
IT Governance & Risk Considerations during Internal Audit Transformation

IT Governance & Risk Considerations during Internal Audit Transformation. 2015 IIA/ISACA Charlotte Chapter – Internal Audit Transformation October.


Presentation Transcript


  1. IT Governance & Risk Considerations during Internal Audit Transformation 2015 IIA/ISACA Charlotte Chapter – Internal Audit Transformation October

  2. What Makes a Person Worth Listening to? A shepherd saw an expensive sports car speed toward him and then come to a screeching halt only a few feet from his large flock of sheep. Out stepped a well-dressed man wearing expensive sunglasses and a very nice watch. The young man asked the shepherd, “If I can tell you exactly how many sheep you have, will you give one of them to me?” Amused, the shepherd nodded. The young man immediately pulled out his cell phone and laptop, running several charts and consulting satellite imagery before looking up and confidently saying, “1,347.” The shepherd nodded again, and the man triumphantly moved toward the flock to select his sheep. After the young man returned to his car, the shepherd quietly asked, “If I can name your profession, will you return the animal to me?” The young man agreed, and the shepherd said, “You are a consultant.” Astonished, the man asked, “How did you know?” The shepherd replied, “Well, you came without invitation, told me something I already knew, and then charged me for it, all while knowing very little about my business. Now, can I have my dog back?” Of course, the joke is silly. But the question remains: In a world saturated with voices, opinion, and information, what makes a person worth listening to?

  3. Why Talk about Transformation? Insanity is defined as: “doing the same thing over and over again and expecting different results.” Albert Einstein. Sources: IIA, ISACA, BankInfoSecurity.com, Experis Client Surveys, LinkedIn Cyber Risk Advisors Group, Compliance Week

  4. Observations & Objectives for today: Observations: • Standards and Regulations have proliferated at a dizzying pace. • Internal Audit organizations are struggling with staffing strategies for accomplishing the required audits. • Business reliance on IT has increased out of all proportion. • It is essential that your corporate governance addresses and manages your IT risk. • Learning Objective 1: • Gain an understanding of what other audit shops are doing to address staffing models for the future. • Learning Objective 2: • Gain an awareness of what the industry is saying about Internal Audit’s Role in Information Risk Governance.

  5. Points to Ponder Today • Strategy for accomplishing Internal Audits? • Standards Proliferation • Regulations • IT Risks • IT Security Today • IT Audit Governance • Key Observations about Audit today

  6. Internal Audit is more important than ever! Do you Outsource? Strategy for accomplishing internal audits CONS: • Dependency: May create a reliance on that person. • Disruption: When that person leaves, you suffer disruption to your business while you try to replace that expertise. • This is not an issue when you outsource as each consultant works to a common process. PROS: • Focus on your core business activities that make you $. • Speed to Source: Easier to buy services of an expert than it is to recruit and employ an expert. • Multiple Needs Providers: Specialist consultancy firms can give you the range of skills that you won’t find in one person. • For example, you may not only need an accountant but also an information technology or human resources expert.

  7. Strategy for accomplishing internal audits • Innovative Approaches: • While there is a clear need for internal audit, do you create your own internal audit function or use the services of an external consultancy? • Build vs. Buy? • Employ: Someone with the experience and qualifications to perform an internal audit role is expensive. • Recruit: If you try to recruit cheaply you will get someone who is poorly qualified; this may cost you in the future. There is a clear cost-benefit argument for outsourcing. • Outsourcing can ensure independence and objectivity. • SLAs: You can easily monitor your relationship with your consultant through confidentiality and service-level agreements.

  8. Standards Proliferation Standard-setting has developed apace in recent years and will no doubt continue to do so in the future. • The Institute of Internal Auditors (IIA) Standards: • First published in 1978 and updated in 1998. • In doing so, the IIA redefined the role of an internal auditor, • introduced a “code of ethics”, • created “international standards” and • incorporated earlier guidelines. • Internal audit will continue to develop and evolve in the future. • Standards strengthen the case for outsourcing, • as you can be confident you are using up-to-date expertise.

