The Internet of Things: A Game Changer for IT Audit

By Anthony Chalker, Managing Director
IT Audit Practice

I recently had the honor of attending the ISACA’s 2017 North America CACS Conference in Las Vegas, where I discussed how the Internet of Things (IoT) continues to transform the mission of IT auditors. The IoT is a perfect example of an all-around disruptor, including in IT audit departments, as businesses collect, analyze and act on data captured outside of the traditional IT boundaries. As a result, IT auditors now routinely must take steps to provide assurance over systems that are no longer under their direct control.

Auditors are fully aware of the challenge. Participants in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey acknowledge that they need to improve their IoT technical knowledge, or they’ll be unable to do their job. Technical knowledge ranked as a top-five issue among the most important internal audit priorities in the survey report. Without an in-depth understanding of the IoT, the technology that enables it and the business opportunities and risks it presents, we as auditors will be unable to quickly recognize innovations and how they could affect the organization’s business model or strategic objectives in the midst of a disruptive environment.

Below are just a few baseline points we covered during the conference discussion panel:

What is the IoT?
The IoT is an environment in which virtually any object, animal or person with a unique identifier on the internet has the ability to communicate over a network with another device, without the need for human-to-human or human-to-computer interaction. The IoT evolved from the convergence of wireless technologies, micro-electromechanical systems (MEMS) and the internet. In short, the IoT is giving the world a digital nervous system that’s connecting people, processes and systems, from devices, such as smartphones and tablets on the consumer level, to machine sensors on the industrial level.

What is driving the IoT’s growth?
The explosive growth of IoT is supported by several converging supporting technologies including:

  • Adoption of IPv6 – The ability to have a seemingly unlimited number of unique identifiers on the Internet. To put this in perspective, IPv6 allows every atom on the face of the earth to have its own identifier, with enough left over for another 100 Earths.
  • Enhanced sensors – The dramatic drop in cost combined with the equally dramatic increase in capabilities of sensors to capture, analyze, store and transmit data.
  • Low-power/wide area communications – The ability to transmit data from a wide range of sensors across a simplified and secure communication infrastructure utilizing batteries or other low-power sources designed for the expected useful life of the sensor.

The convergence of these developments is ushering in a new digital platform that allows organizations to devise new and inventive methods of reaching strategic objectives. In a recent McKinsey article, the authors estimate that the IoT will have a $4 to $11 trillion economic impact over the next eight years.

What is the role of the IT auditor in an IoT environment?
The IoT integrates technologies to serve business information needs. However, this does not mean that IoT projects necessarily originate in the IT organization. Many of the current IoT projects are occurring outside of the traditional walls of IT. As such, the IoT does not represent as much of a change in the purpose of the IT landscape or the types of issues that auditors typically address as it represents a change in where strategy is being implemented. We need to acknowledge this shift and ensure that we have a seat at the table to understand how the organization’s strategy is driving the IoT vision and the related IT risks that need to be addressed to successfully fulfill that vision.

To be sure, IoT discussions are happening across organizations today, from purchasing to research and development. IoT is not limited to a single industry or business process. As an IT auditor, are you part of these conversations? Are you in the loop of your organization’s IoT strategic initiatives? Again, we need to ensure a seat at the table to effectively perform our role as risk counselors and assurance advisors to management and the board about this rapidly evolving area. Unlike many areas on our traditional risk plan, IoT does not have an embedded platform of existing policies and procedures to leverage. If we are not part of the strategic discussion, it will be difficult to fulfill our risk advisory role. Simply stated, we need to get in the loop, or we’ll find ourselves on the outside looking in.

IoT does not inherently require a new IT audit skill set as much as it demands a new approach to identifying the linkage of strategy to IoT solutions. Here are a few questions we as auditors should consider as we continue to develop and refine strategies and solutions to help businesses maximize their IoT experience:

  • How is the IoT deployed in our organization today, and who owns it or its respective components? This includes determining an organization’s potential IoT inventory and IoT’s business activity role. The IoT could play a part in the end products that a business sells, for example, or in internal process management. It most likely does not reside in the IT organization. In many cases, projects will not include the wording “IoT” in their project plans or definitions. This underscores the importance of having skilled IT auditors who are able to link strategy and the underlying implementation mechanisms to identify where the IoT exists within the organization.
  • Do we know what data is collected, stored and analyzed, and have we assessed the potential legal, security and privacy implications? If IoT technology is found within a company’s solution offerings, for example, customer agreements may require disclosures regarding what information the devices are capturing and sharing. Do the organization’s data governance policies cover the tremendous amount of data being captured through the thousands of deployed sensors? Does the collection of sensor data pose risks that data may be aggregated in a manner that would create privacy concerns?
  • Do we have contingency plans in place in case our IoT “things” are hijacked or modified for unintended purposes? Among other considerations, it is critical to identify how an organization uses IoT devices and how a partial or full network shutdown would impact the business. Does the loss of these devices pose a risk to our organizations or other organizations? Is there a risk that our devices sold to others could be compromised on a large scale? One well-publicized example was the utilization of thousands of internet-connected devices as part of a denial of service attack on Dyn in October of 2016.

Auditors recognize that they need to improve their IoT technical knowledge, a skill set that is only going to grow in demand given the rapid deployment of connected devices throughout industry. We need to continually communicate with IoT experts and company managements and boards to create policies and procedures that address IoT opportunities and risks for organizations and industries alike. Perhaps the biggest risk on the auditor’s side of the ledger is failing to help his or her organization utilize IoT to make the most of its growth potential.

From Analog to Analytics: 2017 a Turning Point for Internal Audit

By Barbi Goldstein, Managing Director
Internal Audit and Financial Advisory

With increasing demands for broader, more accurate and more efficient risk assurance, internal audit departments have officially entered the age of analytics. According to Protiviti’s 2017 Internal Audit Capabilities and Needs Survey, two-thirds of internal audit functions have begun using data analytics on at least a limited basis, with two-thirds of the remaining respondents indicating that they plan to begin using analytics within two years.

Respondents at organizations of all sizes reported that they have begun the transformation from labor-intensive manual processes to reliance on technology for things like sample selection and testing procedures. Most organizations are still early in the process. Only 16 percent said that they have a person dedicated full time to analytics, and only three percent indicated that they considered their audit analytics to be optimized.

I recently had the opportunity to review the survey results for participants in an April 12 webinar (available for streaming at the link). If you are interested in learning more about the survey results, I urge you to check it out. In the meantime, here are some action items for internal audit derived from the survey:

Recognize that the demand for data analytics is growing across all organizations and industries.

Internal audit organizations are under growing pressure to increase audit efficiency and coverage. Regulators across a wide array of industries are pushing for more use of data and quantitative inputs into the audit process, and auditors are finding that implementation of analytics allows them to provide broader assurance in less time than it would typically take to perform manual testing on a representative sample.

Seek opportunities to expand the internal audit function’s knowledge of sophisticated data analytics capabilities.

From peer-to-peer networking to engagement with industry groups and continuing education, it is critical for auditors to become familiar with the ways in which tools and techniques are being used across their industry.

Do not let budget and resource constraints and business-as-usual workloads limit internal audit’s ability to optimize data analytics efforts.

Look for practical applications you can showcase to gain buy-in from other auditors within your internal audit function. Understanding what peers are doing can also accelerate your organization’s analytic maturity.

Assign analytics champions to lead the effort.

Where a dedicated analytics function doesn’t exist, experience has shown that organizations that employ a champion network within their audit function benefit from broader analytics usage, more sophisticated techniques and greater adoption of analytics in the audit department. The ideal candidate for a data champion is someone with aptitude and interest in data analytics, and a person of influence whom others will follow.

Explore avenues to expand internal audit’s access to quality data.

Engage with stakeholders, such as IT and data governance, to understand how to gain access to data while following all applicable organizational policies and procedures.

Identify new data sources — both internal and external.

Internal auditors, because of their broad industry knowledge, risk focus and access to data and systems throughout the organization, are uniquely positioned to find and mine new data sources to analyze for risk assurance.

Increase use and reach of data-based continuous auditing and monitoring.

Once data sources have been identified, it is important for internal auditors to apply continuous auditing and monitoring tools to have a timely and accurate view of the state of risk in the organization. Visualization tools, such as dashboards, are useful for enabling real-time access to key risk indicators.

Use real-time risk snapshots to help focus audit efforts.

Related to the previous point, problem areas discovered through visualization tools, such as Tableau, can be flagged for additional research/root cause analysis.

Seek ways to increase stakeholder input when building/implementing data analytic capabilities.

Business owners understand and monitor the key risks in their business, as does risk management in its second-line role. It is important for internal audit to build relationships and work closely with the first and second lines of defense to continue to enhance their understanding of risk indicators in the business.

Implement steps to measure success of data analytics efforts.

Internal audit groups that can demonstrate tangible value will build a better business case for increased budgets and resources dedicated to data analysis. Metrics, such as logging requests for analytics in the audit process and number of audits that leverage analytics, are a good way to demonstrate the value of using analytics.

The overarching theme that emerged from this year’s survey results is that data analytics has reached a tipping point. Internal audit functions that lead by embracing analytics and continuous monitoring will grow in value and stature with their stakeholders, regulators and peers. Those that fail to adapt will struggle to keep up with the rate of change and the state of risk at their organizations.

When Bad Things Happen to Good Companies — the Case For Culture Assurance

May is Internal Audit Awareness month. Over the course of the month, we will be taking a closer look at the internal audit profession from various perspectives, including industry, technology, and the “future auditor” — an embodiment of those skills and capabilities most valuable to the future of the internal audit function. Subscribe to our blog to follow the discussion.

By Brian Christensen, Managing Director
Global Internal Audit Leader

Within the internal auditing profession we’ve become accustomed to talking about “tone at the top,” and the importance of executives setting the right example. Most organizations have embraced the concept of core values — at least on paper. And still, we keep seeing headlines about major companies we respect and admire for their size and success in the marketplace that stumble and stub their toe over cultural issues — anything from sales practices, to the way they treat employees, customers or vendors.

Every organization has its own values or “ethos.” It turns out that this, in itself, is not enough to prevent faux pas of the kind we have seen lately. When bad things happen to good companies, it is important to ask ourselves, “What happened, and how do we prevent it from happening again?” In the age of viral news, the topic is more relevant than ever; it is also the central theme of Internal Audit Around the World, Volume XIII, the 2017 edition of our popular performer perspectives series, which will be released at The IIA Global Conference in July.

It may seem obvious to everyone that culture is important, and that the risks associated with unhealthy organizational culture can derail operations, damage the brand, drive away customers and put a sizeable dent in the bottom line. Yet for many organizations, culture continues to be a buzzword in boardroom discussions but has been given short shrift as an operational priority. “Doing the right thing” is a key performance indicator that doesn’t appear as a line item on any balance sheet but contributes considerably to the “goodwill” capital of a company, and its loss or erosion presents a significant risk. Culture assurance then becomes something much more specific and necessary.

The job falls on internal auditors who, by virtue of their “all access” hall pass, can provide assurance against cultural lapses. Because we already peer across all departments and business units at all levels of the company, we are uniquely positioned to monitor and report on the various tone and executional elements within an organization. In the most basic sense, a culture audit should determine whether policies and practices encourage and enable employees to do the right thing.

Too often, when bad things happen, executives tend to fall back on whether policies and procedures were followed. A culture audit should test and verify — through interviews and surveys — whether those policies and procedures enable operators to employ common sense in how they treat people, or whether they create duress and pressure for ethical compromise.

Culture audits are an opportunity for auditors to talk to employees, managers, customers and vendors, and measure whether conduct matches words, and report on whether the company is living its values, or whether they are hollow. Empowering people to better themselves is beneficial for the organization in the long run. You don’t want to be the company that becomes a running loop on social media or on the front page of the paper.

IT Audit Webinar: Your Questions Answered

By Gordon Braun, Managing Director
IT Audit

Following up on a recent blog post discussing the results of the 6th Annual IT Audit Benchmarking Study from ISACA and Protiviti, I want to revisit the subject by answering some of the audience questions we were unable to address live during the webinar, which I co-hosted with my Protiviti colleague David Brand and ISACA director Ed Moyle.

(I want to stress that we receive many great questions during our webinars but they may not always be answered in the limited window allowed by our webinar time constraints. I invite you to subscribe to our blog as we often follow up with these questions here.)

Q: How can growing organizations move from a reactionary approach to IT risk management to a more proactive approach and get ahead of emerging risk issues?

To be proactive, I think it is very important to invest in relationship-building activities with IT. Find a way to get invited to IT meetings and town halls and get added to key IT distribution lists. If you are not being included in those meetings, if you are not receiving IT organization announcements/distributions, and if you are not generally being considered a part of the IT “family,” you need to revisit your approach and take action to change your relationship status.

The goal should be to establish an ongoing dialogue so that internal audit knows what projects are in the pipeline and what technologies may be emerging in order to be appropriately involved at the earliest stages of these projects. I’ve seen a lot of IT audit organizations struggle with this. It’s hard to see the risks around the corner if the IT auditor does not know in which direction IT is headed. Too often, IT audit is reacting well after the fact, and that’s not a good position to be in.

I also suggest that IT auditors partner with enterprise risk management to maintain a good understanding of the strategic direction of the company. An IT auditor needs to understand the direction of an organization in order to identify risks associated with the future demand for technology, as well as the technology skill sets likely to be required.

For IT, the most important incentive for building a strong relationship with IT audit is the value IT audit can bring to that organization, and IT audit should be able to communicate that benefit. IT auditors are not only good evaluators, but they are individuals that can help the IT organization be successful in achieving its objectives. When reporting on IT, it is important to consider the context in which IT is operating. How information is presented — whether it is perceived as collaborative and constructive — can have a significant impact on the IT / IT audit relationship.

Q: Do you see more IT audit shops leveraging continuous auditing to focus on some of the challenges highlighted in the survey?

I see the second line of defense doing more continuous monitoring and then IT audit shops allowing for flexibility in the IT audit plan to allow for a shift based on the findings of continuous monitoring activities. As issues are identified in the second line, top-performing audit shops are able to shift activities and focus on emerging or more urgent items that require attention.

Q: Should the IT audit director report directly to the audit committee?

Not usually. While we are seeing the IT audit director attend more audit committee meetings, the line of reporting is typically up through the chief audit executive.

Q: Where does the responsibility for IT risk assessment live: with the IT organization or the IT audit function?

Certainly, IT has to be responsible for managing its own risk. But it is very common today to have a specific IT risk assessment process occurring through the internal audit organization. As technology, automation and digitization become a more integral part of our lives, boards and management are going to want more assurance around the tech environment, and that starts with an effective risk assessment process.

A coordinated or collaborative activity is the smart approach. It is best practice that IT does its own risk assessment. The trouble starts when there is a significant disconnect between the assessment results coming from IT and IT audit. Parallel assessments are perfectly legitimate and expected but there should be some effort to coordinate, collaborate and understand/reconcile any major differences.

Ultimately, you want to have an efficient risk management and IT governance process that delivers results that are easily understandable and interpreted by executive management and the board.

You can access the archived version of the webinar and more Q&As from it here.

Cyber Safety Tips for Private Equity Managers

By Michael Seek, Director
Internal Audit and Financial Advisory

Cybersecurity vendor FireEye, in March, reported an increase in fake emails targeting lawyers and compliance officers with malware disguised as a Microsoft Word document from the Securities and Exchange Commission. That, on the heels of a reported uptick in fake drawdown requests targeting private equity clients, prompted us to put together a list of ways private equity firms and portfolio managers can protect their clients from these increasingly sophisticated attacks. This list has applicability to other companies as well.

  1. Distributions – Protect investors (both internal and external) with controls requiring positive verification of the Investor’s identity prior to making any change to banking/wire instructions. The request should come directly from the Investor or from a contact that the Investor has provided written authorization to act on the Investor’s behalf. An independent email should be sent to the authorized email contact of record notifying them that a change was made and advising them to contact the firm if they did not request the change. This process should mirror those utilized by banks.
  2. Capital Calls/Drawdowns – Capital calls should be presented to Investors via a secure system or mechanism other than email. Note that hackers have been known to establish authentic-looking fake websites designed to capture LP account information. Protiviti recommends strong multifactor authentication routines (again, similar to banks) to thwart such efforts.
  3. System Security – Continuous monitoring for breach detection and a vigorously tested and rehearsed response/recovery plan have become the table stakes for operating any financial services business. If you have a proprietary system for investor distributions, that system should be secured on par with your ERP system.
  4. Deal Sourcing Data – At Protiviti, we emphasize the importance of knowing your “crown jewels” — that is, critical data that must be protected, such as investor account data. However, the protection of pipeline data, and information on target companies (e.g., potential deals), is at times overlooked. Data security must be established over systems, sites and network drives where confidential deal data is stored, including security over data rooms associated with due diligence activities. Additionally, employee communications should be monitored to ensure that no confidential information is being “leaked” via company networks.
  5. Board Members – Boards of directors need to ensure that the organizations they serve are improving their cybersecurity capabilities continuously in the face of ever-changing cyber threats. This point was mentioned in our recent Board Perspectives newsletter (Issue 90). That need also extends to the security of board emails and electronic communication of sensitive board materials. Of particular concern is the widespread use of “free” email services. Given the confidentiality of the information contained in many board emails, many organizations provide directors with in-house email addresses.
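The distributions control in item 1 (a request accepted only from the investor or a contact with written authorization on file, positive identity verification on a channel other than the one the request arrived on, and an independent notification to the contact of record) can be enforced in software rather than left to memory. The workflow below is an added example and is not Protiviti’s code or any firm’s system; the investor record, the contact addresses and the notification outbox are constructed stand-ins, and the rule that verification must not use e-mail is an assumption about what “positive verification” means in practice.

```python
"""Wire-instruction change control modelled as a small workflow.

Added example; not Protiviti's code. All names, investor records and the
verification channel are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


class ChangeRejected(Exception):
    """Raised whenever a control in the workflow is not satisfied."""


@dataclass
class Investor:
    investor_id: str
    contact_of_record: str        # address that receives the independent notification
    authorized_agents: Set[str]   # contacts holding written authorization on file
    bank_instructions: str


@dataclass
class ChangeRequest:
    investor_id: str
    requested_by: str             # address the request arrived from
    new_instructions: str
    verified: bool = False        # set only after out-of-band positive verification
    applied: bool = False
    audit_trail: List[str] = field(default_factory=list)


class WireChangeControl:
    """Three controls: authorized requester, independent verification, independent notice."""

    def __init__(self, investors: List[Investor]) -> None:
        self.investors: Dict[str, Investor] = {i.investor_id: i for i in investors}
        # Constructed stand-in for a mail gateway: (recipient, message) pairs.
        self.outbox: List[Tuple[str, str]] = []

    def submit(self, investor_id: str, requested_by: str, new_instructions: str) -> ChangeRequest:
        inv = self.investors[investor_id]
        # Control 1: only the investor or a contact with written authorization may request.
        if requested_by != inv.contact_of_record and requested_by not in inv.authorized_agents:
            raise ChangeRejected(f"{requested_by} is not authorized for {investor_id}")
        req = ChangeRequest(investor_id, requested_by, new_instructions)
        req.audit_trail.append(f"submitted by {requested_by}")
        return req

    def record_verification(self, req: ChangeRequest, verifier: str, channel: str) -> None:
        # Control 2: identity is confirmed on a channel independent of the request
        # (e.g. a call-back to the number on file); replying to the e-mail does not count.
        if channel.lower() == "email":
            raise ChangeRejected("verification must use a channel other than e-mail")
        req.verified = True
        req.audit_trail.append(f"identity verified by {verifier} via {channel}")

    def apply(self, req: ChangeRequest) -> ChangeRequest:
        inv = self.investors[req.investor_id]
        if not req.verified:
            raise ChangeRejected("change has not been positively verified")
        inv.bank_instructions = req.new_instructions
        req.applied = True
        # Control 3: independent notification to the contact of record, not to the requester.
        self.outbox.append((
            inv.contact_of_record,
            f"Banking instructions for {inv.investor_id} were changed; "
            "contact the firm if you did not request this change.",
        ))
        req.audit_trail.append("applied; notification sent to contact of record")
        return req


def rejects(action: Callable[[], object]) -> bool:
    """True if the action is blocked by a control; used to check negative paths."""
    try:
        action()
    except ChangeRejected:
        return True
    return False


def sample_control() -> WireChangeControl:
    """Constructed investor record for demonstration."""
    return WireChangeControl([
        Investor("LP-001", "treasurer@example.com", {"agent@example.com"}, "BANK A / ACCT 1"),
    ])


if __name__ == "__main__":
    ctl = sample_control()
    req = ctl.submit("LP-001", "agent@example.com", "BANK B / ACCT 2")
    print("apply before verification rejected:", rejects(lambda: ctl.apply(req)))
    ctl.record_verification(req, "ops-desk", "callback")
    ctl.apply(req)
    print(ctl.investors["LP-001"].bank_instructions, ctl.outbox[0][0], req.audit_trail)
```

The point of the structure is that the three controls are separate steps with their own evidence in the audit trail, so a reviewer can see that an unverified or unauthorized request can never reach the bank-instruction record, and that the person who asked for the change is never the only person told about it.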

In a world rife with cyber crime, the incentives to commit it grow ever stronger as just about everything of value – whether an action or an asset – has a digital component. Vigilance continues to be the name of the cyber risk game – for private equity firms and portfolio managers in managing their clients, and for other sectors as well.

Health Check on Emerging Growth Companies: PCAOB Reports High Incidence of Material Weaknesses

By Charles Soranno, Managing Director
Financial Reporting Compliance and Internal Audit

A new white paper from the Public Company Accounting Oversight Board (PCAOB) and an April increase in qualifying revenue limits have put emerging growth companies (EGCs) in the news recently.

The EGC designation, established under the Jumpstart Our Business Startups (JOBS) Act of 2012, makes it easier for small and growing businesses — specifically those on track for an initial public offering — to attract investors and access capital by relaxing regulatory requirements and cutting some red tape. There are a number of benefits to a registrant being classified as an EGC – see Protiviti’s Guide to Public Company Transformation for what they are.

The original law established a revenue cap of $1 billion for a company to qualify as an EGC, but provided for that cap to be adjusted every five years for inflation. The Securities and Exchange Commission (SEC) made the first adjustment in April 2017, raising the revenue cap to $1.07 billion.

Another provision of the JOBS Act was a mandate for the PCAOB to report via white papers, semiannually, on the extent to which EGCs actually benefitted from regulatory relief, and any unintended consequences stemming from the more permissive environment. The purpose of the PCAOB’s white papers is to provide general data about EGCs to inform the analysis contained in PCAOB rulemaking releases regarding the impact of applying new standards to the audits of EGCs.

The latest white paper, published in March 2017, found that of 1,951 companies reporting as EGCs in the 18 months prior to the reporting period, more than half (51 percent), received an explanatory paragraph in their most recent auditor’s report expressing substantial doubt about the company’s ability to continue as a going concern. Equally important, within that group of 1,951 EGC filers, 1,262 provided a management report on internal control over financial reporting in their most recent annual filing, and 47 percent – nearly one-half of all EGC filers – reported material weaknesses.

Protiviti explores the findings in the PCAOB’s March white paper at length in a recent Flash Report, but I wanted to highlight a few of the takeaways here.

First and foremost, while certain regulatory exemptions and benefits may be attractive, they do not mean that EGCs should accept or minimize issues surrounding potential findings of material weaknesses. These deficiencies in internal control over financial reporting may undermine a company’s reputation and reduce company value, to say the least.

The risk is real and should be addressed proactively. Protiviti has developed a financial reporting risk profile (FRRP) to identify financial reporting issues in advance and manage them to avoid potential financial restatements.

An effective FRRP focuses on six areas: accounting principle selection and application, estimation processes, related-party transactions, business transaction and data variability, sensitivity analysis, and measurement and planning. The underlying objective is to identify the most likely areas of potential misstatements and apply the appropriate oversight and control.

Second, EGCs should take the steps necessary to document key business processes so that these processes are well-defined and repeatable, reducing reliance on ad hoc activity by key employees. These processes may include a fair amount of financial reporting; related policies and activities, such as those that aid in the preparation of financial schedules for external auditors in the support of audits; filings; executive compensation; and employee benefits. Pre-public companies should design and implement a process for documenting conclusions on reporting and accounting matters.

Internal controls and documentation are critical because they minimize the risk of material weaknesses in the organization’s financial reporting. Consider the effects of just one material weakness: erosion of shareholder confidence, potential share price reduction, a fair amount of distraction throughout the organization, reduced brand quality, and significant remediation costs.

The high incidence of material weaknesses among EGCs is disappointing but, in many cases, generally preventable. It is important not to wait until the first auditor attestation to address potential issues. Many of the preventive measures – governance protocols, fraud controls, internal controls over financial reporting – should be in place prior to the company’s first public filing (e.g., Form 10-Q filings, 302/906 certifications), and others should be in place prior to the initial management assertion on the effectiveness of internal control over financial reporting, as required by Sarbanes-Oxley Section 404(a). If these areas have not been addressed and the first public filing is upcoming, the organization should prepare itself by putting in place a robust remediation program. See the Protiviti Flash Report for additional points and information.

DOJ Fraud Section Puts Boards of Directors on Notice Regarding “Conduct at the Top”

In February 2017, the U.S. Department of Justice (DOJ) Fraud Section published its latest guidance on corporate compliance programs with the release of the very useful document titled “Evaluation of Corporate Compliance Programs.”

While many legal and compliance scholars have rightly stated that this latest publication isn’t anything radically different than prior authoritative guidance issued by the DOJ and other organizations, what jumps out is the reframing of the well-worn expression, “tone at the top,” with the potentially more insightful, and arguably much scarier, “conduct at the top.” In a just-released Flash Report, we put forth questions and insights that illustrate the degree to which the DOJ is examining senior management and the board of directors while evaluating a corporate compliance program.