The Always-on Supply Chain Always-on Supply Chain<p>​Robots, cloud computing, and other technologies are transforming supply chains, a recent study reports. More than half (52 percent) of supply executives say their organization will spend US$1 million or more on emerging technologies to enable digital supply chains in the next two years, a​ccording to the <a href="" target="_blank">2015 MHI Annual Industry Report​</a>. Twelve percent expect to spen​d at least US$10 million, and 3 percent will spend at least US$100 million, the report notes. </p><p>Deloitte interviewed 900 U.S. supply chain executives for the report, which was released in April at MHI's MODEX 2016 conference in Atlanta. MHI is a Charlotte, N.C.-based trade association representing the material handling, logistics, and supply chain industry.</p><p>"The 'always-on' supply chain has the potential to deliver massive economic and environmental rewards for our industry and society," MHI CEO George Prest says. "It can boost productivity and sustainability, drive new markets, encourage innovation, and create new, high-paying jobs."</p><h2>Eight Technologies</h2><p>The MHI report highlights eight emerging technologies that are having an impact on supply chain operations. </p><h3>Predictive Analytics </h3><p>This data-modeling technology can identify patterns that could enable organizations to predict consumer trends, inventory shortages, machine breakdowns, and other behavior and events. Thirty-seven percent of respondents say predictive analytics in the supply chain could provide a competitive advantage in their industry in the next 10 years, while 7 percent say it could disrupt their industry. The report forecasts the technology will experience the greatest growth, from 22 percent of responding organizations now to 80 percent in the next six to 10 years.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>Top Current Technologies</strong></p><ul style="text-align:left;"><li> <span style="line-height:1.6;">Cloud computing and storage – 45%</span><br></li><li> <span style="line-height:1.6;">Sensors and automatic identification – 44%</span><br></li><li> <span style="line-height:1.6;">Inventory and network optimization tools – 43%</span><br></li><li> <span style="line-height:1.6;">Robotics and automation – 35%</span><br></li></ul><p> <em> <br></em></p><p> <em>Source: MHI and Deloitte, 2016 MHI Annual Industry Report</em></p></td></tr></tbody></table><h3>Robotics and Automation </h3><p>The report notes these technologies are becoming "smarter" and less expensive, enabling organizations to use them for more "human-oriented" tasks, such as packaging, product inspections, and electronics assembly. More than half (51 percent) of respondents say robotics and automation could provide a competitive advantage or be a disruptive force in their industry.</p><h3>Sensors and Automatic Identification </h3><p>These technologies are vital to how the Internet of Things operates, with their ability to collect data from devices and communicate that data to users to aid in decision-making. There were 20 million sensors in operation in 2013, but industry advocates predict there could be 1 trillion sensors by 2022.</p><h3>Wearables and Mobile Technology </h3><p>Wearable technologies embedded in clothing, watches, and glasses can perform many tasks currently done by mobile phones and laptop computers, and can incorporate sensory and scanning capabilities those devices lack. The report notes wearables could "reshape how work gets done, how decisions are made, and how companies engage with employees, customers, and business partners." However, just 36 percent of respondents say these technologies could provide competitive advantage or disrupt supply chains.</p><h3>Driverless Vehicles and Drones </h3><p>Drone technology could aid in operations and logistics, such as monitoring functions, maintaining security, and providing data about a facility. Although new to the roadways, companies have used driverless vehicles for material handling for many years. Nearly 60 percent of respondents say these technologies are having some impact on supply chains, while 37 percent say they could provide a competitive advantage or disrupt supply chains.</p><h3>Inventory and Network Optimization Tools</h3><p>Organizations are using these decision-support tools to better deploy assets and position inventory, including transportation planning, production optimization, and inventory optimization. Nearly half of respondents (48 percent) say these technologies potentially could create a competitive advantage or disrupt supply chains. </p><h3></h3><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong style="line-height:1.6;">Future Forecast</strong> ​ <p> ​<br> </p><p>Predicted adoption of supply chain technologies in the next six to 10 years. </p><ul><li> <span style="line-height:1.6;">Inventory and network optimization tools – 90%</span><br></li><li> <span style="line-height:1.6;">Sensors and automatic identification – 87%</span><br></li><li> <span style="line-height:1.6;">Cloud computing and storage – 86%</span><br></li><li> <span style="line-height:1.6;">Predictive analytics – 80%</span><br></li></ul><p> <br> </p><p> <em>Source: MHI and Deloitte, 2016 MHI Annual Industry Report</em></p></td></tr></tbody></table><h3>Cloud Computing and Storage ​</h3><p>Cloud computing has become one of the most deployed technologies for supply chains, with 45 percent of respondents saying they have it in place. Companies are using the cloud to support data sharing with business partners, use staff resources more efficiently, and adapt to changing business needs. However, only 25 percent of respondents say it could be a competitive advantage, and only 4 percent consider cloud computing to be potentially disruptive to supply chains. </p><h3>3D Printing </h3><p>This technology uses 3D model data to build objects, which can enable businesses to create designs that might be difficult to make using traditional manufacturing methods. Despite the promise of faster and cheaper product design and development, only 17 percent of respondents say the technology could provide a competitive advantage. Just 48 percent of respondents say their organization will deploy 3D printing in their supply chain in the next six to 10 years.</p><h2>Overcoming Barriers</h2><p>Despite the transformative promise of these technologies, businesses face significant challenges to adopting them, the report states. Chief among these are a lack of a clear business case to justify investment (43 percent), lack of staff with skills to use the technology effectively (38 percent), and a risk-averse culture (35 percent). </p><p>To prepare to deploy new supply-chain technologies, respondents say their organizations are training staff to use them (56 percent), partnering with vendors to understand the benefits (46 percent), changing their organizational structure and incentives (43 percent), and increasing budgets (42 percent). Managing talent is chief among the report's recommendations to supply chain leaders. "The growth in digital, 'always-on' supply chains will only widen the talent gap that already exists in our industry," Prest says. "We need to train a new breed of supply chain professional who has technical, analytical, and problem-solving skills."</p><p>​<br></p>Tim McCollum0262
