Is Your HIPAA House in Order?

Expect enforcement of the HIPAA Security Rule, part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to increase in 2014. I recommend taking steps right now to ensure that your organization is, and can demonstrate that it is, doing everything the HIPAA Security Rule requires, particularly if – or when, as seems more likely – a government auditor comes calling. Read on, if you’re not convinced.

Recently, the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) published a critical report finding that the Department’s Office for Civil Rights (OCR) was not adequately overseeing and enforcing the HIPAA Security Rule. It found that the OCR has failed to provide for periodic audits, as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Instead, the OCR was following a complaint-driven approach to assessing compliance with the HIPAA Security Rule. The HHS OIG has concluded that this level of oversight and enforcement is inadequate to meet federal requirements.


Assessing the Top Priorities for Today’s Internal Audit Functions

Protiviti’s research train keeps on rolling! Today we released the results of our latest Internal Audit Capabilities and Needs Survey. We’ve been conducting research to identify internal audit priorities and trends for eight years and have been very pleased with the response we continue to receive from the market. In looking at the major findings in our 2014 study, I expect this year will be no different. And kudos are due to our survey participants; they are the real “stars,” for without them studies of this nature would not be possible.

Infographic - 2014 Internal Audit Capabilities and Needs Survey


Internal audit functions today must anticipate and respond to a constant stream of new challenges – many of which deliver uncertain and still unfolding risk implications, from emerging technologies and new auditing standards to rapidly evolving business conditions. For example, in nearly every company over the past 12 months, the use of mobile and social media apps has presented new challenges, many of which are still emerging. Organizations’ growing reliance on cloud computing and data, in general, poses similarly complex challenges. Yet, these issues represent only a portion of those crowding internal audit’s 2014 priority list.

Our findings show that:

  • Social media, mobile applications, cloud computing and security (specifically with regard to the NIST Cybersecurity Framework) are critical areas of concern – Social media applications and related risks are top priorities for internal auditors to address, as are risks surrounding mobile applications, cloud computing and security.
  • CAATs and data analysis remain on center stage – As indicated in past years of our study, internal auditors plan to strengthen their knowledge of computer-assisted auditing tools, and continuous auditing and monitoring techniques.
  • Fraud management efforts focus more on technology as well as prevention – Auditors are concentrating more time and attention on fraud prevention and detection in increasingly automated business environments and workplaces.
  • “We have to keep pace with a raft of regulatory, rules-making and standards changes” – The updated COSO Internal Control – Integrated Framework represents a major change for internal audit, with significant implications for many financial, risk management and compliance activities. However, strengthening knowledge of the new COSO framework ranks as a lower priority compared to other critical rules-making changes internal auditors are digesting, including new Standards from The IIA and the new NIST Cybersecurity Framework.
  • Internal auditors want to take their collaboration with business partners to a new level – Internal audit’s longstanding desire to improve collaboration with the rest of the business has intensified, as is evident in the priority that CAEs and respondents place on communicating, and even marketing, the expertise and value that internal audit provides to the rest of the enterprise.

For more information and to download a copy of our full report, visit And I also encourage you to watch our short video:


Today’s IT Organization – Delivering Security, Value and Performance Amid Major Transformation

Today, Protiviti released the results of its 2014 IT Priorities Survey, and in it, there are some remarkable findings. Indeed, if there is one word to describe the state of IT organizations in 2014, it is transformation.

We found that nearly two out of three organizations are undergoing a major IT transformation. Consider the change and disruption this undoubtedly is creating within IT organizations, and it’s easy to see why – as we found in our survey of more than 1,100 CIOs, IT executives and IT professionals – they have scores of significant priorities and likely are being pulled in multiple directions to address countless critical challenges. To no one’s surprise, these results show that IT is fundamental to executing the strategy of just about any company.

Take a look at our infographic:


Among the other key findings from our IT study:

  • Enhancing and protecting business value – The integration and alignment of IT planning and business strategy represents a paramount priority. In fact, enhancing and protecting the value of the organization – via data security as well as other IT risk management and business continuity capabilities – is top-of-mind not only for IT organizations, but also for their organizations’ boards and executive management teams.
  • All eyes are on security – Massive security breaches continue, with some organizations being questioned by congressional committees in recent months. More than ever before, this has IT departments – as well as boards and executive management – on edge, on notice and, in some cases, testifying under oath. Strengthening privacy and security around the organization’s systems and data is now a top priority across all industries. No organization is immune to this threat.
  • Managing and classifying all that data – As the need for stronger information security intensifies, CIOs and IT professionals are seeking out more effective ways to stratify the importance of the information they have, and organize and secure the growing volume of data they must manage.
  • Strengthening IT asset – and data – management – Companies are seeking to improve their data and information governance programs, a need no doubt driven by the growing use of mobile devices and applications, social media, and the continued integration of cloud computing into IT strategy and processes.
  • More mobile, more social – Mobile commerce management, mobile security and mobile integration remain focal points for IT departments in 2014, even as security-related priorities compete for their time and resources. A similar trend holds for social media, as organizations continue to rely on IT to support their investment in social media activities while improving the integration of these capabilities with other IT assets.

Let me know your thoughts on these IT challenges. And I invite you to visit our survey site at for more information and a free copy of our report.