2015 Wrap-up: It’s Been a Great Year, Thanks to You

Before the ball drops in Times Square to usher in a new year, I wanted to revisit some of the high points of 2015 here on this blog, and thank you for your participation and readership.

A couple of observations:

  • You’re consistent. This year’s most-viewed blog entries tended to be those tied to risk, change, and cybersecurity. That aligns with the key areas of interest expressed in several of our surveys this year, including our Internal Audit Capabilities and Needs Survey, our Executive Perspectives on Top Risks Survey, the IT Priorities Survey, and the 2016 Finance Priorities Survey.
  • You’re forward-thinking. The topics of disruptive innovation and emerging trends received plenty of attention. This is a very good sign. Technology and global movements of people and workforce will continue to challenge businesses, and those with an eye on the emerging risks horizon are going to be the likely winners.

Not surprisingly, our most popular post of 2015 was Brian Christensen’s take on an article by The Institute of Internal Auditors’ President and CEO Richard Chambers advocating for continuous risk assessment as a way to elevate risk management and keep up with a rapidly evolving risk landscape.

Carol Beaumier’s piece on the changing role of chief compliance officers was our second-most viewed entry, followed by my take on cybersecurity. Matt Moore’s piece on risk appetite was among the most shared, along with our blog post on best global internal audit practices, drawn from our Internal Auditing Around The World report, which we published for the 11th year in a row.

Overall, it was an exciting year, with many important topics to consider. One of my personal favorites was the opportunity to write about the threat and promise of the Internet of Things. I would be remiss, however, if I didn’t take time, in this season of retrospect and gratitude, to extend my appreciation to those without whom our conversations wouldn’t be possible.

First, I’d like to thank the thousands of dedicated executives and professionals who took the time to respond to Protiviti’s many surveys. Without your valuable input, Protiviti professionals would literally have nothing to talk about other than their own personal experiences in the marketplace. While anecdotal knowledge is valuable, it is greatly enhanced with the “voice of the market” made possible through empirical studies. My hat is off to our many survey respondents – you gave generously of your time and experience, to the benefit of all.

I also want to thank our guest bloggers, my colleagues and friends, whose contributions consistently ranked among our most-read and most-shared entries. Your words and wisdom are invaluable, and your insights, profound. I enjoy learning from all of you.

Finally, I’d like to thank you, our readers. Your continued readership and engagement – as shown through your viewership, sharing and rating of our content – makes this effort worthwhile. Thanks to those of you who offered suggestions for topics. I cannot thank all of you enough for taking the time to read and contribute to The Protiviti View.

All of us have one thing in common – we seek an edge that helps us make a difference in what we do in the market. It is through shared knowledge that we will all move forward, together, informed and empowered to meet whatever challenges may come our way.

Best of the season to you and yours, and on behalf of Protiviti, I wish you all success and prosperity in 2016.


Looking Back on 2015 and The IIA: The Updated Professional Guidance Framework

Kyle FurtisBy Kyle Furtis
Managing Director, Internal Audit and Financial Advisory




Looking back on 2015, an overlooked, but important development for internal audit professionals was the revision of the International Professional Practices Framework (IPPF), an evolving collection of guidance by The Institute of Internal Auditors (The IIA) that has provided professional direction to internal auditors worldwide since 1947.

Although the announcement back in July didn’t garner the headlines of, say, Sarbanes-Oxley, or even the 2013 update of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework, it really was important news. Here’s why:

  • The IIA, with more than 180,000 members around the world, is the internal audit profession’s global voice, chief advocate and principal educator.
  • The IPPF is the organization’s collection of both current thought and time-tested wisdom – a blueprint for how the body of knowledge and guidance fit together to support the professional practice of internal auditing.
  • Changes in today’s business world and the risks associated with them are accelerating like never before. This makes it imperative for those on the front lines to have the most progressive practical guidance to help their organizations successfully navigate these risks.

Granted, the changes to the IPPF weren’t radical – The IIA added a mission statement and articulated 10 core principles for the professional practice of internal auditing. The changes do not affect the content of other key mandatory IPPF elements, such as the definition of internal auditing, the code of ethics, or the international standards for the professional practice of internal auditing (Standards).