Defending From the Top From the Top<p>​​<span style="line-height:1.6;">Forty percent of board members and senior executives surveyed don't feel responsible for the repercussions of a cyberattack, according to a recent study, The Accountability Gap: Cybersecurity and Building a Culture of Responsibility. That lack of accountability contributes to their organization's vulnerability to such incidents, notes the report, which was sponsored by NASDAQ and security and systems management company Tanium Inc. Researchers at Goldsmiths at the University of London surveyed 1,530 nonexecutive board directors and C-level executives — including chief information officers (CIOs) and chief information security officers (CISOs) — from Denmark, Finland, Germany, Japan, Norway, Sweden, the U.K., and the U.S.</span></p><p>The reports defines cybersecurity vulnerability as a combination of awareness of risks and readiness to address those risks. By those metrics, just 10 percent of respondents' organizations are considered to have low vulnerability, while 80 percent are considered to have medium vulnerability. The remaining 10 percent deemed to be highly vulnerable are likely to encounter a crisis if they don't address cybersecurity risks quickly, the report observes.</p><p>In highly vulnerable organizations, 91 percent of nonexecutive directors say they can't interpret a cybersecurity report. Moreover, 98 percent of executives in those organizations aren't confident that their organization tracks all devices and users on their systems. </p><p>"If the potential impact of cyberrisk is high, and you do not treat it as an enterprise risk … you are remiss in terms of how you are operating as a board and you have a potential oversight gap," Eric Brown, Tanium's chief financial and operating officer, says in the report.</p><h2>Awareness and Readiness</h2><p>The Knowledge Gap report identifies seven factors that may affect cybersecurity vulnerability. The first four are related to awareness.</p><p><strong>Cyber literacy.</strong> The lack of cyber literacy is most prevalent among nonexecutive directors. For example, 59 percent of U.S. nonexecutive directors consider themselves cyber-literate, compared to 77 percent of C-level executives and 78 percent of CIOs and CISOs. The report notes that directors in high vulnerability organizations seldom get updates on cyberthreats and only half of them receive cybersecurity training. The report suggests that such training should include case studies.</p><p><strong>Risk Appetite.</strong> Sixty-eight percent of respondents' organizations have assessed the likely losses from a cyberattack, but just 13 percent of highly vulnerable organizations have done so. "Low vulnerability respondents are nine times more likely than high vulnerability respondents to be aware of and understand the implications of a breach," the report points out.</p><p><strong>Threat Intelligence.</strong> Organizations need to monitor and communicate the most current cyberthreat information to executives and the board in an accessible way such as through a real-time dashboard, the report recommends. Organizations should constantly assess their risks from the current threat landscape and evaluate whether their current measures are still adequate.</p><p><strong>Legislation and Regulation.</strong> Overall, two-thirds of nonexecutive directors surveyed receive regular briefings on cybersecurity legislation and regulatory changes, but directors at highly vulnerable organizations are 54 percent less likely to know about forthcoming regulatory changes and compliance requirements. Executives in the Nordic nations were most likely to be briefed regularly about government policy.</p><p>The three other challenges relate to cybersecurity readiness.</p><p><strong>Network Resilience.</strong> Organizations that can't identify all the devices and users accessing their network won't be able to manage their IT assets to ensure they are configured appropriately and have the most current patches, the report observes. Eighty-seven percent of respondents in high-vulnerability organizations don't consider their malware, antivirus software, and patches to be fully up-to-date. In addition, organizations need a defined IT change management process to minimize service disruptions and system downtime.</p><p><strong>Response.</strong> The report notes that only 10 percent of respondents in the most vulnerable organizations know about the appropriate actions that need to be taken to prevent, detect, and neutralize cyberthreats. Recently, many organizations have begun shifting from a prevention-based strategy to one of rapid detection and response, which is reflected in The IIA's recent North American Pulse of Internal Audit report's emphasis on "cyber resiliency." </p><p><strong>Behavior.</strong> At the least vulnerable organizations, all respondents report they understand the risks employees pose to their systems; just 17 percent of respondents from the most vulnerable organizations understand this. The report recommends organizations shift the focus of cybersecurity awareness to acknowledge that cybersecurity is everyone's responsibility, rather than just an IT or information security job.​​</p><h2>Not Just for Techies</h2><p>That emphasis on organizationwide accountability for cybersecurity starts at the top. Where boards and executives previously may have deferred cyberrisk to their IT experts, the report stresses that organizations whose board and senior management are accountable for cybersecurity are most prepared to address cyber incidents successfully.</p>Tim McCollum01179
Internal Audit Should Be on Alert for "Phishy" Business Audit Should Be on Alert for "Phishy" Business<p>​It is no longer news that cybersecurity is one of the top risks facing organizations today. Cyber criminals are exhibiting increasingly ingenious tactics to hack public and private databases that contain millions of individuals' private records.</p><p>Organizations globally are working diligently to gird themselves against these increasingly sophisticated cyberattacks and developing crisis management plans to deal with any attacks that succeed. Yet there is a growing threat from cyber criminals that requires little more than access to the Internet, a bit of brazen ingenuity, and the hope that some overworked finance executives might not be on their toes. I'm talking about a basic email scheme that has resulted in billions of dollars in business losses.</p><p>Earlier this month, the U.S. Federal Bureau of Investigation (FBI) posted an alert about the ubiquitous "phishing" scheme where a cyber criminal poses as a company executive and directs an employee — typically someone in finance — to initiate an emergency wire transfer. According to the alert, this simple scam recently led to "massive financial losses" in the Phoenix, Ariz. area in the U.S., and the number of overall victims it has claimed has jumped 270 percent since January 2015. Indeed, there were nearly 18,000 identified victims of business email compromise scams between Oct. 2013 and Feb. 2016, with losses topping USD$2.3 billion, according to the FBI.</p><p>This is not just a U.S. problem. Law enforcement has received complaints from victims in at least 79 countrie​​s.</p><p>No business is immune from becoming a target. Victims reporting thefts to the FBI's <a href="">Internet Crime Complaint Center</a> range from large corporations to tech companies to small businesses. Many times these "phishing trips" target businesses with foreign suppliers or those that use wire transfer frequently.</p><p>This type of scheme hit close to home this month when The IIA's chief financial officer (CFO) received a directive from what appeared to be my email account seeking an immediate wire transfer. She became suspicious and reached out to me before taking any action and confirmed the email did not come from me. However, this serves as a good example of just how easily these schemes can be put together.</p><p>Something as benign as LinkedIn can provide the names and email addresses of a company's CEO and CFO. All that remains is doing a little homework about the company and its financial practices, and a crafty cyber criminal can be rewarded with a major payday. According to the FBI, the average take in the Arizona scam was USD$50,000.</p><p>Internal auditors should be on the front line in protecting organizations from succumbing to these kinds of scams, and it shouldn't be a heavy lift for most audit functions. Here are some easy steps organizations can take to protect themselves:</p><div><ul><li>Establishing good governance practices on wire transfers, such as multilevel authentication (confirmation from at least two executives) and verifying vendor payment changes.<br></li><li>​Working with IT to coordinate further precautionary steps, such as intrusion detection systems that identify suspect email addresses.<br></li><li>Discouraging the use of free, Web-based email accounts for any official business, as these are more easily hacked.<br></li><li>Being careful when posting financial or personnel information on company websites or in social media posts.<br></li><li>Testing, testing, and retesting.​​<br></li></ul><p></p><p>This last tip is crucial in boosting employee sensitivity to suspect emails. A high-profile U.S. federal inspector general, who spoke at a recent IIA conference, said she routinely sends phishing emails to unsuspecting staff within her organization to test their compliance with rules about sharing sensitive information or clicking on inviting links embedded in emails.</p></div><p>I have written on several occasions that the pace of technological change has created ever-more-complex risks for organizations, and I've urged internal auditors to learn to audit at the speed of risk. The battle against email phishing schemes is the low-hanging fruit in that high-tech garden. A strong partnership with IT, effective governance practices, and a regimen of staff training and testing of those practices can significantly lower the risk of your organization becoming the next victim of an email phishing scheme.</p><p>I welcome your comments.</p>Richard Chambers02949