  9. SOX – Regulation (US Law) Designed to protect stakeholders in listed companies by improving the accuracy of corporate disclosures and deterring corporate & accounting fraud. • The Act introduced the idea of the • Audit Committee to oversee corporate financial reporting, • Established mandatory registration of auditors of listed companies, defined conflicts of interest, prohibited external auditors from providing certain services, and introduced a system of periodic rotation of auditors. • Imposed on management the legal responsibility for the content of the financial report and for maintaining a system of controls to discourage fraud. • Trends: • Many non-publicly traded companies are adopting its requirements in the spirit of good governance. • Several countries around the world have developed legislation that has its roots in Sarbanes-Oxley.

  10. IT Risks & Steps to address Governance • Business reliance on IT has increased out of all proportion. • It is essential that your corporate governance addresses and manages your IT risk, and there are steps you can take to do this. • Review your IT SLAs and check that they meet the needs of your business. • Ensure your IT operates in a secure area, is reliable, and that confidentiality and integrity are not compromised. • Make sure you provide adequate training and support to users. • React to issues and solve them as they arise. • Review your business continuity and other contingency plans to ensure they are robust and up to date. Have you implemented true IT Governance as part of your audit plan?

  11. IT Security Today - 7 Notable Data Breaches • Data breaches have had a ton of media attention, and with good reason: • 43% of companies have experienced a data breach in the last year. • That’s a 10% increase over last year, and it’s only expected to rise, according to a report from the Ponemon Institute. • Companies are attacked an average of 16,856 times a year; • most incidents aren’t even a “blip” on our radars. • But the big ones are big (huge) and they get a ton of news coverage.

  12. IT Security Today - 7 Notable Data Breaches 1. Michaels • January 2014, the craft-store chain confirmed a data breach. • A few months later, the company confirmed that 3 million customers’ credit and debit information was stolen through a breach in its payment system. • The store's subsidiary, Aaron Brothers art framing, was also impacted: 400,000 additional customer payment records were compromised. • The two independent security firms hired by Michaels to investigate the attack (the company’s second data breach in three years) said they had never encountered the highly sophisticated malware technology used to hack into the payment system.

  13. IT Security Today - 7 Notable Data Breaches 2. LivingSocial • April 2014, hackers targeted the site and stole the • names, emails, birthdays and encrypted passwords of more than 50 million customers. • Culprits made off with passwords, which are frequently reused on other accounts. *** The GOOD: No customer financial data was compromised.

  14. IT Security Today - 7 Notable Data Breaches 3. eBay • May of 2014, informed the public that hackers had stolen • customer usernames, • encrypted email addresses and • passwords from its databases. • eBay asked its 145 million consumers to change their passwords as a precautionary measure but it’s unclear just how many users’ data was stolen. *** The BAD: • Raj Samani, VP & CTO of McAfee EMEA, told The Washington Post, “The reality is that this data that was stolen is going to be sold.”

  15. IT Security Today - 7 Notable Data Breaches 4. P.F. Chang's • August 2014, issued a statement saying 33 of its 211 locations were affected by a security breach. • June, the Secret Service alerted the company to the security compromise involving stolen credit and debit card data. • It is believed that criminals used malware to steal • card numbers, • expiration dates and • names of customers who dined at the restaurant during an eight-month time frame. *** The BAD: The exact number of those affected is unknown.

  16. IT Security Today - 7 Notable Data Breaches 5. Snapchat • October 2014, almost 98,000 stolen files from Snapchat users were posted to The Pirate Bay. • Snapchat blamed 3rd-party apps for the breach, but didn’t name a culprit. • An unnamed spokesperson for Snapsaved, a 3rd-party site that allows users to save Snapchat images, posted on Facebook, “I would like to inform the public that snapsaved.com was hacked” due to a mistake in the setup of its web server. • Many stolen photos contained inappropriate and pornographic images; the images were quickly deleted by the sites’ moderators.

  17. IT Security Today - 7 Notable Data Breaches 6. The Home Depot • September 2014, its payment system was hacked, and about 56 million card records were stolen. • This attack is said to revolve around malware that was installed on payment systems. *** The Good: The data breach didn’t seem to impact business, as it has with Target, with the company reporting a 20% increase in profit during its 3rd fiscal quarter. *** The Bad: Both consumers and state agencies have filed lawsuits.