The new core principles highlight what effective internal auditing looks like in practice as it relates to the individual auditor, the internal audit function, and internal audit outcomes. These include, among other things, demonstrating integrity, objectivity, competence and due professional care. The principles also highlight the need for internal audit to be proactive, insightful and future-focused.

Other IPPF enhancements include:

  • Transitioning “Practice Advisories” to a more comprehensive suite of “Implementation Guidance,” and
  • Grouping “Practice Guides” and “Global Technology Audit Guides” (GTAGs) as “Supplemental Guidance.”

These are small but important changes toward making the IPPF stronger – exactly the kind of leadership we’d expect from The IIA. I recommend taking a few minutes to look them over if you haven’t yet, and I look forward to another strong internal audit year.

A Matter of Trust: Taking a Look at the CISA Controversy

Kurt UnderwoodBy Kurt Underwood
Global Leader of Protiviti’s IT Consulting Practice




Back in October, we issued a Flash Report on a senate move regarding a proposed law that has spurred controversy at home and abroad. The bill is intended to improve cybersecurity in the United States through enhanced sharing of threat information.

Now out of committee, and potentially up for a floor vote in the Senate soon, the Cybersecurity Information Sharing Act (CISA) would allow (but not require) the sharing of Internet traffic information between U.S. government agencies and technology and manufacturing companies, making it easier for companies to share cyber threat information with the government.

The bill provides legal immunity from privacy and antitrust laws to companies that provide threat information from, say, the private communications of users, to appropriate federal agencies and other companies. It also permits private entities to monitor and operate defensive countermeasures to detect, prevent or mitigate cybersecurity threats or security vulnerabilities on their own information systems, and, under certain conditions, the systems of other private or government entities.

Although the bill includes provisions to prevent the sharing of personally identifiable information (PII) irrelevant to cybersecurity, some worry whether those protections are adequate.

The U.S. Chamber of Commerce, National Cable & Telecommunications Association, and other advocacy groups support the measure, on the grounds that the information in question is already flowing freely to spies and criminals around the world. Others, including the Computer and Communications Industry Association and various prominent technology companies, oppose it as a violation of personal privacy.

In the end, it all boils down to trust. Repeated high-profile security breaches of PII and other sensitive data have raised questions regarding the ability of government and large corporations to secure their data. It is interesting to note that the Department of Homeland Security, the designated entry point for all submitted data under the proposed law, is among those opposed to the bill.

The concern crosses international borders. A European court recently struck down an agreement that previously allowed U.S. companies to import the personal information of EU citizens and store that information within the United States. The agreement was called into question over a lawsuit questioning the protection of PII from the U.S. government.

For a more detailed analysis of CISA, you can download the Protiviti Flash Report, Proposed Cybersecurity Information Sharing Act Sparks Controversy. I am interested in your take on the issue in the comments section below.

2015 IT Audit Benchmarking Survey: Key Takeaways

David BrandBy David Brand
Managing Director, Leader of Protiviti’s IT Audit Practice




With the global proliferation of mobile devices and the Internet of Things connecting technologies and people like never before, IT audit leaders have an increasingly critical role to play. They need to work in collaboration with executive management, the board of directors, IT, HR, and numerous other departments to ensure their organizations identify, mitigate and monitor an escalating volume of IT risks that could cripple the enterprise if left unmanaged.

ISACA and Protiviti surveyed more than 1,200 chief audit executives (CAEs), IT audit vice presidents and directors in the third quarter of 2015 to determine where IT audit functions stand in their capabilities to address these key challenges. We published the results in the 5th Annual IT Audit Benchmarking Survey.