5 Steps to Agile Project Success Steps to Agile Project Success<p>​More and more organizations have been turning to the Agile methodology for their software development efforts. According to PricewaterhouseCoopers’ Global Portfolio and Programme Management Survey 2014, use of Agile has increased by 11 percent since 2012. At the same time, many internal audit functions are struggling with how to interact with Agile projects, especially those whose experience lies with more traditional, system development life-cycle (SDLC) controls. </p><p>Agile processes help project teams manage unpredictability through a focus on adaptive planning and rapid, flexible response to change. The Agile philosophy encompasses several iterative software delivery methodologies — including scrum, extreme programming, and feature-driven development — that emphasize a lean, interactive approach to product developm​ent. In fact, Agile is not confined to a single method of delivery — most organizations take a hybrid approach, drawing from multiple iterative development methodologies. The products to which Agile is applied typically emphasize making usable code available quickly to meet business needs. </p><p>Agile project management focuses on perceived value-add processes. The values that underpin this approach, as defined by the Agile Manifesto, specify that: a) individuals and interactions are more valuable than processes and tools, b) working software is a higher priority than comprehensive documentation, c) customer collaboration is more important than contract negotiation, and d) responding to change is preferable to following a rigid plan.</p><p>Auditors familiar with traditional SDLC controls will likely recognize that some of the Agile values conflict with more established methodology. The traditional controls are typically implemented “after the fact,” and they rely heavily on documentation — neither of which works well with Agile methodologies. To help close the gap between their knowledge of traditional models and the Agile method, internal auditors should consider five steps aimed at enhancing work with Agile teams. Following this approach, practitioners can help the team, and the organization, execute its compliance responsibilities effectively while making sure not to erode the value of Agile methodologies.</p><h2>1. Get Involved Early, Understand the Processes</h2><p>The earlier internal audit gets involved, the better. Working with Agile teams in the early stages of project development increases understanding of the project’s life cycle and its key benefits, drivers, and objectives. That understanding, in turn, enables internal audit to better contribute to the project as the team defines its risk management approach and strategy. </p><p>Before internal audit can begin scoping an Agile project, it has to understand the processes. Auditors should spend time with the process owners and ask them to explain their version of Agile. Although scrum is the most commonly used approach, auditors should never assume that scrum, or any other method, has been selected.</p><p>Numerous Agile variants exist, and some organizations even develop their own in-house methodology based on Agile’s core values. Several variants, in particular, are commonly encountered:<br></p><ul><li><p><strong>Scrum</strong> is often used interchangeably with Agile and focuses on the project management of the product or SDLC. The methodology emphasizes collaboration, functioning software, team self-management, and the flexibility to adapt to emerging business realities. Scrum is highly collaborative, often benefiting from cohabitation of resources.  </p></li></ul><ul><li><p><strong>Extreme programming (XP)</strong> is an Agile variant that focuses on the software engineering component of SDLC. The approach is best suited to small, focused teams and promotes simplicity of code. It features frequent releases in short development cycles, coding in pairs, and unit testing of all code. </p></li></ul><ul><li><p><strong>Lean development</strong> is a variant common to scrum that focuses on SDLC project management. Lean development’s roots are grounded in Lean manufacturing theories — the methodology consists of start-up, steady-state, and transition or renewal project phases.</p></li></ul><ul><li><p><strong>Crystal methods</strong> are a collection of various Agile-like methodologies focused on streamlined, optimized, integrated teams, with a specific method applied to each project depending on communication requirements, system criticality, and project priority. </p></li></ul><p>Other variants of Agile include hybrids such as feature-driven development, test-driven development, Waterfall-Agile, the dynamic system development model, and the Agile unified process. Internal auditors should make sure they understand the project methodology’s objectives, process controls, and documentation and process requirements before a risk management approach and strategy are defined. </p><h2>2. Assess Risk and Control </h2><p>Once the chosen methodology is understood, internal auditors should map out process control points — even if the project team doesn’t necessarily view them as controls. Two control points from the scrum methodology provide illustrative examples: <br></p><ul><li><p><strong>Product backlogs</strong> comprise the store of all user requirements in the form of stories that communicate what the end user should be able to do, and the benefits accruing from those features. A backlog, and variations of it, exists for every Agile project and should be available to everyone involved. Documentation such as test cases and results, as well as specifications, vary from team to team. If a product backlog can’t be produced, the auditor should inquire about it with members of the Agile team. </p></li></ul><p></p><ul><li><p><strong>Burn-up/burn-down charts</strong> are the primary tool many teams use for tracking their progress. They measure the total in-scope work, the amount of work that should have been completed by a particular time, and the work actually completed. In effect, the charts take the place of several traditional project controls and could be viewed as a type of earned value analysis. Such charts reveal where project efforts are focused, and where they should be focused, as well as help identify significant changes in scope. </p></li></ul><p>Once internal auditors develop an understanding of the inbuilt controls, they should examine the project’s inherent risk profile. While Agile development can provide significant benefits to a project — such as more frequent releases of code and better alignment between users’ needs and the finished product — it also introduces risks that need to be considered and managed correctly.</p><p>The traditional roles of business users, developers, testers, and IT experts have become more cross-functional and integrated to support leaner project teams and continuous delivery. Consequently, some of the traditional control gates may not exist as expected on Agile projects, particularly with regard to segregation of duties. That’s especially true in organizations that have adopted a development operations (DevOps) strategy. DevOps sees operations and development engineers working together throughout the life cycle, from design to production support.  </p><p>Auditors need to understand the project team’s approach to segregation of duties and code production, and examine controls within that approach. Agile processes should result in an increase in automation, including testing and approval, as opposed to traditional manual sign-offs. Internal audit must become familiar with those tools and processes as well as know how to interpret the outputs of automated systems and logs.