  18. IT Security Today - 7 Notable Data Breaches 7. JP Morgan Chase • October 2014, reported that 76 million households and 8 million small businesses were exposed in a data breach. • JPMorgan believed hackers found root access to many of its servers, which is startling because the bank was considered to have the most exemplary security controls in place. • More details will emerge as the investigation continues, but the event is shaping up to be among the biggest data breaches in history.

  19. IT Security Today - Already this year! 1. Anthem Healthcare • February 2015: • Hackers have stolen information on tens of millions of Anthem Inc. customers, in a massive data breach that ranks among the largest in corporate history. • The company operates plans including Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Amerigroup and Healthlink. • The compromised database contained up to 80 million customer records. • Formerly known as Wellpoint, Anthem (ANTM) is the second-largest health insurer in the United States.

  20. IT Audit Governance • Information Risk Environment: • Almost all audit departments are expected to grow over the next 2 years to address the need for assurance over information risk. • IT Audit Staffing: • Most departments have a dedicated IT audit team, but • only a third of departments believe they have enough resources to cover their greatest IT risks. • Departments conducting fewer IT-related audits per year are significantly more likely to use outsourced/co-sourced staff, • whereas the opposite is true for departments conducting a higher number of IT-related audits. • Information Risk Governance: • Opinions vary over who is responsible for key activities in governing information risk, causing a lack of clarity as to what effective governance of information risk looks like.

  21. Key Observations for Internal Audit Transformation

  22. Key Observations for Internal Audit Transformation • State of the Current Information Risk Environment (Growing) • Information Technology Audit Coverage (Lacking Qualified Resources) • IT Audit Staffing Structure (IT Audit staff <10 Out and >10 IN) • IT Auditor Skill Competencies (Tech yes / Business No) • Information Risk Governance (Ownership and Responsibility Cloudy) • Internal Audit’s Role in Information Risk Governance (Critical) • Third-Party Risks and Assurance (Growing need for Audit)

  23. Key Observations (continued) 1. State of the Current Information Risk Environment (GROWTH!) • Need for assurance over information risk is expected to grow for 90% of audit departments over the next two years. • Most departments are using a hybrid approach to satisfy the need for this additional coverage by combining audits of specific IT controls with a holistic review of the information risk management and control processes throughout the organization. • Auditors are most concerned about regulatory noncompliance: customer data protection and privacy and targeted phishing. • Auditors are not generally very concerned about state-sponsored attacks. Conversely, heads of Information Security find this to be the 2nd most critical threat, suggesting a potential blind spot for internal audit.

  24. Key Observations (continued) 2. Information Technology Audit Coverage (Found Lacking) • Audit departments spend about 20% of time on IT-related assurance work. • A majority of this time is allocated to testing core IT systems and controls. • IT systems & controls are usually the most commonly reported core significant audit findings, specifically access-based controls and use of administrative privilege controls. • COBIT is the most common IT and risk management framework used to guide internal audit through IT audits and risk assessments. • ISO27xxx & NIST are growing in favor as complements.

  25. Key Observations (continued) 3. IT Audit Staffing Structure (Size does Matter) • Few CAEs believe they have enough staff to cover their greatest IT risks. • Over half of CAEs plan to grow their IT audit capabilities over the next two years. • Most companies have some dedicated IT resources. • The structure of those teams is greatly influenced by the total number of IT audits conducted per year. • Departments that conduct < 10 IT-related audits per year • are significantly more likely to use outsourced/co-sourced audit staff to conduct these audits. • Conversely, the opposite is true for departments conducting 10+ IT-related audits per year. • Outsourced/co-sourced resources are most commonly used for cyber security, external network security, and other IT security control audits.

