Digital Signatures Deciphered<p>In today’s digital business environment, internal auditors have to assess the risk and security of large volumes of digitally originated transactions and documents. Among the many methods, protocols, and products for securing online transactions are digital signatures. For example, the mortgage industry uses digital signatures to approve the successive price or contract changes in a real estate negotiation until both parties agree on terms and a price. Once they have reached an agreement, the parties execute the title transfer with a notarized ink signature.<br></p><p>Digital signatures improve efficiency, provide security around transactions, and allow collective approvals in a fraction of the time that conventional ink signatures take. Nonetheless, there is always the danger of unauthorized or malicious use of digital signatures. Internal auditors and organizations need to assess the level of risk and to what extent the organization should secure its digital signature platform. Moreover, auditors should consider the trade-off between the level of risk digital signatures pose and the level of authentication required to provide the desired level of assurance when accepting them.<br></p><h2>Proof of Authenticity</h2><p>U.S. law defines an <em>electronic</em> signature as an electronic sound, symbol, or process attached to or logically associated with a record and executed by a person with the intent to sign the record. In layman’s terms, it is a person’s electronic expression of agreement to the terms of a particular document with the intent to sign. A digital signature is a specific, cryptographic kind of electronic signature. A scanned or photographed image of a written signature is an electronic signature under that definition but is not a digital signature: it is analogous to a rubber stamp of the signature, which can be duplicated or misused without the signer’s knowledge. 
Instead, a digital signature binds the signer’s private key to a cryptographic hash of the document, which lets any recipient verify that the document is unchanged since signing and that the holder of that key signed it. It does not, by itself, encrypt the document.<br></p><p>To authorize transactions, digital-signature platforms combine content capture, a method of signing, the signed data, and user authentication. They use electronic authentication to establish confidence in the user identities presented to an information system. Individual authentication is the process of establishing the level of confidence and assurance appropriate for the level of risk the organization has accepted.<br></p><table width="100%" cellspacing="0" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;"><strong>How Digital Signatures Work</strong><br><br>Digital signatures use a private/public key pair and a cryptographic hash of the document. The signing software computes a fixed-length digest unique to the document, the <em>origin-hash result</em> (OHR), and then applies the signer’s <em>private key</em> to that digest to produce the signature, which is therefore unique to both the document and the signer. On receipt, the verifying software computes a new <em>destination-hash result</em> (DHR) over the received document using the same hash function. It then uses the signer’s <em>public key</em> to check the signature against the DHR. The check succeeds only if the signature was produced with the matching private key and the DHR equals the OHR, that is, the document was not altered in transit. A successful check establishes the integrity of the document and the identity of the key holder who signed it; it says nothing about the recipient, and it does not keep the document confidential.<br></td></tr></tbody></table><p>There is a direct relationship between the associated risk and the complexity of authentication needed to provide a higher degree of assurance in the use of digital signatures. 
Higher levels of assurance need stronger, multifactor authentication methods that, in turn, require a secure IT infrastructure and user training. This correlation poses a trade-off for auditors and organizations willing to accept digital signatures, compelling them to identify which business processes require what level of authentication to offset their risks.<br></p><p>Digital signatures are built on public key cryptography. A signing platform built around them typically a) collects evidence about the signing event, such as document metadata, timestamps, and the signer’s IP address, b) verifies the identity of the signer, and c) provides an audit trail of the transactions. The platform relies on a public key infrastructure (PKI): the signer applies his or her private key to a hash of the document to create the signature, and the recipient uses the corresponding public key, obtained from the signer’s certificate, to verify it (see “How Digital Signatures Work” at right). A digital signature requires the signer to establish a certificate-based digital ID, commonly held in a token, smart card, or other physical device so that the private key cannot be copied, to provide a high level of authentication and integrity for the transaction and for the identity of the signing parties. The signer is presumed to be legally responsible for any document signed with his or her private key, which is why protection of that key is the control that matters most.<br></p><p>An important consideration when assessing the risk of digital signatures is that signing workflows are usually initiated and delivered through e-mail, which makes the security of the e-mail platform critical. A compromised mailbox does not break the cryptography, but it lets an attacker intercept or redirect signing requests, impersonate a counterparty, or trick a signer into signing an altered document, so the assurance a signature provides is only as good as the process around it.<br></p><h2>The Risk–Assurance Trade-off</h2><p>“Digital Signature Risk to Authentication” on this page depicts the trajectory of risk tolerance versus level of authentication for a typical business process. The slope of the trajectory varies with the nature of the business process. 
For example, financial transactions, approvals, or decisions generally carry a higher degree of risk, based on their monetary value, than administrative functions such as leave requests.<br></p><p><img class="ms-rteiaPosition-2" src="/2015/PublishingImages/Hullavarad-Digital%20Signature%20Risk%20to%20Authentication.jpg" alt="" style="margin:5px;width:450px;height:380px;" />The digital signature risk-to-authentication (SRA) model depicted in the chart provides a framework for internal auditors to establish the desired level of trust for an electronic transaction, as well as the authenticity, integrity, and reliability of such transactions. This can be accomplished through a quantitative risk assessment for each transaction type specific to a functional unit, by estimating the magnitude of a loss and the likelihood of its occurrence. Use of the SRA model can give internal auditors an understanding of the internal controls and security needed when their organization implements digital signatures.<br></p><p>The SRA model provides a semi-quantitative approach to assessing the risk associated with a given level of authentication used to produce a digital signature. As a general rule, the higher the level of authentication, the lower the likelihood that an incident or breach will occur, and the lower the risk. Although the shape of the risk-versus-authentication curve may differ between business processes, the pattern will tend to follow the path of reduced risk for higher authentication. Internal auditors or management can develop a risk chart based on the formula: <em>Risk (R) = Likelihood of occurrence of event (L) × Magnitude (M)</em>.<br></p><p>To illustrate the formula, assume that one in 30 e-mail accounts is compromised, so L = 1/30 for a process that relies on e-mail alone. The risk can then be calculated by multiplying that likelihood by the monetary magnitude of the effect a compromised e-mail account would have on the organization. 
The trade-off zone depicted in the chart provides a window of opportunity to secure the digital signature environment to achieve the desired level of assurance, thereby enabling organizations to identify those processes that require optimum levels of authentication to offset risks.<br></p><p>The key factor in implementing digital signatures is to identify the risk tolerance and the associated risk for each business process. Institutional risks may involve financial loss, brand and reputational damage, and other key administrative communications. Based on the types of business processes and the severity of those risks, the assurance levels, which are a combination of authentication and validation, as well as the trust levels must be established by the appropriate business-unit management. To secure an electronically signed document as evidence, auditors should consider the risks associated with the signing process and with the significance of the information. Security must be approached with the objective of managing potential risks and should be weighed against the level of authentication needed to achieve the desired level of risk tolerance (see “Authentication Levels” below).<br></p><p>Internal auditors can use this model to assess the risk and assurance needed for digital signatures. Because systems are imperfect, auditors should consider the reliability of the information obtained through the digital signature validation process. 
For example, they should consider whether digital signatures can enhance internal control over online sales orders by authenticating the validity of customers.</p><p><img class="ms-rteiaPosition-4" src="/2015/PublishingImages/Hullavarad-Authentication-Levels.jpg" alt="" style="margin:5px;width:750px;height:303px;" /><br></p><h2>Digital Assurance</h2><p>Because the Internet is the primary channel for transmitting digitally signed documents, organizations need a secure transmission process that ensures a signed document is not tampered with by a third party and reaches the recipient in the form in which it left the signatory. The signature itself will expose any change made after signing, but the transmission process must also protect the document from substitution before it is signed and from disclosure in transit. Organizations also need to determine which business processes are not appropriate for digital signatures, such as creating wills, testamentary trusts, and certain types of contracts.<br></p><p>Internal auditors and their organizations need to identify the various processes for which they plan to use digital signatures, as well as perform a comprehensive risk assessment of those processes. The digital signature risk-to-authentication model can help auditors assess the level of authentication suggested for a specific business process to ensure it provides the desired level of assurance. <br> <span class="ms-rteiaStyle-authorbio">Shiva Hullavarad, PhD, is statewide ECM/ERM System Administrator with the University of Alaska System in Fairbanks.<br>Russell O’Hare, EdD, CRM, is chief records officer with the University of Alaska System.<br>Ashok Roy, PhD, CIA, CFSA, CBA, is vice president for finance and administration with the University of Alaska System.</span></p>
Securing Broker-dealers<p>Financial firms have been prime targets for network and data attacks. A recent U.S. Financial Industry Regulatory Authority (FINRA) report (PDF) describes how securities firms such as broker-dealers are protecting themselves from cyberrisks and provides recommendations for improving their security measures. </p><p>"Broker-dealers face a variety of rapidly evolving cybersecurity threats, which require a well-designed and adaptable cybersecurity program," says Susan Axelrod, executive vice president for regulatory operations at the independent regulator. </p><p>The <em>Report on Cybersecurity Practices</em> is based on a 2014 examination of U.S. securities firms and a 2011 survey of 224 firms. FINRA's research reveals that the top three threats broker-dealers face are hackers penetrating their systems, insiders compromising firm or client data, and operational risks. To help firms mitigate these threats, the report provides observations and guidance in eight areas.</p><h2>Governance</h2><p>The FINRA report recommends that firms implement an information security governance framework to help identify risks, determine their severity, and support decisions on managing them based on the organization's risk appetite. The framework should encompass policies, processes, structures, and relevant controls. </p><p>An organization's framework should emphasize management and board involvement in cybersecurity issues, FINRA advises. Insufficient involvement can make organizations more vulnerable to data and network breaches, as well as to regulatory risks such as being cited under the U.S. Securities and Exchange Commission's "Red Flags Rule."</p><p>Beyond the board and top management, the framework also should incorporate views from business units, IT, risk management, and internal audit, the report states. 
Internal audit should assess the implementation and effectiveness of the cybersecurity program, especially its controls and processes.</p><h2>Risk Assessment</h2><p>The FINRA report recommends organizations perform risk assessments regularly to identify information security risks associated with their assets and vendors. The first step should be creating an asset inventory to identify the assets the organization has and how important each is to protect. </p><p>Next, FINRA recommends that organizations maintain a risk assessment program to identify asset vulnerabilities, review threat and vulnerability information, document internal and external threats, determine their potential impact and likelihood, and come up with risk responses. In the regulator's 2014 sweep of securities firms, more than 80 percent of firms had such programs, with many drawing on ISACA's COBIT or the ISO/IEC 27001 framework. Firms typically viewed these risk assessments as part of the organization's broader risk management process. </p><h2>Technical Controls</h2><p>The report advises organizations to implement technical controls to protect their data, as well as the hardware and software on which it is stored and processed. Key to this is a defense-in-depth strategy that applies multiple layers of security controls throughout an IT infrastructure. These layers include users, application, network and physical perimeter, server, database, and data and asset.</p><p>One of the most important controls that needs to be in place is identity and access management, especially now that organizations are allowing customers and vendors access to systems, as well as access through mobile devices. Other important controls are encryption and third-party penetration testing. </p><h2>Incident Response Planning</h2><p>With security breaches becoming more common, organizations need policies and procedures for responding to incidents, the FINRA report advises. 
Response plans should detail the roles and responsibilities of individuals in the event of an incident. Some organizations have dedicated computer security incident response teams for such situations, the report notes. </p><p>Response plans should prepare for incidents that organizations are most likely to encounter, including compromises of customer personal data, data corruption, denial-of-service attacks, network intrusions, and malware. Moreover, plans should spell out the organization's strategy for containing or mitigating various types of incidents, recovery plans for systems and data, processes for investigating and assessing damage, and communication. </p><h2>Vendor Management</h2><p>The growing use of third-party vendors raises information security risks throughout the relationship's life cycle that some organizations may not be addressing. According to <em>The New York Times</em>, nearly one-third of banks surveyed by the New York Department of Financial Services don't require such vendors to inform them of information security breaches, and less than half perform on-site assessments of vendors. </p><p>The FINRA report recommends organizations manage vendor risks by performing due diligence on both prospective and existing service providers, and ensuring that contract terms are appropriate given the sensitivity of systems and data to which vendors may have access. Moreover, it advises organizations to make vendor relationships part of the organization's ongoing risk assessment and to have procedures for terminating vendor access at the end of the contract.</p><h2>Staff Training</h2><p>To address employee risk, organizations need to train personnel about information security risks, the report says. In FINRA's reviews, 95 percent of securities firms provided mandatory cybersecurity training to employees at least annually, which usually consisted of awareness training for all staff and targeted training for specific staff members. 
FINRA recommends organizations update training often to reflect changing threats.</p><h2>Cyber Intelligence and Information Sharing</h2><p>The report advises organizations to gather intelligence about cybersecurity threats to better detect and respond to them. Organizations should assign someone responsibility for collecting and analyzing threat information and have ways to communicate that information to the appropriate groups. </p><p>One source of intelligence is an information sharing and analysis center (ISAC), such as the financial services industry's FS-ISAC. In its sweeps, FINRA found that 72 percent of securities firms shared information through FS-ISAC, while half shared it with the U.S. Computer Emergency Readiness Team. Additionally, many large firms have established in-house threat intelligence centers.</p><h2>Insurance</h2><p>Finally, many firms reviewed by FINRA have turned to cyber insurance to transfer some of the risk or to obtain coverage for gaps that aren't addressed in their existing insurance policies. That may accelerate this year, as Lloyd's of London reports a 90 percent increase in cyber insurance applications in the first quarter of 2015 compared to the same period last year. </p><p>FINRA recommends organizations that need coverage evaluate how insurance plans would enhance their ability to manage the financial impact of a security incident. Organizations that already have cyber insurance should assess the adequacy of their coverage in light of their risk assessment.</p>
Get a View Into Suspicious Transactions<p>The U.S. Centers for Medicare and Medicaid Services’ June 2014 Report to Congress on Medicare’s Fraud Prevention System (FPS) describes how the state-of-the-art predictive analytics system identified US$210 million in savings during its second year of operation. The FPS’ ability to identify savings illustrates the power of data analytics to detect suspicious transactions.<br></p><p>Internal audit can leverage analytics technologies to audit for similar transactions within its own organization. Data visualization is an analytic tool that can allow auditors to rapidly interrogate an entire transaction history or database to identify the most suspicious transactions to investigate.<br></p><h2>A Fraud Risk Tool</h2><p>The internal audit department at one Fortune 500 company applied data visualization tools to a project to assess fraud risk. The first phase of the risk assessment identified several high-risk scenarios such as processing duplicate payments, paying multiple invoices for the same purchase, and submitting payments to false vendors. In the second phase, the review team deployed a data visualization tool to the existing data sets.<br></p><p>The first step involved planning and setting specific project-review objectives. The review team interviewed key process stakeholders to learn the financial process flow and studied the database structure and data dictionary. For this specific database, the team collected 700,000 transactions for a 12-month period.<br></p><p>Once the review team had loaded the transaction data into a data analytics software tool, it began the time-consuming job of cleansing and normalizing the data to support the project objectives. 
The data came in four different files and required three iterations to eliminate any false positives and meaningless data, as well as to provide data that could be released for an initial analysis.<br></p><h2>Creating Scripts</h2><p>The review team used its initial analysis to review and understand the expense types, attributes, characteristics, relationships, definitions, and unique data properties, giving it comfort with the entire data population and ensuring any results extracted from the total data set reflected the true nature of the data. This analysis enabled the team to organize the data for visualization.<br></p><p>Because the review team lacked experience using the data visualization tool, it contracted with a consulting firm for guidance and assistance in coding the visualization scripts. The team and consultants collaborated to prepare the scripts, define the data attributes, and determine which flags to set as conditions to search and identify transactions.<br></p><p>The consulting firm took the review team’s objectives and developed a set of scripts to capture certain data attributes and characteristics for presentation purposes. For example, the review team determined which transaction types represented risks that were higher than average. Other attributes the review team wanted to analyze included unusual transaction amounts, expenses submitted by terminated employees, and duplicate expenses, especially multiple transactions made on the same day, for the same amount, and to the same vendor. The team also used the tool to identify unusual high-dollar or volume transactions made by job classification. For example, comparing a buyer who travels frequently to a salesperson who stays in one location would reveal drastically different spending patterns.<br></p><h2>Visual Analysis</h2><p>Using the visualization tool scripts, the review team generated different reports and data representations. 
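</p><p>The flag rules listed in the previous section, run over a constructed expense extract. This is an added example, not the review team’s or the consulting firm’s scripts; the transaction rows, the HR termination list, the function names and the 5×-median outlier threshold are all my own assumptions. It applies three of the attributes the article names (duplicates on the same day, for the same amount, to the same vendor; expenses dated after the submitter’s termination; amounts far outside the norm for the submitter’s job classification, so buyers are compared with buyers rather than with salespeople) and then counts flags per transaction so that the multi-flag items surface first.</p>

```python
"""Expense-flagging script in the spirit of the review team's visualization rules.

Added example, not the company's or the consulting firm's scripts. The data
set is constructed; the flag rules follow the attributes the article lists,
and the outlier threshold is an assumption.
"""
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Constructed sample rows: (txn_id, employee, job_class, vendor, date, amount)
TRANSACTIONS = [
    ("T001", "alice", "buyer",       "Delta Air",     date(2014, 3, 3),   842.10),
    ("T002", "alice", "buyer",       "Hilton",        date(2014, 3, 4),   319.00),
    ("T003", "alice", "buyer",       "Hilton",        date(2014, 3, 4),   319.00),  # duplicate of T002
    ("T004", "bob",   "salesperson", "Office Depot",  date(2014, 3, 5),    48.75),
    ("T005", "bob",   "salesperson", "Staples",       date(2014, 3, 9),    62.30),
    ("T006", "bob",   "salesperson", "Luxury Motors", date(2014, 3, 12), 4150.00),  # outlier for a salesperson
    ("T007", "carol", "salesperson", "Office Depot",  date(2014, 3, 6),    55.20),
    ("T008", "carol", "salesperson", "Staples",       date(2014, 4, 2),    71.90),  # after termination
    ("T009", "carol", "salesperson", "Staples",       date(2014, 4, 2),    71.90),  # duplicate, after termination
    ("T010", "dave",  "buyer",       "United",        date(2014, 3, 8),   910.40),
    ("T011", "dave",  "buyer",       "Marriott",      date(2014, 3, 9),   402.00),
]

# Constructed HR extract: employees no longer active, with termination date.
TERMINATED = {"carol": date(2014, 3, 31)}

OUTLIER_FACTOR = 5.0  # assumption: more than 5x the job-class median is "unusual"


def _dup_key(t):
    """Vendor, date and amount: the article's definition of a duplicate expense."""
    return (t[3], t[4], t[5])


def flag_duplicates(txns):
    """Same vendor, same date, same amount submitted more than once."""
    counts = Counter(_dup_key(t) for t in txns)
    return {t[0] for t in txns if counts[_dup_key(t)] > 1}


def flag_terminated(txns, terminated):
    """Expense dated after the submitter's termination date."""
    return {t[0] for t in txns if t[1] in terminated and t[4] > terminated[t[1]]}


def flag_outliers(txns, factor=OUTLIER_FACTOR):
    """Amount far above the median for the submitter's job classification."""
    by_class = defaultdict(list)
    for t in txns:
        by_class[t[2]].append(t[5])
    medians = {cls: median(amounts) for cls, amounts in by_class.items()}
    return {t[0] for t in txns if t[5] > factor * medians[t[2]]}


def score_transactions(txns=TRANSACTIONS, terminated=TERMINATED):
    """Return {txn_id: [flag names]} for every flagged transaction, so the
    reviewer can sort by number of flags and start with the multi-flag ones."""
    rules = {
        "duplicate": flag_duplicates(txns),
        "terminated_submitter": flag_terminated(txns, terminated),
        "amount_outlier": flag_outliers(txns),
    }
    flagged = defaultdict(list)
    for name, ids in rules.items():
        for txn_id in sorted(ids):
            flagged[txn_id].append(name)
    return dict(flagged)


def ranked(txns=TRANSACTIONS, terminated=TERMINATED):
    """Flagged transaction ids, most flags first, then by id."""
    scored = score_transactions(txns, terminated)
    return sorted(scored, key=lambda i: (-len(scored[i]), i))


if __name__ == "__main__":
    scored = score_transactions()
    for txn_id in ranked():
        print(txn_id, ", ".join(scored[txn_id]))
```

<p>On this sample the two Staples lines submitted after carol’s termination date carry two flags each and rank first; the Hilton pair and the salesperson’s 4,150.00 purchase follow with one flag each, and carol’s pre-termination expense is untouched. The same structure scales to the 700,000-row extract the article describes: each rule is a single pass over the data, and the per-transaction flag list is what a visualization layer would colour or size.</p><p>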
Easy-to-use dialog boxes enabled staff members to request reports to interrogate the underlying data. One of the most valuable reports they generated showed the highest expense spending by a single individual in chart form (see “Employee Expense Visualization” at right).</p><p><img src="/2015/PublishingImages/Employee-Expense-Visualization.gif" class="ms-rteiaPosition-2" alt="" style="margin:5px;" />As part of the consulting firm’s deliverable, it provided documentation and trained the review team to take over scripting the data visualization tool. The team became more comfortable with collecting, normalizing, and analyzing the data, as well as with building and running the data visualization and then turning over a read-only version for users to run “what if” scenarios and identify suspect transactions.<br></p><h2>Generating Solid Evidence</h2><p>Data visualization can enable auditors to provide management with reports that illustrate suspicious transactions as the data is refreshed. Instead of sifting through information manually or filtering on one characteristic, auditors can use data visualization to identify anomalies visually by looking for outliers from expected results and focusing on transactions that have multiple flagged characteristics. Displaying all the underlying transactions that make up a suspicious transaction gives internal auditors solid evidence to support the finding.<br></p><p>The Fortune 500 company’s CAE notes that implementing data visualization and predictive analysis should be internal audit’s ambition. In today’s world, mining data to establish “what happened” is interesting, but answering the question “why?” and being able to venture “what’s next” is more valuable. <br> <span class="ms-rteiaStyle-authorbio">Steve Mar, CFSA, CISA, is the IT audit director for a U.S. specialty retailer.<br>Michelle Kha, CISA, and Tricia Hardie, audit principals, contributed to this article.</span></p>
Editor's Note: The Continuous Audit<p>In today’s ever-evolving business environment, it is clear that internal auditors need to constantly align, and realign, their audit coverage to address emerging risks and avoid damaging surprises. But are audit functions up to the task?<br></p><p>The latest North American Pulse of Internal Audit report from The IIA’s Audit Executive Center indicates they are, to an extent. More than half of the 311 CAE and audit-management-level respondents to the Pulse survey say internal audit’s biggest challenge in continuously assessing risks is its ability to identify emerging risks and incorporate them into the audit plan. However, nearly 90 percent of respondents say their audit planning is designed to be responsive to changes in the organization’s risk profile.<br></p><p>To be sure, 61 percent of respondents say their audit functions have the resources and expertise to assess risks continuously and analyze their potential impact on the business model. However, audit functions are waging a battle for talent, with 40 percent of those surveyed saying attracting and retaining talent is a high or critical priority.<br></p><p>The need for both a broader and deeper understanding of critical business issues comes across loud and clear in recent research by the ERM Initiative at North Carolina State University. According to the study, 59 percent of senior finance executives say the volume and complexity of risks facing their companies have changed “extensively” or “mostly” in the last five years. And 65 percent say their organization was caught off guard by at least one operational surprise “somewhat” or “extensively” during that time.<br></p><p>Continuous assessment of emerging risks can be more of a challenge for small internal audit departments than for larger, better-resourced functions. 
In our cover story, “Small Audit Functions, Big Ideas,” author Arthur Piper looks at the practices some small audit departments implement to ensure they provide comprehensive, continual assessments of the risks facing the organization.<br></p><p>According to the Pulse report, geopolitical, macroeconomic, and cyber-related risks will put enormous pressure on many internal audit functions to raise their game. Given the significance of these emerging risks, it is imperative that internal audit functions be able to assess risk on a continuous basis. As the authors of the report state, “In today’s fast-paced operating environments, internal auditors need to audit at the speed of risk.”</p>
Cyberrisk on the Agenda<p>With cybersecurity becoming a greater priority for both corporate leaders and their internal auditors, the organizations that are best at managing information security risks are the ones whose boards are most engaged in addressing them, a recent Protiviti report observes. The report, <em>From Cybersecurity to Collaboration</em> (PDF), surveyed 800 internal auditors worldwide.</p><p>Thirty percent of respondents say their organization's board is highly engaged with the information security risks facing the business, while 41 percent say the board has medium engagement and 14 percent report low engagement. Respondents say high board engagement translates into greater confidence in the organization's ability to identify (47 percent), assess (43 percent), and mitigate (39 percent) cyberrisks to an acceptable level. </p><p>Moreover, organizations with high board engagement (69 percent) are more likely than other organizations (46 percent) to include cybersecurity in their internal audit plan. Overall, 53 percent of respondents say evaluating and auditing cyberrisks is part of their audit plan, while another 27 percent expect to add it to next year's plan. Top cyberrisks they are addressing include data security, brand and reputational damage, regulatory and compliance violations, leakage of employee personal information, and viruses and malware. </p><p>"Across the globe, businesses are continuing to experience cybersecurity issues, challenges, and breakdowns," says Brian Christensen, executive vice president of Protiviti's global internal audit and financial advisory group. 
"Those professionals who continue to engage board members and define cybersecurity measures within their annual audit plans will be poised to effectively mitigate future threats."</p><h2>Cyberrisk Assessment</h2><p>Protiviti's findings are comparable to responses to The IIA's latest <a href="" target="_blank">North American Pulse of Internal Audit</a> survey, in which 69 percent of the 311 internal audit respondents view cyber threats as a critical or high priority. Organizations that include cybersecurity in their audit plan are more likely to have a cybersecurity risk strategy and policy, Protiviti reports. Seventy percent of organizations that have included information security in their audit plan also have a cyberrisk strategy, and 65 percent have a cybersecurity policy in place. Among organizations that didn't include it in their audit plan, the percentages were 42 percent and 39 percent, respectively. </p><p>Most responding organizations address cyberrisks in their overall risk assessment or through a separate assessment. In organizations that perform such assessments, human resources (69 percent), internal audit (48 percent), and executive management (44 percent) have the most significant involvement. Seventeen percent say the audit committee is significantly involved, but another 43 percent say it is moderately involved.</p><h2>Cyber Skills in Demand</h2><p>Moves by internal audit departments to focus more on cyberrisks are complicated by their continued struggle to fill information security skill gaps. Protiviti's respondents say auditing IT security is the audit process area they most need to improve. They rate learning the U.S. National Institute of Standards and Technology's (NIST's) Cybersecurity Framework, released last year, second among general technical knowledge areas needing improvement. In general, 12 of the 13 top "needs improvement" areas cited in the report pertain to IT risks and directives. 
</p><p>Respondents to The IIA's Pulse survey ranked cybersecurity and privacy third among the skills their departments lack. These skills are the second-most difficult to hire for, behind general IT skills, respondents say. To fill the void, 37 percent of respondents' organizations are outsourcing for these skills, while 23 percent are recruiting for them.</p><h2>Taking Action</h2><p>Faced with growing cyberrisks, greater board interest, and a skills gap, the Protiviti report advises internal audit to take several actions. Chief among these are working with the board and management to develop a cybersecurity strategy and policy and seeking to increase the organization's ability to identify, assess, and mitigate information security risks "very effectively." Other recommended actions include:</p><ul><li>Recognizing the potential for breaches due to the actions of employees or business partners.</li><li>Heightening the board's awareness of cyberrisks and its engagement in cybersecurity matters.</li><li>Integrating cyberrisk into the audit plan.</li><li>Evaluating the cybersecurity program against the NIST Cybersecurity Framework and other frameworks.</li><li>Making cybersecurity monitoring and incident response a top management priority.</li><li>Addressing audit staffing and resource shortages.</li></ul><p>In its introduction, the Protiviti report asks, "Will 2015 be a repeat of 2014 and become the year of the data breach?" Every week, there seem to be new security incidents in the headlines and new reminders that organizations aren't as prepared as they should be, or believe themselves to be. As the Protiviti report suggests, internal audit can contribute to making cybersecurity a priority with corporate leaders and an integral consideration in business processes. But many internal audit departments have much to do before they are capable of making a difference in security initiatives.</p>
Tech Fraud and the Small Business<p>Like large companies, small companies may become victims of computer hardware thefts that expose company information and records. Small businesses are easy prey for hackers, too. <em>The New York Times</em> recently reported that hackers have broken into the phone networks of small companies, rerouting thousands of unauthorized calls to premium-rate overseas numbers and running up more than US$100,000 in charges for the affected businesses.<br></p><p>When small businesses and startup companies experience a fraudulent event, they may be hit disproportionately harder than larger organizations and have more difficulty absorbing the losses. For those companies, a significant fraud incident can harm their reputation, cost innocent employees their jobs, wipe out personal investments, and make creditors wary of helping the victimized business in the future. Despite such threats, many small-business executives underestimate their company’s fraud risk.<br></p><p>Small firms are particularly unprepared for today’s sophisticated high-tech frauds. Internal auditors can help educate small-business owners and executives about such threats and conduct reviews to identify potential vulnerabilities.<br></p><h2>Small and Vulnerable</h2><p>Small companies are more likely to experience fraud than large firms. In the past two years, 29 percent of reported occupational fraud cases occurred at companies with fewer than 100 employees, according to the Association of Certified Fraud Examiners’ (ACFE’s) <em>2014 Report to the Nations</em>. The median loss per fraud scheme for a small business is US$154,000, the ACFE reports. 
Small companies tend to be more susceptible to employee misconduct, lapses in technology oversight, unauthorized technology changes, a lack of internal controls, and inadequate segregation of duties.<br></p><p>Asset misappropriation is the most common fraud among all businesses, occurring in 85 percent of cases, although it typically is the least costly fraud. Corruption schemes make up one-third of small-business fraud cases, while financial statement fraud happens in 12 percent of such cases.<br></p><p>Many technology-related frauds stem from information security incidents such as data breaches. The Ponemon Institute, an independent privacy and security research organization, reports that 55 percent of responding small businesses have had a breach, and 53 percent have had multiple breaches. But technology-related fraud can come from within, too. IT personnel were perpetrators of fraud in 3 percent of cases, the ACFE notes.<br></p><h2>Reducing Risk</h2><p>Internal auditors at small companies can help their organization reduce the risk of technology-related fraud. They should start with fraud basics like educating management about the signs of fraud and likely perpetrators, such as employees who are living beyond their means or experiencing financial difficulties.<br></p><p>From there, auditors should advise management about the many tangible and inexpensive actions even small businesses can take to address fraud, including implementing a code of conduct and anti-fraud policy. To detect wrongdoing sooner, executives should implement a whistleblower hotline that employees, customers, and vendors can access by phone and through the company’s intranet and extranet. According to the ACFE report, only 18 percent of small companies have fraud hotlines, compared with 68 percent of other businesses, yet hotlines reduce the median duration of fraud from 24 months to 12 months.
Building fraud training into the internal audit plan can help educate employees about fraud red flags and empower them to speak up about possible incidents.<br></p><p>Beyond these basics, internal auditors at small firms need to address the likely technology enablers of fraud and review the effectiveness of their organization’s safeguards.<br><br><strong>Watch out for the top causes of technology-related fraud.</strong> Many types of network attacks can put small companies at risk of fraud. For example, phishing emails are a significant threat for small businesses and startups because they may not have rules or policies about handling such emails, may not monitor for potential phishing messages, or may not know how to resolve incidents that result from someone responding to a message's content or clicking on a link it contains.<br></p><p>Small businesses are particularly vulnerable to data breaches and hacking attacks, which typically target electronic records. Auditors should look for leading causes of breaches such as employee or contractor errors, procedural mistakes, and lost or stolen laptops, smartphones, and storage media.<br></p><p>Small companies also need to guard against identity theft. Identity thieves seek their business account information, employer identification numbers, bank account numbers, or even key employee Social Security numbers.
Making matters worse, small businesses do not receive the same protections as consumers in identity-theft cases.<br><br><strong>Plan regular and surprise audits in areas that may pose greater risk.</strong> Based on the company’s risk assessment, internal audit should conduct an occasional deeper-dive review of areas with potential risk from technology-related fraud.<br></p><ul><li>An intellectual property audit can assess the types of sensitive information the company retains — such as credit card and personally identifiable information — what it is used for, and where it resides on the organization’s computers and servers. Auditors can confirm whether the sensitive data is isolated or segregated, and determine whether encryption methods are used for protection.<br></li><li>Internal audit should test information security controls for the company as well as for outsourced vendors. Such tests should confirm the use of strong passwords, regular password changes, and regular updates of antivirus and anti-spyware software on computers and servers. Auditors should verify that the company uses a secure, encrypted connection such as Secure Sockets Layer to protect sensitive data while in transit across the Internet and that it uses secure wireless connections throughout the business. Also, they should check that the company has implemented privacy and security policies — including what can be downloaded and appropriate use of social media — and that the company has processes in place to monitor what is being said online.
Moreover, internal audit should review Service Organization Controls reports regarding outside vendor services and confirm that the controls are appropriate for the organization.<br></li><li>Other areas internal audit should review are financial operations, cash-handling processes, inventory, and related-party transactions.<br></li></ul><h2>A Matter of Survival</h2><p>The ACFE reports that companies frequently lose 5 percent of their revenues to fraud, and that can be a high price to pay for a young company trying to generate income and get off the ground. Internal auditors at small companies need to help the business prevent and monitor for technology-related fraud or run the risk that it will become a victim.<br></p>Alisanne Gilmore-Allen
Internal Audit Enjoys Home-field Advantage in the Fight for Cybersecurity<p><span style="line-height:1.6;">Cybersecurity continues to be a major concern for businesses, with seven in 10 chief audit executives surveyed identifying it as a high or critical priority, according to the just-released 2015 North American Pulse of Internal Audit report. This is not unexpected, but what I do find troubling is something that I'm hearing more and more in my discussions with CAEs around the world.</span></p><p>There appears to be a growing view that cybersecurity issues should reside in the domain of IT and security experts, with internal audit providing little more than support. The question I'm hearing too often is, "What can internal audit contribute?"</p><p>The answer is, plenty.</p><p>The fundamental truth about cybersecurity is that it is as much a business risk as it is a security risk, and it is imperative that our stakeholders understand this so that internal audit is sought out to provide the necessary assurance and governance guidance in this critical area.</p><p>Perhaps there is reticence in leading the fight against cybercrime because of the high stakes involved or the potential for negative publicity around high-profile failures. But our profession has never been one to shrink from complex risks or hard tasks.</p><p>Here's something that should provide some reassurance. There is a dirty little secret about cybersecurity risks that cybercriminals would rather we not know — we have home-field advantage.</p><p>Cybercriminals have to come into our house, so to speak, so we have a natural advantage. In the large majority of cyber assaults, the cybercriminal does not know what we have of value, where to find it in the system, or what protections we have around that most valuable data. We do and, with proper planning, can force the attackers to play the game according to our rules.
This knowledge should color our approach to creating the protocols that secure and protect our data.</p><p>Experts in data protection recommend a basic process to identify the most important information, what many refer to as the <em>crown jewels </em>of data. It is that data that must be protected at all costs, and it is up to internal audit to provide assurance to stakeholders that the processes in place to protect it are effective and efficient.</p><p>Organizations should begin by segmenting their data into three piles based on its value to the organization:</p><ul><li>Don't care — This is information that would have no appreciable impact on the organization or its clients if it is accessed by hackers, e.g. information readily accessible on the organization's website.</li><li>Reputational risk — This is information that could lead to negative publicity or embarrassment to the organization if it fell into the wrong hands, but it would not kill the company, e.g. employee disciplinary reports.</li><li>Real harm — This is information that could create major problems for a company or its clients if it is hacked, e.g. financial data, PCI, strategic business plans.</li></ul><p>Information in that final <em>crown jewels</em> pile must be separated from the first two piles, isolated and protected. This allows for resources to be concentrated where they are most useful rather than generically spread across the environment. Once protected, it is up to internal audit to do what it does best — test for effectiveness and efficiency of controls and protocols, and provide management and the board with assurance about those protections.</p><p>Daimon Geopfert, national leader for security and privacy consulting at McGladrey, has been a strong advocate of encouraging internal audit to step up on cybersecurity matters. 
A popular speaker, including at a number of IIA conferences, Geopfert offers straightforward insights that help put the cybersecurity issues squarely in the internal audit camp.</p><p>According to Geopfert:</p><ul><li>Internal audit can and should conduct data mapping and classification exercises to test protections. It is important to "follow the lifecycle" of the data — that is, know where it comes from, where it resides, who uses it and how, and how long it is kept in the system.</li><li>Such exercises will likely turn up instances where protected data is exported from its protected environment for local use, significantly raising the vulnerability to being successfully hacked.</li><li>Through such exercises, internal audit can drive the discussion on what data is most vulnerable and appropriate controls throughout its lifecycle no matter where it travels.</li><li>Internal auditors must learn to ask the right questions regarding data protection, focusing on what actually is happening in the field, not just what is written in various policy statements.</li><li>Internal audit must be prepared to sacrifice some sacred cows (business practices), especially regarding behaviors that may make operations easier but increase vulnerability and, therefore, the likelihood of data breaches.</li><li>Internal audit must set expectations with stakeholders on data protection. High-level commitments to protecting certain data will make it easier to curtail risky behavior that simply makes work more convenient.</li></ul><p>The other bit of good news from Geopfert is a figure rarely seen in media coverage of cybersecurity issues. Basic data protections through sound practices and policies will likely discourage 60 percent to 70 percent of hackers, many of whom are not overly skilled, significantly reducing cybersecurity risks. These practices, such as
limiting access to sensitive information, appropriate patching and monitoring, encryption on mobile devices and media, and third-party-vendor security reviews, already should be on internal audit's radar.</p><p>I'd like to hear your thoughts about what role internal audit should play in cybersecurity.</p>Richard Chambers
The Risk of Missing the Next New Technology<p>Is your organization sufficiently intelligent and agile to be able to deploy new technologies and obtain competitive advantage?</p><p>Are you so risk averse that you wait for others to lead before you think about following?</p><p>Do you have to wait because you don't have the capacity to address risks that may be created by new technologies?</p><p>In other words, are you running an unacceptable level of risk of being left behind?</p><p>McKinsey has shared some useful insights on one of the latest new technologies, 3-D printing (sometimes called additive manufacturing). <a href="" target="_blank">Are You Ready for 3-D Printing?</a> includes a useful list of known uses of the technology.</p><p>But the most important piece of information, for me, is this:</p><p> <span class="ms-rteiaStyle-BQ">"Two-thirds said that their companies lacked a formal, systematic way to catalog and prioritize emerging technologies in general."</span></p><p>Leaving the specifics of 3-D printing aside, how can this be acceptable?</p><p>We have all seen the enormous potential of new technology.
It has revolutionized so many industries, from banking to retail to travel to manufacturing.</p><p>How can any organization fail to pay attention to the potential of new technologies?</p><p>Is this a risk your organization has identified?</p><table cellspacing="0" width="100%" style="height:296px;"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;"><h2>More on 3-D Printing</h2></td></tr></tbody></table><p>In my opinion, you can't leave this to the chief information officer and his team. While they are experts in technology, they may not have the insight and ability to dream about new uses by the organization. Business executives have to get involved, as well.</p><p>McKinsey correctly pointed out, "Many also admitted that their companies were ill prepared to undertake a cross-organizational effort to identify the opportunities." That cross-functional effort will very often be required because more than one business area, in addition to IT, should be involved in assessing opportunities, costs, and risk.</p><p>Coming back to 3-D printing, the cost of printers has dropped significantly over the last year or two, to the extent that retail shops are opening!
McKinsey points out some of the potential uses for 3-D printing, and my belief is that it will, as is the case with so many new technologies, have a major impact on both our personal and work lives — from rapid design and prototyping to better and cheaper prosthetics to custom tooling on demand to the manufacture of drones, and so much more (see box at right).</p><p>Are you sufficiently agile and intelligent to understand the potential and then deploy new technology to advantage? If not, is this recognized as a strategic risk that needs to be addressed?<br></p>Norman Marks
Thinking Holistically About Security<p>Today's organizations focus great attention on protecting network perimeters from sophisticated external attacks. A December 2014 survey report from the independent research firm Ponemon Institute reminds internal auditors that organizations also must focus attention on internal security while balancing employee productivity (see "Summarized Survey Results" below).</p><p>The Ponemon research, sponsored by data protection company Varonis Systems, indicates that organizations are not taking a holistic approach to information security. Given the current publicized data breaches, organizations — including the board and senior executives — are focusing on ensuring their external borders are secure from outside threats. However, the survey points out that internal threats still need attention.</p><p>Internal auditors can help their organizations ensure current security initiatives are balanced between external and internal threats. To do this, the internal audit function should be engaged with the IT department and assign the appropriate personnel to add value to information security discussions. One way auditors can add value is by thinking outside the box regarding security approaches and providing a holistic view of security risks and considerations.</p><h2>Assessing Security Readiness</h2><p>Auditors should be engaged early in the conversation regarding risks and potential information security solutions. In addition to its standard assurance service, internal audit should expand its advisory services role with the organization's IT activity to suggest ways to protect the organization from internal and external threats. Examples include working more closely with the security administration function and participating on the organization's security advisory committee.
</p><p>To be a credible contributor in today's changing IT risk landscape, internal audit needs personnel who are qualified to advise and work with IT and information security specialists. The internal auditor should have a basic understanding of the security technologies used and how they have been integrated with the organization's systems, processes, and procedures. The auditor could obtain this understanding by performing a detailed walkthrough or specific audit of each of these technologies. Additionally, previous experience in a security administration role also would benefit the internal auditor.</p><table width="100%" cellspacing="0" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;"><p><strong>Summarized Survey Results</strong></p><p>A recent Ponemon Institute study, <a target="_blank" href="">Corporate Data: A Protected Asset or a Ticking Time Bomb?</a>, surveyed more than 2,200 employees of organizations in France, Germany, the U.K., and the United States, with perspectives from both end users and IT and information security personnel. The findings highlight several internal threats that organizations may be overlooking:</p><ul><li>Users have access to confidential data they should not have or no longer require.</li><li>The growth of data in organizations has impacted users' ability to locate and access the data they need to perform their jobs.</li><li>Users encounter long wait times to gain access to data.</li><li>Loss or theft of organizational data has occurred over the past two years.</li></ul></td></tr></tbody></table><p>Regardless of the organization's overall approach to evaluating security risks, internal audit should perform its own risk assessment of the organization's security posture.
By leveraging its broad view of the organization, internal audit's assessment can be sufficiently detailed to ensure appropriate coverage of both major and more basic security aspects such as how access is approved and how user security is handled for transferred employees. The Ponemon report points out that it's imperative that organizations cover these basic security activities and processes, because when they aren't working they often are the root causes of external data breaches and internal data losses. The evaluation results could be used as a baseline for annual security reviews.</p><p>If the organization contracts with external security providers to assess its security posture, internal audit should be involved from the beginning to ensure the appropriate coverage occurs and includes both external and internal threats. The provider's report should suggest ways to enhance the overall security posture. Based on its organizational experience, internal audit should review those suggestions with an open mind and consider enhancing the suggestions or providing alternatives to the consultant's solutions to best align the suggestions with the organization's philosophy and what's needed to address the risks. Where the consultant's review falls short of suggesting alternatives or may not have assessed certain areas, internal audit should provide additional suggestions and consider assessing areas that were not covered.</p><h2>Additional Opportunities</h2><p>Following the risk assessment, the internal audit function should be involved in the organization's discussions to address the risks that were uncovered, including recommending alternatives to standard remediation activities. For example, auditors could suggest supplementing the organization's security administration function with evolving security-as-a-service providers. 
Such providers could assume certain activities of the current security administration function, such as providing virus definition updates, log management, simple provisioning, or expertise on current security events, to free up in-house resources to work on larger, higher-risk imperatives or core IT competencies.</p><p>The security risk assessment may provide additional advisory or assurance opportunities for internal audit. Examples include suggesting best practices, such as performing more proactive assurance activities on high-risk areas, or recommending places where new security technologies, such as a data-loss prevention solution, could be implemented. As with the risk assessment, internal audit needs to strike a balance between its advisory and assurance roles. The key points for auditors to remember are to engage early, have the right staffing model, think holistically, and keep an open mind.</p>James Reinhard
What CIOs Have To Say About Cyber, Information Security, and More<p>The <a href="" target="_blank">Feb. 10 issue of the <em>Wall Street Journal</em> included a "CIO Network" section</a> (PDF) that makes interesting reading. Congratulations to the <em>WSJ</em>, by the way, for making this special report available on the Web.</p><p>Here are some excerpts of note (with my highlights):</p><p> <span class="ms-rteiaStyle-BQ">"The global chief information officers (CIOs) who gathered at the third annual CIO Network in San Diego last week are a chastened crew. <strong>When asked who hasn't been hacked, just one hand went up in the audience, and that CIO got a lot of skeptical looks.</strong> And when asked if business and the government were making progress against hacking or were <strong>losing the battle</strong>, the group overwhelmingly said the latter. But the conversation quickly got pragmatic. 'Don't go overboard on security,' one CIO said. 'I still have to address other matters.' Company networks need to grow and be flexible, interact with vendors and customers, and accommodate internal innovation. <strong>Cybersecurity has become just one more item on the corporate risk-management list — albeit high on the list</strong>, several CIOs said."</span></p><p><span class="ms-rteiaStyle-BQ">"Finding on-ramps to the <strong>cloud</strong> is the No. 1 priority on my agenda."</span></p><p><span class="ms-rteiaStyle-BQ">"Some 44 percent of the CIOs said their companies now tackle <strong>big data projects</strong> 'all the time.'"</span></p><p><span class="ms-rteiaStyle-BQ">"Use current challenges such as market conditions, cybersecurity, innovation, and data analytics as a <strong>catalyst for engagement in the boardroom</strong>. Use the opportunity to drive the components of your business agenda."</span></p><p><span class="ms-rteiaStyle-BQ">"<strong>Take risks</strong> and refrain from simply checking a box.
Be open to raw talent who have the smarts, the ambition, the enthusiasm, and the <strong>curiosity</strong>. Also look for people who understand how 'Year Zero' works with technology, and who are <strong>commercially minded</strong>. This strategy requires the CIO to take ownership and develop and install a path for their success."</span></p><p><span class="ms-rteiaStyle-BQ">"Change is constant; look for people who come at problems from a different perspective. Are we talking about a risk taker? Yes. But not someone who just takes risks. Recruit people who are incredibly adaptive to and can drive rapid change, both personally and professionally."</span></p><p><span class="ms-rteiaStyle-BQ">"Categorize what data in your company is the most critical. <strong>Make it clear to everyone how a breach would translate to business impact</strong>."</span></p><p><span class="ms-rteiaStyle-BQ">"<strong>Cybersecurity needs to be elevated to an international level</strong>; firms across industries and governments across regions must organize for this battle. They should view it as securing a common cyberborder."</span></p><p><span class="ms-rteiaStyle-BQ">"CIOs should think about how <strong>digital disruptors</strong> would approach their industry. Understand how to <strong>partner with the business</strong>. Find radically new revenue models and zero-cost supply models. CIOs should partner with early-stage external entities to find new business models."</span></p><p>Does any of this surprise me? No. I am encouraged by the CIOs' generally pragmatic approach. They recognize the importance of cybersecurity and that they can't keep the best hackers out, but need to keep that risk in perspective. They need to enable the business as a whole to succeed, not just avoid harm.
They are also very much aware of the threat and opportunity posed by new, disruptive technology — and the essential need to partner with business for strategic advantage.</p><p>What do you think?</p>Norman Marks