</p><p>Auditors should also be mindful of the risk that Agile project iterations could become delayed by traditional functions such as change and release management. They should assess the project team’s ability to integrate with those functions, and raise issues related to interactions with them — including the functions’ ability to support rapid-delivery models.</p><p>Documentation issues may also present a risk. While Agile-delivery methodologies by their nature seek to generate less documentation than traditionally required, that doesn’t mean documentation should not exist. Auditors should work with the team to find the minimum documentation standard acceptable and determine whether the product backlog, or an extension of it, achieves the required level of comfort while still promoting Agile principles. </p><p>Lastly, one of Agile’s biggest benefits — its short turnaround cycles — also represents one of its inherent risks. The discipline’s iterative nature can make it difficult to realize the promised business value, if the effort’s scope is continually evolving. Agile teams need to put a mechanism in place that isolates the effort while still capturing future functionality in the product backlog. That functionality should then be turned into a separate effort that can be controlled independently.</p><h2>3. Know How Agile Teams Define Done</h2><p>One of scrum’s primary tenets states that teams following the methodology are self-organizing and self-directed, meaning that individual teams largely identify and implement their own standard practices and quality control metrics. And because quality measures can vary from one team to the next, differing notions of what constitutes project completion may exist. Examples of the Agile team’s methods for defining when a project is “done” include: <br></p><ul><li><p><strong>A code/configuration review process. </strong>The team may require many levels of solution-level reviews to confirm adherence to design or development standards, to promote optimized and sophisticated error logging and error handling, or to meet other required solution needs.</p></li></ul><p></p><ul><li><p><strong>Testing requirements.</strong> Different industries and their solutions may necessitate varying levels of testing standards and practices.</p></li></ul><ul><li><p><strong>Traceability.</strong> Many project teams apply the contents of the Agile Manifesto to promote a <em>document-free </em>process versus a <em>documentation-driven</em> process. However, a well-practiced Agile team can, for example, provide traceability that links working product features to requirements (user stories taken from an approved product backlog), design documentation, test evidence, and release strategy and documentation.</p></li></ul><p>Understanding the team’s definition of done leads to an entry point for a risk-based conversation about the effective use of Agile to deliver business value. The definition serves as a quality control mechanism, though it also acts to promote adherence to practices aimed at reducing risks associated with Agile development.</p><h2>4. Assemble the Right Skills</h2><p>Agile-based projects feature unique risks and control structures, and understanding them is crucial to the review process. Audit teams need to align the right expertise with planning and review activities, enabling practitioners to:<br></p><ul><li>Ensure a sound understanding of the problems and risks.</li></ul><p></p><ul><li>Establish credibility and confidence in the program team.</li></ul><p></p><ul><li>Build empathy with the delivery team.</li></ul><p></p><ul><li>Deliver practical, meaningful insight to the project team.</li></ul><p></p><ul><li><p>Provide actionable feedback that promotes more effective use of Agile without introducing additional business risk.</p></li></ul><p>Subject matter specialists with experience in both delivering and reviewing similar projects are also key to successful reviews. Specifically, auditors reviewing Agile projects should have more than a basic understanding of Agile processes, familiarity with the toolset being used, an understanding of how to extract and interpret the required information, and a grasp of the path to production that is being used by the project teams.  </p><p>Once the review team is in place, auditors should make sure their approach focuses on delivering value. In particular, they need to understand what the project team is trying to achieve and link audit activities to those aims. To achieve alignment, practitioners should consider an objectives-based audit program. Rather than reviewing compliance against a particular risk and issues template, for example, the team should determine whether the overall objective of “managing risks and issues effectively” has been met. Auditors may want to consider using an assessment framework that goes beyond control outcome.</p><p>Practitioners need to provide relevant, actionable, and timely feedback that will enhance the likelihood of project success. Moreover, reviews should not be limited to solution and delivery risk — practitioners may want to consider external and commercial risk and examine any corresponding mitigation strategies. These factors contribute to the likelihood of project success and may be critical to a meaningful review. Auditors should familiarize themselves with not only the expected controls outcomes of the project, but also the required technical and business outcomes, allowing for a more rounded view to be developed. </p><h2>5. Establish Reporting Parameters and Provide Real-time Feedback</h2><p>To deliver maximum value to the project team, auditors should explain the nature of the engagement and obtain agreement up front regarding how and when they will release reports. Is the review a formal internal audit, or is it a health check or other activity aimed at performance improvement? Will the reporting be delivered through standard channels or directly to the project’s governance structure? The answers to these questions guide the reporting for eventual review.</p><p>Internal audit and the business should also agree on the most efficient and practical reporting format. Agile projects run at high speed and in high-pressure environments — quite often, value can best be realized by near-real-time feedback. Timely, practical, and actionable reporting is key to Agile’s success. </p><h2>Relevance and Value</h2><p>As noted in PwC’s 2015 State of the Internal Audit Profession Study, internal audit functions that focus on adding value are outperforming other teams in terms of business alignment and talent models. Understanding a project’s objectives, as well as the risks associated with project methodology, helps enhance the value internal audit can deliver. The key is simple: Engage with teams early, understand what they’re doing, modify the approach as needed, and provide relevant feedback — all while helping the Agile teams and the organization better understand and control risk.</p>David Tilk03294