  26. Key Observations (continued) 4. IT Auditor Skill Competencies (Business vs Tech) • The effectiveness of IT-related audit skills is not keeping up with the ability to deliver assurance over information risks. • Which is more important to your company? • Business knowledge of operations or • IT Risk Management • Surveys say: • IT audit staff typically provide necessary IT-related skill sets, such as knowledge of information security and knowledge of technology systems. • However, IT auditors typically lack sufficient knowledge of business operations, hindering their ability to effectively evaluate information risk management beyond technical controls.

  27. Key Observations (continued) 5. Information Risk Governance (Who owns this stuff?) • Audit opinions vary over who is responsible for key activities in governing information risk. • This suggests a challenge among assurance functions to define what effective governance of information risk should look like. • A large discrepancy exists between the perception of information risk governance activity ownership between audit and legal departments. • Audit departments believe the majority of information risk governance activities are driven by: • information security, • information technology departments, and • business unit staff, • whereas in-house legal departments perceive that these activities are primarily owned by IT, legal, and cross-functional committees. How does your company handle this dilemma?

  28. Key Observations (continued) 6. Internal Audit's Role in Information Risk Governance (Considered Critical) • 98% of audit departments believe auditing information risk governance will enable greater assurance over information risk. • Internal audit departments indicate that the most critical areas to assess while auditing information risk governance are: • the level of audit committee education, • effective integration of security testing into product development lifecycles, and • the maturity of the organization’s information security risk management process.

  29. Key Observations (concluded) 7. Third-Party Risks and Assurance (Growing Audit Priority) • New 3rd-party vendors can have a negative impact on your organization's overall ability to manage information risk. • Audit departments that proactively audit the procurement of 3rd parties are more confident in the overall assurance of information risks. • Critical approaches to providing effective information risk assurance include: • Due Diligence Testing: the effectiveness of existing vendor information risk management, • Soundness of the organization’s information risk governance of 3rd parties, • the information security risk management of the organization’s most critical vendors.

  30. IT Audit Skill & Resource Strategies for Internal Audit Transformation

  31. Most audit departments reported at least one significant audit finding related to core information security controls. IT Risk Areas with Significant Audit Findings • Most departments reported significant audit findings in: • Access-based controls • Use of administrative privilege controls • Account monitoring • Information risk governance • 3rd-party risk management

  32. Prevalence of IT Audit Staff • CAEs’ response to addressing IT Audit needs • Only 20% dedicated to IT-related assurance work

  33. Dedicated IT Audit Team Structure

  34. Prevalence of Outsourced/Co-Sourced Resources Cyber Audit Trends: Audit departments are using more outsourced/co-sourced resources for • cyber security, • external network security, and • other IT security control audits. Traditional Audit trends: Audit departments are outsourcing/co-sourcing a greater percentage of traditional IT audit work, specifically in the following areas: • Business continuity and disaster recovery • Change Control • Management, Planning, and Organization of IT and/or IS

  35. Typical Outsourced/Co-sourced Resources, by Audit Type Outsourced/Co-sourced IT Audit Coverage • System Development Life Cycle • Business Continuity and Disaster Recovery • Data Privacy and Protection • Cloud Platforms • Information Risk Governance • Third-Party Security • Other IT Audit Work • Data Classification • Software Quality & Effectiveness • Management, Planning, and Organization of IT and/or IS • Network Security (External) • Change Controls • Security Awareness Programs • Software Development, Acquisition, Implementation, and Maintenance • Cyber Security • Incident Response Management • Risk Identification, Assessment, Monitoring, & Reporting Processes

  36. What are your Top 5? IT Audit Skills Effectiveness • Knowledge of Information Security • Relationship Management and Business Partnering • Root-Cause Analysis • Knowledge of Technology Systems • Analytical Skills • Oral Communication • Written Communication • Knowledge of Business Operations

  37. Information-Related Professional Certifications Average Percentage of Audit Staff Holding the Certification In-house audit staff certifications Note: Related data on certifications from the 2013 CEB Audit Budget and Head Count Benchmarking Report reflect lower percentages of total auditors with each certification. That data represents a larger population of our membership and includes many more respondents who are less concerned with IT auditing and information risk.

