></ul><p><br><strong>Awareness</strong> Work with the human resources (HR) and information security departments to develop an effective information security awareness program. Employee awareness is the No. 1 way to deter email and phone phishing scams. Teach employees that while customer service is important, they should never bypass information security protocols to help customers unless they have verified through established procedures that they are truly communicating with a customer.  <br></p><p><strong>Hotline</strong> Include suspicious emails in the organization’s fraud reporting hotlines and procedures. Detecting fake emails is just as important as uncovering an employee who is misappropriating funds; the only difference is the means used to perpetrate the fraudulent activity. One way to encourage reporting is to place an icon on the email toolbar that allows users to easily report a suspicious message.    <br><br><strong>Audit Procedures</strong> Include questions in audits that ask about any unusual activity related to emails or phone calls. Giving system credentials to strangers is even worse than sharing credentials with other employees. 
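</p><p>The four testing steps above, implemented as an added example that is not part of the original article or of any tool the author describes: a small Python landing service for a phishing simulation. It issues each recipient a tracking link signed with an HMAC (so one employee cannot guess another employee’s link and skew the results), logs who clicked and who typed a password, and deliberately discards the password itself. The host name, campaign secret and recipient list are constructed assumptions, and requests are driven in-process so the example runs offline.</p>

```python
import hashlib
import hmac
import io
import time
from urllib.parse import parse_qs

# Assumptions: the per-campaign secret and the recipient list would normally
# come from the test's configuration; both are constructed here.
CAMPAIGN_SECRET = b"constructed-campaign-secret"
RECIPIENTS = {"u001": "a.smith@example.com", "u002": "b.jones@example.com"}

LOGIN_FORM = (b"<html><body><h2>Network performance test</h2>"
              b"<form method='post'><input name='username'>"
              b"<input name='password' type='password'>"
              b"<button>Run test</button></form></body></html>")
AWARENESS_PAGE = (b"<html><body><h2>This was a phishing test</h2>"
                  b"<p>Report messages like this through the fraud hotline.</p>"
                  b"</body></html>")


def make_token(user_id):
    """Tracking token: recipient id plus a truncated HMAC, so a recipient
    cannot guess or forge another recipient's link."""
    mac = hmac.new(CAMPAIGN_SECRET, user_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{user_id}.{mac}"


def verify_token(token):
    """Return the recipient id for an authentic token, else None."""
    user_id, _, mac = token.partition(".")
    if user_id not in RECIPIENTS:
        return None
    expected = make_token(user_id).partition(".")[2]
    return user_id if hmac.compare_digest(mac, expected) else None


def phishing_link(base_url, user_id):
    return f"{base_url}/login?t={make_token(user_id)}"


class Campaign:
    """WSGI landing page plus an in-memory event log for the audit report."""

    def __init__(self):
        self.events = []  # (unix time, recipient id, event name)

    def app(self, environ, start_response):
        method = environ["REQUEST_METHOD"]
        token = parse_qs(environ.get("QUERY_STRING", "")).get("t", [""])[0]
        user_id = verify_token(token)
        if environ.get("PATH_INFO") != "/login" or user_id is None:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found"]
        if method == "GET":
            self.events.append((time.time(), user_id, "clicked"))
            start_response("200 OK", [("Content-Type", "text/html")])
            return [LOGIN_FORM]
        if method == "POST":
            length = int(environ.get("CONTENT_LENGTH") or 0)
            form = parse_qs(environ["wsgi.input"].read(length).decode())
            # Log only that a password was typed; the value is dropped here.
            # The test measures behaviour and must not harvest credentials.
            if form.get("password", [""])[0]:
                self.events.append((time.time(), user_id, "submitted_credentials"))
            start_response("200 OK", [("Content-Type", "text/html")])
            return [AWARENESS_PAGE]
        start_response("405 Method Not Allowed", [("Content-Type", "text/plain")])
        return [b"method not allowed"]

    def summary(self):
        """Distinct recipients per event, for the awareness report."""
        users = {}
        for _, user_id, event in self.events:
            users.setdefault(event, set()).add(user_id)
        return {event: len(ids) for event, ids in sorted(users.items())}


def simulate_request(app, method, path, query="", body=b""):
    """Drive the WSGI app in-process with a constructed request."""
    status = []
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    out = b"".join(app(environ, lambda s, h: status.append(s)))
    return status[0], out


def run_demo():
    """One recipient clicks and submits; a forged token is rejected."""
    campaign = Campaign()
    query = phishing_link("https://perf-test.example.net", "u001").split("?", 1)[1]
    simulate_request(campaign.app, "GET", "/login", query)
    simulate_request(campaign.app, "POST", "/login", query,
                     b"username=a.smith&password=hunter2")
    forged_status, _ = simulate_request(campaign.app, "GET", "/login",
                                        "t=u002.0000000000000000")
    return campaign, forged_status


if __name__ == "__main__":
    campaign, _ = run_demo()
    print(campaign.summary())
```

<p>Requests with a missing or forged token get a 404 rather than the form, so curious colleagues forwarding each other’s links cannot inflate the click count. The event log holds only recipient ids and event names; the awareness report is built from <code>summary()</code> and the cleartext password never reaches storage or a log line.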
<br></p><p>In addition to these items, advise information security and HR to enact these procedures:  <br></p><ul><li>Do not allow personal email to be sent to or from work addresses. This limits the number of suspicious emails and helps deter internal fraud by disgruntled employees emailing sensitive company data to their personal email.</li><li>Monitor all email sent to noncorporate email addresses.</li><li>Recommend tools that have aggressive and effective spam filters to weed out spam and emails sent out through automated email generators.</li><li>Enforce a formal email or computer use policy.</li><li>Do not allow executive privilege to dictate email policy, which can circumvent the measures the information security function has implemented to protect the organization. Executives and senior managers are just as likely as other employees to click on a phishing message. </li><li>Never pre-announce social engineering tests. The element of surprise is important. Testing the awareness level will only be successful if it’s performed under true conditions. </li></ul><h2>Minimizing the Threat</h2><p>Internal audit has a role to play in an organization’s social engineering defenses. While it is primarily an information security responsibility, awareness, monitoring, and setting up and recommending controls are all activities that internal audit can actively be involved with to minimize the chance that the organization’s systems are breached. In addition, auditors should help detect and minimize conditions that exist for social engineering fraud. Cybercrimes are now one of the new “misappropriation of assets” frauds within organizations. The asset being misappropriated is customer and company private information, and the repercussions to the organization can be devastating.  <br></p>Kenneth Pyzik
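<p>The recommendation above to monitor all email sent to noncorporate addresses, as an added example that is not part of the original article: a Python check that runs over an outbound-mail log and flags messages to external recipients, raising the severity when the recipient domain is a personal webmail provider, the recipient mailbox looks like the sender’s own personal address (the disgruntled-employee case the article describes), or the message is unusually large. The log format, the corporate domain list and the size threshold are constructed assumptions; the log lines are constructed sample data.</p>

```python
import re
from collections import Counter

# Assumptions: the organisation's own domains and the large-message threshold
# are configuration; the values here are constructed for the example.
CORPORATE_DOMAINS = {"example.com"}
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
LARGE_MESSAGE_BYTES = 1_000_000

# Constructed sample of an outbound mail log; not real traffic.
SAMPLE_LOG = """\
2015-09-14T08:12:03 from=j.doe@example.com to=pm@vendor.example.org size=18342 subject="PO 4412"
2015-09-14T08:40:11 from=j.doe@example.com to=jdoe88@gmail.com size=2485761 subject="Q3 customer list"
2015-09-14T09:02:45 from=k.lee@example.com to=k.lee@example.com,ops@example.com size=9001 subject="shift plan"
2015-09-14T09:15:20 from=m.ross@example.com to=m.ross@outlook.com size=4120 subject="reminder"
2015-09-14T09:30:00 from=m.ross@example.com to=mross@yahoo.com size=3310 subject="board pack"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<to>\S+) '
                     r'size=(?P<size>\d+) subject="(?P<subject>[^"]*)"$')


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def local_part_key(addr):
    """Normalise a mailbox name so j.doe, jdoe and jdoe88 compare equal."""
    return re.sub(r"[^a-z]", "", addr.split("@", 1)[0].lower())


def classify(entry):
    """Return one finding per non-corporate recipient of this message."""
    findings = []
    for rcpt in entry["to"].split(","):
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in CORPORATE_DOMAINS:
            continue
        reasons = ["external recipient"]
        if domain in WEBMAIL_DOMAINS:
            reasons.append("personal webmail domain")
        if local_part_key(rcpt) == local_part_key(entry["sender"]):
            reasons.append("recipient looks like the sender's own personal mailbox")
        if int(entry["size"]) > LARGE_MESSAGE_BYTES:
            reasons.append("large message")
        severity = "high" if len(reasons) >= 3 else "medium" if len(reasons) == 2 else "low"
        findings.append({"ts": entry["ts"], "sender": entry["sender"], "recipient": rcpt,
                         "subject": entry["subject"], "severity": severity,
                         "reasons": reasons})
    return findings


def analyse(text):
    """All findings plus a per-sender count of medium/high findings for follow-up."""
    findings = [f for entry in parse_log(text) for f in classify(entry)]
    per_sender = Counter(f["sender"] for f in findings if f["severity"] != "low")
    return findings, per_sender


if __name__ == "__main__":
    found, counts = analyse(SAMPLE_LOG)
    for f in found:
        print(f["severity"].upper(), f["ts"], f["sender"], "->", f["recipient"],
              "|", "; ".join(f["reasons"]))
    print(dict(counts))
```

<p>On the sample, the purchase order to the vendor is a low-severity external send, while the three messages to personal mailboxes that mirror the sender’s name are rated high. The per-sender count is what feeds the hotline and investigation process; the thresholds and the webmail list are the knobs to tune against the organization’s own traffic before alerting on it.</p>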
Auditing the Internet of Things<p>The Internet of Things (IoT) is poised to become an integral part of everyone's lives in the not-too-distant future. From coffee machines churning out the kind of coffee people want depending on their mood, to their automobile switching on by itself and adjusting the climate control as they approach it on a weekday morning, the IoT potentially could make people's lives easier as their devices generate data and communicate with each other over the Internet (see "A World of Smart Things," below right). </p><p>The definition of the IoT has evolved over time. <a href="" target="_blank">TechTarget</a> describes the IoT as "a scenario in which objects, animals, or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction." </p><p>The big question is, does the IoT have a similar outlook for organizations? The answer is that the possibilities are limitless, which is why many organizations already have started to adopt the IoT. Internal auditors should evaluate the operational and financial risks that the IoT can expose their organizations to and provide assurance that those risks are controlled appropriately. </p><h2>Auditors as IoT Advisers</h2><p>For organizations that are not yet fully awake to the IoT, an internal audit function can advise management on the importance, benefits, and competitive edge that the IoT can bring to the enterprise. Auditors can demonstrate to management how the IoT can be implemented in processes such as sales distribution and inventory control. Moreover, they can facilitate brainstorming sessions with management and perform research to understand how the IoT can be used within the organization's specific operating environment. 
That said, while performing such advisory services, internal auditors should maintain their objectivity and not assume management responsibility.</p><h2>Assurance on New Risks</h2><p>Management and internal auditors need to fully acknowledge that although the IoT can bring many rewards, it also introduces numerous risks. Inadequate understanding of the risk environment or applicable controls can lead to disaster for the organization. Furthermore, given the rapid development and advancement of the IoT, the associated risks and controls also are changing and evolving rapidly. Internal auditors need to stay abreast of IoT developments and advancements to be able to assess the risks and controls in their organization. </p><p>The first step for auditors is conducting a risk assessment of the IoT in use in their organization. Specific risks will depend on the nature of the IoT systems the organization has deployed and the overall business process they support. </p><table cellspacing="0" width="100%" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;"><p> <span style="line-height:1.6;"> <strong>A World of Smart Things</strong></span></p><p>According to the Deloitte publication <a href="" target="_blank"> <span style="color:#000066;">TMT Predictions 2015 — The Internet of Things Really Is Things, not People</span></a>, 60 percent of all IoT devices will be paid for and used by enterprises and industries in 2015. Furthermore, enterprises and industries will generate 90 percent of IoT services revenue this year.</p><p>"The development of the Internet of Things is expected to surge in the coming years," says Stéphane Richard, CEO of Paris-based telecommunications company Orange S.A., in a <a href="" target="_blank"> <span style="color:#000066;">September 2015 </span> <em style="color:#000066;"> <span style="color:#000066;">M2M Magazine</span></em><span style="color:#000066;"> article</span></a>. 
"By 2020, we believe that there will be more than 25 billion objects connected in the world." </p><p>The two studies listed below illustrate the depth and breadth of possible gains from adopting the IoT:</p><ul><li> <a href="" target="_blank"><span style="color:#000066;">"Case Study: RAC Using M2M to Cut Fuel Costs by 17%,"</span></a> <em>M2M Magazine</em>, May 8, 2014. </li><li> <a href="" target="_blank"> <span style="color:#000066;">"The Spanish City of Santander to Become a Global Smart City,"</span></a> by Maria Gonzalez, <em>Mobile World Capital</em>, Nov. 11, 2013. </li></ul></td></tr></tbody></table><p>Internal auditors can start by looking at these areas:</p><ul><li> <strong>Security.</strong> IoT systems are connected to the Internet, so they are prone to attacks from cyber criminals and hacktivists. Seventy-two percent of global IT and cybersecurity professionals surveyed by ISACA say there is a medium or high likelihood that an organization will be hacked through an IoT device. Among other information security audit procedures, IT auditors should perform a vulnerability assessment of such devices and consider conducting penetration tests on those systems periodically. Results of these procedures should be used to strengthen the security of IoT systems, where necessary. Auditors should carefully consider where third parties are involved to support IoT systems and assess whether third parties have adequate security controls in place to protect data residing in IoT systems. Furthermore, they should assess the adequacy of the encryption IoT systems use for communication. </li></ul><ul><li> <strong>Resilience.</strong> IoT systems may support a business process that is critical or time-bound, such as the delivery of perishable goods. IT auditors should assess whether controls are in place to recover IoT systems in the event of a failure. 
Auditors should determine whether management understands the potential business impact of an IoT system outage and whether appropriate and adequate policies, procedures, and processes are in place to recover affected business processes in a timely manner in the event of an outage or disaster.<br> </li><li> <strong>Health and Safety.</strong> Many of today's IoT systems can pose a serious threat to human life and safety if they fail or are compromised. Examples include implantable biomedical devices, such as pacemakers and defibrillators, and assembly line robots at a manufacturing facility. An important area internal auditors should assess is whether such IoT systems have undergone sufficient testing using appropriate test cases before being deployed into production. Furthermore, controls should be in place to ensure adequate testing is performed before upgrades, patches, and changes are made to IoT systems where health and safety is a significant risk.<br> </li><li> <strong>Monitoring.</strong> As with any other system, controls should be in place to monitor whether IoT systems are functioning as intended. Internal auditors should assess whether adequate monitoring controls are in place and whether all such controls have been operating effectively over time. Furthermore, auditors should assess whether exceptions and failures that occur are logged appropriately and resolutions to incidents are recorded in a timely manner. Auditors also should assess whether management has a process that takes recurring incidents into account and analyzes their root causes. <br> </li><li> <strong>Scoping of IoT systems.</strong> Because many vendor-provided IoT systems can be simple to implement, some systems may be deployed by business units without the IT department's involvement. For example, fire detection systems in enterprise facilities may have IoT capability that the IT department does not know about and that risk management professionals and internal auditors may not notice. 
Auditors should be vigilant about where and when IoT systems are deployed by different departments at the organization and prioritize IoT systems audits according to their criticality and sensitivity. </li></ul><h2>Realizing the Benefits</h2><p>It's likely that the need to perform sound audits of IoT systems will grow at organizations in all industries worldwide. Internal audit departments should gear up for the challenge of ensuring that controls related to risks of IoT systems are operating effectively. Although there is a diverse range of IoT systems in service today, auditors can use the five areas above as a guide to planning and executing an IoT systems audit. However, they should keep an open mind to understand the overall context in which a particular IoT system operates and develop creative ways to perform their audits depending on that system's specific functionality. Such internal audits can help position organizations to realize the full benefits of the IoT.</p>Syed Salman
The Difference Between IT GRC and IT Security<p>My congratulations to Michael Rasmussen for <a href="" target="_blank">his new post</a> on this topic. While a more interesting discussion could be held on whether there is a difference between "IT security," "information security," and "cyber," he makes a number of very valid points.</p><p>I especially like that he has quoted ISACA on the definition of <em>IT governance</em>.</p><p>Michael makes the very important point that when it comes to technology, there is far more to manage — risks and all — than security.</p><p>I would add that executives and the board need to balance investment in cyber against investment in new technology and other business initiatives. This can only be done when there is an informed understanding of the value realized — which includes risk reduction — in each of the investment options.</p><p>Of course, managing IT or technology in a silo is a recipe for failure. That is why I am not a fan of the concept of IT GRC. Michael "gets it," knowing him as I do and noticing his reference to business objectives.</p><p>What do you think? Is Michael right? Is this a useful discussion?</p>Norman Marks
Preparation for a Data Breach<p>In April 2015, the U.S. Department of Justice (DOJ) published guidance on cybersecurity preparedness and incident response entitled <a href="" target="_blank">Best Practices for Victim Response and Reporting of Cyber Incidents</a> (PDF). The guidance sets out expectations for organizations in preparing for and following up on a data breach. Information gathered by the breached organization can assist external agencies such as the DOJ or the U.S. Federal Bureau of Investigation in performing their investigations. </p><p>The guidance was drafted by the Cybersecurity Unit of the DOJ Criminal Division's Computer Crime and Intellectual Property Section. It reflects lessons learned by federal prosecutors and incorporates input from the private sector. The guidance's overall focus includes:</p><ul><li>Identifying the criticality of data assets and associated levels of protection.</li><li>Creating an actionable plan for handling intrusions.</li><li>Implementing appropriate cybersecurity technologies and services. </li><li>Using appropriate authorizations to permit network monitoring.  </li><li>Ensuring internal and external legal counsel are familiar with cyber activities.</li><li>Aligning policies with incident-response plans.</li><li>Engaging law enforcement.</li><li>Establishing relationships with cyber information-sharing organizations.</li></ul><p>Organizations that have created preparedness and incident-response plans may want to incorporate the DOJ's guidance in their plans. Internal auditors can assist their organization by performing an independent evaluation of its current plans based on this guidance. <a href="/2015/SiteAssets/preparation-for-a-data-breach/DOJ_Audit%20Program.pdf">Click here</a> (PDF) to view an audit program that describes the major topics detailed in the guidance and potential audit tests that internal auditors can include in their reviews.</p>James Reinhard
Consolidated Audit Programs<p>Organizations contend with a long list of regulations, laws, and requirements that subject them to many external audits for compliance. Internal audit departments overlay their own operational audits around the financial reporting process, project assurance, and other areas. Because of internal auditors’ role in scheduling such reviews and exchanging information with external auditors, they can help rein in the inefficiencies of back-to-back external audits. <br></p><p>One way internal audit departments can manage competing requirements and purposes is a consolidated audit program (CAP) that provides audit efficiency and helps manage audit risk. A CAP weaves together multiple audits across many domains through detailed control mapping, audit plan development, and scope synchronization. Audit once and use for many is the basic principle of this approach. Appropriate use of technology helps make the large number of requirements and controls more manageable. <br></p><h3>Governance Needs</h3><p>Before going out with a request for proposal for multiple consolidated compliance audits, internal audit should prime the organization to create a structure that is capable of using the CAP approach. This approach will require buy-in from all key stakeholders, including those who sign off on compliance reports and the control owners responsible for performing the controls. <br></p><p>Early in the process, internal audit should identify those control owners through a mapping exercise. Specifically, auditors should be aware of the precise origin of the control for each domain, as well as the higher risk controls that are common across two or more domains, because a failure of a common control would impact multiple compliance domains. 
Because access control, change management, logging, backups, and other IT processes cut across so many audits, the IT portion is often the area that receives the greatest number of repetitive audits.<br></p><p>A key aspect in this mapping is selecting one compliance domain to be the anchor for the process. In all multi-compliance audits, the various standards compete for attention, and it helps to have a structure with a clear leader. <br></p><p>Once the compliance audits begin, internal audit should be the central point of contact between the external auditor and the control owner. This can save time because the internal auditor is screening requests for both evidence and interviews before they reach the control owner. Internal audit should have a reporting dotted line, or a direct line, to the compliance manager to provide an escalation point when things get difficult. Finally, internal audit should control the pace of the CAP approach because it is closely attuned to the culture of the organization and can match the CAP objectives with the organization’s readiness.<br></p><h3>Mapping Controls</h3><p>The actual CAP begins by working with control owners to map controls, often aided by technology. For example, an appropriately formatted spreadsheet with the original citation from each domain can be mapped to controls, and vice versa. This data set may contain hundreds, if not thousands, of rows. It should label the IT controls that impact more than one domain. The IT controls form the foundation for many domains, and getting those organized can enable the process to go by quickly. This output also is key to explaining to stakeholders why the controls are required and provides supplemental information about where any common controls came from and what each domain may require.<br></p><p>However, this mapping exercise can drown organizations in a sea of documents, standards, rules, laws, and mismatched formatting that is prone to human error. 
The task should not be outsourced or conducted by someone who lacks knowledge of the organization — it needs to be a core exercise that obtains buy-in from the organization and forms the foundation of the CAP approach. When using existing IT frameworks, organizations should dedicate a minimum of three months to this endeavor. Some software tools can provide extracts across domains and ideally identify the common controls.  <br></p><h3>Aligning the Examination Windows</h3><p>CAP builds on the control mapping by identifying the over-arching examination windows for each domain to align these as much as possible. Internal audit should consider the time period of examination (e.g., six months, 12 months, or rolling three-year periods), the sample sizes dictated by each domain, due dates for the compliance reports, and the type of credentials required to perform each audit. For example, ISO 27001 restricts how much of its audit output can be re-used by other audit teams, and the Payment Card Industry Data Security Standard (PCI DSS) prohibits work that is not performed by someone with the Qualified Security Assessor credential. Internal audit departments should treat CAP as they would any other audit plan.<br></p><h3>Identify Audit Overlaps</h3><p>Once internal audit has identified the eligible compliance domains, it should review the overlap of controls. This review should identify the common controls and consider the timing of those controls. For example, if a risk assessment should be performed annually, the control should occur when other domains can benefit from its timing. <br></p><p>All compliance domains must be mapped back to the controls required by each standard and harmonized controls should be rolled into the mapping. Harmonized controls are important because they are abstract enough to fit multiple compliance domains, but specific enough to be readable by control owners. 
The mapping should be detailed in a way that the source language can be traced to the harmonized control relationship. The overlap between compliance areas is usually between 8 percent and 24 percent, with most common controls coming from the IT area. <br></p><h3>Sequence Audits</h3><p>The CAP approach will require accurately identifying the time line required by each compliance domain and the reporting period. These need to be aligned as closely as possible to obtain maximum benefits. First, internal audit should evaluate each domain to understand whether it requires testing at a point in time, such as PCI DSS and Service Organization Control (SOC) Type I, or over a period of time such as the U.S. Health Insurance Portability and Accountability Act and SOC Type II. Not all compliance areas will test the full populations annually. For example, the U.S. Federal Risk and Authorization Management Program requires that an external auditor test all controls in year one to form the baseline, but only a subset of those controls — focused on monitoring the baseline — must be tested in subsequent years.<br></p><h3>Saving Time and Money</h3><p>Completing each stage in the CAP process can prepare the organization to reduce inefficiencies from multiple external audits. Investing 200 to 300 hours to develop the CAP can enable the organization to prepare for a single external auditor, as well as clarify requirements that can be documented in a bid process to ensure that it gets the best auditor capable of maximizing time savings. Organizations that undertake the CAP approach can save between 1,000 and 10,000 hours annually because the compliance auditors will use less of the organization’s time, which could save them as much as US$500,000. <br></p>Carlos Pelaez
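<p>The control-mapping step described in the consolidated audit program article above (citation from each domain mapped to a harmonized control, common controls labelled, IT controls that span domains identified, and source language traceable from the harmonized control) is easy to get wrong in a spreadsheet. The following is an added example, not code from the article or its author, that does the same mapping in Python over a constructed set of rows. The domains, harmonized control identifiers (HC-*), the anchor-domain coverage calculation, and the citation strings are assumptions made for the example; citation numbers must be checked against the current text of each standard before they are used in a real mapping.</p>

```python
"""Control mapping for a consolidated audit program (CAP).

Added example, not code from the article. Each source citation from a
compliance domain is mapped to a harmonized control, common controls (those
satisfying more than one domain) are identified, IT controls that span
domains are labelled, and every harmonized control can be traced back to its
source language. The rows below are constructed sample data and the citation
identifiers are illustrative (assumption), not a vetted crosswalk.
"""
from collections import defaultdict

# Constructed rows: (domain, citation, source language, harmonized control, is_it_control)
MAPPING_ROWS = [
    ("PCI DSS", "Req 8.1", "Assign a unique ID to each person with computer access", "HC-AC-01", True),
    ("SOC 2", "CC6.1", "Logical access controls restrict access to authorized users", "HC-AC-01", True),
    ("HIPAA", "164.312(a)(2)(i)", "Assign a unique name or number to identify each user", "HC-AC-01", True),
    ("PCI DSS", "Req 6.4", "Follow change control processes for system changes", "HC-CM-01", True),
    ("SOC 2", "CC8.1", "Changes to infrastructure and software are authorized and tested", "HC-CM-01", True),
    ("PCI DSS", "Req 3.4", "Render stored PAN unreadable", "HC-DP-01", True),
    ("HIPAA", "164.308(a)(1)(ii)(A)", "Conduct an accurate and thorough risk analysis", "HC-RA-01", False),
    ("SOC 2", "CC3.2", "Identify and analyze risks to the achievement of objectives", "HC-RA-01", False),
    ("SOX 404", "ITGC-LOG-01", "Privileged activity on financial systems is logged and reviewed", "HC-LG-01", True),
    ("SOC 2", "CC7.2", "Monitor system components and log anomalies", "HC-LG-01", True),
    ("SOX 404", "ELC-01", "A code of conduct is maintained and acknowledged", "HC-GV-01", False),
    ("HIPAA", "164.308(a)(7)", "Establish a contingency plan", "HC-BC-01", False),
]


def build_control_map(rows):
    """Index source rows by harmonized control id."""
    cmap = defaultdict(list)
    for domain, citation, text, hid, is_it in rows:
        cmap[hid].append({"domain": domain, "citation": citation, "text": text, "is_it": is_it})
    return dict(cmap)


def domains_for(cmap, hid):
    return sorted({r["domain"] for r in cmap[hid]})


def common_controls(cmap):
    """Harmonized controls that satisfy more than one compliance domain."""
    return sorted(hid for hid in cmap if len(domains_for(cmap, hid)) > 1)


def overlap_ratio(cmap):
    """Share of harmonized controls that are common to two or more domains."""
    return len(common_controls(cmap)) / len(cmap)


def shared_it_controls(cmap):
    """Common controls that every source labels as an IT control: the ones most
    likely to be audited repeatedly and therefore worth testing once for all."""
    return [hid for hid in common_controls(cmap) if all(r["is_it"] for r in cmap[hid])]


def trace(cmap, hid):
    """Trace a harmonized control back to each domain's source language."""
    return [(r["domain"], r["citation"], r["text"]) for r in cmap[hid]]


def anchor_coverage(cmap, anchor):
    """For each non-anchor domain, the fraction of its harmonized controls that
    the anchor domain's audit would already exercise."""
    by_domain = defaultdict(set)
    for hid, rows in cmap.items():
        for r in rows:
            by_domain[r["domain"]].add(hid)
    anchor_set = by_domain[anchor]
    return {d: len(ids & anchor_set) / len(ids)
            for d, ids in by_domain.items() if d != anchor}


if __name__ == "__main__":
    cmap = build_control_map(MAPPING_ROWS)
    print("common controls:", common_controls(cmap))
    print("overlap: %.0f%%" % (100 * overlap_ratio(cmap)))
    print("shared IT controls:", shared_it_controls(cmap))
    for line in trace(cmap, "HC-AC-01"):
        print("  ", line)
    print("anchor coverage (SOC 2):", anchor_coverage(cmap, "SOC 2"))
```

<p>With only twelve constructed rows the overlap comes out far higher than the 8 to 24 percent the article reports for real programs; the point of the example is the structure, in particular that <code>trace()</code> preserves the source language for each harmonized control and that <code>anchor_coverage()</code> quantifies how much of each other domain a chosen anchor domain's audit would already cover.</p>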
Gauge Your Analytics<p>Long a staple of internal audit, data analytics is no longer a nice-to-have, but a requirement. Internal auditors now have the ability to gain insights from, and test correlations with, a vast array of information on the Internet, which can be as diverse as competitor information, regulatory filings, and conversations on social media. Data analytics provide internal auditors with the potential to deliver oversight, insight, and foresight. </p><p>Analytics can help auditors examine the audit entity from a data-driven perspective (what does the data reveal about the audit entity?), drive understanding of the risks (what is happening?), and generate insight (why is it happening?). It also provides auditors with the ability to perform prescriptive analytics to develop recommendations to address issues, as well as predictive tools to look at what will happen and help to prepare for it. And yet, study after study has shown that the data analytics capabilities of internal audit functions consistently fall below what is desired and even what is required. <br></p><p>The implementation and improvement of data analytics are the most significant challenges for audit departments. Fifty-two percent of respondents identify the advancement of their data analytics capabilities as a high or very high priority for 2015, while an additional 35 percent rate it as a moderate priority, according to the Corporate Executive Board Audit Leadership Council’s 2015 Audit Department Challenges and Priorities.<br></p><p>The key to ensuring that data analytics has the best chance of success lies in managing the people, processes, and technology aspects of the initiative. The three are integral to any effort to develop data analytics and must be considered both separately and as a whole.<br></p><h2>People</h2><p>When it comes to people, there are several questions to address. 
Should each audit team be responsible for developing its own analytics capabilities or should there be a data analytics function that supports the audit teams? Can the department afford to have one or more people dedicated to data analytics, particularly if it’s a small internal audit function? Audit functions seeking to develop an analytics capability have a better chance of success if they create a separate analytics function, even if it is one person who has responsibility to support the audit teams in the analysis requirements. Support includes identifying data sources, obtaining and verifying the integrity of the required data, and assisting in performing the analysis. As audit functions move along the data analytics maturity curve, audit teams can take more responsibility for data analysis, and the analytics function will shift to providing complex analysis and verifying the integrity of the analysis performed by the audit teams.<br></p><table width="100%" cellspacing="0" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;"><strong>​IT Skills Needed in an Analytics Function</strong><br><br>In addition to internal auditing, critical thinking, problem solving, and business acumen, the analytics function should have other IT skills:<br><br><ul><li>Understanding of data concepts (data elements, record types, database types, and data file formats). </li><li>Understanding of logical and physical database structures.</li><li>The ability to communicate effectively with IT and related functions to achieve efficient data acquisition and analysis.</li><li>Ability to perform ad hoc data analysis as required to meet specific audit objectives. </li><li>Ability to design, build, and maintain well-documented, ongoing automated data analysis routines. 
</li><li>Ability to provide consultative assistance to others who are involved in applying analytics.</li></ul></td></tr></tbody></table><p>With this approach, the next question should address the level and experience of the person that should be part of the analytics function. A related question is: Should an auditor be taught programming (data extraction and analysis) or should a programmer be taught to audit? Failures in this area have one thing in common — management did not assign the right person or people to the task. “The greatest success is usually achieved when there is a specialized analytics function with responsibilities dealing with the technical aspects of the audit analytics process,” says John Verver, global director of analytics strategy at Denver-based High Water Advisors. Too often, a junior programmer with limited or no audit experience — addressing only the IT aspects of the job — is assigned to develop the analytics function. Given the nature of the task — dealing with business process owners, system programmers, and audit team leaders — the analytics function must be staffed at the appropriate level and with the necessary experience. The biggest hurdle is having the business process knowledge to identify the types of analytics to run. According to David Cotton, chairman of Cotton & Co., an audit and accounting firm in Alexandria, Va., there are basically two skills necessary to execute analytics: 1) business knowledge to define what analyses should be run and to be able to follow up on results; and 2) the technical skill set to obtain, cleanse, massage, and produce analysis results from the data. (See “IT Skills Needed in an Analytics Function” at right). <br></p><p>The size of the analytics function will depend on the size of the audit function overall, as well as the analyses to be performed and the types of technical expertise and experience that are available in the audit organization. 
If responsibility is assigned to a single person, he or she must be, at a minimum, the equivalent of audit team leader level and must have both data extraction and analysis experience and audit experience. This will mean hiring someone with the required skills if they do not exist in-house. As the use of data analytics increases, the analytics function can grow, adding junior levels, a career path, and mobility to the function.<br></p><p>The analytics function will offer a single point of contact for all technology-related requests and ensure that requests from management and team members are addressed in a timely manner. Members of this group must be visible to all auditors and knowledgeable of, and responsive to, their specific needs. At the same time, the analytics function must be proactive in recognizing opportunities for the application of data analysis and in marketing existing and new applications of technology. A common pitfall is restricting analysis to the traditional audit box. “Data analytics can be used for more than simple sampling or the audit of financial statement amounts,” says Chris Pembrook, senior manager at Crawford & Associates in Oklahoma City. “It can be implemented into operational programs, grants and contributions, compliance, fraud prevention and detection, and other areas, as well.” <br></p><p>For example, in an audit of the readiness of a U.S. Army unit for deployment on a combat mission, an audit program included interviews with soldiers and commanders at various levels to ask about readiness. The analytics specialist suggested using data analysis to determine whether all the troops had received the necessary training (e.g., nuclear biological warfare and hand-to-hand combat), if all the necessary equipment (e.g., tanks and personnel carriers) was operational, and if the unit had the full complement of soldiers at all levels and occupations (e.g., private, sergeant, demolitions experts, mechanics, and combat forces). 
The results provided the team leader with questions that focused on the gaps in the unit’s capabilities and produced more relevant audit results than simply asking if the unit was ready.<br></p><h2>Processes</h2><p>Data analytics needs to be fully integrated into the internal audit process. Ensuring that data analytics are embedded in the audit process will require support from all levels, starting with the CAE. Management will have to reinforce the use of analytics, the data analytics function will have to market its services, team leaders will have to be challenged by management, and team members will have to employ analytics. The CAE should establish goals for the implementation and use of data analytics, and these should be communicated to the entire audit team. It should be clear that data analytics will support the audit planning processes (examining the controls, risks, and business processes), the audit phase (testing controls, drilling down into the risks, and assessing the effectiveness of the business process), and the reporting phase. Cotton adds, “Identifying business processes, IT systems, data sources, and potential analytics should be discussed and considered not only during planning, but also throughout the engagement.” <br></p><p>“Key in obtaining buy-in is to include auditors in identifying areas or tests that the analytics group will assist in developing for the audit,” says Pembrook. Initially, it will be important to highlight success stories and educate managers and team leaders about what is possible. Improving on the traditional audit approach of sampling, auditors can benefit from the implementation of data analytics to allow for more precise identification of control deficiencies, noncompliance with policies and procedures, and areas of high risk. 
Pembrook says these same analytics could then be used to ensure appropriate management follow-up has occurred by elevating the identified deficiencies or implementing continuous auditing procedures in areas of higher risk.<br></p><p>While analytics can produce significant benefits, the inappropriate introduction of technology can also have serious negative consequences. In many audit organizations, credibility is a valued, but fragile, commodity. Internal audit must continually demonstrate the value and utility of its work by producing high-quality, timely audits in areas of high risk. The incorrect use of technology and data analysis could produce erroneous conclusions and damage the credibility of the audit organization with its clients. It also could make any subsequent attempt to use analytics more difficult. <br></p><p>The successful use of technology-enabled audit tools and techniques can enhance the credibility of the audit organization and provide an improved level of service. For example, with data analytics, internal audit can consider not only control weaknesses, but also opportunities to streamline business processes, maximize the organization’s use of technology, and focus senior management on the areas of highest risk. Thus, rather than simply confirming that physical inventory levels match what is recorded in the system, inventory audits also should examine the efficiency of the inventory management system and the adequacy of the IT controls. One such inventory audit identified a failure to configure automatic reorder functionality that resulted in inventory clerks having to manually process reorder requests. It also identified obsolete inventory that was taking up valuable warehouse space and causing delays in getting parts to equipment that needed critical repairs. Finally, it identified economic reorder quantities that had not been updated to reflect current usage and purchase requirements. 
<br></p><p>Recommendations included the enhancement of the system’s reporting capabilities to support the identification and removal of obsolete inventory, and the reconfiguring of economic reorder quantities and automatic reordering functionality, which resulted in significant improvements to the inventory management system. Rather than simply counting and confirming the number of items in inventory, the inclusion of IT audit objectives resulted in recommendations that reduced storage requirements and inventory management costs that improved the management of information to support decision-making. This, in turn, contributed to increased efficiencies in the inventory systems. The audit saved the organization hundreds of millions of dollars and was more valuable than an audit telling management that 14 widgets were missing.<br></p><h2>Technology</h2><p>The most important questions surrounding technology are whether audit software should be purchased and what the cost will be. To answer these questions, internal audit needs to understand what analytics are already in place before embarking on efforts to develop its own analysis routines. “The existence of data warehouses and business intelligence (BI) tools should be investigated before deciding whether to invest in independent analytics,” says Norman Marks, a San Jose, Calif.-based former CAE at major global corporations and blogger. The organization may already be producing reports that can be adapted for audit use. Auditors should obtain read-only access to application systems and the ability to run standard reports and access and use data warehouse and BI tools. If additional analytical capabilities are required, Microsoft Excel and Access can be useful in some circumstances, though with some limitations (such as the absence of an audit log and the inability to access certain types of files).  
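</p><p>The inventory audit described above found auto-reorder functionality that was never configured, obsolete stock occupying warehouse space, and economic reorder quantities that no longer reflected current usage. The following is an added example, not code from the article or its author, showing what the data-driven side of that audit looks like as three repeatable tests over a constructed item-master extract. The records, field names, the 365-day idle threshold, the ordering and holding cost figures used to recompute EOQ, and the 25 percent tolerance are all assumptions made for the example; in a real engagement they come from the inventory system and from management. It also shows one way of honing early results, as the article recommends, by excluding items management has already marked as discontinued so that known exceptions are not reported again.</p>

```python
"""Inventory audit analytics over constructed sample data.

Added example, not the article's own code. Three data-driven tests: items at
or below their reorder point that the system did not reorder, obsolete stock,
and economic order quantities (EOQ) that no longer match current usage.
All records, field names, costs and thresholds are assumptions.
"""
from datetime import date
from math import sqrt

AS_OF = date(2015, 11, 1)  # assumed audit cut-off date

# Constructed item master extract (not real data).
ITEMS = [
    {"item": "P-1001", "status": "active", "on_hand": 4, "reorder_point": 10,
     "auto_reorder": False, "open_po": False, "last_movement": date(2015, 9, 30),
     "eoq": 50, "monthly_usage": 40, "unit_cost": 12.0},
    {"item": "P-1002", "status": "active", "on_hand": 3, "reorder_point": 5,
     "auto_reorder": True, "open_po": True, "last_movement": date(2015, 10, 15),
     "eoq": 155, "monthly_usage": 40, "unit_cost": 12.0},
    {"item": "P-2001", "status": "active", "on_hand": 120, "reorder_point": 10,
     "auto_reorder": True, "open_po": False, "last_movement": date(2013, 6, 1),
     "eoq": 20, "monthly_usage": 0, "unit_cost": 200.0},
    {"item": "P-2002", "status": "discontinued", "on_hand": 50, "reorder_point": 20,
     "auto_reorder": True, "open_po": False, "last_movement": date(2014, 10, 1),
     "eoq": 30, "monthly_usage": 2, "unit_cost": 50.0},
    {"item": "P-3001", "status": "active", "on_hand": 8, "reorder_point": 10,
     "auto_reorder": False, "open_po": False, "last_movement": date(2015, 10, 20),
     "eoq": 40, "monthly_usage": 10, "unit_cost": 30.0},
]


def active(items):
    # Discontinued items are already under disposal (assumed); excluding them
    # removes a known source of false positives from the early runs.
    return [i for i in items if i["status"] == "active"]


def unreordered_below_reorder_point(items):
    """Items at or below reorder point with no open purchase order. The
    auto_reorder flag tells the auditor whether the likely cause is a missing
    system configuration or a failed manual process."""
    return [(i["item"], i["auto_reorder"]) for i in active(items)
            if i["on_hand"] <= i["reorder_point"] and not i["open_po"]]


def obsolete_stock(items, as_of=AS_OF, max_idle_days=365):
    """Stock on hand with no movement for more than max_idle_days (assumed)."""
    return [i["item"] for i in active(items)
            if i["on_hand"] > 0 and (as_of - i["last_movement"]).days > max_idle_days]


def stale_eoq(items, order_cost=75.0, holding_rate=0.25, tolerance=0.25):
    """Recompute EOQ = sqrt(2*D*S/H) from current usage (D = annual demand,
    S = ordering cost, H = annual holding cost per unit) and flag items whose
    stored EOQ differs from it by more than the tolerance. S, holding rate
    and tolerance are assumed values."""
    findings = []
    for i in active(items):
        annual_demand = 12 * i["monthly_usage"]
        holding_cost = holding_rate * i["unit_cost"]
        if annual_demand == 0 or holding_cost == 0:
            continue  # no usage: an obsolescence question, not an EOQ one
        expected = sqrt(2 * annual_demand * order_cost / holding_cost)
        if abs(i["eoq"] - expected) / expected > tolerance:
            findings.append((i["item"], i["eoq"], round(expected)))
    return findings


def run_inventory_analytics(items, as_of=AS_OF):
    return {
        "unreordered": unreordered_below_reorder_point(items),
        "obsolete": obsolete_stock(items, as_of),
        "stale_eoq": stale_eoq(items),
    }


if __name__ == "__main__":
    for test, result in run_inventory_analytics(ITEMS).items():
        print(test, result)
```

<p>Each test returns the item identifiers and the facts behind the exception rather than a count, so the auditor can take the list straight to the process owner and, once agreed, rerun the same tests as a continuous auditing procedure.</p>
<p>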
<br></p><p>“As analytics become an integral part of the audit process and more complex, the need for a more robust software package to support data analytics increases,” Cotton explains. In practice, the use of specialized audit analysis software has distinct advantages — particularly in terms of logging, repeatability of tests and efficient test design, working with large data sets, and dealing with complex data manipulation. Verver adds, “The cost of audit software is usually significantly less than the investment in resources and skills required for a successful audit analytics program.” Management needs to put this in perspective and be willing to invest in the initiative. <br></p><p>“Any analytics initiative must quickly demonstrate a return on investment (ROI),” Marks says. Therefore, management should start with a targeted, ad hoc analytics program that will yield immediate benefits in terms of acceptance, ROI, and the development of the analytics function. At the same time, it should be clear that the initial steps are not sufficient for a robust analytics capability and that a strategy will need to be developed to improve and deploy analytic capabilities across the organization. The CAE should ensure that there is a plan to take action and measure results accurately. The organization, systems, and processes that support the analysis of the data must be able to take action with the insights that are generated.<br></p><h2>Sustainable Success</h2><p>Organizations should not expect that an individual with strong data analysis skills, armed with software and some training, will be able to drive a successful audit analytics program on his or her own. “Sustainable success in the use of audit analytics also requires leadership, strategic and tactical goal setting, audit process knowledge, team coordination, integration, and good project management,” Verver adds. 
The skills required to remain effective in an increasingly technologically complex world must be developed, nurtured, and supported. In addition, to efficiently and effectively implement and use data analysis by all auditors with a variety of computer skills, the organization needs to develop a standard, user-friendly, integrated environment; provide specialized training and IT support; and provide ongoing encouragement.<br></p><p>Effective analytics requires an initial investment of time and a commitment to follow up on results. Early analytics may produce a large volume of results — including false positives — and will need to be honed and evaluated to ensure results are manageable, reliable, and can be followed up on. Because analytics take time to implement and be fully effective, Cotton says the “CAE must manage expectations of senior management as well as the internal audit function and ensure that responsibility for analytics is assigned to a champion.” <br></p><p>The question should not be “Should we embark on developing analytic capabilities?” but “How soon can we start?” Adequately addressing the people, process, and technology aspects of the initiative will increase the likelihood of success.  <br></p>David Coderre
Risk Ready<h2>What IT risks are you most concerned about? </h2><p>Cyberthreats, data, and legacy technology are our current areas of focus. Cybersecurity is a hot topic within Citi and with our regulators globally, so our focus on cybersecurity is around how the company gathers threat intelligence and responds to that information, as well as how it reacts to incidents. The data governance coverage is targeted to maintaining the quality and integrity of data. Finally, we maintain a view on how the legacy technology and systems are being controlled.</p><h2>How is Citi’s internal audit department addressing the increasing number of sophisticated attacks? </h2><p>Citi Internal Audit has a strong base of knowledgeable IT auditors with extensive technology expertise. That said, we recognize the difficulty in maintaining the same level of expertise as the attackers, or even security professionals. Therefore, we maintain close contact with the Citi Information Security Office and the processes that they operate to identify threats and respond to them proactively. We assess those processes for effectiveness, rather than trying to identify all of the emerging risks ourselves.</p><h2>How is internal audit reviewing the security of third-party providers when you are facing more regulatory pressure? </h2><p>Citi uses a large number of third-party providers, and Citi Internal Audit carefully assesses the processes that are used by the organization to review third parties such as the information security assessment. Additionally, we audit the end-to-end processes as operated by these vendors. Finally, internal audit selects a sample of critical vendors and conducts on-site audits of their controls on a cyclical basis.</p>Staff
Editor's Note: Are You Cyber Literate?<p>As organizations adopt new approaches to information management and access, internal audit departments face increasingly complex challenges in helping address the related risks. In fact, a new report from The IIA’s Global Internal Audit CBOK research, Navigating Technology’s Top Risks: Internal Audit’s Role, identifies several of those risk areas, including IT governance, use of mobile devices, and social media. It also highlights the importance of increased internal audit awareness of these areas, and of strengthening IT audit capabilities.<br></p><p>These two priorities are stressed as well in this month’s cover story, “<a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=3da8278f-5ca0-4c59-810a-c3113aec7149&TermSetId=bb519a46-9cdb-4e10-8446-505034f60087&TermId=9cba8f3b-4e90-4d76-bb66-741d6f7aed60">The Cybersecurity Imperative</a>." The rising number of cyberattacks against well-known companies — and the changing nature and source of those attacks — has gotten the board’s attention. Boards now want to know what the risks are to their organization, how it is protecting cyber assets, and whether it is capable of stopping attacks. In many cases, they’re turning to the internal audit function for assurance. If auditors are going to provide that assurance, says author Tim McCollum, they’ll need to increase their awareness of the latest threats and ensure they have the right skills. <br></p><p>Similarly, “<a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=3da8278f-5ca0-4c59-810a-c3113aec7149&TermSetId=bb519a46-9cdb-4e10-8446-505034f60087&TermId=ea9b2d02-d619-4a8b-b8e0-b9adff1dfc6b">Protecting Customer Data</a>," by Michael Levy, discusses the role auditors must play in ensuring data privacy. Levy examines internal audit’s involvement in terms of risk assessment, governance, and security benchmarking, as well as training. 
He says auditors can leverage guidance material and other resources to help familiarize themselves with these areas and perform data security audits.<br></p><p>Organizational IT risks, however, are only part of the technology learning curve many auditors face. Practitioners may also struggle to stay abreast of technology specific to the profession, some of which has become essential to their work. As author Dave Coderre says of data analytics, the technology is “no longer a nice-to-have, but a requirement” (see “<a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=3da8278f-5ca0-4c59-810a-c3113aec7149&TermSetId=bb519a46-9cdb-4e10-8446-505034f60087&TermId=b563274d-a398-408f-afa7-1bf4df829fad">Gauge Your Analytics</a>”). In discussing the “people” side of analytics, Coderre’s feature emphasizes the importance of having the right technical skills in the audit department, as well as business process knowledge.<br></p><p>The need for technology expertise — in both audit tools and organizational IT — will only increase. Cyberattacks are on the rise, privacy is becoming more and more difficult to protect, and the volume and complexity of data internal auditors must analyze continues to grow. All of these factors point to the importance of awareness and education. In fact, IIA Global Chairman Larry Harrington’s theme for the coming year, “<a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=3da8278f-5ca0-4c59-810a-c3113aec7149&TermSetId=bb519a46-9cdb-4e10-8446-505034f60087&TermId=a4f929b7-68eb-411c-bf74-d5f414ee1120">Invest in Yourself</a>," centers on that very notion. He stresses the importance of skill-building and lifelong learning — even if it requires an investment of one’s own time and money. The message seems especially apt for technology, where change and the need to adapt are an organizational constant.</p>David Salierno0871
  • Six Steps to an Effective Continuous Audit Process (2008-02-01)
  • Understanding the Risk Management Process (2007-05-01)
  • Undermining Internal Audit With Low CAE Pay Is No Accident (2015-11-16)
  • What the CEO Needs From the CRO (2015-11-13)