Advice for the Board and C-suite on New Technology for the Board and C-suite on New Technology<p>​There's an interesting new post on the Cutter Consortium ​Blog. Bu​​t first, I want to draw your attention to a more detailed discussion of disruptive technology in <em style="line-height:1.6;">McKinsey Quarterly</em>.</p><p> <a href="" target="_blank">"The Economic Essentials of Digital Strategy"</a> makes it clear that understanding and taking advantage of new technologies is essential for survival, let alone success.</p><blockquote><p>​These days, something of a mix of the fear of sharks and the thrill of big-wave surfing pervades the executive suites we visit, when the conversation turns to the threats and opportunities arising from digitization. The digitization of processes and interfaces is itself a source of worry. But the feeling of not knowing when, or from which direction, an effective attack on a business might come creates a whole different level of concern. News-making digital attackers now successfully disrupt existing business models — often far beyond the attackers' national boundaries:</p><ul><li> <span style="line-height:1.6;">Simple (later bought by BBVA) took on big-cap banks without opening a single branch.</span><br></li><li> <span style="line-height:1.6;">A DIY investment tool from Acorns shook up the financial-advisory business.</span><br></li><li> <span style="line-height:1.6;">Snapchat got a jump on mainstream media by distributing content on a platform-as-a-service infrastructure.</span><br></li><li> <span style="line-height:1.6;">Web and mobile-based map applications broke GPS companies' hold on the personal navigation market.</span><br></li></ul><p> <br> </p><p>No wonder many business leaders live in a heightened state of alert. Thanks to outsourced cloud infrastructure, mix-and-match technology components, and a steady flood of venture money, start-ups and established attackers can bite before their victims even see the fin. At the same time, the opportunities presented by digital disruption excite and allure. Forward-leaning companies are immersing themselves deeply in the world of the attackers, seeking to harness new technologies, and rethinking their business models — the better to catch and ride a disruptive wave of their own. But they are increasingly concerned that dealing with the shark they can see is not enough — others may lurk below the surface.</p></blockquote><p>The authors describe many of the ways in which new technologies can disrupt an existing business as well as provide exciting opportunities for the future. They suggest one way to analyze the threats and opportunity, which I suggest is well worth considering.</p><p>Turning our attention to the much shorter Cutter<i></i> piece, it is simpler and in some ways more practical. </p><p>In <a href="" target="_blank">"Advice to C-suite(rs) About​ 'Game-Changing' Technology,"</a> Dr. Stephen J. Andriole suggests three questions that members of the C-suite should ask about new and disruptive technology:</p><ol><li> <span style="line-height:1.6;">What's your technology plan?</span><br></li><li> <span style="line-height:1.6;">What game-changing technologies are you tracking?</span><br></li><li> <span style="line-height:1.6;">How will these technologies drive revenue and profit?</span><br></li></ol><p>The article expands on each of these questions with examples of how they might be answered.</p><p>While he doesn't say so, the goal is to ensure that the organization is not only aware of the potential for new technology to contribute to its success (typically in radical fashion, as in the McKinsey piece) but has plans on which it will act to realize the potential.</p><p>If an organization does not seize the opportunity presented by new technology, it can fall behind its competitors and, eventually, fail. Just think of Nokia, Research in Motion, and so many more.</p><p>These three questions are a good start.</p><p>Let's build on them.</p><ol><li> <span style="line-height:1.6;">What is your business plan — not just technology plan? Have you considered the potential for new technologies to change your objectives and strategies?</span><br></li><li> <span style="line-height:1.6;">Which game-changing technologies are you tracking — and why? Why are you not tracking others? How do you know you have identified all the possibilities?</span><br></li><li> <span style="line-height:1.6;">Are you considering uses for the technologies that are different from what others are doing? How best can each be used in your business? Is your plan driven by the technology leaders or are the business-unit leaders taking the lead?</span><br></li><li> <span style="line-height:1.6;">What are you going to do with your current technology? Will you keep and maintain it? Will you have the resources to do so? Can you eventually migrate to new platforms and capabilities?</span><br></li><li> <span style="line-height:1.6;">Do you understand the risk as well as the reward? Will you be able to manage one and seize the other? Are you introducing new cyber, compliance, reputation, or other risks, such as providing retail customers access to your systems or creating a risk that robots will fail?</span><br></li><li> <span style="line-height:1.6;">How will you measure success? Can you delay or back out if necessary?</span><br></li><li> <span style="line-height:1.6;">How will you modify your plans if yet another new technology emerges that renders your current plans obsolete?</span><br></li><li> <span style="line-height:1.6;">Have you involved your risk, compliance, and internal audit teams to ensure you get all the insight and advice you need? Are they helping as you develop the strategy or are they only brought in after decisions have been made?</span><br></li></ol><p>If an organization does not have its eyes on the potential threats and opportunities presented by new technology, both the risk and audit teams should be concerned. The risk to the organization of being blind to either should be brought to the attention of the board.</p><p>Do you agree? Is your company ready?​</p>Norman Marks01437
Cyber in Focus in Focus<p>​Boards and internal audit departments alike are making cybersecurity a business risk issue — not just an IT risk concern — according to Protiviti Inc.'s <a href="" target="_blank">2016 Internal Audit Capabilities and Needs Survey​</a>. Nearly three-fourths (73 percent) of the 1,300 internal auditors who responded to the survey say cybersecurity is part of the internal audit plan, up from 53 percent in 2015. </p><p>Organizations are feeling outside pressure to make cybersecurity a priority. The survey notes that 57 percent of respondents' organizations have received inquiries from customers and insurance providers about their cybersecurity readiness.</p><p>Respondents say their top cybersecurity risks include brand and reputational damage, leakage of employee personal information, security of company information, and business disruption. They report that earlier identification of cybersecurity risk issues and control problems provides the greatest value to addressing cyberrisk. Monitoring reputational risk and improving operational performance also contributed to cyberrisk efforts.</p><p>The Protiviti report warns that those known risks may be just "the tip of the iceberg," though. "To focus on what may be lingering below the surface, cybersecurity risk management strategies not only should be in place, but they also must be effective," it advises.</p><h2>Boards Make a Difference</h2><p>The survey report asserts that high board engagement and understanding of cybersecurity is a big success factor in addressing cyberrisks. Organizations whose boards have a high engagement and understanding are three times more effective at identifying (57 percent), assessing (55 percent), and mitigating (45 percent) cyberrisks than other organizations. </p><table cellspacing="0" width="100%" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;">​ <p> <strong>Top 10 Priorities</strong></p><p>Internal auditors responding to Protiviti's latest Internal Audit Capabilities and Needs Survey identifies these priorities for 2016:</p><ol><li>ISO 27000 (data security).</li><li>Mobile applications.</li><li>NIST Cybersecurity Framework.</li><li>Global Technology Audit Guide 16: Data Analysis Technologies.</li><li>The Internet of things.</li><li>Agile risk and compliance.</li><li>ISO 14000 (environmental management).</li><li>Data analysis tools for statistical analysis.</li><li>Country-specific ERM frameworks.</li><li>​Big data and business intelligence.</li></ol></td></tr></tbody></table><p>Yet, the percentage of respondents who say their boards are highly engaged decreased this year, from 30 percent in 2015 to 24 percent today. "When it comes to cybersecurity and auditing processes, the highest performing organizations have audit committees and boards who actively engage with the internal audit function during the discovery and assessment of these risks," says Brian Christensen, Protiviti's executive vice president, global internal audit, in Menlo Park, Calif. </p><p>Likewise, organizations that have included cybersecurity in the internal audit plan are somewhat better able to identify (30 percent), assess (27 percent), and mitigate (22 percent) cyberrisks. </p><p>In both cases, respondents say they are more confident in their organization's ability to prevent a data breach or a targeted external attack than organizations with less engaged boards or that have not included cybersecurity in their audit plans. Such organizations also are more likely to have a cyberrisk strategy and policies in place, and they tend to include cyberrisk in their overall risk assessment.