Notable takeaways include:

  • IT changes and IT security are top of mind – Respondents cited emerging technology, transformation, innovation, disruption and cybersecurity as their top technology challenges.
  • There are significant concerns about finding qualified resources and skills – Not only was this noted by respondents as one of today’s top IT challenges, but numerous results suggest that finding the right people with the right skills to do the job right remains a significant challenge.
  • Many IT audit reporting lines are still off the mark – Having the IT audit director report to the CAE or an equivalent role is ideal, yet many organizations still have other reporting lines in place, raising questions of objectivity and independence.
  • IT audit risk assessments are an absolute must – There is a small but meaningful number of companies that are not conducting any type of IT risk assessment. For these organizations, this represents a significant risk given the cybersecurity threat environment. Other organizations are adhering to best practices by conducting these risk assessments more frequently.
  • IT audit departments should get involved early in major IT projects – The good news: Half of all IT audit departments do. The survey found a moderate level of involvement in major technology projects among organizations, with many getting involved in the early planning and design stages. On the other hand, many have little to no involvement in such projects.
  • Effective communication is critical – A strong majority of IT audit leaders and professionals rate the ability to explain complex IT issues for a nontechnical audience as a critical part of their interpersonal skills.

With rapid change already the norm, and the future promising an even wilder ride, it is critical that organizations take the time now to establish a strong IT risk management and audit framework. When organizations do not know the risks they face, serious threats can go unaddressed and mushroom into major problems.

The 2015 survey is a fascinating study, and well worth your time. See results at a glance here and here. For a more in-depth discussion, listen to our recorded webinar, which I had the honor of hosting, along with Anthony Chalker, Internal Audit Managing Director at Protiviti, Nancy Cohen, Director of Privacy and Assurance Practices at ISACA, and Bob Kress, Managing Director of Global IT Audit at Accenture. I would be interested to read your reaction in the comment section below.

IT Security and Privacy Survey Webinar Highlights

Cal Slemp mugScott LaliberteBy Cal Slemp, Managing Director, IT Security and Privacy
and Scott Laliberte, Managing Director, Vulnerability and Penetration Testing



We covered the release of our 2015 IT Security and Privacy Survey here on our blog in September, but given the survey’s finding that there was a widespread lack of cybersecurity confidence among organizations surveyed, we wanted to revisit this important topic with discussion from our October 27 webinar.

Cyberattacks are increasing in frequency and sophistication. One in three targets falls victim. If your organization is not keeping pace with the threats, then you are falling behind.

Directors take note: The most significant differentiator in an organization’s preparedness for a security breach or cyberattack is the degree to which the board is engaged in IT security and asking hard questions that management has to answer. These include:

  • Does the organization have a formal and documented IT crisis response plan?
  • Is it tested at least annually?
  • How robust is the testing – perimeter only, or more enterprise-oriented war games? Does it evaluate the efficacy of breach detection and kill chain disruption?
  • How deep is our training/knowledge?
  • What is our average time to detection of breaches and how does it compare to the industry?
  • Are we testing for social engineering attacks?

Executives beware: The cyber threat landscape is evolving faster than typical IT security measures can keep up. One of the rising threats is social engineering attacks (especially spear phishing), designed to trick high-level executives into downloading malware/spyware. Statistics show that such schemes have over thirty percent success rate. This rate can drop significantly with proper training but even so, it only takes a single high-level breach to gain access to high-value, “crown jewel”-type information.

In addition to the questions listed above for board members, executives should be asking:

  • Who is responsible for IT governance – especially information security?
  • Does everybody in the organization know that?
  • How deep is our bench? If one or two key people were removed from the chain of command, would we still be able to effectively executive our crisis plan?
  • What are our “crown jewels?” What information do we have that needs to be protected?
  • How would we know if we’ve been breached?

IT leaders: Make sure you’ve got your bases covered. Recognize that the threat landscape is constantly changing. Stay up to date on data security certifications, such as ISO 27001 and PCI DSS. Make sure you have a solid, vetted IT crisis plan in place, test it regularly, communicate it to employees and train everyone in their role. Drill your team with real-life war game scenarios until you are confident that everyone knows their role and your plan will work as intended. Pull out a couple of key people and run the simulation again to ensure sustainability. Constantly ask yourself: “What are we missing?”

It is worth pointing out that most breaches go undetected for more than 6 months, and are usually discovered by a third party. This highlights the need to test detection capability, in addition to response capability.

The survey revealed a decrease in certain key IT security elements – such as policies and training – over the past three years. Although disconcerting, such dips are not uncommon as organizations transition from a rote “check-the-box” mentality to real readiness.

All signs point to an increased awareness of IT security challenges. For a more robust discussion and solid background on this issue, listen to the webinar and download the survey report.