  38. Impact of Auditing Third Parties • *** This risk is second only to new & emerging information threats, including APTs • 3rd-Party Partners should contractually allow “Right to Audit” including: • SLA / Contract Alignment Reviews • Personnel Security Skills and Bandwidth • “Your” company’s vested interest and conflict of interest with other 3rd-party customers • Cloud strategy • Insurance

  39. Who is Responsible in the Cloud? Cloud Computing Adds Complexity to Audits • Service models shown: SaaS, PaaS, IaaS • * Responsibility may shift depending on your specific contract terms • Have you considered this in your Security and IT audit plans?

  40. 3rd-Party Risk Management Information Risk Assurance Top Considerations: • Effectiveness of Existing Vendor Due Diligence Checks for Information Risk Management • Soundness of the Organization’s Information Risk Governance Over 3rd Parties • Information Security Risk Management of the Company’s Most Critical Vendors • Strength of Ongoing Monitoring of Third-Party Performance Against Key (Contractual) Security Requirements • Relevant Contract Workers Receive Necessary Security Awareness Training • Formal Data Classification Schemes Are Extended to Third Parties Who Manage Critical Information Assets on Your Behalf • Correct Background Check Process Is in Place for Contract Workers Who Have Access to Critical Information

  41. 2015 Coming Attractions

  42. FDIC - Why Banks Need a Disaster Plan for Cyber Threats • Federal banking regulators are pushing banks and credit unions to enhance their cybersecurity assessment and risk management strategies. • The FDIC's "Supervisory Insights" summer 2015, published in August, reminds financial institutions about exercises designed to help them prepare to deal with emerging cyber risks. • "Preparing for natural disasters and other physical threats, business continuity now also means preserving access to customer data and the integrity and security of that data in the face of cyber-attacks." • FDIC's Cyber Challenge is available on the FDIC's website. • The program includes four real-world attack and cyber-threat scenarios presented in brief videos. • After viewing the scenarios, participants are directed to materials that pose questions and possible solutions for banking teams to discuss.

  43. 'Game of War: Fire Age' Insider Arrested • Fired Software Company Manager “Zeng” Charged With Bargaining Trade Secrets for Better Severance Pay • If convicted, he faces a max. sentence of 10 years in prison and a fine of up to $250,000, plus the potential of paying restitution. • Confidentiality Agreement • The case centers in part on Tableau, an off-the-shelf data analytics and business intelligence application that is used by Machine Zone "to collect valuable data regarding customer use that is used to optimize the performance of its video game." • At the same time, Zeng was copying corporate data to external devices, according to the affidavit: • "On June 19, 2015, the Machine Zone IT department captured log files relating to Zeng's computer for the period June 17, 2015, through June 19, 2015. The files show Zeng attached external storage devices to his laptop."

  44. 'Game of War: Fire Age' Insider Arrested • FBI Surveillance • At that point, Machine Zone contacted the FBI and relayed what had been happening, after which the bureau arranged to conduct an audio recording and surveillance of Zeng's Aug. 17 meeting with agent Leydon. • According to the affidavit, Zeng told Leydon that he had copied corporate files to three external hard drives, and suggested one of the drives might be at his girlfriend's house in China, and another at his house in San Ramon, Calif. • Using the hard drives as leverage, Zeng - citing tax bills - said he wanted to renegotiate his severance package, which had been based on 3 months' salary, and requested a 6 or 7 month severance package, according to the affidavit. He also warned that he was due to depart for China on Aug. 20. MORE to COME……..

  45. What’s on Tap at the Top • Cybersecurity and privacy are primary concerns • Companies face significant IT audit staffing and resource challenges • Audit committees, as well as organizations in general, are becoming more engaged in IT audit • IT audit risk assessments are not being conducted, or updated, frequently enough: • Surprising that some companies still do not conduct IT audit risk assessments. • Not conducted or updated frequently enough. • Growth in IT audit reports and reporting structures: • Need for more transparency of holistic IT risks.

  46. Thank you for your time and interaction today! Danny Shaw, National Practice Leader, IT Risk Advisory Services, 678-910-4355 (c), Experis, 7000 Central Parkway, NW, Suite 950, Atlanta, GA 30328-4592, www.experis.us/Clients/Finance.htm