</p><h2>Action Items</h2><p>The Protiviti survey proffers 10 actions that CAEs and internal auditors should take to address cybersecurity risks. Chief among them is working with management and the board to develop a cybersecurity strategy and policy, and finding ways to improve the organization's ability to identify, assess, and mitigate cyberrisk to an acceptable level. Other actions include:</p><ul><li> <span style="line-height:1.6;">Assessing and mitigating potential threats coming from the actions of employees or business partners.</span><br></li><li> <span style="line-height:1.6;">Heightening board awareness </span> <span style="line-height:1.6;">of cyberthreats and ensuring the board remains engaged in cybersecurity matters.</span><br></li><li> <span style="line-height:1.6;">Integrating cyberrisk in the audit plan.</span><br></li><li> <span style="line-height:1.6;">Understanding how emerging technologies and trends affect the organization's cyberrisk profile.</span><br></li><li> <span style="line-height:1.6;">Evaluating the organization's cybersecurity program against the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as well as ISO 27001 and ISO 27002.</span><br></li><li> <span style="line-height:1.6;">Communicating to management the importance of combining human and technology security.</span><br></li><li> <span style="line-height:1.6;">Advising management to make cybersecurity monitoring and cyber-incident response a top priority.</span><br></li><li> <span style="line-height:1.6;">Addressing IT and audit staffing and resource shortages and technology tool needs.​</span><br><br></li></ul><p>In addition to these actions, internal auditors may benefit from refining their cybersecurity-related skills, which are among the areas of general technical knowledge survey respondents say they need to improve.​</p>Tim McCollum01831
Marketers Missing Social Media Pay-off Missing Social Media Pay-off<p>Organizations are investing m​​ore in social media, without signs that it is paying off for them, according to a recent survey sponsored by the American Marketing Association, Deloitte, and Duke University's Fuqua School of Business. The biannual <a href="" target="_blank">CMO Survey</a> reports that only 25 percent of the 289 U.S. chief marketing officers who responded say social media contributes to the organization's performance. Only 3 percent say social media makes a very high contribution.</p><p>One problem is that only 11 percent of respondents can quantify the impact social media investments have had on their business. Forty-one percent say they have a qualitative sense of social media's impact, but 48 percent haven't been able to demonstrate its impact. Business-to-consumer service organizations (18 percent) are most likely to have quantitative proof of social media's impact, while business-to-consumer product companies (9 percent) have the least proof.</p><p>Still, organizations continue to boost social media spending, the report notes. Currently, social media makes up 11 percent of marketing budgets at respondent organizations, but respondents say that will increase to 13 percent this year. Moreover, they predict social media will rise to nearly 21 percent of marketing spending in the next five years.</p><p>"Companies are spending a lot on social media right now, but demonstrating its contribution depends on more than investment in analytics," says Christine Moorman, the Duke business professor who directs the survey. "Firms must also take other steps to integrate social with the rest of the company's marketing strategies." </p><p>To achieve this, she says organizations will need to change where the social media function is located, how it is involved in marketing planning, and how the organization manages customer and brand assets within social media. These are areas where marketing functions struggle, though. The survey notes that social media is moderately linked to the marketing strategy at respondent organizations. However, the degree to which those organizations have integrated customer information across their purchasing, communication, and social media channels has slipped over the past year compared to previous surveys.</p><p>"This lack of 360-degree understanding of customers makes all of marketing, including social media, less effective," Moorman says.</p><p>Moving forward, respondents say their organization's top social media investment areas this year will be content creation (63 percent), analytics (44 percent), campaign optimization (41 percent), social listening (41 percent), and community engagement (40 percent). ​</p>Tim McCollum0672
Expanding the Foundation the Foundation<p>​The history of internal auditing, traced to its earliest roots, dates back to at least 4000 B.C., when businesses and governments in the Near East used the profession’s predecessors to ensure they were accounting for tax receipts and disbursements correctly. Technology and organizations advanced over the years, but one of internal auditing’s main functions remained largely the same — evaluating compliance.</p><p>That, of course, has changed over the past few decades, as new regulations, shifting priorities, and the need to improve efficiencies have altered the focus of internal audit work. Particularly in the last quarter-century, there has been dramatic movement in the roles and responsibilities of practitioners. With a rise in prominence, a larger voice in enacting change, and a hand in many aspects of the business, internal audit has matured into a highly respected function. Whereas auditors once operated as reclusive, task-oriented individuals, they’re now often called to be forward-thinking drivers of change who have strong leadership and people skills. <br></p><p>Internal audit has gone through “stages of maturation” over the years, each stage requiring its own changing skills, says Hans Spoel of AJS Consulting in Brussels. Spoel points to internal auditors’ progression from simply certifying the organization’s internal accounts to what he now calls the “effectiveness and efficiency” stage. “When internal audit was tucked away in the comptrollership, skills used to be basic and analytical,” he says. “Internal audit is now a serious partner at the table, and auditors need to be more communication-, presentation-, and consulting-oriented.”<br></p><h2>Technology’s Influence</h2><p>Many attribute the shift in audit to the changes in technology since the mid-1990s. Advanced computing and the Internet have increased the flow of information, allowing auditors to spend more time evaluating processes and understanding the business than dealing with tedious tasks like gathering data and taking inventories.<br></p><p>Günther Meggeneder, senior vice president of corporate internal audit and compliance at ista International GmbH in Essen, Germany, says technology has fundamentally changed the nature of information at auditors’ disposal. While auditors used to test “hand-picked samples” in the 1970s and 1980s, they can now evaluate entire populations of data. Internal auditors of the past conducted “theoretical” interviews, whereas today’s interviews are based on comprehensive analytics. “[Changes] have had a big impact on soft skills, but process knowledge and analytical thinking remains very important,” he says.</p><p>Richard Anderson, clinical professor at the Kellstadt Graduate School of Business at DePaul University in Chicago and a retired partner from PricewaterhouseCoopers LLP, also points to the importance of technology-related advancements in the 1970s and 1980s. He says the rise of computers required auditors to have new skills in IT, prompting organizations to start developing IT audit groups that were “different from other internal auditors.” By the 1990s, the simplification of computers made them easier to operate and, to an extent, merged the two types of practitioners. Soon enough, auditors learned to leverage the Internet, applications, and devices to take some of the legwork out of obtaining data. Moving from manual auditing to a continuous auditing process has also enhanced the need for analytical skills, Anderson says.