A Global Look at IT Audit Best Practices from ISACA and Protiviti

by David Brand
Managing Director – Leader, IT Audit Practice



There is no disputing technology’s role in business today as an enabler of virtually every process and function. With this enablement and the advantages IT brings also come global risks – security, cyberattacks, privacy issues, data breaches, governance, asset management and much more. The critical question we ask is: Are IT audit practices keeping pace in order to assess, monitor and mitigate critical risks coupled to a technology-enabled business? This is what ISACA and Protiviti set out to determine in conducting the fourth annual IT Audit Benchmarking Survey.

Our 5 key findings from this year’s study:

  1. Cybersecurity and privacy are primary concerns – This area is rated as the top technology challenge and also may be driving trends such as increasing involvement from audit committees in IT auditing activities.
  2. Companies face significant IT audit staffing and resource challenges – Not only is this issue ranked among the top technology challenges, but it is an undercurrent in many of the survey findings, including the use of external resources to support IT auditing efforts.
  3. Audit committees, as well as organizations in general, are becoming more engaged in IT audit – More organizations have a designated IT audit leader, and over the past three years, the percentage of IT audit leaders that regularly attend audit committee meetings has doubled.
  4. IT audit risk assessments are not being conducted, or updated, frequently enough – Given the dynamic nature of technology change and risk, it is surprising to find that some companies still do not conduct IT audit risk assessments. Not only must IT audit risk assessments be performed, but they also should be reviewed and, if necessary, updated on a quarterly basis or more frequently. However, a majority of companies are conducting these reviews annually or even less frequently.
  5. There’s room for growth in IT audit reports and reporting structures – A majority of companies do not issue enough IT audit reports, and many still have the IT audit leader in a less-than-ideal reporting structure.

IT Audit Benchmarking Survey Infographic

Check out our infographic here. To view and download our report with detailed results from our study, visit www.protiviti.com/ITAuditSurvey.


You Can’t Protect Intellectual Property and Sensitive Data Unless You Know What You are Trying to Protect

Scott Moritz
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice


Rocco Grillo
Managing Director – Leader, Protiviti’s Incident Response and Forensics Practice


In recognition of the Association of Certified Fraud Examiners and International Fraud Awareness Week, Protiviti, whose practitioners include over 100 members of the ACFE, is releasing a series of tips on fraud awareness to assist the ACFE in communicating the many ways that fraud can affect your organization. We also suggest proactive steps you can take to better position you and your organization in the ongoing fight against fraud.


Cyber-crime targeting of commercial enterprises and organizations is rampant. Increasingly sophisticated organized crime groups are gaining improper access to point-of-sale systems and corporate networks to steal credit card numbers, expiration dates, account holder names and CVV codes, intellectual property, as well as other sensitive data.

In addition, certain countries have historically utilized their intelligence agencies to use intelligence-gathering techniques to steal information such as computer source code, product formulas, and design information about new products or processes. These types of state-sponsored economic espionage often target technology-centric industries, including computer software and hardware, biotech, aerospace and defense, telecommunications, transportation and engine technology, automobiles, machine tools, energy, materials and coatings, and so on.

The high-tech sector is widely considered to be the most frequently targeted area for economic espionage, although any industry with information of possible use to foreign governments and their commercial sectors is at risk. Increasingly, these government intelligence agencies are using hacking techniques to gain access to commercial secrets.

Whether it is organized crime that is seeking to gain access to your network or a foreign government seeking to obtain the product formulation of the next wonder drug, companies’ most valuable information is stored electronically on their networks and individual computer workstations. While companies expend tremendous sums of money and resources securing their networks and testing their security, sometimes the issue is not knowing the universe of sensitive data that they possess, where and how it is stored, and who has access to it.

Knowing where your data resides is, in many instances, half the battle. Trying to identify an organization’s “crown jewels,” or key assets, is equally important. Boards of many major corporations are scrambling to implement security controls to processes in order to safeguard their organizations, but many also need to focus on risk management to identify their crown jewels when implementing these controls and safeguards.

Often, information about what valuable data the company has, where it is stored and who may have access to it is determined only after there has been a breach. As network security experts trace the activities of the hackers to see what systems and applications were accessed illicitly, they learn what information was stored and whether it was exfiltrated from those devices. Indeed, one of the most challenging issues for internal auditors as well as IT security professionals, when assessing their company’s information security, is not only understanding the systems and the security controls designed to monitor, detect and prevent data breaches, but also taking an inventory of the various categories of sensitive data stored electronically across the organization, identifying where specifically it is located, and determining who has access to it.

Without this critically important information, internal auditors and others charged with the responsibility of assessing the effectiveness of network security and the extent to which the company’s most sensitive data may be exposed are severely restricted.

Some sensitive data is of obvious interest to hackers, and it is fairly straightforward to assess how it is collected, where it is stored and how it can be accessed. Knowing who accessed data, and when, is equally, if not more, important. Being able to pinpoint who has accessed data is critical to any organization trying to protect its data. Logging and monitoring controls enable organizations to accomplish this.

During a forensics investigation, trying to find the source of a breach is like trying to find a needle in a haystack. And without logging and monitoring controls, or with only limited controls, that needle in the haystack becomes a needle in an open field. Sensitive data includes customer information, credit card numbers, personnel records, and payroll and banking information, among other assets deemed to be the organization’s crown jewels. The challenge is in determining what other types of sensitive data may exist and where. Such sensitive information includes corporate development (M&A) information, prototypes, source code, customer lists, proprietary pricing information, legal files, human resources data, and other data that, were it to be released, would be commercially damaging to the company.

What steps should companies take to better understand where their valuable data is?

  • Before companies understand where it is, they need to understand what it is or what their crown jewels are.
  • Survey key business units and obtain a list of their most sensitive data and IP by category.
  • Determine what added security may be in place to protect that data.
  • Request information about where the data is stored, how it is secured and how access is controlled.
  • Integrate what is learned by this data gathering exercise into future IT security audits.

Beware of the Fake Presidents

by Scott Moritz
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice



We have become aware of an ongoing fraud scheme that initially was targeting Western European companies but appears to have emerged in the United States. The scheme involves social engineering and email spoofing, wherein the fraudster assumes the identity of a senior company executive and targets an employee from that same company, often someone in accounting or accounts payable.

The victim employee initially receives an email from the “fake president” concerning a highly confidential transaction, sometimes related to an acquisition. The communications often stress both urgency and the need for confidentiality. Recipients of these emails may also be directed that subsequent communications be directed to the “president’s” personal email, that of the president’s attorney, or both. They subsequently receive instructions by telephone and/or email containing bank routing, account number and account holder information to which the fake president needs a wire transfer to be sent.

The schemes about which we are aware have each involved accounts in Hong Kong, but this scheme could involve accounts in any foreign jurisdiction. In some instances, these schemes involve a single fraudulent wire transfer, but in other instances they may keep it going until and unless the company realizes it has been defrauded.

These schemes are often effective as a result of the research that the fraudsters have done in advance to identify the company executives and operations, as well as to identify an employee to target. It is believed that the initial target pool centered on EU-based companies because there is detailed information available in the public domain that makes the identification of executives and lower-level accounting or finance employees relatively easy compared to companies that are based elsewhere.

That said, these schemes have characteristics in common with other known and highly successful fraud schemes being perpetrated by criminal organizations. These characteristics include use of spoofed emails, blocked or anonymous phone numbers, offshore bank accounts in less cooperative jurisdictions, and the targeting of wire transfers.

The use of flattery, urgency and confidentiality is also characteristic of such fraud schemes undertaken by organized groups. The fraudster may make statements to lead the targeted employee to believe that the fake president has carefully selected him or her as being worthy of the president’s trust, leading the victim to believe that he or she has the trust of a high-level executive. The resulting excitement may cause the victim employee to ignore any obvious red flags out of misplaced hope that if he or she successfully executes the instructions, it will result in a career boost.

Instilling a sense of urgency is another proven technique in fraud schemes (along with the sale of used cars and health club memberships). Applying time pressure, coupled with the fear of upsetting a very senior executive in connection with what has been described as a highly confidential matter, can cause people to disregard red flags they would have noticed had they taken the time to think about what is happening before it is too late.

What steps can be taken to reduce your organization’s susceptibility to fake president fraud?

  • Require telephonic and email confirmation to phone numbers and email addresses from the company directory – do not rely on the requestor’s email instructions.
  • Educate your employees about the prevalence of the various social engineering and email spoofing techniques being employed by fraudsters and the red flags to monitor, including non-standard transactions, urgency, confidentiality, offshore accounts and use of wire transfers, and use of personal emails.
  • Review fraud controls around wire transfer requests, ensure that those controls are being followed, and ensure that all approvers are aware of the prevalence of schemes targeting companies around fraudulent wire transfers.
  • Discuss fraud controls with your financial institutions to see if any enhancements can be made on their end to assist in protecting your organization against wire transfer fraud.
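A screen for the red flags listed above, written as an added example (not Protiviti's code): it checks an inbound request against a company directory and applies the "confirm via the directory, not the requestor" rule. The directory, corporate domain, keyword lists and sample messages are all constructed assumptions.

```python
"""Red-flag screen for 'fake president' wire requests.

Added example, not Protiviti's tooling. The directory, corporate domain,
keyword lists and the two sample messages below are constructed.
"""
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.test"  # constructed

# Constructed company directory: executive display name -> directory address
DIRECTORY = {
    "Jane President": "jane.president@example-corp.test",
}

# Keyword lists are assumptions chosen to match the red flags in the text
URGENCY = ("urgent", "immediately", "today", "asap", "before close")
CONFIDENTIALITY = ("confidential", "do not discuss", "keep this between us")
WIRE = ("wire", "transfer", "routing", "account number", "swift")


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen_message(headers, body):
    """Return the list of red flags raised by one inbound message.

    headers: dict with 'From' and optionally 'Reply-To' as RFC 5322 strings.
    """
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    expected = DIRECTORY.get(name.strip())
    if expected and addr.lower() != expected:
        # A known executive's display name on an address the directory does not list
        flags.append("executive_name_non_directory_address")
    if domain_of(addr) != CORPORATE_DOMAIN:
        flags.append("external_sender")
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != CORPORATE_DOMAIN:
        # Redirect to a "personal" or "attorney" mailbox, as described in the scheme
        flags.append("reply_to_external")
    text = body.lower()
    if any(k in text for k in URGENCY):
        flags.append("urgency")
    if any(k in text for k in CONFIDENTIALITY):
        flags.append("confidentiality")
    if any(k in text for k in WIRE):
        flags.append("wire_instructions")
    return flags


def requires_callback(flags):
    """Control from the tips above: wire instructions combined with any spoofing or
    pressure indicator must be confirmed by phone and email using contact details
    taken from the company directory, never those supplied by the requestor."""
    pressure = {"executive_name_non_directory_address", "external_sender",
                "reply_to_external", "urgency", "confidentiality"}
    return "wire_instructions" in flags and bool(pressure & set(flags))


# Constructed sample: a spoofed request with the characteristics described above
SPOOFED = ({"From": "Jane President <jane.president@gmail.test>",
            "Reply-To": "jp.legal@attorney-mail.test"},
           "This is highly confidential. Please wire $250,000 today to the account "
           "below. Do not discuss with anyone; I picked you because I trust you.")

# Constructed sample: a legitimate internal note from the directory address
LEGIT = ({"From": "Jane President <jane.president@example-corp.test>"},
         "Reminder: quarterly all-hands is on Friday.")

if __name__ == "__main__":
    for label, msg in (("spoofed", SPOOFED), ("legit", LEGIT)):
        f = screen_message(*msg)
        print(label, f, "callback required:", requires_callback(f))
```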

Cybersecurity in Retail: Hope for the Best but Plan for the Worst

by Rocco Grillo
Managing Director – Leader, Protiviti’s Incident Response and Forensics Practice


The recent uptick in retail data breaches is significant for all companies in a couple of important ways. First, it is important to point out that some of these highly publicized breaches have occurred at companies that were “PCI compliant.” Second, just when it appeared that the breaches had become as widespread as one could imagine, the line of additional companies falling victim has only grown longer, with no end in sight.

Furthermore, law enforcement investigators have indicated that there are many other organizations that have been compromised – the only difference is that they don’t know it yet.

It’s becoming painfully apparent that there is no such thing as penetration-proof data security. It’s no longer even enough to assume that you CAN be breached. We advise companies to conduct exercises that simulate that they have been compromised, and to focus, going forward, on how to address vulnerabilities and minimize the damage through rapid detection and response – both in containing the breach and in communicating with customers, employees, shareholders and the media.

Further to identifying potential areas of compromise, organizations need to transition from being reactive with their incident response plan and create a “proactive response” to potential compromises. This should include enhancing response plans, testing them through simulated tabletop exercises, conducting simulated forensics investigations to determine “the unknown,” and ultimately having partners aligned in advance of a potential attack or compromise.

That’s not to say that vulnerability and penetration testing aren’t important. It’s critical for organizations to understand where they are vulnerable and establish strong security processes and measures to ensure data remains safe.

But as we explain in our Point-of-View paper, High-Value Targets – Retailers Under Fire, security is a lot more than having a strong firewall. It must be applied to all layers in the organization, not just the “outer shell.” The right security best practices can identify and disrupt a cyberattack at the perimeter and also prevent a data breach, even if the attacker gets past the first layer of defense.

It’s frightening to consider how many companies are still relying only on fixed-point-in-time data security methods, such as penetration testing. As we found in our just-released 2014 IT Security and Privacy Survey, many companies don’t even have a written incident response plan. Among those that do, many have plans that are out-of-date or not mature, and too few rehearse and drill them to perfection through table-top exercises or simulated forensics investigations to help address the all-too-common questions coming from the board: Are we prepared to respond to an attack? Are we secure?

This is akin to a football coach who devises a trick play and tells his players all about it, but neglects to have them run the play at practice. Imagine the chaos that would ensue if they decided to run that play in a big game. Needless to say, the fan base would not like what they see!

Practice makes perfect.

Going forward, we need to assume that breaches are inevitable. I’d go so far as to suggest you assume that your organization has already been breached. That assumption puts you in immediate response mode and adds urgency to subsequent efforts to address the issue. Believe it or not, many organizations don’t figure out that they’ve been hacked until weeks, or months, after the intrusion.

Given the ubiquity of data breaches, organizations are going to be judged not by their ability to prevent an attack, but by the speed and efficacy of their response.

You have your board’s attention and directors want to know: Are you ready to respond? Are we secure? Are you sure? How do you know? If any of these questions give you pause, it’s time to up your game. Now more than ever, the bad guys are more sophisticated in attack techniques and with the holidays ahead, we’re entering the busy season for data theft. It may give “Black Friday” a new meaning in the retail industry.

Beware of the Slippery Slope – When Gifts, Entertainment, Favors and Philanthropy Become Problematic

by Scott Moritz
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice



Having just completed my holiday gift list – a list that is free from foreign officials, I should point out – I thought it would be useful to discuss the various ways in which gifts, entertainment, favors and charitable giving can lead to some pretty negative outcomes.

The key is knowing the individuals to whom we are providing these items of value: Are any of them in positions of influence to award business to your organization? Are they government officials or employees of state-owned companies? Are these individuals connected in any way with charities to which we are donating?

Generally speaking, it is acceptable to give gifts to customers and prospects, entertain them, extend certain professional courtesies to them, and consider support for their favorite causes. What’s key, though, is ensuring these important social norms are not distorted into thinly disguised bribes given in an effort to obtain some type of unfair business advantage.

Several things are critically important to work out in advance to ensure that items of value and charitable donations pass the reasonableness test. First and foremost, your organization’s policies and procedures need to provide clear guidance, limits and preapproval requirements surrounding gift-giving, entertainment, defining other things of value (a category into which favors would fit), and charitable donations. Those policies and procedures should not only provide guidance and examples of appropriate and inappropriate gifts, entertainment, other items of value, and charitable donations, but they also should require that certain categories of recipient be subject to heightened approvals and, in some instances, prior approval before the value is exchanged.

For example, clients before whom there is a pending proposal in response to a formal RFP, as well as any client or contact that is a government official or employee of a state-owned company, may warrant a pre-approval such that a second set of eyes can evaluate the compliance risk objectively and any appearance of impropriety with regard to the proposed gift or other item of value. Those pre-approvals should not only take place, but both the request and the approval (or rejection) should be formally documented.

Even if the decision-making and associated documentation are found to be incorrect by a regulatory body or law enforcement agency, it would be difficult for the agency to assert that the company didn’t have controls in place and that the transaction was not transparent.

Another critical success factor in limiting compliance risk in this area is whether the company has a formal mechanism to determine whether recipients of gifts or any items of value are government entities, government-owned enterprises and/or legitimate charities free from conflicts. Equally important is to have complete transparency with regard to the identity of each gift recipient. This last point may seem obvious, but often in marketing promotions or holiday gift giving, blocks of gifts, gift cards, tickets to sporting events or other items are given to distributors, sales agents or other intermediaries, and the company risks losing sight of who the ultimate recipients are.

Amazingly, charitable giving and political donations have also been abused and distorted to disguise bribes or kickbacks to government officials as legitimate philanthropy or efforts to be a good corporate citizen by supporting local charities. Like the other areas described above, it is important to understand how the charitable donation or political contribution was first solicited and by whom. It is equally important to be able to demonstrate a good understanding of the purpose of these donations or contributions, the charities and political organizations themselves, along with some degree of negative assurance that these organizations are free from conflicts of interest. It is a sound business practice to have a policy that governs such giving, including a requirement that all financial support receive written pre-approval.

The bottom line here is that generosity, relationship management, and political and social consciousness require more than just financial support. They require strong policies and procedures, along with a keen awareness of the potential risks and controls to provide reasonable assurance that all of the company’s activities in these categories are reasonable and are well aligned with your policies, procedures, and local laws and regulations.

Bogus Vendors are the Single Most Common Way Companies are Defrauded

by Scott Moritz
Managing Director – Leader, Protiviti’s Investigations and Fraud Risk Management Practice



We perform many internal investigations for companies every year. In our experience, the most common fraud committed against a company relates to vendors that either don’t exist, are corrupt, or are secretly owned by a company insider who is directing business to them.

Let’s start with companies that don’t exist. Seems simple enough, and yet it may not be. It is very easy to register a legal entity in any of the 50 states. All you need is an address, a contact person to serve as registered agent to receive mail on behalf of the company, and the ability to pay the registration fee (which is usually around $200). It is even easier to register a fictitious name and get a business certificate in that name.

Most banks will permit you to open a commercial bank account using either a company registration or a business certificate evidencing your registration of a fictitious name. There are more controls around registering a legal entity than there are around a fictitious name. In practice, you are not supposed to be able to register the name of a company that already exists, and your application is supposed to be compared to a database of known companies to prevent having more than one company by that name.

Fictitious name registrations are not quite as stringent – it is possible to register a fictitious name that closely matches that of a real and possibly well-known company.

Once you have registered your fake company and used it to create a real bank account, you’re more than halfway there. To perpetrate the fraud, you then need to create authentic-looking invoices from that company that would fit with the business to which the invoice is being submitted so that it does not stand out from the crowd of hundreds of other invoices being processed by the company. Ideally, the person that approves the invoice for payment is in on the scheme so they don’t scrutinize it too closely and simply send it along.

Often, once a manager with invoice approval authority has approved it, many companies simply process it for payment. Often, a fraudster submitting bogus invoices will start with one fake company and will periodically submit an invoice for payment. If the scheme goes undetected, two things tend to happen. The size and frequency of the invoices increase, and new bogus vendors are added. Before long, there may be dozens of bogus vendors for which checks are being issued, though no goods or services are exchanged. Schemes like this have been known to go on for many years.

Another form of vendor fraud involves actual vendors of the company who act in collusion with one or more company insiders. This can happen in a number of ways. Vendors can submit invoices for services not performed or goods not delivered. These vendors may also submit invoices at inflated prices. All that’s required is that the vendor and someone in the company agree in advance how much the invoice should be, how much each conspirator will receive from the proceeds of the payment of the bogus or inflated invoice, and how the vendor will deliver the money to the corrupt company insider.

Vendor companies that are secretly owned by company insiders work in a similar way. The only difference is that they don’t have to take the extra step of deciding who gets what percentage of the proceeds of the fraud because the corrupt employee, as owner of the fraudulent vendor company, keeps it all.

How Can You Avoid Being a Victim of Vendor Fraud?

Here are some tips:

  • Obtain and review vendor master files and sort by aggregate spend.
  • Review any vendor name receiving significant aggregate spend for which no one recognizes the company name or for which the vendor file has limited to no supporting documentation.
  • Perform periodic background investigations of new vendors and existing vendors above a certain aggregate spend threshold and compare results to information contained in human resource databases, most notably last names, addresses and phone numbers that employees have in common with any vendors.
  • Be alert for companies with very little information in the public domain, with addresses in common with employees or officers, and/or with dates of establishment that correspond to the approximate time frame when the vendor first started receiving payments from the company.
  • Look for trends or patterns associated with approved invoices that are suspect, including whether they are similar in appearance, have the same font, are in recurring or round dollar amounts, were approved by the same person, etc.
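The vendor-master review in the tips above, carried out over constructed data as an added example (not Protiviti's tooling): aggregate spend per vendor, vendor/employee overlap on normalized phone numbers and addresses, and the invoice pattern flags (round amounts, single approver, missing documentation, establishment date near the first payment). The records, the 90-day window and the "round to $100" heuristic are assumptions.

```python
"""Vendor-master review checks from the tips above, over constructed records.

Added example, not Protiviti's tooling. Vendors, employees and invoices are
constructed samples; the 90-day window and round-amount rule are assumptions.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed vendor master extract
VENDORS = [
    {"id": "V100", "name": "Acme Office Supply", "address": "12 Main St, Springfield",
     "phone": "(555) 010-1000", "established": date(2001, 3, 1), "docs_on_file": True},
    {"id": "V207", "name": "Northwind Consulting LLC", "address": "88 Elm Ave, Apt 4, Springfield",
     "phone": "555-010-7777", "established": date(2013, 9, 15), "docs_on_file": False},
    {"id": "V311", "name": "Delta Logistics", "address": "400 Harbor Rd, Shelbyville",
     "phone": "555.010.3333", "established": date(1998, 6, 30), "docs_on_file": True},
]

# Constructed HR extract
EMPLOYEES = [
    {"id": "E42", "last_name": "Doe", "address": "88 Elm Ave Apt 4 Springfield", "phone": "5550107777"},
    {"id": "E77", "last_name": "Roe", "address": "9 Oak Ct, Shelbyville", "phone": "5550109999"},
]

# Constructed approved invoices: (vendor_id, invoice_date, amount, approver_employee_id)
INVOICES = [
    ("V100", date(2014, 1, 10), 1342.17, "E77"),
    ("V100", date(2014, 2, 11), 980.55, "E42"),
    ("V207", date(2013, 10, 1), 5000.00, "E42"),
    ("V207", date(2013, 12, 1), 7500.00, "E42"),
    ("V207", date(2014, 2, 1), 12000.00, "E42"),
    ("V311", date(2014, 1, 5), 2310.40, "E77"),
]


def normalize_phone(s):
    """Digits only, so '(555) 010-1000', '555.010.1000' and '5550101000' compare equal."""
    return re.sub(r"\D", "", s)


def normalize_address(s):
    """Lower-case, drop punctuation and collapse whitespace so address variants compare equal."""
    return " ".join(re.sub(r"[^\w\s]", " ", s.lower()).split())


def aggregate_spend(invoices):
    """Tip 1: total approved spend per vendor, highest first."""
    totals = defaultdict(float)
    for vendor_id, _, amount, _ in invoices:
        totals[vendor_id] += amount
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def employee_overlaps(vendors, employees):
    """Tips 3 and 4: vendors sharing a phone number or address with an employee."""
    hits = []
    for v in vendors:
        for e in employees:
            if normalize_phone(v["phone"]) == normalize_phone(e["phone"]):
                hits.append((v["id"], e["id"], "phone"))
            if normalize_address(v["address"]) == normalize_address(e["address"]):
                hits.append((v["id"], e["id"], "address"))
    return hits


def invoice_red_flags(vendors, invoices, window_days=90):
    """Tips 2 and 5: per-vendor flags for missing documentation, round amounts,
    a single recurring approver, and establishment shortly before the first payment."""
    by_vendor = defaultdict(list)
    for inv in invoices:
        by_vendor[inv[0]].append(inv)
    flags = {}
    for v in vendors:
        rows = sorted(by_vendor.get(v["id"], []), key=lambda r: r[1])
        if not rows:
            continue
        f = []
        if not v["docs_on_file"]:
            f.append("no_supporting_docs")
        if all(amount % 100 == 0 for _, _, amount, _ in rows):
            f.append("round_amounts")  # assumption: whole hundreds count as "round"
        if len(rows) > 1 and len({approver for *_, approver in rows}) == 1:
            f.append("single_approver")
        if (rows[0][1] - v["established"]).days <= window_days:
            f.append("established_near_first_payment")
        if f:
            flags[v["id"]] = f
    return flags
```

Run together, the three functions point to the same vendor here (V207): highest spend, an address and phone shared with employee E42, and every pattern flag set, which is the kind of convergence the tips tell you to look for.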

Vendor fraud is one of the most common fraud schemes perpetrated against companies. If you’ve never experienced a vendor fraud, do you think it’s because you’re just lucky, or is it that you’re not looking carefully enough?