<br></p><p>Technology has also brought with it an entirely new set of risks that internal auditors must understand, says Rod Winters, retired general auditor for Microsoft Corp. Those risks require practitioners to understand not only organizational processes, but the technology and systems that enable them. “Technology not only became an internal audit compliance tool but also came with its own set of risks,” Winters says.<br></p><h2>Soft Skills and Business Acumen</h2><p>Sridhar Ramamoorti, associate professor at the School of Accountancy and director of the Corporate Governance Center at Kennesaw State University in Kennesaw, Ga., says the psychology of audit also became more complex over the years, requiring more soft skills. Today’s internal auditors need to use a “chemistry approach” of adaptability, flexibility, and relationship-building acumen. “Internal auditors now need to have the people skills to demonstrate the competence and credibility of the internal audit function,” Ramamoorti says.<br></p><p>Betty McPhilimy, associate vice president for audit and advisory services at Northwestern University in Evanston, Ill., cites the early-2000s as a “big turning point” for the profession. In 2002, The IIA changed the definition of internal auditing, redefining the responsibilities to be “more than just the testing and sampling of transactions.” Internal auditors started to provide advisory services with recommendations to enhance efficiency, effectiveness, and controls. “What really evolved was the ability [and expectation] to add value,” McPhilimy says. “It completely changed how organizations view internal audit and the skill sets auditors were expected<br>to have.” <br></p><p>Anderson explains that several events changed skill sets since the 1970s. One was that the focus on internal control “really started to develop as a knowledge set.” By the 1990s, he says companies were upgrading and professionalizing their internal audit groups, looking for people who had experience with accounting and internal controls. Another change was that companies started looking for internal auditors who had been in the business for a while and knew about procedures and operations. “There was a lot of growth by acquisition, and companies needed internal auditors who knew about the business,” Anderson says.<br></p><p>As internal auditors became instruments of improvement and change, they needed more leadership skills than in the past, Winters says. That move from mere financial compliance is leading organizations to seek internal auditors with strategic thinking capabilities, strong communication skills, and the ability to influence others. <br></p><p>In the earlier days of the profession, internal auditors were simply supposed to look for problems. Now they’re expected not only to do that, but to look for improvements, identify solutions, and sell them to management and decision-makers. “It grew into a bigger role, and auditors were expected to have much broader skill sets and business acumen than they did in the past,” Winters says. “Relationship-building, networking, and demonstrating competency in multiple facets of the organization became more important.”  <br></p><p>If Winters were hiring an auditor in 1985, it would have been an accountant or IT person who “sat in an area by themselves,” he says. Today, Winters would be hiring a person who had knowledge of operations and strong people skills.<br></p><p>“There’s still a need for traditional skills,” he says. “But internal auditors now need long-term adaptability, continuous learning, critical thinking, and judgment.”   <br></p>Craig Guillot01854
Medical Device Cybersecurity Device Cybersecurity<p>​<span style="line-height:1.6;">S</span><span style="line-height:1.6;">ecuring computer systems is common practice, but the same cannot be said for off-the-shelf (OTS) medical devices containing embedded computer systems, which are vulnerable to threats that could expose patients to harm. For example, attackers could exploit flaws in wireless-enabled medical implants to trick an insulin pump into delivering a lethal dose or reset a pacemaker to deliver a fatal shock. </span></p><p>Concerns over such attacks prompted former U.S. Vice President Dick Cheney’s doctors to disable the wireless functionality of his pacemaker in 2013. The potential threat from criminal organizations, hostile nations, and others is so great that the U.S. Department of Homeland Security is working with the U.S. Food and Drug Administration (FDA), medical device manufacturers, and health-care professionals to address device vulnerabilities. </p><p>In addition to threatening patients’ health, compromised medical devices connected to health-care provider networks may enable hackers to steal patient data, resulting in the unauthorized disclosure of personal health information (PHI). According to Reuters, medical information is worth 10 times more than customer credit card numbers on the black market because it can be used to create fake IDs to buy medical equipment or drugs, as well as to file fraudulent insurance claims. Based on these safety and data security concerns, internal auditors who work in the health-care industry or for benefit providers need to be aware of medical device risks and ensure their organizations have effective mitigation programs in place.           </p><h2>Governmental and Industry Concerns</h2><p>In 2012, the FDA released Strengthening Our National System for Medical Device Postmarket Surveillance, which advocated several key objectives:</p><ul><li><span style="line-height:1.6;">Establish a multistakeholder planning board to identify the governance structure, practices, policies, procedures, and business models necessary to facilitate the creation of an integrated medical device post-market surveillance system.</span><br></li><li><span style="line-height:1.6;">Establish a unique device identification (UDI) system and promote its incorporation into electronic health information.</span><br></li><li><span style="line-height:1.6;">​Develop national and international device registries for selected products.</span><br></li><li><span style="line-height:1.6;">Modernize adverse event reporting and analysis.</span><br></li><li><span style="line-height:1.6;">Develop and use new methods for evidence generation, synthesis, and appraisal.</span><br></li></ul><p>The FDA’s October 2014 guidance for the medical device industry, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, encouraged manufacturers to consider cybersecurity risks throughout the development and manufacturing cycle. In addition to the FDA, the Institute of Electrical and Electronics Engineers (IEEE) released Building Code for Medical Device Software Security to help manufacturers mitigate cybersecurity weaknesses. </p><p>Collectively, these guidelines are not easily enforceable, can be difficult to implement, and may not be legally binding. As such, health-care providers that rely on these devices for patient care and services should exercise their own due diligence to ensure they are safe, reliable, and secure.   </p><h2>Risk Factors </h2><table width="100%" cellspacing="0" class="ms-rteiaTable-default"><tbody><tr><td class="ms-rteiaTable-default" style="width:100%;">​<strong>OTS Medical Device Categories</strong><br><br>Modern medical devices represent the culmination of scientific research and technological breakthroughs that have enhanced the quality of patient care. Numerous manufacturers around the world build these OTS devices with varying degrees of software hardening standards that often leave them prone to cybersecurity vulnerabilities. <br> <br>Device categories include:<br><ul><li>Implantable: Cardiac defibrillators/ pacemakers, cochlear implants, neuro-stimulators, gastric stimulators, and insulin pumps.</li><li>Diagnostic: Blood gas analyzers, CT and MRI scanners, and ultrasound and X-ray machines.</li><li>Life support: Heart-lung, kidney dialysis, and respiratory ventilator machines.</li><li>Monitoring: Electro-cardiogram and electro-encephalogram monitoring systems.</li><li>Therapeutic: Continuous Positive Airway Pressure machines, drug delivery systems, blood/plasma infusion pumps, medical lasers, and LASIK.</li><li>Procedural: Remote-controlled surgical robotics.</li></ul></td></tr></tbody></table><p>To understand what needs to be protected, internal auditors must first become familiar with the FDA and IEEE guidelines and other health-care industry sources. OTS medical device areas that should be scrutinized by internal audit include:</p><ul><li><em style="line-height:1.6;">Operating systems.</em><span style="line-height:1.6;"> Many medical devices still run on old, unsupported operating systems that are vulnerable to hacking exploits and UNIX variants with unsecure default configuration settings.</span><br></li><li><em style="line-height:1.6;">Security patching.</em><span style="line-height:1.6;"> Unlike conventional network components, medical devices typically cannot accept security patch updates because they rely on closed operating systems that can only be updated by the manufacturer.</span><br></li><li><em style="line-height:1.6;">Application software.</em><span style="line-height:1.6;"> IT teams usually cannot access medical device internal software to ensure cybersecurity safeguards are in place and operating e</span><span style="line-height:1.6;">ffectively.</span></li><li><em style="line-height:1.6;">Antivirus and antispyware.</em><span style="line-height:1.6;"> The ability to install and update antivirus and antispyware capabilities within medical devices is typically restricted to the manufacturer.</span><br></li><li><em style="line-height:1.6;">Passwords</em><span style="line-height:1.6;">.</span><span style="line-height:1.6;"> Device passwords most often are not changed when installed and remain set at the manufacturer’s default value, which easily can be guessed or obtained from user manuals and other sources on the Internet.  </span><br></li><li><em style="line-height:1.6;">Wi-Fi and Internet connectivity</em><span style="line-height:1.6;">.</span><span style="line-height:1.6;"> Home-use therapeutic and monitoring devices with Wi-Fi and Internet cloud connectivity allow the patient’s health-care team to monitor medical informatio</span><span style="line-height:1.6;">n in real time, as well as change settings remotely, if needed. Although convenient, threat actors can exploit compromised devices to hijack connections, steal patient information, and alter device settings that could threaten the patient’s well-being. </span><br></li></ul><p>Internal auditors should determine whether their organization has an OTS medical device risk mitigation program in place that includes:</p><ul><li><span style="line-height:1.6;">​Documented policies and procedures to manage and secure medical devices.</span><br></li><li><span style="line-height:1.6;">​</span><span style="line-height:1.6;">Processes to maintain an up-to-date inventory of medical devices with UDI tracking capabilities.  </span><br></li><li><span style="line-height:1.6;">Routine security risk assessments using defined metrics to identify which devices are at high risk and require remediation, replacement, or to be placed out of service.</span><br></li><li><span style="line-height:1.6;">A</span><span style="line-height:1.6;"> vendor management program that coordinates with device manufacturers to address security updates for embedded applications, operating systems, software patches, and anti-malware.</span><br></li><li><span style="line-height:1.6;">Stakeholder partnership with the Medical Device Postmarket Surveillance System Planning Board.</span><br></li><li><span style="line-height:1.6;">Organizational collaboration with manufacturers and security experts to identify device security gaps, vulnerabilities, and remediation solutions.</span><br></li><li><span style="line-height:1.6;">Procedures to ensure that medical device default passwords are replaced with complex passwords that are changed frequently.</span><br></li><li><span style="line-height:1.6;">Disabling device Wi-Fi and Internet connectivity, if it is not required.         </span><br></li></ul><h2>Additional Considerations </h2><p>Aside from securing OTS medical devices themselves, health-care providers should invest significantly in a robust, hardened IT infrastructure supported by multilayered security solutions to detect and defend their networks against cyberattacks that exploit compromised medical devices. Data loss prevention solutions also should be in place to mitigate risks associated with the theft of PHI.   </p><p>A health-care provider’s ability to remove high-risk, network-connected devices and disable patient-owned equipment may not be feasible because such measures might disrupt patient care and services and be too costly. Accordingly, providers may be forced to accept risks associated with vulnerable devices until viable solutions can be implemented. Providers faced with this dilemma should reassess their risks and revisit their insurance coverage to ensure they address damages caused by compromised medical devices. Organizations also should ensure that their incident response teams and public relations departments have plans in place to effectively respond to incidents stemming from compromised medical devices.  </p><p>Health-care providers that overlook or ignore the pervasive cybersecurity threats associated with OTS medical devices may face elevated legal, regulatory, and reputation risks. To ensure compliance with legal and regulatory requirements, internal audit at these organizations should advise management about these concerns in addition to including reviews of these devices in their audit plan. </p>Lance Semer11009
Make the Company Better the Company Better<h2>​What is internal audit’s role at Xerox?</h2><p>Internal audit’s role is to make Xerox better. Using a collaborative approach focused on improvements has been well-received by the business. Because we have a separate internal control function that handles Sarbanes-Oxley testing, internal audit can focus on other areas. We have a continuously expanding role to tackle different types of financial, control, operational, IT, governance, and compliance projects. </p><h2>What skills do you look for when staffing Xerox’s internal audit department?</h2><p>The key things I look for are a collaborative mentality, good critical thinking skills, strong interpersonal skills, solid writing skills, and subject matter expertise. A positive attitude and a desire to travel to different locations are always helpful. The department currently has a mix of diverse backgrounds with concentrations in auditing, internal control, and IT. Recently, our focus is bringing in people with more IT, analytics, and health-care experience. Professional credentials are also important.</p><h2>What does Xerox do to support professional development within internal audit?</h2><p>This is one of my top priorities. The department pays for membership to The IIA and has set a 60-hour continuing professional education requirement. I try to have the whole team attend either the International Conference or the All Star Conference and then add on a few extra days for department meetings and team building. That is supplemented by local IIA trainings, training from our cosource provider EY, and webcasts. The department also pays for additional certifications including the certified internal auditor, certified public accountant, certified information systems auditor, and certified fraud examiner. We have copies of study guides the team can use for the exams.  </p><h2>How does your staff keep up with changing technology risks?</h2><p>Keeping up with the pace of change is always a challenge. To identify areas of risk the team attends technical training and reads articles on recent trends. To get the latest perspective we use EY subject matter experts on our projects. We also partner with Xerox's chief information security officer to ensure our work is addressing emerging risk areas. Attending roundtables with other CAEs who are facing similar issues is another great way to get ideas on new risks and how to tackle them. </p><p><br></p>Staff0800

  • IAO_CaseWare_May2016Prem1
  • SCCE_May2016_Prem2
  • IIA RFCollabAuditing_Prem3



Six Steps to an Effective Continuous Audit Process Steps to an Effective Continuous Audit Process2008-02-01T05:00:00Z2008-02-01T05:00:00Z
5 Steps to Agile Project Success Steps to Agile Project Success2016-04-13T04:00:00Z2016-04-13T04:00:00Z
Conditioning the Organization for Risk Agility vs Resiliency the Organization for Risk Agility vs Resiliency2016-05-16T04:00:00Z2016-05-16T04:00:00Z
Regulator Talks About Culture Talks About Culture2016-05-14T04:00:00Z2016-05-14T04:00:00Z